atomic-red-team/atomics/Indexes/Indexes-CSV/windows-index.csv at AutoSUID_linux

Files

T

CircleCI Atomic Red Team doc generator ccb98851fe Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2022-02-07 15:33:54 +00:00

95 KiB

Raw Permalink Blame History

1	Tactic	Technique #	Technique Name	Test #	Test Name	Test GUID	Executor Name
2	credential-access	T1558.004	AS-REP Roasting	1	Rubeus asreproast	615bd568-2859-41b5-9aed-61f6a88e48dd	powershell
3	credential-access	T1056.004	Credential API Hooking	1	Hook PowerShell TLS Encrypt/Decrypt Messages	de1934ea-1fbf-425b-8795-65fb27dd7e33	powershell
4	credential-access	T1552.001	Credentials In Files	3	Extracting passwords with findstr	0e56bf29-ff49-4ea5-9af4-3b81283fd513	powershell
5	credential-access	T1552.001	Credentials In Files	4	Access unattend.xml	367d4004-5fc0-446d-823f-960c74ae52c3	command_prompt
6	credential-access	T1555	Credentials from Password Stores	1	Extract Windows Credential Manager via VBA	234f9b7c-b53d-4f32-897b-b880a6c9ea7b	powershell
7	credential-access	T1555	Credentials from Password Stores	2	Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]	c89becbe-1758-4e7d-a0f4-97d2188a23e3	powershell
8	credential-access	T1555	Credentials from Password Stores	3	Dump credentials from Windows Credential Manager With PowerShell [web Credentials]	8fd5a296-6772-4766-9991-ff4e92af7240	powershell
9	credential-access	T1555	Credentials from Password Stores	4	Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]	36753ded-e5c4-4eb5-bc3c-e8fba236878d	powershell
10	credential-access	T1555	Credentials from Password Stores	5	Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]	bc071188-459f-44d5-901a-f8f2625b2d2e	powershell
11	credential-access	T1555.003	Credentials from Web Browsers	1	Run Chrome-password Collector	8c05b133-d438-47ca-a630-19cc464c4622	powershell
12	credential-access	T1555.003	Credentials from Web Browsers	3	LaZagne - Credentials from Browser	9a2915b3-3954-4cce-8c76-00fbf4dbd014	command_prompt
13	credential-access	T1555.003	Credentials from Web Browsers	4	Simulating access to Chrome Login Data	3d111226-d09a-4911-8715-fe11664f960d	powershell
14	credential-access	T1555.003	Credentials from Web Browsers	5	Simulating access to Opera Login Data	28498c17-57e4-495a-b0be-cc1e36de408b	powershell
15	credential-access	T1555.003	Credentials from Web Browsers	6	Simulating access to Windows Firefox Login Data	eb8da98a-2e16-4551-b3dd-83de49baa14c	powershell
16	credential-access	T1555.003	Credentials from Web Browsers	7	Simulating access to Windows Edge Login Data	a6a5ec26-a2d1-4109-9d35-58b867689329	powershell
17	credential-access	T1552.002	Credentials in Registry	1	Enumeration for Credentials in Registry	b6ec082c-7384-46b3-a111-9a9b8b14e5e7	command_prompt
18	credential-access	T1552.002	Credentials in Registry	2	Enumeration for PuTTY Credentials in Registry	af197fd7-e868-448e-9bd5-05d1bcd9d9e5	command_prompt
19	credential-access	T1003.006	DCSync	1	DCSync (Active Directory)	129efd28-8497-4c87-a1b0-73b9a870ca3e	command_prompt
20	credential-access	T1003.006	DCSync	2	Run DSInternals Get-ADReplAccount	a0bced08-3fc5-4d8b-93b7-e8344739376e	powershell
21	credential-access	T1187	Forced Authentication	1	PetitPotam	485ce873-2e65-4706-9c7e-ae3ab9e14213	powershell
22	credential-access	T1056.002	GUI Input Capture	2	PowerShell - Prompt User for Password	2b162bfd-0928-4d4c-9ec3-4d9f88374b52	powershell
23	credential-access	T1558.001	Golden Ticket	1	Crafting Active Directory golden tickets with mimikatz	9726592a-dabc-4d4d-81cd-44070008b3af	powershell
24	credential-access	T1558.001	Golden Ticket	2	Crafting Active Directory golden tickets with Rubeus	e42d33cd-205c-4acf-ab59-a9f38f6bad9c	powershell
25	credential-access	T1552.006	Group Policy Preferences	1	GPP Passwords (findstr)	870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f	command_prompt
26	credential-access	T1552.006	Group Policy Preferences	2	GPP Passwords (Get-GPPPassword)	e9584f82-322c-474a-b831-940fd8b4455c	powershell
27	credential-access	T1558.003	Kerberoasting	1	Request for service tickets	3f987809-3681-43c8-bcd8-b3ff3a28533a	powershell
28	credential-access	T1558.003	Kerberoasting	2	Rubeus kerberoast	14625569-6def-4497-99ac-8e7817105b55	powershell
29	credential-access	T1558.003	Kerberoasting	3	Extract all accounts in use as SPN using setspn	e6f4affd-d826-4871-9a62-6c9004b8fe06	command_prompt
30	credential-access	T1558.003	Kerberoasting	4	Request A Single Ticket via PowerShell	988539bc-2ed7-4e62-aec6-7c5cf6680863	powershell
31	credential-access	T1558.003	Kerberoasting	5	Request All Tickets via PowerShell	902f4ed2-1aba-4133-90f2-cff6d299d6da	powershell
32	credential-access	T1056.001	Keylogging	1	Input Capture	d9b633ca-8efb-45e6-b838-70f595c6ae26	powershell
33	credential-access	T1557.001	LLMNR/NBT-NS Poisoning and SMB Relay	1	LLMNR Poisoning with Inveigh (PowerShell)	deecd55f-afe0-4a62-9fba-4d1ba2deb321	powershell
34	credential-access	T1003.004	LSA Secrets	1	Dumping LSA Secrets	55295ab0-a703-433b-9ca4-ae13807de12f	command_prompt
35	credential-access	T1003.001	LSASS Memory	1	Windows Credential Editor	0f7c5301-6859-45ba-8b4d-1fac30fc31ed	command_prompt
36	credential-access	T1003.001	LSASS Memory	2	Dump LSASS.exe Memory using ProcDump	0be2230c-9ab3-4ac2-8826-3199b9a0ebf8	command_prompt
37	credential-access	T1003.001	LSASS Memory	3	Dump LSASS.exe Memory using comsvcs.dll	2536dee2-12fb-459a-8c37-971844fa73be	powershell
38	credential-access	T1003.001	LSASS Memory	4	Dump LSASS.exe Memory using direct system calls and API unhooking	7ae7102c-a099-45c8-b985-4c7a2d05790d	command_prompt
39	credential-access	T1003.001	LSASS Memory	5	Dump LSASS.exe Memory using NanoDump	dddd4aca-bbed-46f0-984d-e4c5971c51ea	command_prompt
40	credential-access	T1003.001	LSASS Memory	6	Dump LSASS.exe Memory using Windows Task Manager	dea6c349-f1c6-44f3-87a1-1ed33a59a607	manual
41	credential-access	T1003.001	LSASS Memory	7	Offline Credential Theft With Mimikatz	453acf13-1dbd-47d7-b28a-172ce9228023	command_prompt
42	credential-access	T1003.001	LSASS Memory	8	LSASS read with pypykatz	c37bc535-5c62-4195-9cc3-0517673171d8	command_prompt
43	credential-access	T1003.001	LSASS Memory	9	Dump LSASS.exe Memory using Out-Minidump.ps1	6502c8f0-b775-4dbd-9193-1298f56b6781	powershell
44	credential-access	T1003.001	LSASS Memory	10	Create Mini Dump of LSASS.exe using ProcDump	7cede33f-0acd-44ef-9774-15511300b24b	command_prompt
45	credential-access	T1003.001	LSASS Memory	11	Powershell Mimikatz	66fb0bc1-3c3f-47e9-a298-550ecfefacbc	powershell
46	credential-access	T1003.001	LSASS Memory	12	Dump LSASS with .Net 5 createdump.exe	9d0072c8-7cca-45c4-bd14-f852cfa35cf0	powershell
47	credential-access	T1003.001	LSASS Memory	13	Dump LSASS.exe using imported Microsoft DLLs	86fc3f40-237f-4701-b155-81c01c48d697	powershell
48	credential-access	T1003.003	NTDS	1	Create Volume Shadow Copy with vssadmin	dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f	command_prompt
49	credential-access	T1003.003	NTDS	2	Copy NTDS.dit from Volume Shadow Copy	c6237146-9ea6-4711-85c9-c56d263a6b03	command_prompt
50	credential-access	T1003.003	NTDS	3	Dump Active Directory Database with NTDSUtil	2364e33d-ceab-4641-8468-bfb1d7cc2723	command_prompt
51	credential-access	T1003.003	NTDS	4	Create Volume Shadow Copy with WMI	224f7de0-8f0a-4a94-b5d8-989b036c86da	command_prompt
52	credential-access	T1003.003	NTDS	5	Create Volume Shadow Copy remotely with WMI	d893459f-71f0-484d-9808-ec83b2b64226	command_prompt
53	credential-access	T1003.003	NTDS	6	Create Volume Shadow Copy with Powershell	542bb97e-da53-436b-8e43-e0a7d31a6c24	powershell
54	credential-access	T1003.003	NTDS	7	Create Symlink to Volume Shadow Copy	21748c28-2793-4284-9e07-d6d028b66702	command_prompt
55	credential-access	T1040	Network Sniffing	3	Packet Capture Windows Command Prompt	a5b2f6a0-24b4-493e-9590-c699f75723ca	command_prompt
56	credential-access	T1040	Network Sniffing	4	Windows Internal Packet Capture	b5656f67-d67f-4de8-8e62-b5581630f528	command_prompt
57	credential-access	T1003	OS Credential Dumping	1	Gsecdump	96345bfc-8ae7-4b6a-80b7-223200f24ef9	command_prompt
58	credential-access	T1003	OS Credential Dumping	2	Credential Dumping with NPPSpy	9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6	powershell
59	credential-access	T1003	OS Credential Dumping	3	Dump svchost.exe to gather RDP credentials	d400090a-d8ca-4be0-982e-c70598a23de9	powershell
60	credential-access	T1110.002	Password Cracking	1	Password Cracking with Hashcat	6d27df5d-69d4-4c91-bc33-5983ffe91692	command_prompt
61	credential-access	T1556.002	Password Filter DLL	1	Install and Register Password Filter DLL	a7961770-beb5-4134-9674-83d7e1fa865c	powershell
62	credential-access	T1110.001	Password Guessing	1	Brute Force Credentials of single Active Directory domain users via SMB	09480053-2f98-4854-be6e-71ae5f672224	command_prompt
63	credential-access	T1110.001	Password Guessing	2	Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)	c2969434-672b-4ec8-8df0-bbb91f40e250	powershell
64	credential-access	T1110.003	Password Spraying	1	Password Spray all Domain Users	90bc2e54-6c84-47a5-9439-0a2a92b4b175	command_prompt
65	credential-access	T1110.003	Password Spraying	2	Password Spray (DomainPasswordSpray)	263ae743-515f-4786-ac7d-41ef3a0d4b2b	powershell
66	credential-access	T1110.003	Password Spraying	3	Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)	f14d956a-5b6e-4a93-847f-0c415142f07d	powershell
67	credential-access	T1552.004	Private Keys	1	Private Keys	520ce462-7ca7-441e-b5a5-f8347f632696	command_prompt
68	credential-access	T1552.004	Private Keys	6	ADFS token signing and encryption certificates theft - Local	78e95057-d429-4e66-8f82-0f060c1ac96f	powershell
69	credential-access	T1552.004	Private Keys	7	ADFS token signing and encryption certificates theft - Remote	cab413d8-9e4a-4b8d-9b84-c985bd73a442	powershell
70	credential-access	T1003.002	Security Account Manager	1	Registry dump of SAM, creds, and secrets	5c2571d0-1572-416d-9676-812e64ca9f44	command_prompt
71	credential-access	T1003.002	Security Account Manager	2	Registry parse with pypykatz	a96872b2-cbf3-46cf-8eb4-27e8c0e85263	command_prompt
72	credential-access	T1003.002	Security Account Manager	3	esentutl.exe SAM copy	a90c2f4d-6726-444e-99d2-a00cd7c20480	command_prompt
73	credential-access	T1003.002	Security Account Manager	4	PowerDump Registry dump of SAM for hashes and usernames	804f28fc-68fc-40da-b5a2-e9d0bce5c193	powershell
74	credential-access	T1003.002	Security Account Manager	5	dump volume shadow copy hives with certutil	eeb9751a-d598-42d3-b11c-c122d9c3f6c7	powershell
75	credential-access	T1003.002	Security Account Manager	6	dump volume shadow copy hives with System.IO.File	9d77fed7-05f8-476e-a81b-8ff0472c64d0	powershell
76	collection	T1560	Archive Collected Data	1	Compress Data for Exfiltration With PowerShell	41410c60-614d-4b9d-b66e-b0192dd9c597	powershell
77	collection	T1560.001	Archive via Utility	1	Compress Data for Exfiltration With Rar	02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0	command_prompt
78	collection	T1560.001	Archive via Utility	2	Compress Data and lock with password for Exfiltration with winrar	8dd61a55-44c6-43cc-af0c-8bdda276860c	command_prompt
79	collection	T1560.001	Archive via Utility	3	Compress Data and lock with password for Exfiltration with winzip	01df0353-d531-408d-a0c5-3161bf822134	command_prompt
80	collection	T1560.001	Archive via Utility	4	Compress Data and lock with password for Exfiltration with 7zip	d1334303-59cb-4a03-8313-b3e24d02c198	command_prompt
81	collection	T1123	Audio Capture	1	using device audio capture commandlet	9c3ad250-b185-4444-b5a9-d69218a10c95	powershell
82	collection	T1119	Automated Collection	1	Automated Collection Command Prompt	cb379146-53f1-43e0-b884-7ce2c635ff5b	command_prompt
83	collection	T1119	Automated Collection	2	Automated Collection PowerShell	634bd9b9-dc83-4229-b19f-7f83ba9ad313	powershell
84	collection	T1119	Automated Collection	3	Recon information for export with PowerShell	c3f6d794-50dd-482f-b640-0384fbb7db26	powershell
85	collection	T1119	Automated Collection	4	Recon information for export with Command Prompt	aa1180e2-f329-4e1e-8625-2472ec0bfaf3	command_prompt
86	collection	T1115	Clipboard Data	1	Utilize Clipboard to store or execute commands from	0cd14633-58d4-4422-9ede-daa2c9474ae7	command_prompt
87	collection	T1115	Clipboard Data	2	Execute Commands from Clipboard using PowerShell	d6dc21af-bec9-4152-be86-326b6babd416	powershell
88	collection	T1115	Clipboard Data	4	Collect Clipboard Data via VBA	9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52	powershell
89	collection	T1056.004	Credential API Hooking	1	Hook PowerShell TLS Encrypt/Decrypt Messages	de1934ea-1fbf-425b-8795-65fb27dd7e33	powershell
90	collection	T1056.002	GUI Input Capture	2	PowerShell - Prompt User for Password	2b162bfd-0928-4d4c-9ec3-4d9f88374b52	powershell
91	collection	T1056.001	Keylogging	1	Input Capture	d9b633ca-8efb-45e6-b838-70f595c6ae26	powershell
92	collection	T1557.001	LLMNR/NBT-NS Poisoning and SMB Relay	1	LLMNR Poisoning with Inveigh (PowerShell)	deecd55f-afe0-4a62-9fba-4d1ba2deb321	powershell
93	collection	T1074.001	Local Data Staging	1	Stage data from Discovery.bat	107706a5-6f9f-451a-adae-bab8c667829f	powershell
94	collection	T1074.001	Local Data Staging	3	Zip a Folder with PowerShell for Staging in Temp	a57fbe4b-3440-452a-88a7-943531ac872a	powershell
95	collection	T1114.001	Local Email Collection	1	Email Collection with PowerShell Get-Inbox	3f1b5096-0139-4736-9b78-19bcb02bb1cb	powershell
96	collection	T1113	Screen Capture	5	Windows Screencapture	3c898f62-626c-47d5-aad2-6de873d69153	powershell
97	collection	T1113	Screen Capture	6	Windows Screen Capture (CopyFromScreen)	e9313014-985a-48ef-80d9-cde604ffc187	powershell
98	privilege-escalation	T1546.008	Accessibility Features	1	Attaches Command Prompt as a Debugger to a List of Target Processes	3309f53e-b22b-4eb6-8fd2-a6cf58b355a9	powershell
99	privilege-escalation	T1546.008	Accessibility Features	2	Replace binary of sticky keys	934e90cf-29ca-48b3-863c-411737ad44e3	command_prompt
100	privilege-escalation	T1546.010	AppInit DLLs	1	Install AppInit Shim	a58d9386-3080-4242-ab5f-454c16503d18	command_prompt
101	privilege-escalation	T1546.011	Application Shimming	1	Application Shim Installation	9ab27e22-ee62-4211-962b-d36d9a0e6a18	command_prompt
102	privilege-escalation	T1546.011	Application Shimming	2	New shim database files created in the default shim database directory	aefd6866-d753-431f-a7a4-215ca7e3f13d	powershell
103	privilege-escalation	T1546.011	Application Shimming	3	Registry key creation and/or modification events for SDB	9b6a06f9-ab5e-4e8d-8289-1df4289db02f	powershell
104	privilege-escalation	T1055.004	Asynchronous Procedure Call	1	Process Injection via C#	611b39b7-e243-4c81-87a4-7145a90358b1	command_prompt
105	privilege-escalation	T1053.002	At (Windows)	1	At.exe Scheduled task	4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8	command_prompt
106	privilege-escalation	T1547.002	Authentication Package	1	Authentication Package	be2590e8-4ac3-47ac-b4b5-945820f2fbe9	powershell
107	privilege-escalation	T1548.002	Bypass User Account Control	1	Bypass UAC using Event Viewer (cmd)	5073adf8-9a50-4bd9-b298-a9bd2ead8af9	command_prompt
108	privilege-escalation	T1548.002	Bypass User Account Control	2	Bypass UAC using Event Viewer (PowerShell)	a6ce9acf-842a-4af6-8f79-539be7608e2b	powershell
109	privilege-escalation	T1548.002	Bypass User Account Control	3	Bypass UAC using Fodhelper	58f641ea-12e3-499a-b684-44dee46bd182	command_prompt
110	privilege-escalation	T1548.002	Bypass User Account Control	4	Bypass UAC using Fodhelper - PowerShell	3f627297-6c38-4e7d-a278-fc2563eaaeaa	powershell
111	privilege-escalation	T1548.002	Bypass User Account Control	5	Bypass UAC using ComputerDefaults (PowerShell)	3c51abf2-44bf-42d8-9111-dc96ff66750f	powershell
112	privilege-escalation	T1548.002	Bypass User Account Control	6	Bypass UAC by Mocking Trusted Directories	f7a35090-6f7f-4f64-bb47-d657bf5b10c1	command_prompt
113	privilege-escalation	T1548.002	Bypass User Account Control	7	Bypass UAC using sdclt DelegateExecute	3be891eb-4608-4173-87e8-78b494c029b7	powershell
114	privilege-escalation	T1548.002	Bypass User Account Control	8	Disable UAC using reg.exe	9e8af564-53ec-407e-aaa8-3cb20c3af7f9	command_prompt
115	privilege-escalation	T1548.002	Bypass User Account Control	9	Bypass UAC using SilentCleanup task	28104f8a-4ff1-4582-bcf6-699dce156608	command_prompt
116	privilege-escalation	T1548.002	Bypass User Account Control	10	UACME Bypass Method 23	8ceab7a2-563a-47d2-b5ba-0995211128d7	command_prompt
117	privilege-escalation	T1548.002	Bypass User Account Control	11	UACME Bypass Method 31	b0f76240-9f33-4d34-90e8-3a7d501beb15	command_prompt
118	privilege-escalation	T1548.002	Bypass User Account Control	12	UACME Bypass Method 33	e514bb03-f71c-4b22-9092-9f961ec6fb03	command_prompt
119	privilege-escalation	T1548.002	Bypass User Account Control	13	UACME Bypass Method 34	695b2dac-423e-448e-b6ef-5b88e93011d6	command_prompt
120	privilege-escalation	T1548.002	Bypass User Account Control	14	UACME Bypass Method 39	56163687-081f-47da-bb9c-7b231c5585cf	command_prompt
121	privilege-escalation	T1548.002	Bypass User Account Control	15	UACME Bypass Method 56	235ec031-cd2d-465d-a7ae-68bab281e80e	command_prompt
122	privilege-escalation	T1548.002	Bypass User Account Control	16	UACME Bypass Method 59	dfb1b667-4bb8-4a63-a85e-29936ea75f29	command_prompt
123	privilege-escalation	T1548.002	Bypass User Account Control	17	UACME Bypass Method 61	7825b576-744c-4555-856d-caf3460dc236	command_prompt
124	privilege-escalation	T1574.012	COR_PROFILER	1	User scope COR_PROFILER	9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a	powershell
125	privilege-escalation	T1574.012	COR_PROFILER	2	System Scope COR_PROFILER	f373b482-48c8-4ce4-85ed-d40c8b3f7310	powershell
126	privilege-escalation	T1574.012	COR_PROFILER	3	Registry-free process scope COR_PROFILER	79d57242-bbef-41db-b301-9d01d9f6e817	powershell
127	privilege-escalation	T1546.001	Change Default File Association	1	Change Default File Association	10a08978-2045-4d62-8c42-1957bbbea102	command_prompt
128	privilege-escalation	T1546.015	Component Object Model Hijacking	1	COM Hijacking - InprocServer32	48117158-d7be-441b-bc6a-d9e36e47b52b	powershell
129	privilege-escalation	T1134.002	Create Process with Token	1	Access Token Manipulation	dbf4f5a9-b8e0-46a3-9841-9ad71247239e	powershell
130	privilege-escalation	T1574.001	DLL Search Order Hijacking	1	DLL Search Order Hijacking - amsi.dll	8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3	command_prompt
131	privilege-escalation	T1574.002	DLL Side-Loading	1	DLL Side-Loading using the Notepad++ GUP.exe binary	65526037-7079-44a9-bda1-2cb624838040	command_prompt
132	privilege-escalation	T1078.001	Default Accounts	1	Enable Guest account with RDP capability and admin privileges	99747561-ed8d-47f2-9c91-1e5fde1ed6e0	command_prompt
133	privilege-escalation	T1078.001	Default Accounts	2	Activate Guest Account	aa6cb8c4-b582-4f8e-b677-37733914abda	command_prompt
134	privilege-escalation	T1055.001	Dynamic-link Library Injection	1	Process Injection via mavinject.exe	74496461-11a1-4982-b439-4d87a550d254	powershell
135	privilege-escalation	T1546.012	Image File Execution Options Injection	1	IFEO Add Debugger	fdda2626-5234-4c90-b163-60849a24c0b8	command_prompt
136	privilege-escalation	T1546.012	Image File Execution Options Injection	2	IFEO Global Flags	46b1f278-c8ee-4aa5-acce-65e77b11f3c1	command_prompt
137	privilege-escalation	T1078.003	Local Accounts	1	Create local account with admin privileges	a524ce99-86de-4db6-b4f9-e08f35a47a15	command_prompt
138	privilege-escalation	T1037.001	Logon Script (Windows)	1	Logon Scripts	d6042746-07d4-4c92-9ad8-e644c114a231	command_prompt
139	privilege-escalation	T1546.007	Netsh Helper DLL	1	Netsh Helper DLL Registration	3244697d-5a3a-4dfc-941c-550f69f91a4d	command_prompt
140	privilege-escalation	T1134.004	Parent PID Spoofing	1	Parent PID Spoofing using PowerShell	069258f4-2162-46e9-9a25-c9c6c56150d2	powershell
141	privilege-escalation	T1134.004	Parent PID Spoofing	2	Parent PID Spoofing - Spawn from Current Process	14920ebd-1d61-491a-85e0-fe98efe37f25	powershell
142	privilege-escalation	T1134.004	Parent PID Spoofing	3	Parent PID Spoofing - Spawn from Specified Process	cbbff285-9051-444a-9d17-c07cd2d230eb	powershell
143	privilege-escalation	T1134.004	Parent PID Spoofing	4	Parent PID Spoofing - Spawn from svchost.exe	e9f2b777-3123-430b-805d-5cedc66ab591	powershell
144	privilege-escalation	T1134.004	Parent PID Spoofing	5	Parent PID Spoofing - Spawn from New Process	2988133e-561c-4e42-a15f-6281e6a9b2db	powershell
145	privilege-escalation	T1574.009	Path Interception by Unquoted Path	1	Execution of program.exe as service with unquoted service path	2770dea7-c50f-457b-84c4-c40a47460d9f	command_prompt
146	privilege-escalation	T1547.010	Port Monitors	1	Add Port Monitor persistence in Registry	d34ef297-f178-4462-871e-9ce618d44e50	command_prompt
147	privilege-escalation	T1546.013	PowerShell Profile	1	Append malicious start-process cmdlet	090e5aa5-32b6-473b-a49b-21e843a56896	powershell
148	privilege-escalation	T1055.012	Process Hollowing	1	Process Hollowing using PowerShell	562427b4-39ef-4e8c-af88-463a78e70b9c	powershell
149	privilege-escalation	T1055.012	Process Hollowing	2	RunPE via VBA	3ad4a037-1598-4136-837c-4027e4fa319b	powershell
150	privilege-escalation	T1055	Process Injection	1	Shellcode execution via VBA	1c91e740-1729-4329-b779-feba6e71d048	powershell
151	privilege-escalation	T1055	Process Injection	2	Remote Process Injection in LSASS via mimikatz	3203ad24-168e-4bec-be36-f79b13ef8a83	command_prompt
152	privilege-escalation	T1547.001	Registry Run Keys / Startup Folder	1	Reg Key Run	e55be3fd-3521-4610-9d1a-e210e42dcf05	command_prompt
153	privilege-escalation	T1547.001	Registry Run Keys / Startup Folder	2	Reg Key RunOnce	554cbd88-cde1-4b56-8168-0be552eed9eb	command_prompt
154	privilege-escalation	T1547.001	Registry Run Keys / Startup Folder	3	PowerShell Registry RunOnce	eb44f842-0457-4ddc-9b92-c4caa144ac42	powershell
155	privilege-escalation	T1547.001	Registry Run Keys / Startup Folder	4	Suspicious vbs file run from startup Folder	2cb98256-625e-4da9-9d44-f2e5f90b8bd5	powershell
156	privilege-escalation	T1547.001	Registry Run Keys / Startup Folder	5	Suspicious jse file run from startup Folder	dade9447-791e-4c8f-b04b-3a35855dfa06	powershell
157	privilege-escalation	T1547.001	Registry Run Keys / Startup Folder	6	Suspicious bat file run from startup Folder	5b6768e4-44d2-44f0-89da-a01d1430fd5e	powershell
158	privilege-escalation	T1547.001	Registry Run Keys / Startup Folder	7	Add Executable Shortcut Link to User Startup Folder	24e55612-85f6-4bd6-ae74-a73d02e3441d	powershell
159	privilege-escalation	T1053.005	Scheduled Task	1	Scheduled Task Startup Script	fec27f65-db86-4c2d-b66c-61945aee87c2	command_prompt
160	privilege-escalation	T1053.005	Scheduled Task	2	Scheduled task Local	42f53695-ad4a-4546-abb6-7d837f644a71	command_prompt
161	privilege-escalation	T1053.005	Scheduled Task	3	Scheduled task Remote	2e5eac3e-327b-4a88-a0c0-c4057039a8dd	command_prompt
162	privilege-escalation	T1053.005	Scheduled Task	4	Powershell Cmdlet Scheduled Task	af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd	powershell
163	privilege-escalation	T1053.005	Scheduled Task	5	Task Scheduler via VBA	ecd3fa21-7792-41a2-8726-2c5c673414d3	powershell
164	privilege-escalation	T1053.005	Scheduled Task	6	WMI Invoke-CimMethod Scheduled Task	e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b	powershell
165	privilege-escalation	T1546.002	Screensaver	1	Set Arbitrary Binary as Screensaver	281201e7-de41-4dc9-b73d-f288938cbb64	command_prompt
166	privilege-escalation	T1547.005	Security Support Provider	1	Modify SSP configuration in registry	afdfd7e3-8a0b-409f-85f7-886fdf249c9e	powershell
167	privilege-escalation	T1574.011	Services Registry Permissions Weakness	1	Service Registry Permissions Weakness	f7536d63-7fd4-466f-89da-7e48d550752a	powershell
168	privilege-escalation	T1574.011	Services Registry Permissions Weakness	2	Service ImagePath Change with reg.exe	f38e9eea-e1d7-4ba6-b716-584791963827	command_prompt
169	privilege-escalation	T1547.009	Shortcut Modification	1	Shortcut Modification	ce4fc678-364f-4282-af16-2fb4c78005ce	command_prompt
170	privilege-escalation	T1547.009	Shortcut Modification	2	Create shortcut to cmd in startup folders	cfdc954d-4bb0-4027-875b-a1893ce406f2	powershell
171	privilege-escalation	T1134.001	Token Impersonation/Theft	1	Named pipe client impersonation	90db9e27-8e7c-4c04-b602-a45927884966	powershell
172	privilege-escalation	T1134.001	Token Impersonation/Theft	2	`SeDebugPrivilege` token duplication	34f0a430-9d04-4d98-bcb5-1989f14719f0	powershell
173	privilege-escalation	T1546.003	Windows Management Instrumentation Event Subscription	1	Persistence via WMI Event Subscription	3c64f177-28e2-49eb-a799-d767b24dd1e0	powershell
174	privilege-escalation	T1543.003	Windows Service	1	Modify Fax service to run PowerShell	ed366cde-7d12-49df-a833-671904770b9f	command_prompt
175	privilege-escalation	T1543.003	Windows Service	2	Service Installation CMD	981e2942-e433-44e9-afc1-8c957a1496b6	command_prompt
176	privilege-escalation	T1543.003	Windows Service	3	Service Installation PowerShell	491a4af6-a521-4b74-b23b-f7b3f1ee9e77	powershell
177	privilege-escalation	T1543.003	Windows Service	4	TinyTurla backdoor service w64time	ef0581fd-528e-4662-87bc-4c2affb86940	command_prompt
178	privilege-escalation	T1547.004	Winlogon Helper DLL	1	Winlogon Shell Key Persistence - PowerShell	bf9f9d65-ee4d-4c3e-a843-777d04f19c38	powershell
179	privilege-escalation	T1547.004	Winlogon Helper DLL	2	Winlogon Userinit Key Persistence - PowerShell	fb32c935-ee2e-454b-8fa3-1c46b42e8dfb	powershell
180	privilege-escalation	T1547.004	Winlogon Helper DLL	3	Winlogon Notify Key Logon Persistence - PowerShell	d40da266-e073-4e5a-bb8b-2b385023e5f9	powershell
181	defense-evasion	T1055.004	Asynchronous Procedure Call	1	Process Injection via C#	611b39b7-e243-4c81-87a4-7145a90358b1	command_prompt
182	defense-evasion	T1197	BITS Jobs	1	Bitsadmin Download (cmd)	3c73d728-75fb-4180-a12f-6712864d7421	command_prompt
183	defense-evasion	T1197	BITS Jobs	2	Bitsadmin Download (PowerShell)	f63b8bc4-07e5-4112-acba-56f646f3f0bc	powershell
184	defense-evasion	T1197	BITS Jobs	3	Persist, Download, & Execute	62a06ec5-5754-47d2-bcfc-123d8314c6ae	command_prompt
185	defense-evasion	T1197	BITS Jobs	4	Bits download using desktopimgdownldr.exe (cmd)	afb5e09e-e385-4dee-9a94-6ee60979d114	command_prompt
186	defense-evasion	T1548.002	Bypass User Account Control	1	Bypass UAC using Event Viewer (cmd)	5073adf8-9a50-4bd9-b298-a9bd2ead8af9	command_prompt
187	defense-evasion	T1548.002	Bypass User Account Control	2	Bypass UAC using Event Viewer (PowerShell)	a6ce9acf-842a-4af6-8f79-539be7608e2b	powershell
188	defense-evasion	T1548.002	Bypass User Account Control	3	Bypass UAC using Fodhelper	58f641ea-12e3-499a-b684-44dee46bd182	command_prompt
189	defense-evasion	T1548.002	Bypass User Account Control	4	Bypass UAC using Fodhelper - PowerShell	3f627297-6c38-4e7d-a278-fc2563eaaeaa	powershell
190	defense-evasion	T1548.002	Bypass User Account Control	5	Bypass UAC using ComputerDefaults (PowerShell)	3c51abf2-44bf-42d8-9111-dc96ff66750f	powershell
191	defense-evasion	T1548.002	Bypass User Account Control	6	Bypass UAC by Mocking Trusted Directories	f7a35090-6f7f-4f64-bb47-d657bf5b10c1	command_prompt
192	defense-evasion	T1548.002	Bypass User Account Control	7	Bypass UAC using sdclt DelegateExecute	3be891eb-4608-4173-87e8-78b494c029b7	powershell
193	defense-evasion	T1548.002	Bypass User Account Control	8	Disable UAC using reg.exe	9e8af564-53ec-407e-aaa8-3cb20c3af7f9	command_prompt
194	defense-evasion	T1548.002	Bypass User Account Control	9	Bypass UAC using SilentCleanup task	28104f8a-4ff1-4582-bcf6-699dce156608	command_prompt
195	defense-evasion	T1548.002	Bypass User Account Control	10	UACME Bypass Method 23	8ceab7a2-563a-47d2-b5ba-0995211128d7	command_prompt
196	defense-evasion	T1548.002	Bypass User Account Control	11	UACME Bypass Method 31	b0f76240-9f33-4d34-90e8-3a7d501beb15	command_prompt
197	defense-evasion	T1548.002	Bypass User Account Control	12	UACME Bypass Method 33	e514bb03-f71c-4b22-9092-9f961ec6fb03	command_prompt
198	defense-evasion	T1548.002	Bypass User Account Control	13	UACME Bypass Method 34	695b2dac-423e-448e-b6ef-5b88e93011d6	command_prompt
199	defense-evasion	T1548.002	Bypass User Account Control	14	UACME Bypass Method 39	56163687-081f-47da-bb9c-7b231c5585cf	command_prompt
200	defense-evasion	T1548.002	Bypass User Account Control	15	UACME Bypass Method 56	235ec031-cd2d-465d-a7ae-68bab281e80e	command_prompt
201	defense-evasion	T1548.002	Bypass User Account Control	16	UACME Bypass Method 59	dfb1b667-4bb8-4a63-a85e-29936ea75f29	command_prompt
202	defense-evasion	T1548.002	Bypass User Account Control	17	UACME Bypass Method 61	7825b576-744c-4555-856d-caf3460dc236	command_prompt
203	defense-evasion	T1218.003	CMSTP	1	CMSTP Executing Remote Scriptlet	34e63321-9683-496b-bbc1-7566bc55e624	command_prompt
204	defense-evasion	T1218.003	CMSTP	2	CMSTP Executing UAC Bypass	748cb4f6-2fb3-4e97-b7ad-b22635a09ab0	command_prompt
205	defense-evasion	T1574.012	COR_PROFILER	1	User scope COR_PROFILER	9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a	powershell
206	defense-evasion	T1574.012	COR_PROFILER	2	System Scope COR_PROFILER	f373b482-48c8-4ce4-85ed-d40c8b3f7310	powershell
207	defense-evasion	T1574.012	COR_PROFILER	3	Registry-free process scope COR_PROFILER	79d57242-bbef-41db-b301-9d01d9f6e817	powershell
208	defense-evasion	T1070.003	Clear Command History	10	Prevent Powershell History Logging	2f898b81-3e97-4abb-bc3f-a95138988370	powershell
209	defense-evasion	T1070.003	Clear Command History	11	Clear Powershell History by Deleting History File	da75ae8d-26d6-4483-b0fe-700e4df4f037	powershell
210	defense-evasion	T1070.001	Clear Windows Event Logs	1	Clear Logs	e6abb60e-26b8-41da-8aae-0c35174b0967	command_prompt
211	defense-evasion	T1070.001	Clear Windows Event Logs	2	Delete System Logs Using Clear-EventLog	b13e9306-3351-4b4b-a6e8-477358b0b498	powershell
212	defense-evasion	T1070.001	Clear Windows Event Logs	3	Clear Event Logs via VBA	1b682d84-f075-4f93-9a89-8a8de19ffd6e	powershell
213	defense-evasion	T1027.004	Compile After Delivery	1	Compile After Delivery using csc.exe	ffcdbd6a-b0e8-487d-927a-09127fe9a206	command_prompt
214	defense-evasion	T1027.004	Compile After Delivery	2	Dynamic C# Compile	453614d8-3ba6-4147-acc0-7ec4b3e1faef	powershell
215	defense-evasion	T1218.001	Compiled HTML File	1	Compiled HTML Help Local Payload	5cb87818-0d7c-4469-b7ef-9224107aebe8	command_prompt
216	defense-evasion	T1218.001	Compiled HTML File	2	Compiled HTML Help Remote Payload	0f8af516-9818-4172-922b-42986ef1e81d	command_prompt
217	defense-evasion	T1218.001	Compiled HTML File	3	Invoke CHM with default Shortcut Command Execution	29d6f0d7-be63-4482-8827-ea77126c1ef7	powershell
218	defense-evasion	T1218.001	Compiled HTML File	4	Invoke CHM with InfoTech Storage Protocol Handler	b4094750-5fc7-4e8e-af12-b4e36bf5e7f6	powershell
219	defense-evasion	T1218.001	Compiled HTML File	5	Invoke CHM Simulate Double click	5decef42-92b8-4a93-9eb2-877ddcb9401a	powershell
220	defense-evasion	T1218.001	Compiled HTML File	6	Invoke CHM with Script Engine and Help Topic	4f83adda-f5ec-406d-b318-9773c9ca92e5	powershell
221	defense-evasion	T1218.001	Compiled HTML File	7	Invoke CHM Shortcut Command with ITS and Help Topic	15756147-7470-4a83-87fb-bb5662526247	powershell
222	defense-evasion	T1218.002	Control Panel	1	Control Panel Items	037e9d8a-9e46-4255-8b33-2ae3b545ca6f	command_prompt
223	defense-evasion	T1134.002	Create Process with Token	1	Access Token Manipulation	dbf4f5a9-b8e0-46a3-9841-9ad71247239e	powershell
224	defense-evasion	T1574.001	DLL Search Order Hijacking	1	DLL Search Order Hijacking - amsi.dll	8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3	command_prompt
225	defense-evasion	T1574.002	DLL Side-Loading	1	DLL Side-Loading using the Notepad++ GUP.exe binary	65526037-7079-44a9-bda1-2cb624838040	command_prompt
226	defense-evasion	T1078.001	Default Accounts	1	Enable Guest account with RDP capability and admin privileges	99747561-ed8d-47f2-9c91-1e5fde1ed6e0	command_prompt
227	defense-evasion	T1078.001	Default Accounts	2	Activate Guest Account	aa6cb8c4-b582-4f8e-b677-37733914abda	command_prompt
228	defense-evasion	T1140	Deobfuscate/Decode Files or Information	1	Deobfuscate/Decode Files Or Information	dc6fe391-69e6-4506-bd06-ea5eeb4082f8	command_prompt
229	defense-evasion	T1140	Deobfuscate/Decode Files or Information	2	Certutil Rename and Decode	71abc534-3c05-4d0c-80f7-cbe93cb2aa94	command_prompt
230	defense-evasion	T1006	Direct Volume Access	1	Read volume boot sector via DOS device path (PowerShell)	88f6327e-51ec-4bbf-b2e8-3fea534eab8b	powershell
231	defense-evasion	T1562.002	Disable Windows Event Logging	1	Disable Windows IIS HTTP Logging	69435dcf-c66f-4ec0-a8b1-82beb76b34db	powershell
232	defense-evasion	T1562.002	Disable Windows Event Logging	2	Kill Event Log Service Threads	41ac52ba-5d5e-40c0-b267-573ed90489bd	powershell
233	defense-evasion	T1562.002	Disable Windows Event Logging	3	Impair Windows Audit Log Policy	5102a3a7-e2d7-4129-9e45-f483f2e0eea8	command_prompt
234	defense-evasion	T1562.002	Disable Windows Event Logging	4	Clear Windows Audit Policy Config	913c0e4e-4b37-4b78-ad0b-90e7b25010f6	command_prompt
235	defense-evasion	T1562.002	Disable Windows Event Logging	5	Disable Event Logging with wevtutil	b26a3340-dad7-4360-9176-706269c74103	command_prompt
236	defense-evasion	T1562.002	Disable Windows Event Logging	6	Makes Eventlog blind with Phant0m	3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741	command_prompt
237	defense-evasion	T1562.004	Disable or Modify System Firewall	1	Disable Microsoft Defender Firewall	88d05800-a5e4-407e-9b53-ece4174f197f	command_prompt
238	defense-evasion	T1562.004	Disable or Modify System Firewall	2	Disable Microsoft Defender Firewall via Registry	afedc8c4-038c-4d82-b3e5-623a95f8a612	command_prompt
239	defense-evasion	T1562.004	Disable or Modify System Firewall	3	Allow SMB and RDP on Microsoft Defender Firewall	d9841bf8-f161-4c73-81e9-fd773a5ff8c1	command_prompt
240	defense-evasion	T1562.004	Disable or Modify System Firewall	4	Opening ports for proxy - HARDRAIN	15e57006-79dd-46df-9bf9-31bc24fb5a80	command_prompt
241	defense-evasion	T1562.004	Disable or Modify System Firewall	5	Open a local port through Windows Firewall to any profile	9636dd6e-7599-40d2-8eee-ac16434f35ed	powershell
242	defense-evasion	T1562.004	Disable or Modify System Firewall	6	Allow Executable Through Firewall Located in Non-Standard Location	6f5822d2-d38d-4f48-9bfc-916607ff6b8c	powershell
243	defense-evasion	T1562.001	Disable or Modify Tools	10	Unload Sysmon Filter Driver	811b3e76-c41b-430c-ac0d-e2380bfaa164	command_prompt
244	defense-evasion	T1562.001	Disable or Modify Tools	11	Uninstall Sysmon	a316fb2e-5344-470d-91c1-23e15c374edc	command_prompt
245	defense-evasion	T1562.001	Disable or Modify Tools	12	AMSI Bypass - AMSI InitFailed	695eed40-e949-40e5-b306-b4031e4154bd	powershell
246	defense-evasion	T1562.001	Disable or Modify Tools	13	AMSI Bypass - Remove AMSI Provider Reg Key	13f09b91-c953-438e-845b-b585e51cac9b	powershell
247	defense-evasion	T1562.001	Disable or Modify Tools	14	Disable Arbitrary Security Windows Service	a1230893-56ac-4c81-b644-2108e982f8f5	command_prompt
248	defense-evasion	T1562.001	Disable or Modify Tools	15	Tamper with Windows Defender ATP PowerShell	6b8df440-51ec-4d53-bf83-899591c9b5d7	powershell
249	defense-evasion	T1562.001	Disable or Modify Tools	16	Tamper with Windows Defender Command Prompt	aa875ed4-8935-47e2-b2c5-6ec00ab220d2	command_prompt
250	defense-evasion	T1562.001	Disable or Modify Tools	17	Tamper with Windows Defender Registry	1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45	powershell
251	defense-evasion	T1562.001	Disable or Modify Tools	18	Disable Microsoft Office Security Features	6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7	powershell
252	defense-evasion	T1562.001	Disable or Modify Tools	19	Remove Windows Defender Definition Files	3d47daaa-2f56-43e0-94cc-caf5d8d52a68	command_prompt
253	defense-evasion	T1562.001	Disable or Modify Tools	20	Stop and Remove Arbitrary Security Windows Service	ae753dda-0f15-4af6-a168-b9ba16143143	powershell
254	defense-evasion	T1562.001	Disable or Modify Tools	21	Uninstall Crowdstrike Falcon on Windows	b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297	powershell
255	defense-evasion	T1562.001	Disable or Modify Tools	22	Tamper with Windows Defender Evade Scanning -Folder	0b19f4ee-de90-4059-88cb-63c800c683ed	powershell
256	defense-evasion	T1562.001	Disable or Modify Tools	23	Tamper with Windows Defender Evade Scanning -Extension	315f4be6-2240-4552-b3e1-d1047f5eecea	powershell
257	defense-evasion	T1562.001	Disable or Modify Tools	24	Tamper with Windows Defender Evade Scanning -Process	a123ce6a-3916-45d6-ba9c-7d4081315c27	powershell
258	defense-evasion	T1562.001	Disable or Modify Tools	26	Disable Windows Defender with DISM	871438ac-7d6e-432a-b27d-3e7db69faf58	command_prompt
259	defense-evasion	T1562.001	Disable or Modify Tools	27	Disable Defender with Defender Control	178136d8-2778-4d7a-81f3-d517053a4fd6	powershell
260	defense-evasion	T1055.001	Dynamic-link Library Injection	1	Process Injection via mavinject.exe	74496461-11a1-4982-b439-4d87a550d254	powershell
261	defense-evasion	T1070.004	File Deletion	4	Delete a single file - Windows cmd	861ea0b4-708a-4d17-848d-186c9c7f17e3	command_prompt
262	defense-evasion	T1070.004	File Deletion	5	Delete an entire folder - Windows cmd	ded937c4-2add-42f7-9c2c-c742b7a98698	command_prompt
263	defense-evasion	T1070.004	File Deletion	6	Delete a single file - Windows PowerShell	9dee89bd-9a98-4c4f-9e2d-4256690b0e72	powershell
264	defense-evasion	T1070.004	File Deletion	7	Delete an entire folder - Windows PowerShell	edd779e4-a509-4cba-8dfa-a112543dbfb1	powershell
265	defense-evasion	T1070.004	File Deletion	9	Delete Prefetch File	36f96049-0ad7-4a5f-8418-460acaeb92fb	powershell
266	defense-evasion	T1070.004	File Deletion	10	Delete TeamViewer Log Files	69f50a5f-967c-4327-a5bb-e1a9a9983785	powershell
267	defense-evasion	T1564.001	Hidden Files and Directories	3	Create Windows System File with Attrib	f70974c8-c094-4574-b542-2c545af95a32	command_prompt
268	defense-evasion	T1564.001	Hidden Files and Directories	4	Create Windows Hidden File with Attrib	dadb792e-4358-4d8d-9207-b771faa0daa5	command_prompt
269	defense-evasion	T1564.003	Hidden Window	1	Hidden Window	f151ee37-9e2b-47e6-80e4-550b9f999b7a	powershell
270	defense-evasion	T1564	Hide Artifacts	1	Extract binary files via VBA	6afe288a-8a8b-4d33-a629-8d03ba9dad3a	powershell
271	defense-evasion	T1564	Hide Artifacts	2	Create a Hidden User Called "$"	2ec63cc2-4975-41a6-bf09-dffdfb610778	command_prompt
272	defense-evasion	T1564	Hide Artifacts	3	Create an "Administrator " user (with a space on the end)	5bb20389-39a5-4e99-9264-aeb92a55a85c	powershell
273	defense-evasion	T1070	Indicator Removal on Host	1	Indicator Removal using FSUtil	b4115c7a-0e92-47f0-a61e-17e7218b2435	command_prompt
274	defense-evasion	T1202	Indirect Command Execution	1	Indirect Command Execution - pcalua.exe	cecfea7a-5f03-4cdd-8bc8-6f7c22862440	command_prompt
275	defense-evasion	T1202	Indirect Command Execution	2	Indirect Command Execution - forfiles.exe	8b34a448-40d9-4fc3-a8c8-4bb286faf7dc	command_prompt
276	defense-evasion	T1202	Indirect Command Execution	3	Indirect Command Execution - conhost.exe	cf3391e0-b482-4b02-87fc-ca8362269b29	command_prompt
277	defense-evasion	T1553.004	Install Root Certificate	4	Install root CA on Windows	76f49d86-5eb1-461a-a032-a480f86652f1	powershell
278	defense-evasion	T1553.004	Install Root Certificate	5	Install root CA on Windows with certutil	5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f	powershell
279	defense-evasion	T1218.004	InstallUtil	1	CheckIfInstallable method call	ffd9c807-d402-47d2-879d-f915cf2a3a94	powershell
280	defense-evasion	T1218.004	InstallUtil	2	InstallHelper method call	d43a5bde-ae28-4c55-a850-3f4c80573503	powershell
281	defense-evasion	T1218.004	InstallUtil	3	InstallUtil class constructor method call	9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93	powershell
282	defense-evasion	T1218.004	InstallUtil	4	InstallUtil Install method call	9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b	powershell
283	defense-evasion	T1218.004	InstallUtil	5	InstallUtil Uninstall method call - /U variant	34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b	powershell
284	defense-evasion	T1218.004	InstallUtil	6	InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant	06d9deba-f732-48a8-af8e-bdd6e4d98c1d	powershell
285	defense-evasion	T1218.004	InstallUtil	7	InstallUtil HelpText method call	5a683850-1145-4326-a0e5-e91ced3c6022	powershell
286	defense-evasion	T1218.004	InstallUtil	8	InstallUtil evasive invocation	559e6d06-bb42-4307-bff7-3b95a8254bad	powershell
287	defense-evasion	T1078.003	Local Accounts	1	Create local account with admin privileges	a524ce99-86de-4db6-b4f9-e08f35a47a15	command_prompt
288	defense-evasion	T1127.001	MSBuild	1	MSBuild Bypass Using Inline Tasks (C#)	58742c0f-cb01-44cd-a60b-fb26e8871c93	command_prompt
289	defense-evasion	T1127.001	MSBuild	2	MSBuild Bypass Using Inline Tasks (VB)	ab042179-c0c5-402f-9bc8-42741f5ce359	command_prompt
290	defense-evasion	T1553.005	Mark-of-the-Web Bypass	1	Mount ISO image	002cca30-4778-4891-878a-aaffcfa502fa	powershell
291	defense-evasion	T1553.005	Mark-of-the-Web Bypass	2	Mount an ISO image and run executable from the ISO	42f22b00-0242-4afc-a61b-0da05041f9cc	powershell
292	defense-evasion	T1553.005	Mark-of-the-Web Bypass	3	Remove the Zone.Identifier alternate data stream	64b12afc-18b8-4d3f-9eab-7f6cae7c73f9	powershell
293	defense-evasion	T1036.004	Masquerade Task or Service	1	Creating W32Time similar named service using schtasks	f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9	command_prompt
294	defense-evasion	T1036.004	Masquerade Task or Service	2	Creating W32Time similar named service using sc	b721c6ef-472c-4263-a0d9-37f1f4ecff66	command_prompt
295	defense-evasion	T1036	Masquerading	1	System File Copied to Unusual Location	51005ac7-52e2-45e0-bdab-d17c6d4916cd	command_prompt
296	defense-evasion	T1036	Masquerading	2	Malware Masquerading and Execution from Zip File	4449c89b-ec82-43a4-89c1-91e2f1abeecc	powershell
297	defense-evasion	T1112	Modify Registry	1	Modify Registry of Current User Profile - cmd	1324796b-d0f6-455a-b4ae-21ffee6aa6b9	command_prompt
298	defense-evasion	T1112	Modify Registry	2	Modify Registry of Local Machine - cmd	282f929a-6bc5-42b8-bd93-960c3ba35afe	command_prompt
299	defense-evasion	T1112	Modify Registry	3	Modify registry to store logon credentials	c0413fb5-33e2-40b7-9b6f-60b29f4a7a18	command_prompt
300	defense-evasion	T1112	Modify Registry	4	Add domain to Trusted sites Zone	cf447677-5a4e-4937-a82c-e47d254afd57	powershell
301	defense-evasion	T1112	Modify Registry	5	Javascript in registry	15f44ea9-4571-4837-be9e-802431a7bfae	powershell
302	defense-evasion	T1112	Modify Registry	6	Change Powershell Execution Policy to Bypass	f3a6cceb-06c9-48e5-8df8-8867a6814245	powershell
303	defense-evasion	T1218.005	Mshta	1	Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject	1483fab9-4f52-4217-a9ce-daa9d7747cae	command_prompt
304	defense-evasion	T1218.005	Mshta	2	Mshta executes VBScript to execute malicious command	906865c3-e05f-4acc-85c4-fbc185455095	command_prompt
305	defense-evasion	T1218.005	Mshta	3	Mshta Executes Remote HTML Application (HTA)	c4b97eeb-5249-4455-a607-59f95485cb45	powershell
306	defense-evasion	T1218.005	Mshta	4	Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement	007e5672-2088-4853-a562-7490ddc19447	powershell
307	defense-evasion	T1218.005	Mshta	5	Invoke HTML Application - Jscript Engine Simulating Double Click	58a193ec-131b-404e-b1ca-b35cf0b18c33	powershell
308	defense-evasion	T1218.005	Mshta	6	Invoke HTML Application - Direct download from URI	39ceed55-f653-48ac-bd19-aceceaf525db	powershell
309	defense-evasion	T1218.005	Mshta	7	Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler	e7e3a525-7612-4d68-a5d3-c4649181b8af	powershell
310	defense-evasion	T1218.005	Mshta	8	Invoke HTML Application - JScript Engine with Inline Protocol Handler	d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840	powershell
311	defense-evasion	T1218.005	Mshta	9	Invoke HTML Application - Simulate Lateral Movement over UNC Path	b8a8bdb2-7eae-490d-8251-d5e0295b2362	powershell
312	defense-evasion	T1218.005	Mshta	10	Mshta used to Execute PowerShell	8707a805-2b76-4f32-b1c0-14e558205772	command_prompt
313	defense-evasion	T1218.007	Msiexec	1	Msiexec.exe - Execute Local MSI file	0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8	command_prompt
314	defense-evasion	T1218.007	Msiexec	2	Msiexec.exe - Execute Remote MSI file	bde7d2fe-d049-458d-a362-abda32a7e649	command_prompt
315	defense-evasion	T1218.007	Msiexec	3	Msiexec.exe - Execute Arbitrary DLL	66f64bd5-7c35-4c24-953a-04ca30a0a0ec	command_prompt
316	defense-evasion	T1564.004	NTFS File Attributes	1	Alternate Data Streams (ADS)	8822c3b0-d9f9-4daf-a043-49f4602364f4	command_prompt
317	defense-evasion	T1564.004	NTFS File Attributes	2	Store file in Alternate Data Stream (ADS)	2ab75061-f5d5-4c1a-b666-ba2a50df5b02	powershell
318	defense-evasion	T1564.004	NTFS File Attributes	3	Create ADS command prompt	17e7637a-ddaf-4a82-8622-377e20de8fdb	command_prompt
319	defense-evasion	T1564.004	NTFS File Attributes	4	Create ADS PowerShell	0045ea16-ed3c-4d4c-a9ee-15e44d1560d1	powershell
320	defense-evasion	T1070.005	Network Share Connection Removal	1	Add Network Share	14c38f32-6509-46d8-ab43-d53e32d2b131	command_prompt
321	defense-evasion	T1070.005	Network Share Connection Removal	2	Remove Network Share	09210ad5-1ef2-4077-9ad3-7351e13e9222	command_prompt
322	defense-evasion	T1070.005	Network Share Connection Removal	3	Remove Network Share PowerShell	0512d214-9512-4d22-bde7-f37e058259b3	powershell
323	defense-evasion	T1070.005	Network Share Connection Removal	4	Disable Administrative Share Creation at Startup	99c657aa-ebeb-4179-a665-69288fdd12b8	command_prompt
324	defense-evasion	T1070.005	Network Share Connection Removal	5	Remove Administrative Shares	4299eff5-90f1-4446-b2f3-7f4f5cfd5d62	command_prompt
325	defense-evasion	T1027	Obfuscated Files or Information	2	Execute base64-encoded PowerShell	a50d5a97-2531-499e-a1de-5544c74432c6	powershell
326	defense-evasion	T1027	Obfuscated Files or Information	3	Execute base64-encoded PowerShell from Windows Registry	450e7218-7915-4be4-8b9b-464a49eafcec	powershell
327	defense-evasion	T1027	Obfuscated Files or Information	4	Execution from Compressed File	f8c8a909-5f29-49ac-9244-413936ce6d1f	command_prompt
328	defense-evasion	T1027	Obfuscated Files or Information	5	DLP Evasion via Sensitive Data in VBA Macro over email	129edb75-d7b8-42cd-a8ba-1f3db64ec4ad	powershell
329	defense-evasion	T1027	Obfuscated Files or Information	6	DLP Evasion via Sensitive Data in VBA Macro over HTTP	e2d85e66-cb66-4ed7-93b1-833fc56c9319	powershell
330	defense-evasion	T1027	Obfuscated Files or Information	7	Obfuscated Command in PowerShell	8b3f4ed6-077b-4bdd-891c-2d237f19410f	powershell
331	defense-evasion	T1027	Obfuscated Files or Information	8	Obfuscated Command Line using special Unicode characters	e68b945c-52d0-4dd9-a5e8-d173d70c448f	manual
332	defense-evasion	T1218.008	Odbcconf	1	Odbcconf.exe - Execute Arbitrary DLL	2430498b-06c0-4b92-a448-8ad263c388e2	command_prompt
333	defense-evasion	T1134.004	Parent PID Spoofing	1	Parent PID Spoofing using PowerShell	069258f4-2162-46e9-9a25-c9c6c56150d2	powershell
334	defense-evasion	T1134.004	Parent PID Spoofing	2	Parent PID Spoofing - Spawn from Current Process	14920ebd-1d61-491a-85e0-fe98efe37f25	powershell
335	defense-evasion	T1134.004	Parent PID Spoofing	3	Parent PID Spoofing - Spawn from Specified Process	cbbff285-9051-444a-9d17-c07cd2d230eb	powershell
336	defense-evasion	T1134.004	Parent PID Spoofing	4	Parent PID Spoofing - Spawn from svchost.exe	e9f2b777-3123-430b-805d-5cedc66ab591	powershell
337	defense-evasion	T1134.004	Parent PID Spoofing	5	Parent PID Spoofing - Spawn from New Process	2988133e-561c-4e42-a15f-6281e6a9b2db	powershell
338	defense-evasion	T1550.002	Pass the Hash	1	Mimikatz Pass the Hash	ec23cef9-27d9-46e4-a68d-6f75f7b86908	command_prompt
339	defense-evasion	T1550.002	Pass the Hash	2	crackmapexec Pass the Hash	eb05b028-16c8-4ad8-adea-6f5b219da9a9	command_prompt
340	defense-evasion	T1550.003	Pass the Ticket	1	Mimikatz Kerberos Ticket Attack	dbf38128-7ba7-4776-bedf-cc2eed432098	command_prompt
341	defense-evasion	T1550.003	Pass the Ticket	2	Rubeus Kerberos Pass The Ticket	a2fc4ec5-12c6-4fb4-b661-961f23f359cb	powershell
342	defense-evasion	T1556.002	Password Filter DLL	1	Install and Register Password Filter DLL	a7961770-beb5-4134-9674-83d7e1fa865c	powershell
343	defense-evasion	T1574.009	Path Interception by Unquoted Path	1	Execution of program.exe as service with unquoted service path	2770dea7-c50f-457b-84c4-c40a47460d9f	command_prompt
344	defense-evasion	T1055.012	Process Hollowing	1	Process Hollowing using PowerShell	562427b4-39ef-4e8c-af88-463a78e70b9c	powershell
345	defense-evasion	T1055.012	Process Hollowing	2	RunPE via VBA	3ad4a037-1598-4136-837c-4027e4fa319b	powershell
346	defense-evasion	T1055	Process Injection	1	Shellcode execution via VBA	1c91e740-1729-4329-b779-feba6e71d048	powershell
347	defense-evasion	T1055	Process Injection	2	Remote Process Injection in LSASS via mimikatz	3203ad24-168e-4bec-be36-f79b13ef8a83	command_prompt
348	defense-evasion	T1216.001	PubPrn	1	PubPrn.vbs Signed Script Bypass	9dd29a1f-1e16-4862-be83-913b10a88f6c	command_prompt
349	defense-evasion	T1218.009	Regsvcs/Regasm	1	Regasm Uninstall Method Call Test	71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112	command_prompt
350	defense-evasion	T1218.009	Regsvcs/Regasm	2	Regsvcs Uninstall Method Call Test	fd3c1c6a-02d2-4b72-82d9-71c527abb126	powershell
351	defense-evasion	T1218.010	Regsvr32	1	Regsvr32 local COM scriptlet execution	449aa403-6aba-47ce-8a37-247d21ef0306	command_prompt
352	defense-evasion	T1218.010	Regsvr32	2	Regsvr32 remote COM scriptlet execution	c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36	command_prompt
353	defense-evasion	T1218.010	Regsvr32	3	Regsvr32 local DLL execution	08ffca73-9a3d-471a-aeb0-68b4aa3ab37b	command_prompt
354	defense-evasion	T1218.010	Regsvr32	4	Regsvr32 Registering Non DLL	1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421	command_prompt
355	defense-evasion	T1218.010	Regsvr32	5	Regsvr32 Silent DLL Install Call DllRegisterServer	9d71c492-ea2e-4c08-af16-c6994cdf029f	command_prompt
356	defense-evasion	T1036.003	Rename System Utilities	1	Masquerading as Windows LSASS process	5ba5a3d1-cf3c-4499-968a-a93155d1f717	command_prompt
357	defense-evasion	T1036.003	Rename System Utilities	3	Masquerading - cscript.exe running as notepad.exe	3a2a578b-0a01-46e4-92e3-62e2859b42f0	command_prompt
358	defense-evasion	T1036.003	Rename System Utilities	4	Masquerading - wscript.exe running as svchost.exe	24136435-c91a-4ede-9da1-8b284a1c1a23	command_prompt
359	defense-evasion	T1036.003	Rename System Utilities	5	Masquerading - powershell.exe running as taskhostw.exe	ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa	command_prompt
360	defense-evasion	T1036.003	Rename System Utilities	6	Masquerading - non-windows exe running as windows exe	bc15c13f-d121-4b1f-8c7d-28d95854d086	powershell
361	defense-evasion	T1036.003	Rename System Utilities	7	Masquerading - windows exe running as different windows exe	c3d24a39-2bfe-4c6a-b064-90cd73896cb0	powershell
362	defense-evasion	T1036.003	Rename System Utilities	8	Malicious process Masquerading as LSM.exe	83810c46-f45e-4485-9ab6-8ed0e9e6ed7f	command_prompt
363	defense-evasion	T1036.003	Rename System Utilities	9	File Extension Masquerading	c7fa0c3b-b57f-4cba-9118-863bf4e653fc	command_prompt
364	defense-evasion	T1207	Rogue Domain Controller	1	DCShadow (Active Directory)	0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6	powershell
365	defense-evasion	T1218.011	Rundll32	1	Rundll32 execute JavaScript Remote Payload With GetObject	cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be	command_prompt
366	defense-evasion	T1218.011	Rundll32	2	Rundll32 execute VBscript command	638730e7-7aed-43dc-bf8c-8117f805f5bb	command_prompt
367	defense-evasion	T1218.011	Rundll32	3	Rundll32 advpack.dll Execution	d91cae26-7fc1-457b-a854-34c8aad48c89	command_prompt
368	defense-evasion	T1218.011	Rundll32	4	Rundll32 ieadvpack.dll Execution	5e46a58e-cbf6-45ef-a289-ed7754603df9	command_prompt
369	defense-evasion	T1218.011	Rundll32	5	Rundll32 syssetup.dll Execution	41fa324a-3946-401e-bbdd-d7991c628125	command_prompt
370	defense-evasion	T1218.011	Rundll32	6	Rundll32 setupapi.dll Execution	71d771cd-d6b3-4f34-bc76-a63d47a10b19	command_prompt
371	defense-evasion	T1218.011	Rundll32	7	Execution of HTA and VBS Files using Rundll32 and URL.dll	22cfde89-befe-4e15-9753-47306b37a6e3	command_prompt
372	defense-evasion	T1218.011	Rundll32	8	Launches an executable using Rundll32 and pcwutl.dll	9f5d081a-ee5a-42f9-a04e-b7bdc487e676	command_prompt
373	defense-evasion	T1218.011	Rundll32	9	Execution of non-dll using rundll32.exe	ae3a8605-b26e-457c-b6b3-2702fd335bac	powershell
374	defense-evasion	T1574.011	Services Registry Permissions Weakness	1	Service Registry Permissions Weakness	f7536d63-7fd4-466f-89da-7e48d550752a	powershell
375	defense-evasion	T1574.011	Services Registry Permissions Weakness	2	Service ImagePath Change with reg.exe	f38e9eea-e1d7-4ba6-b716-584791963827	command_prompt
376	defense-evasion	T1218	Signed Binary Proxy Execution	1	mavinject - Inject DLL into running process	c426dacf-575d-4937-8611-a148a86a5e61	command_prompt
377	defense-evasion	T1218	Signed Binary Proxy Execution	2	SyncAppvPublishingServer - Execute arbitrary PowerShell code	d590097e-d402-44e2-ad72-2c6aa1ce78b1	command_prompt
378	defense-evasion	T1218	Signed Binary Proxy Execution	3	Register-CimProvider - Execute evil dll	ad2c17ed-f626-4061-b21e-b9804a6f3655	command_prompt
379	defense-evasion	T1218	Signed Binary Proxy Execution	4	InfDefaultInstall.exe .inf Execution	54ad7d5a-a1b5-472c-b6c4-f8090fb2daef	command_prompt
380	defense-evasion	T1218	Signed Binary Proxy Execution	5	ProtocolHandler.exe Downloaded a Suspicious File	db020456-125b-4c8b-a4a7-487df8afb5a2	command_prompt
381	defense-evasion	T1218	Signed Binary Proxy Execution	6	Microsoft.Workflow.Compiler.exe Payload Execution	7cbb0f26-a4c1-4f77-b180-a009aa05637e	powershell
382	defense-evasion	T1218	Signed Binary Proxy Execution	7	Renamed Microsoft.Workflow.Compiler.exe Payload Executions	4cc40fd7-87b8-4b16-b2d7-57534b86b911	powershell
383	defense-evasion	T1218	Signed Binary Proxy Execution	8	Invoke-ATHRemoteFXvGPUDisablementCommand base test	9ebe7901-7edf-45c0-b5c7-8366300919db	powershell
384	defense-evasion	T1216	Signed Script Proxy Execution	1	SyncAppvPublishingServer Signed Script PowerShell Command Execution	275d963d-3f36-476c-8bef-a2a3960ee6eb	command_prompt
385	defense-evasion	T1216	Signed Script Proxy Execution	2	manage-bde.wsf Signed Script Command Execution	2a8f2d3c-3dec-4262-99dd-150cb2a4d63a	command_prompt
386	defense-evasion	T1497.001	System Checks	2	Detect Virtualization Environment (Windows)	502a7dc4-9d6f-4d28-abf2-f0e84692562d	powershell
387	defense-evasion	T1497.001	System Checks	4	Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)	4a41089a-48e0-47aa-82cb-5b81a463bc78	powershell
388	defense-evasion	T1221	Template Injection	1	WINWORD Remote Template Injection	1489e08a-82c7-44ee-b769-51b72d03521d	command_prompt
389	defense-evasion	T1070.006	Timestomp	5	Windows - Modify file creation timestamp with PowerShell	b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c	powershell
390	defense-evasion	T1070.006	Timestomp	6	Windows - Modify file last modified timestamp with PowerShell	f8f6634d-93e1-4238-8510-f8a90a20dcf2	powershell
391	defense-evasion	T1070.006	Timestomp	7	Windows - Modify file last access timestamp with PowerShell	da627f63-b9bd-4431-b6f8-c5b44d061a62	powershell
392	defense-evasion	T1070.006	Timestomp	8	Windows - Timestomp a File	d7512c33-3a75-4806-9893-69abc3ccdd43	powershell
393	defense-evasion	T1134.001	Token Impersonation/Theft	1	Named pipe client impersonation	90db9e27-8e7c-4c04-b602-a45927884966	powershell
394	defense-evasion	T1134.001	Token Impersonation/Theft	2	`SeDebugPrivilege` token duplication	34f0a430-9d04-4d98-bcb5-1989f14719f0	powershell
395	defense-evasion	T1222.001	Windows File and Directory Permissions Modification	1	Take ownership using takeown utility	98d34bb4-6e75-42ad-9c41-1dae7dc6a001	command_prompt
396	defense-evasion	T1222.001	Windows File and Directory Permissions Modification	2	cacls - Grant permission to specified user or group recursively	a8206bcc-f282-40a9-a389-05d9c0263485	command_prompt
397	defense-evasion	T1222.001	Windows File and Directory Permissions Modification	3	attrib - Remove read-only attribute	bec1e95c-83aa-492e-ab77-60c71bbd21b0	command_prompt
398	defense-evasion	T1222.001	Windows File and Directory Permissions Modification	4	attrib - hide file	32b979da-7b68-42c9-9a99-0e39900fc36c	command_prompt
399	defense-evasion	T1222.001	Windows File and Directory Permissions Modification	5	Grant Full Access to folder for Everyone - Ryuk Ransomware Style	ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6	command_prompt
400	defense-evasion	T1220	XSL Script Processing	1	MSXSL Bypass using local files	ca23bfb2-023f-49c5-8802-e66997de462d	command_prompt
401	defense-evasion	T1220	XSL Script Processing	2	MSXSL Bypass using remote files	a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985	command_prompt
402	defense-evasion	T1220	XSL Script Processing	3	WMIC bypass using local XSL file	1b237334-3e21-4a0c-8178-b8c996124988	command_prompt
403	defense-evasion	T1220	XSL Script Processing	4	WMIC bypass using remote XSL file	7f5be499-33be-4129-a560-66021f379b9b	command_prompt
404	persistence	T1546.008	Accessibility Features	1	Attaches Command Prompt as a Debugger to a List of Target Processes	3309f53e-b22b-4eb6-8fd2-a6cf58b355a9	powershell
405	persistence	T1546.008	Accessibility Features	2	Replace binary of sticky keys	934e90cf-29ca-48b3-863c-411737ad44e3	command_prompt
406	persistence	T1098	Account Manipulation	1	Admin Account Manipulate	5598f7cb-cf43-455e-883a-f6008c5d46af	powershell
407	persistence	T1098	Account Manipulation	2	Domain Account and Group Manipulate	a55a22e9-a3d3-42ce-bd48-2653adb8f7a9	powershell
408	persistence	T1137.006	Add-ins	1	Code Executed Via Excel Add-in File (Xll)	441b1a0f-a771-428a-8af0-e99e4698cda3	powershell
409	persistence	T1546.010	AppInit DLLs	1	Install AppInit Shim	a58d9386-3080-4242-ab5f-454c16503d18	command_prompt
410	persistence	T1546.011	Application Shimming	1	Application Shim Installation	9ab27e22-ee62-4211-962b-d36d9a0e6a18	command_prompt
411	persistence	T1546.011	Application Shimming	2	New shim database files created in the default shim database directory	aefd6866-d753-431f-a7a4-215ca7e3f13d	powershell
412	persistence	T1546.011	Application Shimming	3	Registry key creation and/or modification events for SDB	9b6a06f9-ab5e-4e8d-8289-1df4289db02f	powershell
413	persistence	T1053.002	At (Windows)	1	At.exe Scheduled task	4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8	command_prompt
414	persistence	T1547.002	Authentication Package	1	Authentication Package	be2590e8-4ac3-47ac-b4b5-945820f2fbe9	powershell
415	persistence	T1197	BITS Jobs	1	Bitsadmin Download (cmd)	3c73d728-75fb-4180-a12f-6712864d7421	command_prompt
416	persistence	T1197	BITS Jobs	2	Bitsadmin Download (PowerShell)	f63b8bc4-07e5-4112-acba-56f646f3f0bc	powershell
417	persistence	T1197	BITS Jobs	3	Persist, Download, & Execute	62a06ec5-5754-47d2-bcfc-123d8314c6ae	command_prompt
418	persistence	T1197	BITS Jobs	4	Bits download using desktopimgdownldr.exe (cmd)	afb5e09e-e385-4dee-9a94-6ee60979d114	command_prompt
419	persistence	T1176	Browser Extensions	1	Chrome (Developer Mode)	3ecd790d-2617-4abf-9a8c-4e8d47da9ee1	manual
420	persistence	T1176	Browser Extensions	2	Chrome (Chrome Web Store)	4c83940d-8ca5-4bb2-8100-f46dc914bc3f	manual
421	persistence	T1176	Browser Extensions	3	Firefox	cb790029-17e6-4c43-b96f-002ce5f10938	manual
422	persistence	T1176	Browser Extensions	4	Edge Chromium Addon - VPN	3d456e2b-a7db-4af8-b5b3-720e7c4d9da5	manual
423	persistence	T1574.012	COR_PROFILER	1	User scope COR_PROFILER	9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a	powershell
424	persistence	T1574.012	COR_PROFILER	2	System Scope COR_PROFILER	f373b482-48c8-4ce4-85ed-d40c8b3f7310	powershell
425	persistence	T1574.012	COR_PROFILER	3	Registry-free process scope COR_PROFILER	79d57242-bbef-41db-b301-9d01d9f6e817	powershell
426	persistence	T1546.001	Change Default File Association	1	Change Default File Association	10a08978-2045-4d62-8c42-1957bbbea102	command_prompt
427	persistence	T1546.015	Component Object Model Hijacking	1	COM Hijacking - InprocServer32	48117158-d7be-441b-bc6a-d9e36e47b52b	powershell
428	persistence	T1574.001	DLL Search Order Hijacking	1	DLL Search Order Hijacking - amsi.dll	8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3	command_prompt
429	persistence	T1574.002	DLL Side-Loading	1	DLL Side-Loading using the Notepad++ GUP.exe binary	65526037-7079-44a9-bda1-2cb624838040	command_prompt
430	persistence	T1078.001	Default Accounts	1	Enable Guest account with RDP capability and admin privileges	99747561-ed8d-47f2-9c91-1e5fde1ed6e0	command_prompt
431	persistence	T1078.001	Default Accounts	2	Activate Guest Account	aa6cb8c4-b582-4f8e-b677-37733914abda	command_prompt
432	persistence	T1136.002	Domain Account	1	Create a new Windows domain admin user	fcec2963-9951-4173-9bfa-98d8b7834e62	command_prompt
433	persistence	T1136.002	Domain Account	2	Create a new account similar to ANONYMOUS LOGON	dc7726d2-8ccb-4cc6-af22-0d5afb53a548	command_prompt
434	persistence	T1136.002	Domain Account	3	Create a new Domain Account using PowerShell	5a3497a4-1568-4663-b12a-d4a5ed70c7d7	powershell
435	persistence	T1133	External Remote Services	1	Running Chrome VPN Extensions via the Registry 2 vpn extension	4c8db261-a58b-42a6-a866-0a294deedde4	powershell
436	persistence	T1546.012	Image File Execution Options Injection	1	IFEO Add Debugger	fdda2626-5234-4c90-b163-60849a24c0b8	command_prompt
437	persistence	T1546.012	Image File Execution Options Injection	2	IFEO Global Flags	46b1f278-c8ee-4aa5-acce-65e77b11f3c1	command_prompt
438	persistence	T1136.001	Local Account	3	Create a new user in a command prompt	6657864e-0323-4206-9344-ac9cd7265a4f	command_prompt
439	persistence	T1136.001	Local Account	4	Create a new user in PowerShell	bc8be0ac-475c-4fbf-9b1d-9fffd77afbde	powershell
440	persistence	T1136.001	Local Account	6	Create a new Windows admin user	fda74566-a604-4581-a4cc-fbbe21d66559	command_prompt
441	persistence	T1078.003	Local Accounts	1	Create local account with admin privileges	a524ce99-86de-4db6-b4f9-e08f35a47a15	command_prompt
442	persistence	T1037.001	Logon Script (Windows)	1	Logon Scripts	d6042746-07d4-4c92-9ad8-e644c114a231	command_prompt
443	persistence	T1546.007	Netsh Helper DLL	1	Netsh Helper DLL Registration	3244697d-5a3a-4dfc-941c-550f69f91a4d	command_prompt
444	persistence	T1137	Office Application Startup	1	Office Application Startup - Outlook as a C2	bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c	command_prompt
445	persistence	T1137.002	Office Test	1	Office Application Startup Test Persistence	c3e35b58-fe1c-480b-b540-7600fb612563	command_prompt
446	persistence	T1137.004	Outlook Home Page	1	Install Outlook Home Page Persistence	7a91ad51-e6d2-4d43-9471-f26362f5738e	command_prompt
447	persistence	T1556.002	Password Filter DLL	1	Install and Register Password Filter DLL	a7961770-beb5-4134-9674-83d7e1fa865c	powershell
448	persistence	T1574.009	Path Interception by Unquoted Path	1	Execution of program.exe as service with unquoted service path	2770dea7-c50f-457b-84c4-c40a47460d9f	command_prompt
449	persistence	T1547.010	Port Monitors	1	Add Port Monitor persistence in Registry	d34ef297-f178-4462-871e-9ce618d44e50	command_prompt
450	persistence	T1546.013	PowerShell Profile	1	Append malicious start-process cmdlet	090e5aa5-32b6-473b-a49b-21e843a56896	powershell
451	persistence	T1547.001	Registry Run Keys / Startup Folder	1	Reg Key Run	e55be3fd-3521-4610-9d1a-e210e42dcf05	command_prompt
452	persistence	T1547.001	Registry Run Keys / Startup Folder	2	Reg Key RunOnce	554cbd88-cde1-4b56-8168-0be552eed9eb	command_prompt
453	persistence	T1547.001	Registry Run Keys / Startup Folder	3	PowerShell Registry RunOnce	eb44f842-0457-4ddc-9b92-c4caa144ac42	powershell
454	persistence	T1547.001	Registry Run Keys / Startup Folder	4	Suspicious vbs file run from startup Folder	2cb98256-625e-4da9-9d44-f2e5f90b8bd5	powershell
455	persistence	T1547.001	Registry Run Keys / Startup Folder	5	Suspicious jse file run from startup Folder	dade9447-791e-4c8f-b04b-3a35855dfa06	powershell
456	persistence	T1547.001	Registry Run Keys / Startup Folder	6	Suspicious bat file run from startup Folder	5b6768e4-44d2-44f0-89da-a01d1430fd5e	powershell
457	persistence	T1547.001	Registry Run Keys / Startup Folder	7	Add Executable Shortcut Link to User Startup Folder	24e55612-85f6-4bd6-ae74-a73d02e3441d	powershell
458	persistence	T1053.005	Scheduled Task	1	Scheduled Task Startup Script	fec27f65-db86-4c2d-b66c-61945aee87c2	command_prompt
459	persistence	T1053.005	Scheduled Task	2	Scheduled task Local	42f53695-ad4a-4546-abb6-7d837f644a71	command_prompt
460	persistence	T1053.005	Scheduled Task	3	Scheduled task Remote	2e5eac3e-327b-4a88-a0c0-c4057039a8dd	command_prompt
461	persistence	T1053.005	Scheduled Task	4	Powershell Cmdlet Scheduled Task	af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd	powershell
462	persistence	T1053.005	Scheduled Task	5	Task Scheduler via VBA	ecd3fa21-7792-41a2-8726-2c5c673414d3	powershell
463	persistence	T1053.005	Scheduled Task	6	WMI Invoke-CimMethod Scheduled Task	e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b	powershell
464	persistence	T1546.002	Screensaver	1	Set Arbitrary Binary as Screensaver	281201e7-de41-4dc9-b73d-f288938cbb64	command_prompt
465	persistence	T1547.005	Security Support Provider	1	Modify SSP configuration in registry	afdfd7e3-8a0b-409f-85f7-886fdf249c9e	powershell
466	persistence	T1574.011	Services Registry Permissions Weakness	1	Service Registry Permissions Weakness	f7536d63-7fd4-466f-89da-7e48d550752a	powershell
467	persistence	T1574.011	Services Registry Permissions Weakness	2	Service ImagePath Change with reg.exe	f38e9eea-e1d7-4ba6-b716-584791963827	command_prompt
468	persistence	T1547.009	Shortcut Modification	1	Shortcut Modification	ce4fc678-364f-4282-af16-2fb4c78005ce	command_prompt
469	persistence	T1547.009	Shortcut Modification	2	Create shortcut to cmd in startup folders	cfdc954d-4bb0-4027-875b-a1893ce406f2	powershell
470	persistence	T1505.002	Transport Agent	1	Install MS Exchange Transport Agent Persistence	43e92449-ff60-46e9-83a3-1a38089df94d	powershell
471	persistence	T1505.003	Web Shell	1	Web Shell Written to Disk	0a2ce662-1efa-496f-a472-2fe7b080db16	command_prompt
472	persistence	T1546.003	Windows Management Instrumentation Event Subscription	1	Persistence via WMI Event Subscription	3c64f177-28e2-49eb-a799-d767b24dd1e0	powershell
473	persistence	T1543.003	Windows Service	1	Modify Fax service to run PowerShell	ed366cde-7d12-49df-a833-671904770b9f	command_prompt
474	persistence	T1543.003	Windows Service	2	Service Installation CMD	981e2942-e433-44e9-afc1-8c957a1496b6	command_prompt
475	persistence	T1543.003	Windows Service	3	Service Installation PowerShell	491a4af6-a521-4b74-b23b-f7b3f1ee9e77	powershell
476	persistence	T1543.003	Windows Service	4	TinyTurla backdoor service w64time	ef0581fd-528e-4662-87bc-4c2affb86940	command_prompt
477	persistence	T1547.004	Winlogon Helper DLL	1	Winlogon Shell Key Persistence - PowerShell	bf9f9d65-ee4d-4c3e-a843-777d04f19c38	powershell
478	persistence	T1547.004	Winlogon Helper DLL	2	Winlogon Userinit Key Persistence - PowerShell	fb32c935-ee2e-454b-8fa3-1c46b42e8dfb	powershell
479	persistence	T1547.004	Winlogon Helper DLL	3	Winlogon Notify Key Logon Persistence - PowerShell	d40da266-e073-4e5a-bb8b-2b385023e5f9	powershell
480	impact	T1531	Account Access Removal	1	Change User Password - Windows	1b99ef28-f83c-4ec5-8a08-1a56263a5bb2	command_prompt
481	impact	T1531	Account Access Removal	2	Delete User - Windows	f21a1d7d-a62f-442a-8c3a-2440d43b19e5	command_prompt
482	impact	T1531	Account Access Removal	3	Remove Account From Domain Admin Group	43f71395-6c37-498e-ab17-897d814a0947	powershell
483	impact	T1485	Data Destruction	1	Windows - Overwrite file with Sysinternals SDelete	476419b5-aebf-4366-a131-ae3e8dae5fc2	powershell
484	impact	T1485	Data Destruction	3	Overwrite deleted data on C drive	321fd25e-0007-417f-adec-33232252be19	command_prompt
485	impact	T1486	Data Encrypted for Impact	5	PureLocker Ransom Note	649349c7-9abf-493b-a7a2-b1aa4d141528	command_prompt
486	impact	T1490	Inhibit System Recovery	1	Windows - Delete Volume Shadow Copies	43819286-91a9-4369-90ed-d31fb4da2c01	command_prompt
487	impact	T1490	Inhibit System Recovery	2	Windows - Delete Volume Shadow Copies via WMI	6a3ff8dd-f49c-4272-a658-11c2fe58bd88	command_prompt
488	impact	T1490	Inhibit System Recovery	3	Windows - wbadmin Delete Windows Backup Catalog	263ba6cb-ea2b-41c9-9d4e-b652dadd002c	command_prompt
489	impact	T1490	Inhibit System Recovery	4	Windows - Disable Windows Recovery Console Repair	cf21060a-80b3-4238-a595-22525de4ab81	command_prompt
490	impact	T1490	Inhibit System Recovery	5	Windows - Delete Volume Shadow Copies via WMI with PowerShell	39a295ca-7059-4a88-86f6-09556c1211e7	powershell
491	impact	T1490	Inhibit System Recovery	6	Windows - Delete Backup Files	6b1dbaf6-cc8a-4ea6-891f-6058569653bf	command_prompt
492	impact	T1490	Inhibit System Recovery	7	Windows - wbadmin Delete systemstatebackup	584331dd-75bc-4c02-9e0b-17f5fd81c748	command_prompt
493	impact	T1490	Inhibit System Recovery	8	Windows - Disable the SR scheduled task	1c68c68d-83a4-4981-974e-8993055fa034	command_prompt
494	impact	T1491.001	Internal Defacement	1	Replace Desktop Wallpaper	30558d53-9d76-41c4-9267-a7bd5184bed3	powershell
495	impact	T1489	Service Stop	1	Windows - Stop service using Service Controller	21dfb440-830d-4c86-a3e5-2a491d5a8d04	command_prompt
496	impact	T1489	Service Stop	2	Windows - Stop service using net.exe	41274289-ec9c-4213-bea4-e43c4aa57954	command_prompt
497	impact	T1489	Service Stop	3	Windows - Stop service by killing process	f3191b84-c38b-400b-867e-3a217a27795f	command_prompt
498	impact	T1529	System Shutdown/Reboot	1	Shutdown System - Windows	ad254fa8-45c0-403b-8c77-e00b3d3e7a64	command_prompt
499	impact	T1529	System Shutdown/Reboot	2	Restart System - Windows	f4648f0d-bf78-483c-bafc-3ec99cd1c302	command_prompt
500	discovery	T1010	Application Window Discovery	1	List Process Main Windows - C# .NET	fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4	command_prompt
501	discovery	T1217	Browser Bookmark Discovery	4	List Google Chrome / Opera Bookmarks on Windows with powershell	faab755e-4299-48ec-8202-fc7885eb6545	powershell
502	discovery	T1217	Browser Bookmark Discovery	5	List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt	76f71e2f-480e-4bed-b61e-398fe17499d5	command_prompt
503	discovery	T1217	Browser Bookmark Discovery	6	List Mozilla Firefox bookmarks on Windows with command prompt	4312cdbc-79fc-4a9c-becc-53d49c734bc5	command_prompt
504	discovery	T1217	Browser Bookmark Discovery	7	List Internet Explorer Bookmarks using the command prompt	727dbcdb-e495-4ab1-a6c4-80c7f77aef85	command_prompt
505	discovery	T1087.002	Domain Account	1	Enumerate all accounts (Domain)	6fbc9e68-5ad7-444a-bd11-8bf3136c477e	command_prompt
506	discovery	T1087.002	Domain Account	2	Enumerate all accounts via PowerShell (Domain)	8b8a6449-be98-4f42-afd2-dedddc7453b2	powershell
507	discovery	T1087.002	Domain Account	3	Enumerate logged on users via CMD (Domain)	161dcd85-d014-4f5e-900c-d3eaae82a0f7	command_prompt
508	discovery	T1087.002	Domain Account	4	Automated AD Recon (ADRecon)	95018438-454a-468c-a0fa-59c800149b59	powershell
509	discovery	T1087.002	Domain Account	5	Adfind -Listing password policy	736b4f53-f400-4c22-855d-1a6b5a551600	command_prompt
510	discovery	T1087.002	Domain Account	6	Adfind - Enumerate Active Directory Admins	b95fd967-4e62-4109-b48d-265edfd28c3a	command_prompt
511	discovery	T1087.002	Domain Account	7	Adfind - Enumerate Active Directory User Objects	e1ec8d20-509a-4b9a-b820-06c9b2da8eb7	command_prompt
512	discovery	T1087.002	Domain Account	8	Adfind - Enumerate Active Directory Exchange AD Objects	5e2938fb-f919-47b6-8b29-2f6a1f718e99	command_prompt
513	discovery	T1087.002	Domain Account	9	Enumerate Default Domain Admin Details (Domain)	c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef	command_prompt
514	discovery	T1087.002	Domain Account	10	Enumerate Active Directory for Unconstrained Delegation	46f8dbe9-22a5-4770-8513-66119c5be63b	powershell
515	discovery	T1069.002	Domain Groups	1	Basic Permission Groups Discovery Windows (Domain)	dd66d77d-8998-48c0-8024-df263dc2ce5d	command_prompt
516	discovery	T1069.002	Domain Groups	2	Permission Groups Discovery PowerShell (Domain)	6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7	powershell
517	discovery	T1069.002	Domain Groups	3	Elevated group enumeration using net group (Domain)	0afb5163-8181-432e-9405-4322710c0c37	command_prompt
518	discovery	T1069.002	Domain Groups	4	Find machines where user has local admin access (PowerView)	a2d71eee-a353-4232-9f86-54f4288dd8c1	powershell
519	discovery	T1069.002	Domain Groups	5	Find local admins on all machines in domain (PowerView)	a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd	powershell
520	discovery	T1069.002	Domain Groups	6	Find Local Admins via Group Policy (PowerView)	64fdb43b-5259-467a-b000-1b02c00e510a	powershell
521	discovery	T1069.002	Domain Groups	7	Enumerate Users Not Requiring Pre Auth (ASRepRoast)	870ba71e-6858-4f6d-895c-bb6237f6121b	powershell
522	discovery	T1069.002	Domain Groups	8	Adfind - Query Active Directory Groups	48ddc687-82af-40b7-8472-ff1e742e8274	command_prompt
523	discovery	T1482	Domain Trust Discovery	1	Windows - Discover domain trusts with dsquery	4700a710-c821-4e17-a3ec-9e4c81d6845f	command_prompt
524	discovery	T1482	Domain Trust Discovery	2	Windows - Discover domain trusts with nltest	2e22641d-0498-48d2-b9ff-c71e496ccdbe	command_prompt
525	discovery	T1482	Domain Trust Discovery	3	Powershell enumerate domains and forests	c58fbc62-8a62-489e-8f2d-3565d7d96f30	powershell
526	discovery	T1482	Domain Trust Discovery	4	Adfind - Enumerate Active Directory OUs	d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec	command_prompt
527	discovery	T1482	Domain Trust Discovery	5	Adfind - Enumerate Active Directory Trusts	15fe436d-e771-4ff3-b655-2dca9ba52834	command_prompt
528	discovery	T1482	Domain Trust Discovery	6	Get-DomainTrust with PowerView	f974894c-5991-4b19-aaf5-7cc2fe298c5d	powershell
529	discovery	T1482	Domain Trust Discovery	7	Get-ForestTrust with PowerView	58ed10e8-0738-4651-8408-3a3e9a526279	powershell
530	discovery	T1083	File and Directory Discovery	1	File and Directory Discovery (cmd.exe)	0e36303b-6762-4500-b003-127743b80ba6	command_prompt
531	discovery	T1083	File and Directory Discovery	2	File and Directory Discovery (PowerShell)	2158908e-b7ef-4c21-8a83-3ce4dd05a924	powershell
532	discovery	T1087.001	Local Account	8	Enumerate all accounts on Windows (Local)	80887bec-5a9b-4efc-a81d-f83eb2eb32ab	command_prompt
533	discovery	T1087.001	Local Account	9	Enumerate all accounts via PowerShell (Local)	ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b	powershell
534	discovery	T1087.001	Local Account	10	Enumerate logged on users via CMD (Local)	a138085e-bfe5-46ba-a242-74a6fb884af3	command_prompt
535	discovery	T1069.001	Local Groups	2	Basic Permission Groups Discovery Windows (Local)	1f454dd6-e134-44df-bebb-67de70fb6cd8	command_prompt
536	discovery	T1069.001	Local Groups	3	Permission Groups Discovery PowerShell (Local)	a580462d-2c19-4bc7-8b9a-57a41b7d3ba4	powershell
537	discovery	T1069.001	Local Groups	4	SharpHound3 - LocalAdmin	e03ada14-0980-4107-aff1-7783b2b59bb1	powershell
538	discovery	T1069.001	Local Groups	5	Wmic Group Discovery	7413be50-be8e-430f-ad4d-07bf197884b2	powershell
539	discovery	T1069.001	Local Groups	6	WMIObject Group Discovery	69119e58-96db-4110-ad27-954e48f3bb13	powershell
540	discovery	T1046	Network Service Scanning	3	Port Scan NMap for Windows	d696a3cb-d7a8-4976-8eb5-5af4abf2e3df	powershell
541	discovery	T1046	Network Service Scanning	4	Port Scan using python	6ca45b04-9f15-4424-b9d3-84a217285a5c	powershell
542	discovery	T1135	Network Share Discovery	3	Network Share Discovery command prompt	20f1097d-81c1-405c-8380-32174d493bbb	command_prompt
543	discovery	T1135	Network Share Discovery	4	Network Share Discovery PowerShell	1b0814d1-bb24-402d-9615-1b20c50733fb	powershell
544	discovery	T1135	Network Share Discovery	5	View available share drives	ab39a04f-0c93-4540-9ff2-83f862c385ae	command_prompt
545	discovery	T1135	Network Share Discovery	6	Share Discovery with PowerView	b1636f0a-ba82-435c-b699-0d78794d8bfd	powershell
546	discovery	T1135	Network Share Discovery	7	PowerView ShareFinder	d07e4cc1-98ae-447e-9d31-36cb430d28c4	powershell
547	discovery	T1040	Network Sniffing	3	Packet Capture Windows Command Prompt	a5b2f6a0-24b4-493e-9590-c699f75723ca	command_prompt
548	discovery	T1040	Network Sniffing	4	Windows Internal Packet Capture	b5656f67-d67f-4de8-8e62-b5581630f528	command_prompt
549	discovery	T1201	Password Policy Discovery	5	Examine local password policy - Windows	4588d243-f24e-4549-b2e3-e627acc089f6	command_prompt
550	discovery	T1201	Password Policy Discovery	6	Examine domain password policy - Windows	46c2c362-2679-4ef5-aec9-0e958e135be4	command_prompt
551	discovery	T1120	Peripheral Device Discovery	1	Win32_PnPEntity Hardware Inventory	2cb4dbf2-2dca-4597-8678-4d39d207a3a5	powershell
552	discovery	T1057	Process Discovery	2	Process Discovery - tasklist	c5806a4f-62b8-4900-980b-c7ec004e9908	command_prompt
553	discovery	T1012	Query Registry	1	Query Registry	8f7578c4-9863-4d83-875c-a565573bbdf0	command_prompt
554	discovery	T1018	Remote System Discovery	1	Remote System Discovery - net	85321a9c-897f-4a60-9f20-29788e50bccd	command_prompt
555	discovery	T1018	Remote System Discovery	2	Remote System Discovery - net group Domain Computers	f1bf6c8f-9016-4edf-aff9-80b65f5d711f	command_prompt
556	discovery	T1018	Remote System Discovery	3	Remote System Discovery - nltest	52ab5108-3f6f-42fb-8ba3-73bc054f22c8	command_prompt
557	discovery	T1018	Remote System Discovery	4	Remote System Discovery - ping sweep	6db1f57f-d1d5-4223-8a66-55c9c65a9592	command_prompt
558	discovery	T1018	Remote System Discovery	5	Remote System Discovery - arp	2d5a61f5-0447-4be4-944a-1f8530ed6574	command_prompt
559	discovery	T1018	Remote System Discovery	8	Remote System Discovery - nslookup	baa01aaa-5e13-45ec-8a0d-e46c93c9760f	powershell
560	discovery	T1018	Remote System Discovery	9	Remote System Discovery - adidnsdump	95e19466-469e-4316-86d2-1dc401b5a959	command_prompt
561	discovery	T1018	Remote System Discovery	10	Adfind - Enumerate Active Directory Computer Objects	a889f5be-2d54-4050-bd05-884578748bb4	command_prompt
562	discovery	T1018	Remote System Discovery	11	Adfind - Enumerate Active Directory Domain Controller Objects	5838c31e-a0e2-4b9f-b60a-d79d2cb7995e	command_prompt
563	discovery	T1518.001	Security Software Discovery	1	Security Software Discovery	f92a380f-ced9-491f-b338-95a991418ce2	command_prompt
564	discovery	T1518.001	Security Software Discovery	2	Security Software Discovery - powershell	7f566051-f033-49fb-89de-b6bacab730f0	powershell
565	discovery	T1518.001	Security Software Discovery	5	Security Software Discovery - Sysmon Service	fe613cf3-8009-4446-9a0f-bc78a15b66c9	command_prompt
566	discovery	T1518.001	Security Software Discovery	6	Security Software Discovery - AV Discovery via WMI	1553252f-14ea-4d3b-8a08-d7a4211aa945	command_prompt
567	discovery	T1518	Software Discovery	1	Find and Display Internet Explorer Browser Version	68981660-6670-47ee-a5fa-7e74806420a4	command_prompt
568	discovery	T1518	Software Discovery	2	Applications Installed	c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b	powershell
569	discovery	T1497.001	System Checks	2	Detect Virtualization Environment (Windows)	502a7dc4-9d6f-4d28-abf2-f0e84692562d	powershell
570	discovery	T1497.001	System Checks	4	Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)	4a41089a-48e0-47aa-82cb-5b81a463bc78	powershell
571	discovery	T1082	System Information Discovery	1	System Information Discovery	66703791-c902-4560-8770-42b8a91f7667	command_prompt
572	discovery	T1082	System Information Discovery	6	Hostname Discovery (Windows)	85cfbf23-4a1e-4342-8792-007e004b975f	command_prompt
573	discovery	T1082	System Information Discovery	8	Windows MachineGUID Discovery	224b4daf-db44-404e-b6b2-f4d1f0126ef8	command_prompt
574	discovery	T1082	System Information Discovery	9	Griffon Recon	69bd4abe-8759-49a6-8d21-0f15822d6370	powershell
575	discovery	T1082	System Information Discovery	10	Environment variables discovery on windows	f400d1c0-1804-4ff8-b069-ef5ddd2adbf3	command_prompt
576	discovery	T1016	System Network Configuration Discovery	1	System Network Configuration Discovery on Windows	970ab6a1-0157-4f3f-9a73-ec4166754b23	command_prompt
577	discovery	T1016	System Network Configuration Discovery	2	List Windows Firewall Rules	038263cb-00f4-4b0a-98ae-0696c67e1752	command_prompt
578	discovery	T1016	System Network Configuration Discovery	4	System Network Configuration Discovery (TrickBot Style)	dafaf052-5508-402d-bf77-51e0700c02e2	command_prompt
579	discovery	T1016	System Network Configuration Discovery	5	List Open Egress Ports	4b467538-f102-491d-ace7-ed487b853bf5	powershell
580	discovery	T1016	System Network Configuration Discovery	6	Adfind - Enumerate Active Directory Subnet Objects	9bb45dd7-c466-4f93-83a1-be30e56033ee	command_prompt
581	discovery	T1016	System Network Configuration Discovery	7	Qakbot Recon	121de5c6-5818-4868-b8a7-8fd07c455c1b	command_prompt
582	discovery	T1049	System Network Connections Discovery	1	System Network Connections Discovery	0940a971-809a-48f1-9c4d-b1d785e96ee5	command_prompt
583	discovery	T1049	System Network Connections Discovery	2	System Network Connections Discovery with PowerShell	f069f0f1-baad-4831-aa2b-eddac4baac4a	powershell
584	discovery	T1049	System Network Connections Discovery	4	System Discovery using SharpView	96f974bb-a0da-4d87-a744-ff33e73367e9	powershell
585	discovery	T1033	System Owner/User Discovery	1	System Owner/User Discovery	4c4959bf-addf-4b4a-be86-8d09cc1857aa	command_prompt
586	discovery	T1033	System Owner/User Discovery	3	Find computers where user has session - Stealth mode (PowerView)	29857f27-a36f-4f7e-8084-4557cd6207ca	powershell
587	discovery	T1007	System Service Discovery	1	System Service Discovery	89676ba1-b1f8-47ee-b940-2e1a113ebc71	command_prompt
588	discovery	T1007	System Service Discovery	2	System Service Discovery - net.exe	5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3	command_prompt
589	discovery	T1124	System Time Discovery	1	System Time Discovery	20aba24b-e61f-4b26-b4ce-4784f763ca20	command_prompt
590	discovery	T1124	System Time Discovery	2	System Time Discovery - PowerShell	1d5711d6-655c-4a47-ae9c-6503c74fa877	powershell
591	command-and-control	T1071.004	DNS	1	DNS Large Query Volume	1700f5d6-5a44-487b-84de-bc66f507b0a6	powershell
592	command-and-control	T1071.004	DNS	2	DNS Regular Beaconing	3efc144e-1af8-46bb-8ca2-1376bb6db8b6	powershell
593	command-and-control	T1071.004	DNS	3	DNS Long Domain Query	fef31710-223a-40ee-8462-a396d6b66978	powershell
594	command-and-control	T1071.004	DNS	4	DNS C2	e7bf9802-2e78-4db9-93b5-181b7bcd37d7	powershell
595	command-and-control	T1573	Encrypted Channel	1	OpenSSL C2	21caf58e-87ad-440c-a6b8-3ac259964003	powershell
596	command-and-control	T1105	Ingress Tool Transfer	7	certutil download (urlcache)	dd3b61dd-7bbc-48cd-ab51-49ad1a776df0	command_prompt
597	command-and-control	T1105	Ingress Tool Transfer	8	certutil download (verifyctl)	ffd492e3-0455-4518-9fb1-46527c9f241b	powershell
598	command-and-control	T1105	Ingress Tool Transfer	9	Windows - BITSAdmin BITS Download	a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b	command_prompt
599	command-and-control	T1105	Ingress Tool Transfer	10	Windows - PowerShell Download	42dc4460-9aa6-45d3-b1a6-3955d34e1fe8	powershell
600	command-and-control	T1105	Ingress Tool Transfer	11	OSTAP Worming Activity	2ca61766-b456-4fcf-a35a-1233685e1cad	command_prompt
601	command-and-control	T1105	Ingress Tool Transfer	12	svchost writing a file to a UNC path	fa5a2759-41d7-4e13-a19c-e8f28a53566f	command_prompt
602	command-and-control	T1105	Ingress Tool Transfer	13	Download a File with Windows Defender MpCmdRun.exe	815bef8b-bf91-4b67-be4c-abe4c2a94ccc	command_prompt
603	command-and-control	T1105	Ingress Tool Transfer	15	File Download via PowerShell	54a4daf1-71df-4383-9ba7-f1a295d8b6d2	powershell
604	command-and-control	T1105	Ingress Tool Transfer	16	File download with finger.exe on Windows	5f507e45-8411-4f99-84e7-e38530c45d01	command_prompt
605	command-and-control	T1105	Ingress Tool Transfer	17	Download a file with IMEWDBLD.exe	1a02df58-09af-4064-a765-0babe1a0d1e2	powershell
606	command-and-control	T1105	Ingress Tool Transfer	18	Curl Download File	2b080b99-0deb-4d51-af0f-833d37c4ca6a	command_prompt
607	command-and-control	T1105	Ingress Tool Transfer	19	Curl Upload File	635c9a38-6cbf-47dc-8615-3810bc1167cf	command_prompt
608	command-and-control	T1105	Ingress Tool Transfer	20	Download a file with Microsoft Connection Manager Auto-Download	d239772b-88e2-4a2e-8473-897503401bcc	command_prompt
609	command-and-control	T1090.001	Internal Proxy	3	portproxy reg key	b8223ea9-4be2-44a6-b50a-9657a3d4e72a	powershell
610	command-and-control	T1095	Non-Application Layer Protocol	1	ICMP C2	0268e63c-e244-42db-bef7-72a9e59fc1fc	powershell
611	command-and-control	T1095	Non-Application Layer Protocol	2	Netcat C2	bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37	powershell
612	command-and-control	T1095	Non-Application Layer Protocol	3	Powercat C2	3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e	powershell
613	command-and-control	T1571	Non-Standard Port	1	Testing usage of uncommonly used port with PowerShell	21fe622f-8e53-4b31-ba83-6d333c2583f4	powershell
614	command-and-control	T1572	Protocol Tunneling	1	DNS over HTTPS Large Query Volume	ae9ef4b0-d8c1-49d4-8758-06206f19af0a	powershell
615	command-and-control	T1572	Protocol Tunneling	2	DNS over HTTPS Regular Beaconing	0c5f9705-c575-42a6-9609-cbbff4b2fc9b	powershell
616	command-and-control	T1572	Protocol Tunneling	3	DNS over HTTPS Long Domain Query	748a73d5-cea4-4f34-84d8-839da5baa99c	powershell
617	command-and-control	T1219	Remote Access Software	1	TeamViewer Files Detected Test on Windows	8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0	powershell
618	command-and-control	T1219	Remote Access Software	2	AnyDesk Files Detected Test on Windows	6b8b7391-5c0a-4f8c-baee-78d8ce0ce330	powershell
619	command-and-control	T1219	Remote Access Software	3	LogMeIn Files Detected Test on Windows	d03683ec-aae0-42f9-9b4c-534780e0f8e1	powershell
620	command-and-control	T1219	Remote Access Software	4	GoToAssist Files Detected Test on Windows	1b72b3bd-72f8-4b63-a30b-84e91b9c3578	powershell
621	command-and-control	T1219	Remote Access Software	5	ScreenConnect Application Download and Install on Windows	4a18cc4e-416f-4966-9a9d-75731c4684c0	powershell
622	command-and-control	T1132.001	Standard Encoding	2	XOR Encoded data.	c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08	powershell
623	command-and-control	T1071.001	Web Protocols	1	Malicious User Agents - Powershell	81c13829-f6c9-45b8-85a6-053366d55297	powershell
624	command-and-control	T1071.001	Web Protocols	2	Malicious User Agents - CMD	dc3488b0-08c7-4fea-b585-905c83b48180	command_prompt
625	execution	T1053.002	At (Windows)	1	At.exe Scheduled task	4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8	command_prompt
626	execution	T1559.002	Dynamic Data Exchange	1	Execute Commands	f592ba2a-e9e8-4d62-a459-ef63abd819fd	manual
627	execution	T1559.002	Dynamic Data Exchange	2	Execute PowerShell script via Word DDE	47c21fb6-085e-4b0d-b4d2-26d72c3830b3	command_prompt
628	execution	T1559.002	Dynamic Data Exchange	3	DDEAUTO	cf91174c-4e74-414e-bec0-8d60a104d181	manual
629	execution	T1204.002	Malicious File	1	OSTap Style Macro Execution	8bebc690-18c7-4549-bc98-210f7019efff	powershell
630	execution	T1204.002	Malicious File	2	OSTap Payload Download	3f3af983-118a-4fa1-85d3-ba4daa739d80	command_prompt
631	execution	T1204.002	Malicious File	3	Maldoc choice flags command execution	0330a5d2-a45a-4272-a9ee-e364411c4b18	powershell
632	execution	T1204.002	Malicious File	4	OSTAP JS version	add560ef-20d6-4011-a937-2c340f930911	powershell
633	execution	T1204.002	Malicious File	5	Office launching .bat file from AppData	9215ea92-1ded-41b7-9cd6-79f9a78397aa	powershell
634	execution	T1204.002	Malicious File	6	Excel 4 Macro	4ea1fc97-8a46-4b4e-ba48-af43d2a98052	powershell
635	execution	T1204.002	Malicious File	7	Headless Chrome code execution via VBA	a19ee671-ed98-4e9d-b19c-d1954a51585a	powershell
636	execution	T1204.002	Malicious File	8	Potentially Unwanted Applications (PUA)	02f35d62-9fdc-4a97-b899-a5d9a876d295	powershell
637	execution	T1204.002	Malicious File	9	Office Generic Payload Download	5202ee05-c420-4148-bf5e-fd7f7d24850c	powershell
638	execution	T1106	Native API	1	Execution through API - CreateProcess	99be2089-c52d-4a4a-b5c3-261ee42c8b62	command_prompt
639	execution	T1059.001	PowerShell	1	Mimikatz	f3132740-55bc-48c4-bcc0-758a459cd027	command_prompt
640	execution	T1059.001	PowerShell	2	Run BloodHound from local disk	a21bb23e-e677-4ee7-af90-6931b57b6350	powershell
641	execution	T1059.001	PowerShell	3	Run Bloodhound from Memory using Download Cradle	bf8c1441-4674-4dab-8e4e-39d93d08f9b7	powershell
642	execution	T1059.001	PowerShell	4	Obfuscation Tests	4297c41a-8168-4138-972d-01f3ee92c804	powershell
643	execution	T1059.001	PowerShell	5	Mimikatz - Cradlecraft PsSendKeys	af1800cf-9f9d-4fd1-a709-14b1e6de020d	powershell
644	execution	T1059.001	PowerShell	6	Invoke-AppPathBypass	06a220b6-7e29-4bd8-9d07-5b4d86742372	command_prompt
645	execution	T1059.001	PowerShell	7	Powershell MsXml COM object - with prompt	388a7340-dbc1-4c9d-8e59-b75ad8c6d5da	command_prompt
646	execution	T1059.001	PowerShell	8	Powershell XML requests	4396927f-e503-427b-b023-31049b9b09a6	command_prompt
647	execution	T1059.001	PowerShell	9	Powershell invoke mshta.exe download	8a2ad40b-12c7-4b25-8521-2737b0a415af	command_prompt
648	execution	T1059.001	PowerShell	10	Powershell Invoke-DownloadCradle	cc50fa2a-a4be-42af-a88f-e347ba0bf4d7	manual
649	execution	T1059.001	PowerShell	11	PowerShell Fileless Script Execution	fa050f5e-bc75-4230-af73-b6fd7852cd73	powershell
650	execution	T1059.001	PowerShell	12	PowerShell Downgrade Attack	9148e7c4-9356-420e-a416-e896e9c0f73e	powershell
651	execution	T1059.001	PowerShell	13	NTFS Alternate Data Stream Access	8e5c5532-1181-4c1d-bb79-b3a9f5dbd680	powershell
652	execution	T1059.001	PowerShell	14	PowerShell Session Creation and Use	7c1acec2-78fa-4305-a3e0-db2a54cddecd	powershell
653	execution	T1059.001	PowerShell	15	ATHPowerShellCommandLineParameter -Command parameter variations	686a9785-f99b-41d4-90df-66ed515f81d7	powershell
654	execution	T1059.001	PowerShell	16	ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments	1c0a870f-dc74-49cf-9afc-eccc45e58790	powershell
655	execution	T1059.001	PowerShell	17	ATHPowerShellCommandLineParameter -EncodedCommand parameter variations	86a43bad-12e3-4e85-b97c-4d5cf25b95c3	powershell
656	execution	T1059.001	PowerShell	18	ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments	0d181431-ddf3-4826-8055-2dbf63ae848b	powershell
657	execution	T1059.001	PowerShell	19	PowerShell Command Execution	a538de64-1c74-46ed-aa60-b995ed302598	command_prompt
658	execution	T1059.001	PowerShell	20	PowerShell Invoke Known Malicious Cmdlets	49eb9404-5e0f-4031-a179-b40f7be385e3	powershell
659	execution	T1059.001	PowerShell	21	PowerUp Invoke-AllChecks	1289f78d-22d2-4590-ac76-166737e1811b	powershell
660	execution	T1053.005	Scheduled Task	1	Scheduled Task Startup Script	fec27f65-db86-4c2d-b66c-61945aee87c2	command_prompt
661	execution	T1053.005	Scheduled Task	2	Scheduled task Local	42f53695-ad4a-4546-abb6-7d837f644a71	command_prompt
662	execution	T1053.005	Scheduled Task	3	Scheduled task Remote	2e5eac3e-327b-4a88-a0c0-c4057039a8dd	command_prompt
663	execution	T1053.005	Scheduled Task	4	Powershell Cmdlet Scheduled Task	af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd	powershell
664	execution	T1053.005	Scheduled Task	5	Task Scheduler via VBA	ecd3fa21-7792-41a2-8726-2c5c673414d3	powershell
665	execution	T1053.005	Scheduled Task	6	WMI Invoke-CimMethod Scheduled Task	e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b	powershell
666	execution	T1569.002	Service Execution	1	Execute a Command as a Service	2382dee2-a75f-49aa-9378-f52df6ed3fb1	command_prompt
667	execution	T1569.002	Service Execution	2	Use PsExec to execute a command on a remote host	873106b7-cfed-454b-8680-fa9f6400431c	command_prompt
668	execution	T1072	Software Deployment Tools	1	Radmin Viewer Utility	b4988cad-6ed2-434d-ace5-ea2670782129	command_prompt
669	execution	T1059.005	Visual Basic	1	Visual Basic script execution to gather local computer information	1620de42-160a-4fe5-bbaf-d3fef0181ce9	powershell
670	execution	T1059.005	Visual Basic	2	Encoded VBS code execution	e8209d5f-e42d-45e6-9c2f-633ac4f1eefa	powershell
671	execution	T1059.005	Visual Basic	3	Extract Memory via VBA	8faff437-a114-4547-9a60-749652a03df6	powershell
672	execution	T1059.003	Windows Command Shell	1	Create and Execute Batch Script	9e8894c0-50bd-4525-a96c-d4ac78ece388	powershell
673	execution	T1059.003	Windows Command Shell	2	Writes text to a file and displays it.	127b4afe-2346-4192-815c-69042bec570e	command_prompt
674	execution	T1059.003	Windows Command Shell	3	Suspicious Execution via Windows Command Shell	d0eb3597-a1b3-4d65-b33b-2cda8d397f20	command_prompt
675	execution	T1047	Windows Management Instrumentation	1	WMI Reconnaissance Users	c107778c-dcf5-47c5-af2e-1d058a3df3ea	command_prompt
676	execution	T1047	Windows Management Instrumentation	2	WMI Reconnaissance Processes	5750aa16-0e59-4410-8b9a-8a47ca2788e2	command_prompt
677	execution	T1047	Windows Management Instrumentation	3	WMI Reconnaissance Software	718aebaa-d0e0-471a-8241-c5afa69c7414	command_prompt
678	execution	T1047	Windows Management Instrumentation	4	WMI Reconnaissance List Remote Services	0fd48ef7-d890-4e93-a533-f7dedd5191d3	command_prompt
679	execution	T1047	Windows Management Instrumentation	5	WMI Execute Local Process	b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3	command_prompt
680	execution	T1047	Windows Management Instrumentation	6	WMI Execute Remote Process	9c8ef159-c666-472f-9874-90c8d60d136b	command_prompt
681	execution	T1047	Windows Management Instrumentation	7	Create a Process using WMI Query and an Encoded Command	7db7a7f9-9531-4840-9b30-46220135441c	command_prompt
682	execution	T1047	Windows Management Instrumentation	8	Create a Process using obfuscated Win32_Process	10447c83-fc38-462a-a936-5102363b1c43	powershell
683	execution	T1047	Windows Management Instrumentation	9	WMI Execute rundll32	00738d2a-4651-4d76-adf2-c43a41dfb243	powershell
684	execution	T1047	Windows Management Instrumentation	10	Application uninstall using WMIC	c510d25b-1667-467d-8331-a56d3e9bc4ff	command_prompt
685	exfiltration	T1020	Automated Exfiltration	1	IcedID Botnet HTTP PUT	9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0	powershell
686	exfiltration	T1048	Exfiltration Over Alternative Protocol	3	DNSExfiltration (doh)	c943d285-ada3-45ca-b3aa-7cd6500c6a48	powershell
687	exfiltration	T1048.002	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	1	Exfiltrate data HTTPS using curl windows	1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0	command_prompt
688	exfiltration	T1041	Exfiltration Over C2 Channel	1	C2 Data Exfiltration	d1253f6e-c29b-49dc-b466-2147a6191932	powershell
689	exfiltration	T1048.003	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	2	Exfiltration Over Alternative Protocol - ICMP	dd4b4421-2e25-4593-90ae-7021947ad12e	powershell
690	exfiltration	T1048.003	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4	Exfiltration Over Alternative Protocol - HTTP	6aa58451-1121-4490-a8e9-1dada3f1c68c	powershell
691	exfiltration	T1048.003	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	5	Exfiltration Over Alternative Protocol - SMTP	ec3a835e-adca-4c7c-88d2-853b69c11bb9	powershell
692	exfiltration	T1567	Exfiltration Over Web Service	1	Data Exfiltration with ConfigSecurityPolicy	5568a8f4-a8b1-4c40-9399-4969b642f122	powershell
693	lateral-movement	T1021.003	Distributed Component Object Model	1	PowerShell Lateral Movement using MMC20	6dc74eb1-c9d6-4c53-b3b5-6f50ae339673	powershell
694	lateral-movement	T1550.002	Pass the Hash	1	Mimikatz Pass the Hash	ec23cef9-27d9-46e4-a68d-6f75f7b86908	command_prompt
695	lateral-movement	T1550.002	Pass the Hash	2	crackmapexec Pass the Hash	eb05b028-16c8-4ad8-adea-6f5b219da9a9	command_prompt
696	lateral-movement	T1550.003	Pass the Ticket	1	Mimikatz Kerberos Ticket Attack	dbf38128-7ba7-4776-bedf-cc2eed432098	command_prompt
697	lateral-movement	T1550.003	Pass the Ticket	2	Rubeus Kerberos Pass The Ticket	a2fc4ec5-12c6-4fb4-b661-961f23f359cb	powershell
698	lateral-movement	T1563.002	RDP Hijacking	1	RDP hijacking	a37ac520-b911-458e-8aed-c5f1576d9f46	command_prompt
699	lateral-movement	T1021.001	Remote Desktop Protocol	1	RDP to DomainController	355d4632-8cb9-449d-91ce-b566d0253d3e	powershell
700	lateral-movement	T1021.001	Remote Desktop Protocol	2	RDP to Server	7382a43e-f19c-46be-8f09-5c63af7d3e2b	powershell
701	lateral-movement	T1021.001	Remote Desktop Protocol	3	Changing RDP Port to Non Standard Port via Powershell	2f840dd4-8a2e-4f44-beb3-6b2399ea3771	powershell
702	lateral-movement	T1021.001	Remote Desktop Protocol	4	Changing RDP Port to Non Standard Port via Command_Prompt	74ace21e-a31c-4f7d-b540-53e4eb6d1f73	command_prompt
703	lateral-movement	T1091	Replication Through Removable Media	1	USB Malware Spread Simulation	d44b7297-622c-4be8-ad88-ec40d7563c75	powershell
704	lateral-movement	T1021.002	SMB/Windows Admin Shares	1	Map admin share	3386975b-367a-4fbb-9d77-4dcf3639ffd3	command_prompt
705	lateral-movement	T1021.002	SMB/Windows Admin Shares	2	Map Admin Share PowerShell	514e9cd7-9207-4882-98b1-c8f791bae3c5	powershell
706	lateral-movement	T1021.002	SMB/Windows Admin Shares	3	Copy and Execute File with PsExec	0eb03d41-79e4-4393-8e57-6344856be1cf	command_prompt
707	lateral-movement	T1021.002	SMB/Windows Admin Shares	4	Execute command writing output to local Admin Share	d41aaab5-bdfe-431d-a3d5-c29e9136ff46	command_prompt
708	lateral-movement	T1072	Software Deployment Tools	1	Radmin Viewer Utility	b4988cad-6ed2-434d-ace5-ea2670782129	command_prompt
709	lateral-movement	T1021.006	Windows Remote Management	1	Enable Windows Remote Management	9059e8de-3d7d-4954-a322-46161880b9cf	powershell
710	lateral-movement	T1021.006	Windows Remote Management	2	Invoke-Command	5295bd61-bd7e-4744-9d52-85962a4cf2d6	powershell
711	lateral-movement	T1021.006	Windows Remote Management	3	WinRM Access with Evil-WinRM	efe86d95-44c4-4509-ae42-7bfd9d1f5b3d	powershell
712	initial-access	T1078.001	Default Accounts	1	Enable Guest account with RDP capability and admin privileges	99747561-ed8d-47f2-9c91-1e5fde1ed6e0	command_prompt
713	initial-access	T1078.001	Default Accounts	2	Activate Guest Account	aa6cb8c4-b582-4f8e-b677-37733914abda	command_prompt
714	initial-access	T1133	External Remote Services	1	Running Chrome VPN Extensions via the Registry 2 vpn extension	4c8db261-a58b-42a6-a866-0a294deedde4	powershell
715	initial-access	T1078.003	Local Accounts	1	Create local account with admin privileges	a524ce99-86de-4db6-b4f9-e08f35a47a15	command_prompt
716	initial-access	T1091	Replication Through Removable Media	1	USB Malware Spread Simulation	d44b7297-622c-4be8-ad88-ec40d7563c75	powershell
717	initial-access	T1566.001	Spearphishing Attachment	1	Download Macro-Enabled Phishing Attachment	114ccff9-ae6d-4547-9ead-4cd69f687306	powershell
718	initial-access	T1566.001	Spearphishing Attachment	2	Word spawned a command shell and used an IP address in the command line	cbb6799a-425c-4f83-9194-5447a909d67f	powershell

95 KiB Raw Permalink Blame History

95 KiB

Raw Permalink Blame History