Atomic Red Team doc generator
336 KiB
336 KiB
| 1 | Tactic | Technique # | Technique Name | Test # | Test Name | Test GUID | Executor Name |
|---|---|---|---|---|---|---|---|
| 2 | defense-evasion | T1055.011 | Process Injection: Extra Window Memory Injection | 1 | Process Injection via Extra Window Memory (EWM) x64 executable | 93ca40d2-336c-446d-bcef-87f14d438018 | powershell |
| 3 | defense-evasion | T1218.011 | Signed Binary Proxy Execution: Rundll32 | 1 | Rundll32 execute JavaScript Remote Payload With GetObject | 57ba4ce9-ee7a-4f27-9928-3c70c489b59d | command_prompt |
| 4 | defense-evasion | T1218.011 | Signed Binary Proxy Execution: Rundll32 | 2 | Rundll32 execute VBscript command | 638730e7-7aed-43dc-bf8c-8117f805f5bb | command_prompt |
| 5 | defense-evasion | T1218.011 | Signed Binary Proxy Execution: Rundll32 | 3 | Rundll32 execute VBscript command using Ordinal number | 32d1cf1b-cbc2-4c09-8d05-07ec5c83a821 | command_prompt |
| 6 | defense-evasion | T1218.011 | Signed Binary Proxy Execution: Rundll32 | 4 | Rundll32 advpack.dll Execution | d91cae26-7fc1-457b-a854-34c8aad48c89 | command_prompt |
| 7 | defense-evasion | T1218.011 | Signed Binary Proxy Execution: Rundll32 | 5 | Rundll32 ieadvpack.dll Execution | 5e46a58e-cbf6-45ef-a289-ed7754603df9 | command_prompt |
| 8 | defense-evasion | T1218.011 | Signed Binary Proxy Execution: Rundll32 | 6 | Rundll32 syssetup.dll Execution | 41fa324a-3946-401e-bbdd-d7991c628125 | command_prompt |
| 9 | defense-evasion | T1218.011 | Signed Binary Proxy Execution: Rundll32 | 7 | Rundll32 setupapi.dll Execution | 71d771cd-d6b3-4f34-bc76-a63d47a10b19 | command_prompt |
| 10 | defense-evasion | T1218.011 | Signed Binary Proxy Execution: Rundll32 | 8 | Execution of HTA and VBS Files using Rundll32 and URL.dll | 22cfde89-befe-4e15-9753-47306b37a6e3 | command_prompt |
| 11 | defense-evasion | T1218.011 | Signed Binary Proxy Execution: Rundll32 | 9 | Launches an executable using Rundll32 and pcwutl.dll | 9f5d081a-ee5a-42f9-a04e-b7bdc487e676 | command_prompt |
| 12 | defense-evasion | T1218.011 | Signed Binary Proxy Execution: Rundll32 | 10 | Execution of non-dll using rundll32.exe | ae3a8605-b26e-457c-b6b3-2702fd335bac | powershell |
| 13 | defense-evasion | T1218.011 | Signed Binary Proxy Execution: Rundll32 | 11 | Rundll32 with Ordinal Value | 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0 | command_prompt |
| 14 | defense-evasion | T1218.011 | Signed Binary Proxy Execution: Rundll32 | 12 | Rundll32 with Control_RunDLL | e4c04b6f-c492-4782-82c7-3bf75eb8077e | command_prompt |
| 15 | defense-evasion | T1218.011 | Signed Binary Proxy Execution: Rundll32 | 13 | Rundll32 with desk.cpl | 83a95136-a496-423c-81d3-1c6750133917 | command_prompt |
| 16 | defense-evasion | T1218.011 | Signed Binary Proxy Execution: Rundll32 | 14 | Running DLL with .init extension and function | 2d5029f0-ae20-446f-8811-e7511b58e8b6 | command_prompt |
| 17 | defense-evasion | T1218.011 | Signed Binary Proxy Execution: Rundll32 | 15 | Rundll32 execute command via FileProtocolHandler | f3ad3c5b-1db1-45c1-81bf-d3370ebab6c8 | command_prompt |
| 18 | defense-evasion | T1218.011 | Signed Binary Proxy Execution: Rundll32 | 16 | Rundll32 execute payload by calling RouteTheCall | 8a7f56ee-10e7-444c-a139-0109438288eb | powershell |
| 19 | defense-evasion | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules | 1 | Malicious PAM rule | 4b9dde80-ae22-44b1-a82a-644bf009eb9c | sh |
| 20 | defense-evasion | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules | 2 | Malicious PAM rule (freebsd) | b17eacac-282d-4ca8-a240-46602cf863e3 | sh |
| 21 | defense-evasion | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules | 3 | Malicious PAM module | 65208808-3125-4a2e-8389-a0a00e9ab326 | sh |
| 22 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 1 | chmod - Change file or folder mode (numeric mode) | 34ca1464-de9d-40c6-8c77-690adf36a135 | sh |
| 23 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 2 | chmod - Change file or folder mode (symbolic mode) | fc9d6695-d022-4a80-91b1-381f5c35aff3 | sh |
| 24 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 3 | chmod - Change file or folder mode (numeric mode) recursively | ea79f937-4a4d-4348-ace6-9916aec453a4 | sh |
| 25 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 4 | chmod - Change file or folder mode (symbolic mode) recursively | 0451125c-b5f6-488f-993b-5a32b09f7d8f | bash |
| 26 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 5 | chown - Change file or folder ownership and group | d169e71b-85f9-44ec-8343-27093ff3dfc0 | bash |
| 27 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 6 | chown - Change file or folder ownership and group recursively | b78598be-ff39-448f-a463-adbf2a5b7848 | bash |
| 28 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 7 | chown - Change file or folder mode ownership only | 967ba79d-f184-4e0e-8d09-6362b3162e99 | sh |
| 29 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 8 | chown - Change file or folder ownership recursively | 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 | bash |
| 30 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 9 | chattr - Remove immutable file attribute | e7469fe2-ad41-4382-8965-99b94dd3c13f | sh |
| 31 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 10 | chflags - Remove immutable file attribute | 60eee3ea-2ebd-453b-a666-c52ce08d2709 | sh |
| 32 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 11 | Chmod through c script | 973631cf-6680-4ffa-a053-045e1b6b67ab | sh |
| 33 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 12 | Chmod through c script (freebsd) | da40b5fe-3098-4b3b-a410-ff177e49ee2e | sh |
| 34 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 13 | Chown through c script | 18592ba1-5f88-4e3c-abc8-ab1c6042e389 | sh |
| 35 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 14 | Chown through c script (freebsd) | eb577a19-b730-4918-9b03-c5edcf51dc4e | sh |
| 36 | defense-evasion | T1216.001 | Signed Script Proxy Execution: Pubprn | 1 | PubPrn.vbs Signed Script Bypass | 9dd29a1f-1e16-4862-be83-913b10a88f6c | command_prompt |
| 37 | defense-evasion | T1006 | Direct Volume Access | 1 | Read volume boot sector via DOS device path (PowerShell) | 88f6327e-51ec-4bbf-b2e8-3fea534eab8b | powershell |
| 38 | defense-evasion | T1564.008 | Hide Artifacts: Email Hiding Rules | 1 | New-Inbox Rule to Hide E-mail in M365 | 30f7d3d1-78e2-4bf0-9efa-a175b5fce2a9 | powershell |
| 39 | defense-evasion | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | 1 | Decode Eicar File and Write to File | 7693ccaa-8d64-4043-92a5-a2eb70359535 | powershell |
| 40 | defense-evasion | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | 2 | Decrypt Eicar File and Write to File | b404caaa-12ce-43c7-9214-62a531c044f7 | powershell |
| 41 | defense-evasion | T1014 | Rootkit | 1 | Loadable Kernel Module based Rootkit | dfb50072-e45a-4c75-a17e-a484809c8553 | sh |
| 42 | defense-evasion | T1014 | Rootkit | 2 | Loadable Kernel Module based Rootkit | 75483ef8-f10f-444a-bf02-62eb0e48db6f | sh |
| 43 | defense-evasion | T1014 | Rootkit | 3 | dynamic-linker based rootkit (libprocesshider) | 1338bf0c-fd0c-48c0-9e65-329f18e2c0d3 | sh |
| 44 | defense-evasion | T1014 | Rootkit | 4 | Loadable Kernel Module based Rootkit (Diamorphine) | 0b996469-48c6-46e2-8155-a17f8b6c2247 | sh |
| 45 | defense-evasion | T1036.007 | Masquerading: Double File Extension | 1 | File Extension Masquerading | c7fa0c3b-b57f-4cba-9118-863bf4e653fc | command_prompt |
| 46 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 1 | Bypass UAC using Event Viewer (cmd) | 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 | command_prompt |
| 47 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 2 | Bypass UAC using Event Viewer (PowerShell) | a6ce9acf-842a-4af6-8f79-539be7608e2b | powershell |
| 48 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 3 | Bypass UAC using Fodhelper | 58f641ea-12e3-499a-b684-44dee46bd182 | command_prompt |
| 49 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 4 | Bypass UAC using Fodhelper - PowerShell | 3f627297-6c38-4e7d-a278-fc2563eaaeaa | powershell |
| 50 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 5 | Bypass UAC using ComputerDefaults (PowerShell) | 3c51abf2-44bf-42d8-9111-dc96ff66750f | powershell |
| 51 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 6 | Bypass UAC by Mocking Trusted Directories | f7a35090-6f7f-4f64-bb47-d657bf5b10c1 | command_prompt |
| 52 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 7 | Bypass UAC using sdclt DelegateExecute | 3be891eb-4608-4173-87e8-78b494c029b7 | powershell |
| 53 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 8 | Disable UAC using reg.exe | 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 | command_prompt |
| 54 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 9 | Bypass UAC using SilentCleanup task | 28104f8a-4ff1-4582-bcf6-699dce156608 | command_prompt |
| 55 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 10 | UACME Bypass Method 23 | 8ceab7a2-563a-47d2-b5ba-0995211128d7 | command_prompt |
| 56 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 11 | UACME Bypass Method 31 | b0f76240-9f33-4d34-90e8-3a7d501beb15 | command_prompt |
| 57 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 12 | UACME Bypass Method 33 | e514bb03-f71c-4b22-9092-9f961ec6fb03 | command_prompt |
| 58 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 13 | UACME Bypass Method 34 | 695b2dac-423e-448e-b6ef-5b88e93011d6 | command_prompt |
| 59 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 14 | UACME Bypass Method 39 | 56163687-081f-47da-bb9c-7b231c5585cf | command_prompt |
| 60 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 15 | UACME Bypass Method 56 | 235ec031-cd2d-465d-a7ae-68bab281e80e | command_prompt |
| 61 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 16 | UACME Bypass Method 59 | dfb1b667-4bb8-4a63-a85e-29936ea75f29 | command_prompt |
| 62 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 17 | UACME Bypass Method 61 | 7825b576-744c-4555-856d-caf3460dc236 | command_prompt |
| 63 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 18 | WinPwn - UAC Magic | 964d8bf8-37bc-4fd3-ba36-ad13761ebbcc | powershell |
| 64 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 19 | WinPwn - UAC Bypass ccmstp technique | f3c145f9-3c8d-422c-bd99-296a17a8f567 | powershell |
| 65 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 20 | WinPwn - UAC Bypass DiskCleanup technique | 1ed67900-66cd-4b09-b546-2a0ef4431a0c | powershell |
| 66 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 21 | WinPwn - UAC Bypass DccwBypassUAC technique | 2b61977b-ae2d-4ae4-89cb-5c36c89586be | powershell |
| 67 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 22 | Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key | 251c5936-569f-42f4-9ac2-87a173b9e9b8 | powershell |
| 68 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 23 | UAC Bypass with WSReset Registry Modification | 3b96673f-9c92-40f1-8a3e-ca060846f8d9 | powershell |
| 69 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 24 | Disable UAC - Switch to the secure desktop when prompting for elevation via registry key | 85f3a526-4cfa-4fe7-98c1-dea99be025c7 | powershell |
| 70 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 25 | Disable UAC notification via registry keys | 160a7c77-b00e-4111-9e45-7c2a44eda3fd | command_prompt |
| 71 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 26 | Disable ConsentPromptBehaviorAdmin via registry keys | a768aaa2-2442-475c-8990-69cf33af0f4e | command_prompt |
| 72 | defense-evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 27 | UAC bypassed by Utilizing ProgIDs registry. | b6f4645c-34ea-4c7c-98f2-d5a2747efb08 | command_prompt |
| 73 | defense-evasion | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 1 | Sudo usage | 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e | sh |
| 74 | defense-evasion | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 2 | Sudo usage (freebsd) | 2bf9a018-4664-438a-b435-cc6f8c6f71b1 | sh |
| 75 | defense-evasion | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 3 | Unlimited sudo cache timeout | a7b17659-dd5e-46f7-b7d1-e6792c91d0bc | sh |
| 76 | defense-evasion | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 4 | Unlimited sudo cache timeout (freebsd) | a83ad6e8-6f24-4d7f-8f44-75f8ab742991 | sh |
| 77 | defense-evasion | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 5 | Disable tty_tickets for sudo caching | 91a60b03-fb75-4d24-a42e-2eb8956e8de1 | sh |
| 78 | defense-evasion | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 6 | Disable tty_tickets for sudo caching (freebsd) | 4df6a0fe-2bdd-4be8-8618-a6a19654a57a | sh |
| 79 | defense-evasion | T1542.001 | Pre-OS Boot: System Firmware | 1 | UEFI Persistence via Wpbbin.exe File Creation | b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1 | powershell |
| 80 | defense-evasion | T1574.011 | Hijack Execution Flow: Services Registry Permissions Weakness | 1 | Service Registry Permissions Weakness | f7536d63-7fd4-466f-89da-7e48d550752a | powershell |
| 81 | defense-evasion | T1574.011 | Hijack Execution Flow: Services Registry Permissions Weakness | 2 | Service ImagePath Change with reg.exe | f38e9eea-e1d7-4ba6-b716-584791963827 | command_prompt |
| 82 | defense-evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | 1 | Execute a process from a directory masquerading as the current parent directory | 812c3ab8-94b0-4698-a9bf-9420af23ce24 | sh |
| 83 | defense-evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | 2 | Masquerade as a built-in system executable | 35eb8d16-9820-4423-a2a1-90c4f5edd9ca | powershell |
| 84 | defense-evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | 3 | Masquerading cmd.exe as VEDetector.exe | 03ae82a6-9fa0-465b-91df-124d8ca5c4e8 | powershell |
| 85 | defense-evasion | T1564 | Hide Artifacts | 1 | Extract binary files via VBA | 6afe288a-8a8b-4d33-a629-8d03ba9dad3a | powershell |
| 86 | defense-evasion | T1564 | Hide Artifacts | 2 | Create a Hidden User Called "$" | 2ec63cc2-4975-41a6-bf09-dffdfb610778 | command_prompt |
| 87 | defense-evasion | T1564 | Hide Artifacts | 3 | Create an "Administrator " user (with a space on the end) | 5bb20389-39a5-4e99-9264-aeb92a55a85c | powershell |
| 88 | defense-evasion | T1564 | Hide Artifacts | 4 | Create and Hide a Service with sc.exe | 333c7de0-6fbe-42aa-ac2b-c7e40b18246a | command_prompt |
| 89 | defense-evasion | T1564 | Hide Artifacts | 5 | Command Execution with NirCmd | 2748ab4a-1e0b-4cf2-a2b0-8ef765bec7be | powershell |
| 90 | defense-evasion | T1484.002 | Domain Trust Modification | 1 | Add Federation to Azure AD | 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7 | powershell |
| 91 | defense-evasion | T1562.009 | Impair Defenses: Safe Boot Mode | 1 | Safe Mode Boot | 2a78362e-b79a-4482-8e24-be397bce4d85 | command_prompt |
| 92 | defense-evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 1 | Detect Virtualization Environment (Linux) | dfbd1a21-540d-4574-9731-e852bd6fe840 | sh |
| 93 | defense-evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 2 | Detect Virtualization Environment (FreeBSD) | e129d73b-3e03-4ae9-bf1e-67fc8921e0fd | sh |
| 94 | defense-evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 3 | Detect Virtualization Environment (Windows) | 502a7dc4-9d6f-4d28-abf2-f0e84692562d | powershell |
| 95 | defense-evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 4 | Detect Virtualization Environment via ioreg | a960185f-aef6-4547-8350-d1ce16680d09 | sh |
| 96 | defense-evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 5 | Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) | 4a41089a-48e0-47aa-82cb-5b81a463bc78 | powershell |
| 97 | defense-evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 6 | Detect Virtualization Environment using sysctl (hw.model) | 6beae646-eb4c-4730-95be-691a4094408c | sh |
| 98 | defense-evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 7 | Check if System Integrity Protection is enabled | 2b73cd9b-b2fb-4357-b9d7-c73c41d9e945 | sh |
| 99 | defense-evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 8 | Detect Virtualization Environment using system_profiler | e04d2e89-de15-4d90-92f9-a335c7337f0f | sh |
| 100 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 1 | rm -rf | 989cc1b1-3642-4260-a809-54f9dd559683 | sh |
| 101 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 2 | rm -rf | bd8ccc45-d632-481e-b7cf-c467627d68f9 | sh |
| 102 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 3 | Delete log files using built-in log utility | 653d39cd-bae7-499a-898c-9fb96b8b5cd1 | sh |
| 103 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 4 | Truncate system log files via truncate utility | 6290f8a8-8ee9-4661-b9cf-390031bf6973 | sh |
| 104 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 5 | Truncate system log files via truncate utility (freebsd) | 14033063-ee04-4eaf-8f5d-ba07ca7a097c | sh |
| 105 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 6 | Delete log files via cat utility by appending /dev/null or /dev/zero | c23bdb88-928d-493e-b46d-df2906a50941 | sh |
| 106 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 7 | Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd) | 369878c6-fb04-48d6-8fc2-da9d97b3e054 | sh |
| 107 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 8 | System log file deletion via find utility | bc8eeb4a-cc3e-45ec-aa6e-41e973da2558 | sh |
| 108 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 9 | Overwrite macOS system log via echo utility | 0208ea60-98f1-4e8c-8052-930dce8f742c | sh |
| 109 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 10 | Overwrite FreeBSD system log via echo utility | 11cb8ee1-97fb-4960-8587-69b8388ee9d9 | sh |
| 110 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 11 | Real-time system log clearance/deletion | 848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c | sh |
| 111 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 12 | Delete system log files via unlink utility | 03013b4b-01db-437d-909b-1fdaa5010ee8 | sh |
| 112 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 13 | Delete system log files via unlink utility (freebsd) | 45ad4abd-19bd-4c5f-a687-41f3eee8d8c2 | sh |
| 113 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 14 | Delete system log files using shred utility | 86f0e4d5-3ca7-45fb-829d-4eda32b232bb | sh |
| 114 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 15 | Delete system log files using srm utility | b0768a5e-0f32-4e75-ae5b-d036edcf96b6 | sh |
| 115 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 16 | Delete system log files using OSAScript | 810a465f-cd4f-47bc-b43e-d2de3b033ecc | sh |
| 116 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 17 | Delete system log files using Applescript | e62f8694-cbc7-468f-862c-b10cd07e1757 | sh |
| 117 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 18 | Delete system journal logs via rm and journalctl utilities | ca50dd85-81ff-48ca-92e1-61f119cb1dcf | sh |
| 118 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 19 | Overwrite Linux Mail Spool | 1602ff76-ed7f-4c94-b550-2f727b4782d4 | bash |
| 119 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 20 | Overwrite Linux Log | d304b2dc-90b4-4465-a650-16ddd503f7b5 | bash |
| 120 | defense-evasion | T1218.004 | Signed Binary Proxy Execution: InstallUtil | 1 | CheckIfInstallable method call | ffd9c807-d402-47d2-879d-f915cf2a3a94 | powershell |
| 121 | defense-evasion | T1218.004 | Signed Binary Proxy Execution: InstallUtil | 2 | InstallHelper method call | d43a5bde-ae28-4c55-a850-3f4c80573503 | powershell |
| 122 | defense-evasion | T1218.004 | Signed Binary Proxy Execution: InstallUtil | 3 | InstallUtil class constructor method call | 9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93 | powershell |
| 123 | defense-evasion | T1218.004 | Signed Binary Proxy Execution: InstallUtil | 4 | InstallUtil Install method call | 9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b | powershell |
| 124 | defense-evasion | T1218.004 | Signed Binary Proxy Execution: InstallUtil | 5 | InstallUtil Uninstall method call - /U variant | 34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b | powershell |
| 125 | defense-evasion | T1218.004 | Signed Binary Proxy Execution: InstallUtil | 6 | InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant | 06d9deba-f732-48a8-af8e-bdd6e4d98c1d | powershell |
| 126 | defense-evasion | T1218.004 | Signed Binary Proxy Execution: InstallUtil | 7 | InstallUtil HelpText method call | 5a683850-1145-4326-a0e5-e91ced3c6022 | powershell |
| 127 | defense-evasion | T1218.004 | Signed Binary Proxy Execution: InstallUtil | 8 | InstallUtil evasive invocation | 559e6d06-bb42-4307-bff7-3b95a8254bad | powershell |
| 128 | defense-evasion | T1574.001 | Hijack Execution Flow: DLL | 1 | DLL Search Order Hijacking - amsi.dll | 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 | command_prompt |
| 129 | defense-evasion | T1574.001 | Hijack Execution Flow: DLL | 2 | Phantom Dll Hijacking - WinAppXRT.dll | 46ed938b-c617-429a-88dc-d49b5c9ffedb | command_prompt |
| 130 | defense-evasion | T1574.001 | Hijack Execution Flow: DLL | 3 | Phantom Dll Hijacking - ualapi.dll | 5898902d-c5ad-479a-8545-6f5ab3cfc87f | command_prompt |
| 131 | defense-evasion | T1574.001 | Hijack Execution Flow: DLL | 4 | DLL Side-Loading using the Notepad++ GUP.exe binary | 65526037-7079-44a9-bda1-2cb624838040 | command_prompt |
| 132 | defense-evasion | T1574.001 | Hijack Execution Flow: DLL | 5 | DLL Side-Loading using the dotnet startup hook environment variable | d322cdd7-7d60-46e3-9111-648848da7c02 | command_prompt |
| 133 | defense-evasion | T1574.001 | Hijack Execution Flow: DLL | 6 | DLL Search Order Hijacking,DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE | c095ad8e-4469-4d33-be9d-6f6d1fb21585 | powershell |
| 134 | defense-evasion | T1553.001 | Subvert Trust Controls: Gatekeeper Bypass | 1 | Gatekeeper Bypass | fb3d46c6-9480-4803-8d7d-ce676e1f1a9b | sh |
| 135 | defense-evasion | T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | 1 | Take ownership using takeown utility | 98d34bb4-6e75-42ad-9c41-1dae7dc6a001 | command_prompt |
| 136 | defense-evasion | T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | 2 | cacls - Grant permission to specified user or group recursively | a8206bcc-f282-40a9-a389-05d9c0263485 | command_prompt |
| 137 | defense-evasion | T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | 3 | attrib - Remove read-only attribute | bec1e95c-83aa-492e-ab77-60c71bbd21b0 | command_prompt |
| 138 | defense-evasion | T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | 4 | attrib - hide file | 32b979da-7b68-42c9-9a99-0e39900fc36c | command_prompt |
| 139 | defense-evasion | T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | 5 | Grant Full Access to folder for Everyone - Ryuk Ransomware Style | ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 | command_prompt |
| 140 | defense-evasion | T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | 6 | SubInAcl Execution | a8568b10-9ab9-4140-a523-1c72e0176924 | command_prompt |
| 141 | defense-evasion | T1218.007 | Signed Binary Proxy Execution: Msiexec | 1 | Msiexec.exe - Execute Local MSI file with embedded JScript | a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04 | command_prompt |
| 142 | defense-evasion | T1218.007 | Signed Binary Proxy Execution: Msiexec | 2 | Msiexec.exe - Execute Local MSI file with embedded VBScript | 8d73c7b0-c2b1-4ac1-881a-4aa644f76064 | command_prompt |
| 143 | defense-evasion | T1218.007 | Signed Binary Proxy Execution: Msiexec | 3 | Msiexec.exe - Execute Local MSI file with an embedded DLL | 628fa796-76c5-44c3-93aa-b9d8214fd568 | command_prompt |
| 144 | defense-evasion | T1218.007 | Signed Binary Proxy Execution: Msiexec | 4 | Msiexec.exe - Execute Local MSI file with an embedded EXE | ed3fa08a-ca18-4009-973e-03d13014d0e8 | command_prompt |
| 145 | defense-evasion | T1218.007 | Signed Binary Proxy Execution: Msiexec | 5 | WMI Win32_Product Class - Execute Local MSI file with embedded JScript | 882082f0-27c6-4eec-a43c-9aa80bccdb30 | powershell |
| 146 | defense-evasion | T1218.007 | Signed Binary Proxy Execution: Msiexec | 6 | WMI Win32_Product Class - Execute Local MSI file with embedded VBScript | cf470d9a-58e7-43e5-b0d2-805dffc05576 | powershell |
| 147 | defense-evasion | T1218.007 | Signed Binary Proxy Execution: Msiexec | 7 | WMI Win32_Product Class - Execute Local MSI file with an embedded DLL | 32eb3861-30da-4993-897a-42737152f5f8 | powershell |
| 148 | defense-evasion | T1218.007 | Signed Binary Proxy Execution: Msiexec | 8 | WMI Win32_Product Class - Execute Local MSI file with an embedded EXE | 55080eb0-49ae-4f55-a440-4167b7974f79 | powershell |
| 149 | defense-evasion | T1218.007 | Signed Binary Proxy Execution: Msiexec | 9 | Msiexec.exe - Execute the DllRegisterServer function of a DLL | 0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d | command_prompt |
| 150 | defense-evasion | T1218.007 | Signed Binary Proxy Execution: Msiexec | 10 | Msiexec.exe - Execute the DllUnregisterServer function of a DLL | ab09ec85-4955-4f9c-b8e0-6851baf4d47f | command_prompt |
| 151 | defense-evasion | T1218.007 | Signed Binary Proxy Execution: Msiexec | 11 | Msiexec.exe - Execute Remote MSI file | 44a4bedf-ffe3-452e-bee4-6925ab125662 | command_prompt |
| 152 | defense-evasion | T1556.002 | Modify Authentication Process: Password Filter DLL | 1 | Install and Register Password Filter DLL | a7961770-beb5-4134-9674-83d7e1fa865c | powershell |
| 153 | defense-evasion | T1556.002 | Modify Authentication Process: Password Filter DLL | 2 | Install Additional Authentication Packages | 91580da6-bc6e-431b-8b88-ac77180005f2 | powershell |
| 154 | defense-evasion | T1070.003 | Indicator Removal on Host: Clear Command History | 1 | Clear Bash history (rm) | a934276e-2be5-4a36-93fd-98adbb5bd4fc | sh |
| 155 | defense-evasion | T1070.003 | Indicator Removal on Host: Clear Command History | 2 | Clear Bash history (echo) | cbf506a5-dd78-43e5-be7e-a46b7c7a0a11 | sh |
| 156 | defense-evasion | T1070.003 | Indicator Removal on Host: Clear Command History | 3 | Clear Bash history (cat dev/null) | b1251c35-dcd3-4ea1-86da-36d27b54f31f | sh |
| 157 | defense-evasion | T1070.003 | Indicator Removal on Host: Clear Command History | 4 | Clear Bash history (ln dev/null) | 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 | sh |
| 158 | defense-evasion | T1070.003 | Indicator Removal on Host: Clear Command History | 5 | Clear Bash history (truncate) | 47966a1d-df4f-4078-af65-db6d9aa20739 | sh |
| 159 | defense-evasion | T1070.003 | Indicator Removal on Host: Clear Command History | 6 | Clear history of a bunch of shells | 7e6721df-5f08-4370-9255-f06d8a77af4c | sh |
| 160 | defense-evasion | T1070.003 | Indicator Removal on Host: Clear Command History | 7 | Clear and Disable Bash History Logging | 784e4011-bd1a-4ecd-a63a-8feb278512e6 | bash |
| 161 | defense-evasion | T1070.003 | Indicator Removal on Host: Clear Command History | 8 | Use Space Before Command to Avoid Logging to History | 53b03a54-4529-4992-852d-a00b4b7215a6 | sh |
| 162 | defense-evasion | T1070.003 | Indicator Removal on Host: Clear Command History | 9 | Disable Bash History Logging with SSH -T | 5f8abd62-f615-43c5-b6be-f780f25790a1 | sh |
| 163 | defense-evasion | T1070.003 | Indicator Removal on Host: Clear Command History | 10 | Clear Docker Container Logs | 553b39f9-1e8c-47b1-abf5-8daf7b0391e9 | bash |
| 164 | defense-evasion | T1070.003 | Indicator Removal on Host: Clear Command History | 11 | Prevent Powershell History Logging | 2f898b81-3e97-4abb-bc3f-a95138988370 | powershell |
| 165 | defense-evasion | T1070.003 | Indicator Removal on Host: Clear Command History | 12 | Clear Powershell History by Deleting History File | da75ae8d-26d6-4483-b0fe-700e4df4f037 | powershell |
| 166 | defense-evasion | T1070.003 | Indicator Removal on Host: Clear Command History | 13 | Set Custom AddToHistoryHandler to Avoid History File Logging | 1d0d9aa6-6111-4f89-927b-53e8afae7f94 | powershell |
| 167 | defense-evasion | T1070.003 | Indicator Removal on Host: Clear Command History | 14 | Clear PowerShell Session History | 22c779cd-9445-4d3e-a136-f75adbf0315f | powershell |
| 168 | defense-evasion | T1202 | Indirect Command Execution | 1 | Indirect Command Execution - pcalua.exe | cecfea7a-5f03-4cdd-8bc8-6f7c22862440 | command_prompt |
| 169 | defense-evasion | T1202 | Indirect Command Execution | 2 | Indirect Command Execution - forfiles.exe | 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc | command_prompt |
| 170 | defense-evasion | T1202 | Indirect Command Execution | 3 | Indirect Command Execution - conhost.exe | cf3391e0-b482-4b02-87fc-ca8362269b29 | command_prompt |
| 171 | defense-evasion | T1202 | Indirect Command Execution | 4 | Indirect Command Execution - Scriptrunner.exe | 0fd14730-6226-4f5e-8d67-43c65f1be940 | powershell |
| 172 | defense-evasion | T1202 | Indirect Command Execution | 5 | Indirect Command Execution - RunMRU Dialog | de323a93-2f18-4bd5-ba60-d6fca6aeff76 | powershell |
| 173 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 1 | Deobfuscate/Decode Files Or Information | dc6fe391-69e6-4506-bd06-ea5eeb4082f8 | command_prompt |
| 174 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 2 | Certutil Rename and Decode | 71abc534-3c05-4d0c-80f7-cbe93cb2aa94 | command_prompt |
| 175 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 3 | Base64 decoding with Python | 356dc0e8-684f-4428-bb94-9313998ad608 | sh |
| 176 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 4 | Base64 decoding with Perl | 6604d964-b9f6-4d4b-8ce8-499829a14d0a | sh |
| 177 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 5 | Base64 decoding with shell utilities | b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e | sh |
| 178 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 6 | Base64 decoding with shell utilities (freebsd) | b6097712-c42e-4174-b8f2-4b1e1a5bbb3d | sh |
| 179 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 7 | FreeBSD b64encode Shebang in CLI | 18ee2002-66e8-4518-87c5-c0ec9c8299ac | sh |
| 180 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 8 | Hex decoding with shell utilities | 005943f9-8dd5-4349-8b46-0313c0a9f973 | sh |
| 181 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 9 | Linux Base64 Encoded Shebang in CLI | 3a15c372-67c1-4430-ac8e-ec06d641ce4d | sh |
| 182 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 10 | XOR decoding and command execution using Python | c3b65cd5-ee51-4e98-b6a3-6cbdec138efc | bash |
| 183 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 11 | Expand CAB with expand.exe | 9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11 | command_prompt |
| 184 | defense-evasion | T1562 | Impair Defenses | 1 | Windows Disable LSA Protection | 40075d5f-3a70-4c66-9125-f72bee87247d | command_prompt |
| 185 | defense-evasion | T1562 | Impair Defenses | 2 | Disable journal logging via systemctl utility | c3a377f9-1203-4454-aa35-9d391d34768f | sh |
| 186 | defense-evasion | T1562 | Impair Defenses | 3 | Disable journal logging via sed utility | 12e5551c-8d5c-408e-b3e4-63f53b03379f | sh |
| 187 | defense-evasion | T1055.003 | Thread Execution Hijacking | 1 | Thread Execution Hijacking | 578025d5-faa9-4f6d-8390-aae527d503e1 | powershell |
| 188 | defense-evasion | T1036 | Masquerading | 1 | System File Copied to Unusual Location | 51005ac7-52e2-45e0-bdab-d17c6d4916cd | powershell |
| 189 | defense-evasion | T1036 | Masquerading | 2 | Malware Masquerading and Execution from Zip File | 4449c89b-ec82-43a4-89c1-91e2f1abeecc | powershell |
| 190 | defense-evasion | T1070.008 | Email Collection: Mailbox Manipulation | 1 | Copy and Delete Mailbox Data on Windows | d29f01ea-ac72-4efc-8a15-bea64b77fabf | powershell |
| 191 | defense-evasion | T1070.008 | Email Collection: Mailbox Manipulation | 2 | Copy and Delete Mailbox Data on Linux | 25e2be0e-96f7-4417-bd16-a4a2500e3802 | bash |
| 192 | defense-evasion | T1070.008 | Email Collection: Mailbox Manipulation | 3 | Copy and Delete Mailbox Data on macOS | 3824130e-a6e4-4528-8091-3a52eeb540f6 | bash |
| 193 | defense-evasion | T1070.008 | Email Collection: Mailbox Manipulation | 4 | Copy and Modify Mailbox Data on Windows | edddff85-fee0-499d-9501-7d4d2892e79b | powershell |
| 194 | defense-evasion | T1070.008 | Email Collection: Mailbox Manipulation | 5 | Copy and Modify Mailbox Data on Linux | 6d99f93c-da56-49e3-b195-163090ace4f6 | bash |
| 195 | defense-evasion | T1070.008 | Email Collection: Mailbox Manipulation | 6 | Copy and Modify Mailbox Data on macOS | 8a0b1579-5a36-483a-9cde-0236983e1665 | bash |
| 196 | defense-evasion | T1055 | Process Injection | 1 | Shellcode execution via VBA | 1c91e740-1729-4329-b779-feba6e71d048 | powershell |
| 197 | defense-evasion | T1055 | Process Injection | 2 | Remote Process Injection in LSASS via mimikatz | 3203ad24-168e-4bec-be36-f79b13ef8a83 | command_prompt |
| 198 | defense-evasion | T1055 | Process Injection | 3 | Section View Injection | c6952f41-6cf0-450a-b352-2ca8dae7c178 | powershell |
| 199 | defense-evasion | T1055 | Process Injection | 4 | Dirty Vanity process Injection | 49543237-25db-497b-90df-d0a0a6e8fe2c | powershell |
| 200 | defense-evasion | T1055 | Process Injection | 5 | Read-Write-Execute process Injection | 0128e48e-8c1a-433a-a11a-a5387384f1e1 | powershell |
| 201 | defense-evasion | T1055 | Process Injection | 6 | Process Injection with Go using UuidFromStringA WinAPI | 2315ce15-38b6-46ac-a3eb-5e21abef2545 | powershell |
| 202 | defense-evasion | T1055 | Process Injection | 7 | Process Injection with Go using EtwpCreateEtwThread WinAPI | 7362ecef-6461-402e-8716-7410e1566400 | powershell |
| 203 | defense-evasion | T1055 | Process Injection | 8 | Remote Process Injection with Go using RtlCreateUserThread WinAPI | a0c1725f-abcd-40d6-baac-020f3cf94ecd | powershell |
| 204 | defense-evasion | T1055 | Process Injection | 9 | Remote Process Injection with Go using CreateRemoteThread WinAPI | 69534efc-d5f5-4550-89e6-12c6457b9edd | powershell |
| 205 | defense-evasion | T1055 | Process Injection | 10 | Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively) | 2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39 | powershell |
| 206 | defense-evasion | T1055 | Process Injection | 11 | Process Injection with Go using CreateThread WinAPI | 2871ed59-3837-4a52-9107-99500ebc87cb | powershell |
| 207 | defense-evasion | T1055 | Process Injection | 12 | Process Injection with Go using CreateThread WinAPI (Natively) | 2a3c7035-d14f-467a-af94-933e49fe6786 | powershell |
| 208 | defense-evasion | T1055 | Process Injection | 13 | UUID custom process Injection | 0128e48e-8c1a-433a-a11a-a5304734f1e1 | powershell |
| 209 | defense-evasion | T1218 | Signed Binary Proxy Execution | 1 | mavinject - Inject DLL into running process | c426dacf-575d-4937-8611-a148a86a5e61 | command_prompt |
| 210 | defense-evasion | T1218 | Signed Binary Proxy Execution | 2 | Register-CimProvider - Execute evil dll | ad2c17ed-f626-4061-b21e-b9804a6f3655 | command_prompt |
| 211 | defense-evasion | T1218 | Signed Binary Proxy Execution | 3 | InfDefaultInstall.exe .inf Execution | 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef | command_prompt |
| 212 | defense-evasion | T1218 | Signed Binary Proxy Execution | 4 | ProtocolHandler.exe Downloaded a Suspicious File | db020456-125b-4c8b-a4a7-487df8afb5a2 | command_prompt |
| 213 | defense-evasion | T1218 | Signed Binary Proxy Execution | 5 | Microsoft.Workflow.Compiler.exe Payload Execution | 7cbb0f26-a4c1-4f77-b180-a009aa05637e | powershell |
| 214 | defense-evasion | T1218 | Signed Binary Proxy Execution | 6 | Renamed Microsoft.Workflow.Compiler.exe Payload Executions | 4cc40fd7-87b8-4b16-b2d7-57534b86b911 | powershell |
| 215 | defense-evasion | T1218 | Signed Binary Proxy Execution | 7 | Invoke-ATHRemoteFXvGPUDisablementCommand base test | 9ebe7901-7edf-45c0-b5c7-8366300919db | powershell |
| 216 | defense-evasion | T1218 | Signed Binary Proxy Execution | 8 | DiskShadow Command Execution | 0e1483ba-8f0c-425d-b8c6-42736e058eaa | powershell |
| 217 | defense-evasion | T1218 | Signed Binary Proxy Execution | 9 | Load Arbitrary DLL via Wuauclt (Windows Update Client) | 49fbd548-49e9-4bb7-94a6-3769613912b8 | command_prompt |
| 218 | defense-evasion | T1218 | Signed Binary Proxy Execution | 10 | Lolbin Gpscript logon option | 5bcda9cd-8e85-48fa-861d-b5a85d91d48c | command_prompt |
| 219 | defense-evasion | T1218 | Signed Binary Proxy Execution | 11 | Lolbin Gpscript startup option | f8da74bb-21b8-4af9-8d84-f2c8e4a220e3 | command_prompt |
| 220 | defense-evasion | T1218 | Signed Binary Proxy Execution | 12 | Lolbas ie4uinit.exe use as proxy | 13c0804e-615e-43ad-b223-2dfbacd0b0b3 | command_prompt |
| 221 | defense-evasion | T1218 | Signed Binary Proxy Execution | 13 | LOLBAS CustomShellHost to Spawn Process | b1eeb683-90bb-4365-bbc2-2689015782fe | powershell |
| 222 | defense-evasion | T1218 | Signed Binary Proxy Execution | 14 | Provlaunch.exe Executes Arbitrary Command via Registry Key | ab76e34f-28bf-441f-a39c-8db4835b89cc | command_prompt |
| 223 | defense-evasion | T1218 | Signed Binary Proxy Execution | 15 | LOLBAS Msedge to Spawn Process | e5eedaed-ad42-4c1e-8783-19529738a349 | powershell |
| 224 | defense-evasion | T1218 | Signed Binary Proxy Execution | 16 | System Binary Proxy Execution - Wlrmdr Lolbin | 7816c252-b728-4ea6-a683-bd9441ca0b71 | powershell |
| 225 | defense-evasion | T1070.006 | Indicator Removal on Host: Timestomp | 1 | Set a file's access timestamp | 5f9113d5-ed75-47ed-ba23-ea3573d05810 | sh |
| 226 | defense-evasion | T1070.006 | Indicator Removal on Host: Timestomp | 2 | Set a file's modification timestamp | 20ef1523-8758-4898-b5a2-d026cc3d2c52 | sh |
| 227 | defense-evasion | T1070.006 | Indicator Removal on Host: Timestomp | 3 | Set a file's creation timestamp | 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b | sh |
| 228 | defense-evasion | T1070.006 | Indicator Removal on Host: Timestomp | 4 | Modify file timestamps using reference file | 631ea661-d661-44b0-abdb-7a7f3fc08e50 | sh |
| 229 | defense-evasion | T1070.006 | Indicator Removal on Host: Timestomp | 5 | Windows - Modify file creation timestamp with PowerShell | b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c | powershell |
| 230 | defense-evasion | T1070.006 | Indicator Removal on Host: Timestomp | 6 | Windows - Modify file last modified timestamp with PowerShell | f8f6634d-93e1-4238-8510-f8a90a20dcf2 | powershell |
| 231 | defense-evasion | T1070.006 | Indicator Removal on Host: Timestomp | 7 | Windows - Modify file last access timestamp with PowerShell | da627f63-b9bd-4431-b6f8-c5b44d061a62 | powershell |
| 232 | defense-evasion | T1070.006 | Indicator Removal on Host: Timestomp | 8 | Windows - Timestomp a File | d7512c33-3a75-4806-9893-69abc3ccdd43 | powershell |
| 233 | defense-evasion | T1070.006 | Indicator Removal on Host: Timestomp | 9 | MacOS - Timestomp Date Modified | 87fffff4-d371-4057-a539-e3b24c37e564 | sh |
| 234 | defense-evasion | T1070.006 | Indicator Removal on Host: Timestomp | 10 | Event Log Manipulations- Time slipping via Powershell | 7bcf83bf-f5ef-425c-9d9a-71618ad9ed12 | powershell |
| 235 | defense-evasion | T1620 | Reflective Code Loading | 1 | WinPwn - Reflectively load Mimik@tz into memory | 56b9589c-9170-4682-8c3d-33b86ecb5119 | powershell |
| 236 | defense-evasion | T1497.003 | Time Based Evasion | 1 | Delay execution with ping | 8b87dd03-8204-478c-bac3-3959f6528de3 | sh |
| 237 | defense-evasion | T1218.003 | Signed Binary Proxy Execution: CMSTP | 1 | CMSTP Executing Remote Scriptlet | 34e63321-9683-496b-bbc1-7566bc55e624 | command_prompt |
| 238 | defense-evasion | T1218.003 | Signed Binary Proxy Execution: CMSTP | 2 | CMSTP Executing UAC Bypass | 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0 | command_prompt |
| 239 | defense-evasion | T1562.002 | Impair Defenses: Disable Windows Event Logging | 1 | Disable Windows IIS HTTP Logging | 69435dcf-c66f-4ec0-a8b1-82beb76b34db | powershell |
| 240 | defense-evasion | T1562.002 | Impair Defenses: Disable Windows Event Logging | 2 | Disable Windows IIS HTTP Logging via PowerShell | a957fb0f-1e85-49b2-a211-413366784b1e | powershell |
| 241 | defense-evasion | T1562.002 | Impair Defenses: Disable Windows Event Logging | 3 | Kill Event Log Service Threads | 41ac52ba-5d5e-40c0-b267-573ed90489bd | powershell |
| 242 | defense-evasion | T1562.002 | Impair Defenses: Disable Windows Event Logging | 4 | Impair Windows Audit Log Policy | 5102a3a7-e2d7-4129-9e45-f483f2e0eea8 | command_prompt |
| 243 | defense-evasion | T1562.002 | Impair Defenses: Disable Windows Event Logging | 5 | Clear Windows Audit Policy Config | 913c0e4e-4b37-4b78-ad0b-90e7b25010f6 | command_prompt |
| 244 | defense-evasion | T1562.002 | Impair Defenses: Disable Windows Event Logging | 6 | Disable Event Logging with wevtutil | b26a3340-dad7-4360-9176-706269c74103 | command_prompt |
| 245 | defense-evasion | T1562.002 | Impair Defenses: Disable Windows Event Logging | 7 | Makes Eventlog blind with Phant0m | 3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741 | command_prompt |
| 246 | defense-evasion | T1562.002 | Impair Defenses: Disable Windows Event Logging | 8 | Modify Event Log Channel Access Permissions via Registry - PowerShell | 8e81d090-0cd6-4d46-863c-eec11311298f | powershell |
| 247 | defense-evasion | T1562.002 | Impair Defenses: Disable Windows Event Logging | 9 | Modify Event Log Channel Access Permissions via Registry 2 - PowerShell | 85e6eff8-3ed4-4e03-ae50-aa6a404898a5 | powershell |
| 248 | defense-evasion | T1562.002 | Impair Defenses: Disable Windows Event Logging | 10 | Modify Event Log Access Permissions via Registry - PowerShell | a0cb81f8-44d0-4ac4-a8f3-c5c7f43a12c1 | powershell |
| 249 | defense-evasion | T1218.002 | Signed Binary Proxy Execution: Control Panel | 1 | Control Panel Items | 037e9d8a-9e46-4255-8b33-2ae3b545ca6f | command_prompt |
| 250 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 1 | Disable Microsoft Defender Firewall | 88d05800-a5e4-407e-9b53-ece4174f197f | command_prompt |
| 251 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 2 | Disable Microsoft Defender Firewall via Registry | afedc8c4-038c-4d82-b3e5-623a95f8a612 | command_prompt |
| 252 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 3 | Allow SMB and RDP on Microsoft Defender Firewall | d9841bf8-f161-4c73-81e9-fd773a5ff8c1 | command_prompt |
| 253 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 4 | Opening ports for proxy - HARDRAIN | 15e57006-79dd-46df-9bf9-31bc24fb5a80 | command_prompt |
| 254 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 5 | Open a local port through Windows Firewall to any profile | 9636dd6e-7599-40d2-8eee-ac16434f35ed | powershell |
| 255 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 6 | Allow Executable Through Firewall Located in Non-Standard Location | 6f5822d2-d38d-4f48-9bfc-916607ff6b8c | powershell |
| 256 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 7 | Stop/Start UFW firewall | fe135572-edcd-49a2-afe6-1d39521c5a9a | sh |
| 257 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 8 | Stop/Start Packet Filter | 0ca82ed1-0a94-4774-9a9a-a2c83a8022b7 | sh |
| 258 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 9 | Stop/Start UFW firewall systemctl | 9fd99609-1854-4f3c-b47b-97d9a5972bd1 | sh |
| 259 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 10 | Turn off UFW logging | 8a95b832-2c2a-494d-9cb0-dc9dd97c8bad | sh |
| 260 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 11 | Add and delete UFW firewall rules | b2563a4e-c4b8-429c-8d47-d5bcb227ba7a | sh |
| 261 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 12 | Add and delete Packet Filter rules | 8b23cae1-66c1-41c5-b79d-e095b6098b5b | sh |
| 262 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 13 | Edit UFW firewall user.rules file | beaf815a-c883-4194-97e9-fdbbb2bbdd7c | sh |
| 263 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 14 | Edit UFW firewall ufw.conf file | c1d8c4eb-88da-4927-ae97-c7c25893803b | sh |
| 264 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 15 | Edit UFW firewall sysctl.conf file | c4ae0701-88d3-4cd8-8bce-4801ed9f97e4 | sh |
| 265 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 16 | Edit UFW firewall main configuration file | 7b697ece-8270-46b5-bbc7-6b9e27081831 | sh |
| 266 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 17 | Tail the UFW firewall log file | 419cca0c-fa52-4572-b0d7-bc7c6f388a27 | sh |
| 267 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 18 | Disable iptables | 7784c64e-ed0b-4b65-bf63-c86db229fd56 | sh |
| 268 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 19 | Modify/delete iptables firewall rules | 899a7fb5-d197-4951-8614-f19ac4a73ad4 | sh |
| 269 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 20 | LockBit Black - Unusual Windows firewall registry modification -cmd | a4651931-ebbb-4cde-9363-ddf3d66214cb | command_prompt |
| 270 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 21 | LockBit Black - Unusual Windows firewall registry modification -Powershell | 80b453d1-eec5-4144-bf08-613a6c3ffe12 | powershell |
| 271 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 22 | Blackbit - Disable Windows Firewall using netsh firewall | 91f348e6-3760-4997-a93b-2ceee7f254ee | command_prompt |
| 272 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 23 | ESXi - Disable Firewall via Esxcli | bac8a340-be64-4491-a0cc-0985cb227f5a | command_prompt |
| 273 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 24 | Set a firewall rule using New-NetFirewallRule | 94be7646-25f6-467e-af23-585fb13000c8 | powershell |
| 274 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 25 | ESXi - Set Firewall to PASS Traffic | a67e8aea-ea7c-4c3b-9b1b-8c2957c3091d | command_prompt |
| 275 | defense-evasion | T1553.003 | Subvert Trust Controls: SIP and Trust Provider Hijacking | 1 | SIP (Subject Interface Package) Hijacking via Custom DLL | e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675 | command_prompt |
| 276 | defense-evasion | T1562.012 | Impair Defenses: Disable or Modify Linux Audit System | 1 | Delete all auditd rules using auditctl | 33a29ab1-cabb-407f-9448-269041bf2856 | sh |
| 277 | defense-evasion | T1562.012 | Impair Defenses: Disable or Modify Linux Audit System | 2 | Disable auditd using auditctl | 7906f0a6-b527-46ee-9026-6e81a9184e08 | sh |
| 278 | defense-evasion | T1207 | Rogue Domain Controller | 1 | DCShadow (Active Directory) | 0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6 | powershell |
| 279 | defense-evasion | T1553.006 | Subvert Trust Controls: Code Signing Policy Modification | 1 | Code Signing Policy Modification | bb6b51e1-ab92-45b5-aeea-e410d06405f8 | command_prompt |
| 280 | defense-evasion | T1610 | Deploy a container | 1 | Deploy Docker container | 59aa6f26-7620-417e-9318-589e0fb7a372 | bash |
| 281 | defense-evasion | T1112 | Modify Registry | 1 | Modify Registry of Current User Profile - cmd | 1324796b-d0f6-455a-b4ae-21ffee6aa6b9 | command_prompt |
| 282 | defense-evasion | T1112 | Modify Registry | 2 | Modify Registry of Local Machine - cmd | 282f929a-6bc5-42b8-bd93-960c3ba35afe | command_prompt |
| 283 | defense-evasion | T1112 | Modify Registry | 3 | Modify registry to store logon credentials | c0413fb5-33e2-40b7-9b6f-60b29f4a7a18 | command_prompt |
| 284 | defense-evasion | T1112 | Modify Registry | 4 | Use Powershell to Modify registry to store logon credentials | 68254a85-aa42-4312-a695-38b7276307f8 | powershell |
| 285 | defense-evasion | T1112 | Modify Registry | 5 | Add domain to Trusted sites Zone | cf447677-5a4e-4937-a82c-e47d254afd57 | powershell |
| 286 | defense-evasion | T1112 | Modify Registry | 6 | Javascript in registry | 15f44ea9-4571-4837-be9e-802431a7bfae | powershell |
| 287 | defense-evasion | T1112 | Modify Registry | 7 | Change Powershell Execution Policy to Bypass | f3a6cceb-06c9-48e5-8df8-8867a6814245 | powershell |
| 288 | defense-evasion | T1112 | Modify Registry | 8 | BlackByte Ransomware Registry Changes - CMD | 4f4e2f9f-6209-4fcf-9b15-3b7455706f5b | command_prompt |
| 289 | defense-evasion | T1112 | Modify Registry | 9 | BlackByte Ransomware Registry Changes - Powershell | 0b79c06f-c788-44a2-8630-d69051f1123d | powershell |
| 290 | defense-evasion | T1112 | Modify Registry | 10 | Disable Windows Registry Tool | ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8 | command_prompt |
| 291 | defense-evasion | T1112 | Modify Registry | 11 | Disable Windows CMD application | d2561a6d-72bd-408c-b150-13efe1801c2a | powershell |
| 292 | defense-evasion | T1112 | Modify Registry | 12 | Disable Windows Task Manager application | af254e70-dd0e-4de6-9afe-a994d9ea8b62 | command_prompt |
| 293 | defense-evasion | T1112 | Modify Registry | 13 | Disable Windows Notification Center | c0d6d67f-1f63-42cc-95c0-5fd6b20082ad | command_prompt |
| 294 | defense-evasion | T1112 | Modify Registry | 14 | Disable Windows Shutdown Button | 6e0d1131-2d7e-4905-8ca5-d6172f05d03d | command_prompt |
| 295 | defense-evasion | T1112 | Modify Registry | 15 | Disable Windows LogOff Button | e246578a-c24d-46a7-9237-0213ff86fb0c | command_prompt |
| 296 | defense-evasion | T1112 | Modify Registry | 16 | Disable Windows Change Password Feature | d4a6da40-618f-454d-9a9e-26af552aaeb0 | command_prompt |
| 297 | defense-evasion | T1112 | Modify Registry | 17 | Disable Windows Lock Workstation Feature | 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56 | command_prompt |
| 298 | defense-evasion | T1112 | Modify Registry | 18 | Activate Windows NoDesktop Group Policy Feature | 93386d41-525c-4a1b-8235-134a628dee17 | command_prompt |
| 299 | defense-evasion | T1112 | Modify Registry | 19 | Activate Windows NoRun Group Policy Feature | d49ff3cc-8168-4123-b5b3-f057d9abbd55 | command_prompt |
| 300 | defense-evasion | T1112 | Modify Registry | 20 | Activate Windows NoFind Group Policy Feature | ffbb407e-7f1d-4c95-b22e-548169db1fbd | command_prompt |
| 301 | defense-evasion | T1112 | Modify Registry | 21 | Activate Windows NoControlPanel Group Policy Feature | a450e469-ba54-4de1-9deb-9023a6111690 | command_prompt |
| 302 | defense-evasion | T1112 | Modify Registry | 22 | Activate Windows NoFileMenu Group Policy Feature | 5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4 | command_prompt |
| 303 | defense-evasion | T1112 | Modify Registry | 23 | Activate Windows NoClose Group Policy Feature | 12f50e15-dbc6-478b-a801-a746e8ba1723 | command_prompt |
| 304 | defense-evasion | T1112 | Modify Registry | 24 | Activate Windows NoSetTaskbar Group Policy Feature | d29b7faf-7355-4036-9ed3-719bd17951ed | command_prompt |
| 305 | defense-evasion | T1112 | Modify Registry | 25 | Activate Windows NoTrayContextMenu Group Policy Feature | 4d72d4b1-fa7b-4374-b423-0fe326da49d2 | command_prompt |
| 306 | defense-evasion | T1112 | Modify Registry | 26 | Activate Windows NoPropertiesMyDocuments Group Policy Feature | 20fc9daa-bd48-4325-9aff-81b967a84b1d | command_prompt |
| 307 | defense-evasion | T1112 | Modify Registry | 27 | Hide Windows Clock Group Policy Feature | 8023db1e-ad06-4966-934b-b6a0ae52689e | command_prompt |
| 308 | defense-evasion | T1112 | Modify Registry | 28 | Windows HideSCAHealth Group Policy Feature | a4637291-40b1-4a96-8c82-b28f1d73e54e | command_prompt |
| 309 | defense-evasion | T1112 | Modify Registry | 29 | Windows HideSCANetwork Group Policy Feature | 3e757ce7-eca0-411a-9583-1c33b8508d52 | command_prompt |
| 310 | defense-evasion | T1112 | Modify Registry | 30 | Windows HideSCAPower Group Policy Feature | 8d85a5d8-702f-436f-bc78-fcd9119496fc | command_prompt |
| 311 | defense-evasion | T1112 | Modify Registry | 31 | Windows HideSCAVolume Group Policy Feature | 7f037590-b4c6-4f13-b3cc-e424c5ab8ade | command_prompt |
| 312 | defense-evasion | T1112 | Modify Registry | 32 | Windows Modify Show Compress Color And Info Tip Registry | 795d3248-0394-4d4d-8e86-4e8df2a2693f | command_prompt |
| 313 | defense-evasion | T1112 | Modify Registry | 33 | Windows Powershell Logging Disabled | 95b25212-91a7-42ff-9613-124aca6845a8 | command_prompt |
| 314 | defense-evasion | T1112 | Modify Registry | 34 | Windows Add Registry Value to Load Service in Safe Mode without Network | 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5 | command_prompt |
| 315 | defense-evasion | T1112 | Modify Registry | 35 | Windows Add Registry Value to Load Service in Safe Mode with Network | c173c948-65e5-499c-afbe-433722ed5bd4 | command_prompt |
| 316 | defense-evasion | T1112 | Modify Registry | 36 | Disable Windows Toast Notifications | 003f466a-6010-4b15-803a-cbb478a314d7 | command_prompt |
| 317 | defense-evasion | T1112 | Modify Registry | 37 | Disable Windows Security Center Notifications | 45914594-8df6-4ea9-b3cc-7eb9321a807e | command_prompt |
| 318 | defense-evasion | T1112 | Modify Registry | 38 | Suppress Win Defender Notifications | c30dada3-7777-4590-b970-dc890b8cf113 | command_prompt |
| 319 | defense-evasion | T1112 | Modify Registry | 39 | Allow RDP Remote Assistance Feature | 86677d0e-0b5e-4a2b-b302-454175f9aa9e | command_prompt |
| 320 | defense-evasion | T1112 | Modify Registry | 40 | NetWire RAT Registry Key Creation | 65704cd4-6e36-4b90-b6c1-dc29a82c8e56 | command_prompt |
| 321 | defense-evasion | T1112 | Modify Registry | 41 | Ursnif Malware Registry Key Creation | c375558d-7c25-45e9-bd64-7b23a97c1db0 | command_prompt |
| 322 | defense-evasion | T1112 | Modify Registry | 42 | Terminal Server Client Connection History Cleared | 3448824b-3c35-4a9e-a8f5-f887f68bea21 | command_prompt |
| 323 | defense-evasion | T1112 | Modify Registry | 43 | Disable Windows Error Reporting Settings | d2c9e41e-cd86-473d-980d-b6403562e3e1 | command_prompt |
| 324 | defense-evasion | T1112 | Modify Registry | 44 | DisallowRun Execution Of Certain Applications | 71db768a-5a9c-4047-b5e7-59e01f188e84 | command_prompt |
| 325 | defense-evasion | T1112 | Modify Registry | 45 | Enabling Restricted Admin Mode via Command_Prompt | fe7974e5-5813-477b-a7bd-311d4f535e83 | command_prompt |
| 326 | defense-evasion | T1112 | Modify Registry | 46 | Mimic Ransomware - Enable Multiple User Sessions | 39f1f378-ba8a-42b3-96dc-2a6540cfc1e3 | command_prompt |
| 327 | defense-evasion | T1112 | Modify Registry | 47 | Mimic Ransomware - Allow Multiple RDP Sessions per User | 35727d9e-7a7f-4d0c-a259-dc3906d6e8b9 | command_prompt |
| 328 | defense-evasion | T1112 | Modify Registry | 48 | Event Viewer Registry Modification - Redirection URL | 6174be7f-5153-4afd-92c5-e0c3b7cdb5ae | command_prompt |
| 329 | defense-evasion | T1112 | Modify Registry | 49 | Event Viewer Registry Modification - Redirection Program | 81483501-b8a5-4225-8b32-52128e2f69db | command_prompt |
| 330 | defense-evasion | T1112 | Modify Registry | 50 | Enabling Remote Desktop Protocol via Remote Registry | e3ad8e83-3089-49ff-817f-e52f8c948090 | command_prompt |
| 331 | defense-evasion | T1112 | Modify Registry | 51 | Disable Win Defender Notification | 12e03af7-79f9-4f95-af48-d3f12f28a260 | command_prompt |
| 332 | defense-evasion | T1112 | Modify Registry | 52 | Disable Windows OS Auto Update | 01b20ca8-c7a3-4d86-af59-059f15ed5474 | command_prompt |
| 333 | defense-evasion | T1112 | Modify Registry | 53 | Disable Windows Auto Reboot for current logon user | 396f997b-c5f8-4a96-bb2c-3c8795cf459d | command_prompt |
| 334 | defense-evasion | T1112 | Modify Registry | 54 | Windows Auto Update Option to Notify before download | 335a6b15-b8d2-4a3f-a973-ad69aa2620d7 | command_prompt |
| 335 | defense-evasion | T1112 | Modify Registry | 55 | Do Not Connect To Win Update | d1de3767-99c2-4c6c-8c5a-4ba4586474c8 | command_prompt |
| 336 | defense-evasion | T1112 | Modify Registry | 56 | Tamper Win Defender Protection | 3b625eaa-c10d-4635-af96-3eae7d2a2f3c | command_prompt |
| 337 | defense-evasion | T1112 | Modify Registry | 57 | Snake Malware Registry Blob | 8318ad20-0488-4a64-98f4-72525a012f6b | powershell |
| 338 | defense-evasion | T1112 | Modify Registry | 58 | Allow Simultaneous Download Registry | 37950714-e923-4f92-8c7c-51e4b6fffbf6 | command_prompt |
| 339 | defense-evasion | T1112 | Modify Registry | 59 | Modify Internet Zone Protocol Defaults in Current User Registry - cmd | c88ef166-50fa-40d5-a80c-e2b87d4180f7 | command_prompt |
| 340 | defense-evasion | T1112 | Modify Registry | 60 | Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell | b1a4d687-ba52-4057-81ab-757c3dc0d3b5 | powershell |
| 341 | defense-evasion | T1112 | Modify Registry | 61 | Activities To Disable Secondary Authentication Detected By Modified Registry Value. | c26fb85a-fa50-4fab-a64a-c51f5dc538d5 | command_prompt |
| 342 | defense-evasion | T1112 | Modify Registry | 62 | Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. | ffeddced-bb9f-49c6-97f0-3d07a509bf94 | command_prompt |
| 343 | defense-evasion | T1112 | Modify Registry | 63 | Scarab Ransomware Defense Evasion Activities | ca8ba39c-3c5a-459f-8e15-280aec65a910 | command_prompt |
| 344 | defense-evasion | T1112 | Modify Registry | 64 | Disable Remote Desktop Anti-Alias Setting Through Registry | 61d35188-f113-4334-8245-8c6556d43909 | command_prompt |
| 345 | defense-evasion | T1112 | Modify Registry | 65 | Disable Remote Desktop Security Settings Through Registry | 4b81bcfa-fb0a-45e9-90c2-e3efe5160140 | command_prompt |
| 346 | defense-evasion | T1112 | Modify Registry | 66 | Disabling ShowUI Settings of Windows Error Reporting (WER) | 09147b61-40f6-4b2a-b6fb-9e73a3437c96 | command_prompt |
| 347 | defense-evasion | T1112 | Modify Registry | 67 | Enable Proxy Settings | eb0ba433-63e5-4a8c-a9f0-27c4192e1336 | command_prompt |
| 348 | defense-evasion | T1112 | Modify Registry | 68 | Set-Up Proxy Server | d88a3d3b-d016-4939-a745-03638aafd21b | command_prompt |
| 349 | defense-evasion | T1112 | Modify Registry | 69 | RDP Authentication Level Override | 7e7b62e9-5f83-477d-8935-48600f38a3c6 | command_prompt |
| 350 | defense-evasion | T1112 | Modify Registry | 70 | Enable RDP via Registry (fDenyTSConnections) | 16bdbe52-371c-4ccf-b708-79fba61f1db4 | command_prompt |
| 351 | defense-evasion | T1112 | Modify Registry | 71 | Disable Windows Prefetch Through Registry | 7979dd41-2045-48b2-a54e-b1bc2415c9da | command_prompt |
| 352 | defense-evasion | T1112 | Modify Registry | 72 | Setting Shadow key in Registry for RDP Shadowing | ac494fe5-81a4-4897-af42-e774cf005ecb | powershell |
| 353 | defense-evasion | T1112 | Modify Registry | 73 | Flush Shimcache | ecbd533e-b45d-4239-aeff-b857c6f6d68b | command_prompt |
| 354 | defense-evasion | T1112 | Modify Registry | 74 | Disable Windows Remote Desktop Protocol | 5f8e36de-37ca-455e-b054-a2584f043c06 | command_prompt |
| 355 | defense-evasion | T1112 | Modify Registry | 75 | Enforce Smart Card Authentication Through Registry | 4c4bf587-fe7f-448f-ba8d-1ecec9db88be | command_prompt |
| 356 | defense-evasion | T1112 | Modify Registry | 76 | Requires the BitLocker PIN for Pre-boot authentication | 26fc7375-a551-4336-90d7-3f2817564304 | command_prompt |
| 357 | defense-evasion | T1112 | Modify Registry | 77 | Modify EnableBDEWithNoTPM Registry entry | bacb3e73-8161-43a9-8204-a69fe0e4b482 | command_prompt |
| 358 | defense-evasion | T1112 | Modify Registry | 78 | Modify UseTPM Registry entry | 7c8c7bd8-0a5c-4514-a6a3-0814c5a98cf0 | command_prompt |
| 359 | defense-evasion | T1112 | Modify Registry | 79 | Modify UseTPMPIN Registry entry | 10b33fb0-c58b-44cd-8599-b6da5ad6384c | command_prompt |
| 360 | defense-evasion | T1112 | Modify Registry | 80 | Modify UseTPMKey Registry entry | c8480c83-a932-446e-a919-06a1fd1e512a | command_prompt |
| 361 | defense-evasion | T1112 | Modify Registry | 81 | Modify UseTPMKeyPIN Registry entry | 02d8b9f7-1a51-4011-8901-2d55cca667f9 | command_prompt |
| 362 | defense-evasion | T1112 | Modify Registry | 82 | Modify EnableNonTPM Registry entry | e672a340-a933-447c-954c-d68db38a09b1 | command_prompt |
| 363 | defense-evasion | T1112 | Modify Registry | 83 | Modify UsePartialEncryptionKey Registry entry | b5169fd5-85c8-4b2c-a9b6-64cc0b9febef | command_prompt |
| 364 | defense-evasion | T1112 | Modify Registry | 84 | Modify UsePIN Registry entry | 3ac0b30f-532f-43c6-8f01-fb657aaed7e4 | command_prompt |
| 365 | defense-evasion | T1112 | Modify Registry | 85 | Abusing Windows TelemetryController Registry Key for Persistence | 4469192c-2d2d-4a3a-9758-1f31d937a92b | command_prompt |
| 366 | defense-evasion | T1112 | Modify Registry | 86 | Modify RDP-Tcp Initial Program Registry Entry | c691cee2-8d17-4395-b22f-00644c7f1c2d | command_prompt |
| 367 | defense-evasion | T1112 | Modify Registry | 87 | Abusing MyComputer Disk Cleanup Path for Persistence | f2915249-4485-42e2-96b7-9bf34328d497 | command_prompt |
| 368 | defense-evasion | T1112 | Modify Registry | 88 | Abusing MyComputer Disk Fragmentation Path for Persistence | 3235aafe-b49d-451b-a1f1-d979fa65ddaf | command_prompt |
| 369 | defense-evasion | T1112 | Modify Registry | 89 | Abusing MyComputer Disk Backup Path for Persistence | 599f3b5c-0323-44ed-bb63-4551623bf675 | command_prompt |
| 370 | defense-evasion | T1112 | Modify Registry | 90 | Adding custom paths for application execution | 573d15da-c34e-4c59-a7d2-18f20d92dfa3 | command_prompt |
| 371 | defense-evasion | T1574.008 | Hijack Execution Flow: Path Interception by Search Order Hijacking | 1 | powerShell Persistence via hijacking default modules - Get-Variable.exe | 1561de08-0b4b-498e-8261-e922f3494aae | powershell |
| 372 | defense-evasion | T1027.001 | Obfuscated Files or Information: Binary Padding | 1 | Pad Binary to Change Hash - Linux/macOS dd | ffe2346c-abd5-4b45-a713-bf5f1ebd573a | sh |
| 373 | defense-evasion | T1027.001 | Obfuscated Files or Information: Binary Padding | 2 | Pad Binary to Change Hash using truncate command - Linux/macOS | e22a9e89-69c7-410f-a473-e6c212cd2292 | sh |
| 374 | defense-evasion | T1484.001 | Domain Policy Modification: Group Policy Modification | 1 | LockBit Black - Modify Group policy settings -cmd | 9ab80952-74ee-43da-a98c-1e740a985f28 | command_prompt |
| 375 | defense-evasion | T1484.001 | Domain Policy Modification: Group Policy Modification | 2 | LockBit Black - Modify Group policy settings -Powershell | b51eae65-5441-4789-b8e8-64783c26c1d1 | powershell |
| 376 | defense-evasion | T1078.001 | Valid Accounts: Default Accounts | 1 | Enable Guest account with RDP capability and admin privileges | 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 | command_prompt |
| 377 | defense-evasion | T1078.001 | Valid Accounts: Default Accounts | 2 | Activate Guest Account | aa6cb8c4-b582-4f8e-b677-37733914abda | command_prompt |
| 378 | defense-evasion | T1078.001 | Valid Accounts: Default Accounts | 3 | Enable Guest Account on macOS | 0315bdff-4178-47e9-81e4-f31a6d23f7e4 | sh |
| 379 | defense-evasion | T1574.006 | Hijack Execution Flow: LD_PRELOAD | 1 | Shared Library Injection via /etc/ld.so.preload | 39cb0e67-dd0d-4b74-a74b-c072db7ae991 | bash |
| 380 | defense-evasion | T1574.006 | Hijack Execution Flow: LD_PRELOAD | 2 | Shared Library Injection via LD_PRELOAD | bc219ff7-789f-4d51-9142-ecae3397deae | bash |
| 381 | defense-evasion | T1574.006 | Hijack Execution Flow: LD_PRELOAD | 3 | Dylib Injection via DYLD_INSERT_LIBRARIES | 4d66029d-7355-43fd-93a4-b63ba92ea1be | bash |
| 382 | defense-evasion | T1070.001 | Indicator Removal on Host: Clear Windows Event Logs | 1 | Clear Logs | e6abb60e-26b8-41da-8aae-0c35174b0967 | command_prompt |
| 383 | defense-evasion | T1070.001 | Indicator Removal on Host: Clear Windows Event Logs | 2 | Delete System Logs Using Clear-EventLog | b13e9306-3351-4b4b-a6e8-477358b0b498 | powershell |
| 384 | defense-evasion | T1070.001 | Indicator Removal on Host: Clear Windows Event Logs | 3 | Clear Event Logs via VBA | 1b682d84-f075-4f93-9a89-8a8de19ffd6e | powershell |
| 385 | defense-evasion | T1222 | File and Directory Permissions Modification | 1 | Enable Local and Remote Symbolic Links via fsutil | 6c4ac96f-d4fa-44f4-83ca-56d8f4a55c02 | command_prompt |
| 386 | defense-evasion | T1222 | File and Directory Permissions Modification | 2 | Enable Local and Remote Symbolic Links via reg.exe | 78bef0d4-57fb-417d-a67a-b75ae02ea3ab | command_prompt |
| 387 | defense-evasion | T1222 | File and Directory Permissions Modification | 3 | Enable Local and Remote Symbolic Links via Powershell | 6cd715aa-20ac-4be1-a8f1-dda7bae160bd | powershell |
| 388 | defense-evasion | T1134.002 | Create Process with Token | 1 | Access Token Manipulation | dbf4f5a9-b8e0-46a3-9841-9ad71247239e | powershell |
| 389 | defense-evasion | T1134.002 | Create Process with Token | 2 | WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique | ccf4ac39-ec93-42be-9035-90e2f26bcd92 | powershell |
| 390 | defense-evasion | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 1 | Make and modify binary from C source | 896dfe97-ae43-4101-8e96-9a7996555d80 | sh |
| 391 | defense-evasion | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 2 | Make and modify binary from C source (freebsd) | dd580455-d84b-481b-b8b0-ac96f3b1dc4c | sh |
| 392 | defense-evasion | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 3 | Set a SetUID flag on file | 759055b3-3885-4582-a8ec-c00c9d64dd79 | sh |
| 393 | defense-evasion | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 4 | Set a SetUID flag on file (freebsd) | 9be9b827-ff47-4e1b-bef8-217db6fb7283 | sh |
| 394 | defense-evasion | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 5 | Set a SetGID flag on file | db55f666-7cba-46c6-9fe6-205a05c3242c | sh |
| 395 | defense-evasion | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 6 | Set a SetGID flag on file (freebsd) | 1f73af33-62a8-4bf1-bd10-3bea931f2c0d | sh |
| 396 | defense-evasion | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 7 | Make and modify capabilities of a binary | db53959c-207d-4000-9e7a-cd8eb417e072 | sh |
| 397 | defense-evasion | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 8 | Provide the SetUID capability to a file | 1ac3272f-9bcf-443a-9888-4b1d3de785c1 | sh |
| 398 | defense-evasion | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 9 | Do reconnaissance for files that have the setuid bit set | 8e36da01-cd29-45fd-be72-8a0fcaad4481 | sh |
| 399 | defense-evasion | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 10 | Do reconnaissance for files that have the setgid bit set | 3fb46e17-f337-4c14-9f9a-a471946533e2 | sh |
| 400 | defense-evasion | T1218.008 | Signed Binary Proxy Execution: Odbcconf | 1 | Odbcconf.exe - Execute Arbitrary DLL | 2430498b-06c0-4b92-a448-8ad263c388e2 | command_prompt |
| 401 | defense-evasion | T1218.008 | Signed Binary Proxy Execution: Odbcconf | 2 | Odbcconf.exe - Load Response File | 331ce274-f9c9-440b-9f8c-a1006e1fce0b | command_prompt |
| 402 | defense-evasion | T1562.006 | Impair Defenses: Indicator Blocking | 1 | Auditing Configuration Changes on Linux Host | 212cfbcf-4770-4980-bc21-303e37abd0e3 | bash |
| 403 | defense-evasion | T1562.006 | Impair Defenses: Indicator Blocking | 2 | Auditing Configuration Changes on FreeBSD Host | cedaf7e7-28ee-42ab-ba13-456abd35d1bd | sh |
| 404 | defense-evasion | T1562.006 | Impair Defenses: Indicator Blocking | 3 | Logging Configuration Changes on Linux Host | 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c | bash |
| 405 | defense-evasion | T1562.006 | Impair Defenses: Indicator Blocking | 4 | Logging Configuration Changes on FreeBSD Host | 6b8ca3ab-5980-4321-80c3-bcd77c8daed8 | sh |
| 406 | defense-evasion | T1562.006 | Impair Defenses: Indicator Blocking | 5 | Disable Powershell ETW Provider - Windows | 6f118276-121d-4c09-bb58-a8fb4a72ee84 | powershell |
| 407 | defense-evasion | T1562.006 | Impair Defenses: Indicator Blocking | 6 | Disable .NET Event Tracing for Windows Via Registry (cmd) | 8a4c33be-a0d3-434a-bee6-315405edbd5b | command_prompt |
| 408 | defense-evasion | T1562.006 | Impair Defenses: Indicator Blocking | 7 | Disable .NET Event Tracing for Windows Via Registry (powershell) | 19c07a45-452d-4620-90ed-4c34fffbe758 | powershell |
| 409 | defense-evasion | T1562.006 | Impair Defenses: Indicator Blocking | 8 | LockBit Black - Disable the ETW Provider of Windows Defender -cmd | f6df0b8e-2c83-44c7-ba5e-0fa4386bec41 | command_prompt |
| 410 | defense-evasion | T1562.006 | Impair Defenses: Indicator Blocking | 9 | LockBit Black - Disable the ETW Provider of Windows Defender -Powershell | 69fc085b-5444-4879-8002-b24c8e1a3e02 | powershell |
| 411 | defense-evasion | T1562.006 | Impair Defenses: Indicator Blocking | 10 | Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd | fdac1f79-b833-4bab-b4a1-11b1ed676a4b | command_prompt |
| 412 | defense-evasion | T1562.006 | Impair Defenses: Indicator Blocking | 11 | Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell | b42c1f8c-399b-47ae-8fd8-763181395fee | powershell |
| 413 | defense-evasion | T1562.006 | Impair Defenses: Indicator Blocking | 12 | Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd | 110b4281-43fe-405f-a184-5d8eaf228ebf | command_prompt |
| 414 | defense-evasion | T1562.006 | Impair Defenses: Indicator Blocking | 13 | Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell | 4d61779d-be7f-425c-b560-0cafb2522911 | powershell |
| 415 | defense-evasion | T1562.006 | Impair Defenses: Indicator Blocking | 14 | Block Cybersecurity communication by leveraging Windows Name Resolution Policy Table | 1174b5df-2c33-490f-8854-f5eb80c907ca | powershell |
| 416 | defense-evasion | T1070 | Indicator Removal on Host | 1 | Indicator Removal using FSUtil | b4115c7a-0e92-47f0-a61e-17e7218b2435 | command_prompt |
| 417 | defense-evasion | T1070 | Indicator Removal on Host | 2 | Indicator Manipulation using FSUtil | 96e86706-6afd-45b6-95d6-108d23eaf2e9 | powershell |
| 418 | defense-evasion | T1550.003 | Use Alternate Authentication Material: Pass the Ticket | 1 | Mimikatz Kerberos Ticket Attack | dbf38128-7ba7-4776-bedf-cc2eed432098 | command_prompt |
| 419 | defense-evasion | T1550.003 | Use Alternate Authentication Material: Pass the Ticket | 2 | Rubeus Kerberos Pass The Ticket | a2fc4ec5-12c6-4fb4-b661-961f23f359cb | powershell |
| 420 | defense-evasion | T1036.004 | Masquerading: Masquerade Task or Service | 1 | Creating W32Time similar named service using schtasks | f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9 | command_prompt |
| 421 | defense-evasion | T1036.004 | Masquerading: Masquerade Task or Service | 2 | Creating W32Time similar named service using sc | b721c6ef-472c-4263-a0d9-37f1f4ecff66 | command_prompt |
| 422 | defense-evasion | T1036.004 | Masquerading: Masquerade Task or Service | 3 | linux rename /proc/pid/comm using prctl | f0e3aaea-5cd9-4db6-a077-631dd19b27a8 | sh |
| 423 | defense-evasion | T1036.004 | Masquerading: Masquerade Task or Service | 4 | Hiding a malicious process with bind mounts | ad4b73c2-d6e2-4d8b-9868-4c6f55906e01 | sh |
| 424 | defense-evasion | T1055.004 | Process Injection: Asynchronous Procedure Call | 1 | Process Injection via C# | 611b39b7-e243-4c81-87a4-7145a90358b1 | command_prompt |
| 425 | defense-evasion | T1055.004 | Process Injection: Asynchronous Procedure Call | 2 | EarlyBird APC Queue Injection in Go | 73785dd2-323b-4205-ab16-bb6f06677e14 | powershell |
| 426 | defense-evasion | T1055.004 | Process Injection: Asynchronous Procedure Call | 3 | Remote Process Injection with Go using NtQueueApcThreadEx WinAPI | 4cc571b1-f450-414a-850f-879baf36aa06 | powershell |
| 427 | defense-evasion | T1647 | Plist File Modification | 1 | Plist Modification | 394a538e-09bb-4a4a-95d1-b93cf12682a8 | manual |
| 428 | defense-evasion | T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass | 1 | Mount ISO image | 002cca30-4778-4891-878a-aaffcfa502fa | powershell |
| 429 | defense-evasion | T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass | 2 | Mount an ISO image and run executable from the ISO | 42f22b00-0242-4afc-a61b-0da05041f9cc | powershell |
| 430 | defense-evasion | T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass | 3 | Remove the Zone.Identifier alternate data stream | 64b12afc-18b8-4d3f-9eab-7f6cae7c73f9 | powershell |
| 431 | defense-evasion | T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass | 4 | Execute LNK file from ISO | c2587b8d-743d-4985-aa50-c83394eaeb68 | powershell |
| 432 | defense-evasion | T1612 | Build Image on Host | 1 | Build Image On Host | 2db30061-589d-409b-b125-7b473944f9b3 | sh |
| 433 | defense-evasion | T1055.002 | Process Injection: Portable Executable Injection | 1 | Portable Executable Injection | 578025d5-faa9-4f6d-8390-aae739d503e1 | powershell |
| 434 | defense-evasion | T1562.010 | Impair Defenses: Downgrade Attack | 1 | ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI | 062f92c9-28b1-4391-a5f8-9d8ca6852091 | powershell |
| 435 | defense-evasion | T1562.010 | Impair Defenses: Downgrade Attack | 2 | ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI | 14d55b96-b2f5-428d-8fed-49dc4d9dd616 | command_prompt |
| 436 | defense-evasion | T1562.010 | Impair Defenses: Downgrade Attack | 3 | PowerShell Version 2 Downgrade | 47c96489-2f55-4774-a6df-39faff428f6f | powershell |
| 437 | defense-evasion | T1218.005 | Signed Binary Proxy Execution: Mshta | 1 | Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject | 1483fab9-4f52-4217-a9ce-daa9d7747cae | command_prompt |
| 438 | defense-evasion | T1218.005 | Signed Binary Proxy Execution: Mshta | 2 | Mshta executes VBScript to execute malicious command | 906865c3-e05f-4acc-85c4-fbc185455095 | command_prompt |
| 439 | defense-evasion | T1218.005 | Signed Binary Proxy Execution: Mshta | 3 | Mshta Executes Remote HTML Application (HTA) | c4b97eeb-5249-4455-a607-59f95485cb45 | powershell |
| 440 | defense-evasion | T1218.005 | Signed Binary Proxy Execution: Mshta | 4 | Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement | 007e5672-2088-4853-a562-7490ddc19447 | powershell |
| 441 | defense-evasion | T1218.005 | Signed Binary Proxy Execution: Mshta | 5 | Invoke HTML Application - Jscript Engine Simulating Double Click | 58a193ec-131b-404e-b1ca-b35cf0b18c33 | powershell |
| 442 | defense-evasion | T1218.005 | Signed Binary Proxy Execution: Mshta | 6 | Invoke HTML Application - Direct download from URI | 39ceed55-f653-48ac-bd19-aceceaf525db | powershell |
| 443 | defense-evasion | T1218.005 | Signed Binary Proxy Execution: Mshta | 7 | Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler | e7e3a525-7612-4d68-a5d3-c4649181b8af | powershell |
| 444 | defense-evasion | T1218.005 | Signed Binary Proxy Execution: Mshta | 8 | Invoke HTML Application - JScript Engine with Inline Protocol Handler | d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840 | powershell |
| 445 | defense-evasion | T1218.005 | Signed Binary Proxy Execution: Mshta | 9 | Invoke HTML Application - Simulate Lateral Movement over UNC Path | b8a8bdb2-7eae-490d-8251-d5e0295b2362 | powershell |
| 446 | defense-evasion | T1218.005 | Signed Binary Proxy Execution: Mshta | 10 | Mshta used to Execute PowerShell | 8707a805-2b76-4f32-b1c0-14e558205772 | command_prompt |
| 447 | defense-evasion | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | 1 | Named pipe client impersonation | 90db9e27-8e7c-4c04-b602-a45927884966 | powershell |
| 448 | defense-evasion | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | 2 | `SeDebugPrivilege` token duplication | 34f0a430-9d04-4d98-bcb5-1989f14719f0 | powershell |
| 449 | defense-evasion | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | 3 | Launch NSudo Executable | 7be1bc0f-d8e5-4345-9333-f5f67d742cb9 | powershell |
| 450 | defense-evasion | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | 4 | Bad Potato | 9c6d799b-c111-4749-a42f-ec2f8cb51448 | powershell |
| 451 | defense-evasion | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | 5 | Juicy Potato | f095e373-b936-4eb4-8d22-f47ccbfbe64a | powershell |
| 452 | defense-evasion | T1564.002 | Hide Artifacts: Hidden Users | 1 | Create Hidden User using UniqueID < 500 | 4238a7f0-a980-4fff-98a2-dfc0a363d507 | sh |
| 453 | defense-evasion | T1564.002 | Hide Artifacts: Hidden Users | 2 | Create Hidden User using IsHidden option | de87ed7b-52c3-43fd-9554-730f695e7f31 | sh |
| 454 | defense-evasion | T1564.002 | Hide Artifacts: Hidden Users | 3 | Create Hidden User in Registry | 173126b7-afe4-45eb-8680-fa9f6400431c | command_prompt |
| 455 | defense-evasion | T1562.003 | Impair Defenses: Impair Command History Logging | 1 | Disable history collection | 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 | sh |
| 456 | defense-evasion | T1562.003 | Impair Defenses: Impair Command History Logging | 2 | Disable history collection (freebsd) | cada55b4-8251-4c60-819e-8ec1b33c9306 | sh |
| 457 | defense-evasion | T1562.003 | Impair Defenses: Impair Command History Logging | 3 | Mac HISTCONTROL | 468566d5-83e5-40c1-b338-511e1659628d | manual |
| 458 | defense-evasion | T1562.003 | Impair Defenses: Impair Command History Logging | 4 | Clear bash history | 878794f7-c511-4199-a950-8c28b3ed8e5b | bash |
| 459 | defense-evasion | T1562.003 | Impair Defenses: Impair Command History Logging | 5 | Setting the HISTCONTROL environment variable | 10ab786a-028e-4465-96f6-9e83ca6c5f24 | bash |
| 460 | defense-evasion | T1562.003 | Impair Defenses: Impair Command History Logging | 6 | Setting the HISTFILESIZE environment variable | 5cafd6c1-2f43-46eb-ac47-a5301ba0a618 | bash |
| 461 | defense-evasion | T1562.003 | Impair Defenses: Impair Command History Logging | 7 | Setting the HISTSIZE environment variable | 386d3850-2ce7-4508-b56b-c0558922c814 | sh |
| 462 | defense-evasion | T1562.003 | Impair Defenses: Impair Command History Logging | 8 | Setting the HISTFILE environment variable | b3dacb6c-a9e3-44ec-bf87-38db60c5cad1 | bash |
| 463 | defense-evasion | T1562.003 | Impair Defenses: Impair Command History Logging | 9 | Setting the HISTFILE environment variable (freebsd) | f7308845-6da8-468e-99f2-4271f2f5bb67 | sh |
| 464 | defense-evasion | T1562.003 | Impair Defenses: Impair Command History Logging | 10 | Setting the HISTIGNORE environment variable | f12acddb-7502-4ce6-a146-5b62c59592f1 | bash |
| 465 | defense-evasion | T1562.003 | Impair Defenses: Impair Command History Logging | 11 | Disable Windows Command Line Auditing using reg.exe | 1329d5ab-e10e-4e5e-93d1-4d907eb656e5 | command_prompt |
| 466 | defense-evasion | T1562.003 | Impair Defenses: Impair Command History Logging | 12 | Disable Windows Command Line Auditing using Powershell Cmdlet | 95f5c72f-6dfe-45f3-a8c1-d8faa07176fa | powershell |
| 467 | defense-evasion | T1134.004 | Access Token Manipulation: Parent PID Spoofing | 1 | Parent PID Spoofing using PowerShell | 069258f4-2162-46e9-9a25-c9c6c56150d2 | powershell |
| 468 | defense-evasion | T1134.004 | Access Token Manipulation: Parent PID Spoofing | 2 | Parent PID Spoofing - Spawn from Current Process | 14920ebd-1d61-491a-85e0-fe98efe37f25 | powershell |
| 469 | defense-evasion | T1134.004 | Access Token Manipulation: Parent PID Spoofing | 3 | Parent PID Spoofing - Spawn from Specified Process | cbbff285-9051-444a-9d17-c07cd2d230eb | powershell |
| 470 | defense-evasion | T1134.004 | Access Token Manipulation: Parent PID Spoofing | 4 | Parent PID Spoofing - Spawn from svchost.exe | e9f2b777-3123-430b-805d-5cedc66ab591 | powershell |
| 471 | defense-evasion | T1134.004 | Access Token Manipulation: Parent PID Spoofing | 5 | Parent PID Spoofing - Spawn from New Process | 2988133e-561c-4e42-a15f-6281e6a9b2db | powershell |
| 472 | defense-evasion | T1218.001 | Signed Binary Proxy Execution: Compiled HTML File | 1 | Compiled HTML Help Local Payload | 5cb87818-0d7c-4469-b7ef-9224107aebe8 | command_prompt |
| 473 | defense-evasion | T1218.001 | Signed Binary Proxy Execution: Compiled HTML File | 2 | Compiled HTML Help Remote Payload | 0f8af516-9818-4172-922b-42986ef1e81d | command_prompt |
| 474 | defense-evasion | T1218.001 | Signed Binary Proxy Execution: Compiled HTML File | 3 | Invoke CHM with default Shortcut Command Execution | 29d6f0d7-be63-4482-8827-ea77126c1ef7 | powershell |
| 475 | defense-evasion | T1218.001 | Signed Binary Proxy Execution: Compiled HTML File | 4 | Invoke CHM with InfoTech Storage Protocol Handler | b4094750-5fc7-4e8e-af12-b4e36bf5e7f6 | powershell |
| 476 | defense-evasion | T1218.001 | Signed Binary Proxy Execution: Compiled HTML File | 5 | Invoke CHM Simulate Double click | 5decef42-92b8-4a93-9eb2-877ddcb9401a | powershell |
| 477 | defense-evasion | T1218.001 | Signed Binary Proxy Execution: Compiled HTML File | 6 | Invoke CHM with Script Engine and Help Topic | 4f83adda-f5ec-406d-b318-9773c9ca92e5 | powershell |
| 478 | defense-evasion | T1218.001 | Signed Binary Proxy Execution: Compiled HTML File | 7 | Invoke CHM Shortcut Command with ITS and Help Topic | 15756147-7470-4a83-87fb-bb5662526247 | powershell |
| 479 | defense-evasion | T1218.001 | Signed Binary Proxy Execution: Compiled HTML File | 8 | Decompile Local CHM File | 20cb05e0-1fa5-406d-92c1-84da4ba01813 | command_prompt |
| 480 | defense-evasion | T1070.005 | Indicator Removal on Host: Network Share Connection Removal | 1 | Add Network Share | 14c38f32-6509-46d8-ab43-d53e32d2b131 | command_prompt |
| 481 | defense-evasion | T1070.005 | Indicator Removal on Host: Network Share Connection Removal | 2 | Remove Network Share | 09210ad5-1ef2-4077-9ad3-7351e13e9222 | command_prompt |
| 482 | defense-evasion | T1070.005 | Indicator Removal on Host: Network Share Connection Removal | 3 | Remove Network Share PowerShell | 0512d214-9512-4d22-bde7-f37e058259b3 | powershell |
| 483 | defense-evasion | T1070.005 | Indicator Removal on Host: Network Share Connection Removal | 4 | Disable Administrative Share Creation at Startup | 99c657aa-ebeb-4179-a665-69288fdd12b8 | command_prompt |
| 484 | defense-evasion | T1070.005 | Indicator Removal on Host: Network Share Connection Removal | 5 | Remove Administrative Shares | 4299eff5-90f1-4446-b2f3-7f4f5cfd5d62 | command_prompt |
| 485 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 1 | Disable syslog | 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8 | sh |
| 486 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 2 | Disable syslog (freebsd) | db9de996-441e-4ae0-947b-61b6871e2fdf | sh |
| 487 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 3 | Disable Cb Response | ae8943f7-0f8d-44de-962d-fbc2e2f03eb8 | sh |
| 488 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 4 | Disable SELinux | fc225f36-9279-4c39-b3f9-5141ab74f8d8 | sh |
| 489 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 5 | Stop Crowdstrike Falcon on Linux | 828a1278-81cc-4802-96ab-188bf29ca77d | sh |
| 490 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 6 | Disable Carbon Black Response | 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c | sh |
| 491 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 7 | Disable LittleSnitch | 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3 | sh |
| 492 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 8 | Disable OpenDNS Umbrella | 07f43b33-1e15-4e99-be70-bc094157c849 | sh |
| 493 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 9 | Disable macOS Gatekeeper | 2a821573-fb3f-4e71-92c3-daac7432f053 | sh |
| 494 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 10 | Stop and unload Crowdstrike Falcon on macOS | b3e7510c-2d4c-4249-a33f-591a2bc83eef | sh |
| 495 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 11 | Unload Sysmon Filter Driver | 811b3e76-c41b-430c-ac0d-e2380bfaa164 | command_prompt |
| 496 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 12 | Uninstall Sysmon | a316fb2e-5344-470d-91c1-23e15c374edc | command_prompt |
| 497 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 13 | AMSI Bypass - AMSI InitFailed | 695eed40-e949-40e5-b306-b4031e4154bd | powershell |
| 498 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 14 | AMSI Bypass - Remove AMSI Provider Reg Key | 13f09b91-c953-438e-845b-b585e51cac9b | powershell |
| 499 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 15 | Disable Arbitrary Security Windows Service | a1230893-56ac-4c81-b644-2108e982f8f5 | command_prompt |
| 500 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 16 | Tamper with Windows Defender ATP PowerShell | 6b8df440-51ec-4d53-bf83-899591c9b5d7 | powershell |
| 501 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 17 | Tamper with Windows Defender Command Prompt | aa875ed4-8935-47e2-b2c5-6ec00ab220d2 | command_prompt |
| 502 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 18 | Tamper with Windows Defender Registry | 1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45 | powershell |
| 503 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 19 | Disable Microsoft Office Security Features | 6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7 | powershell |
| 504 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 20 | Remove Windows Defender Definition Files | 3d47daaa-2f56-43e0-94cc-caf5d8d52a68 | command_prompt |
| 505 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 21 | Stop and Remove Arbitrary Security Windows Service | ae753dda-0f15-4af6-a168-b9ba16143143 | powershell |
| 506 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 22 | Uninstall Crowdstrike Falcon on Windows | b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297 | powershell |
| 507 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 23 | Tamper with Windows Defender Evade Scanning -Folder | 0b19f4ee-de90-4059-88cb-63c800c683ed | powershell |
| 508 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 24 | Tamper with Windows Defender Evade Scanning -Extension | 315f4be6-2240-4552-b3e1-d1047f5eecea | powershell |
| 509 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 25 | Tamper with Windows Defender Evade Scanning -Process | a123ce6a-3916-45d6-ba9c-7d4081315c27 | powershell |
| 510 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 26 | office-365-Disable-AntiPhishRule | b9bbae2c-2ba6-4cf3-b452-8e8f908696f3 | powershell |
| 511 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 27 | Disable Windows Defender with DISM | 871438ac-7d6e-432a-b27d-3e7db69faf58 | command_prompt |
| 512 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 28 | Disable Defender Using NirSoft AdvancedRun | 81ce22fd-9612-4154-918e-8a1f285d214d | powershell |
| 513 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 29 | Kill antimalware protected processes using Backstab | 24a12b91-05a7-4deb-8d7f-035fa98591bc | powershell |
| 514 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 30 | WinPwn - Kill the event log services for stealth | 7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66 | powershell |
| 515 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 31 | Tamper with Windows Defender ATP using Aliases - PowerShell | c531aa6e-9c97-4b29-afee-9b7be6fc8a64 | powershell |
| 516 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 32 | LockBit Black - Disable Privacy Settings Experience Using Registry -cmd | d6d22332-d07d-498f-aea0-6139ecb7850e | command_prompt |
| 517 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 33 | LockBit Black - Use Registry Editor to turn on automatic logon -cmd | 9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70 | command_prompt |
| 518 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 34 | LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell | d8c57eaa-497a-4a08-961e-bd5efd7c9374 | powershell |
| 519 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 35 | Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell | 5e27f36d-5132-4537-b43b-413b0d5eec9a | powershell |
| 520 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 36 | Disable Windows Defender with PwSh Disable-WindowsOptionalFeature | f542ffd3-37b4-4528-837f-682874faa012 | powershell |
| 521 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 37 | WMIC Tamper with Windows Defender Evade Scanning Folder | 59d386fc-3a4b-41b8-850d-9e3eee24dfe4 | command_prompt |
| 522 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 38 | Delete Windows Defender Scheduled Tasks | 4b841aa1-0d05-4b32-bbe7-7564346e7c76 | command_prompt |
| 523 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 39 | Clear History | 23b88394-091b-4968-a42d-fb8076992443 | sh |
| 524 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 40 | Suspend History | 94f6a1c9-aae7-46a4-9083-2bb1f5768ec4 | sh |
| 525 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 41 | Reboot Linux Host via Kernel System Request | 6d6d3154-1a52-4d1a-9d51-92ab8148b32e | sh |
| 526 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 42 | Clear Pagging Cache | f790927b-ea85-4a16-b7b2-7eb44176a510 | sh |
| 527 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 43 | Disable Memory Swap | e74e4c63-6fde-4ad2-9ee8-21c3a1733114 | sh |
| 528 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 44 | Disable Hypervisor-Enforced Code Integrity (HVCI) | 70bd71e6-eba4-4e00-92f7-617911dbe020 | powershell |
| 529 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 45 | AMSI Bypass - Override AMSI via COM | 17538258-5699-4ff1-92d1-5ac9b0dc21f5 | command_prompt |
| 530 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 46 | AWS - GuardDuty Suspension or Deletion | 11e65d8d-e7e4-470e-a3ff-82bc56ad938e | bash |
| 531 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 47 | Tamper with Defender ATP on Linux/MacOS | 40074085-dbc8-492b-90a3-11bcfc52fda8 | sh |
| 532 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 48 | Tamper with Windows Defender Registry - Reg.exe | 1f6743da-6ecc-4a93-b03f-dc357e4b313f | command_prompt |
| 533 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 49 | Tamper with Windows Defender Registry - Powershell | a72cfef8-d252-48b3-b292-635d332625c3 | powershell |
| 534 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 50 | ESXi - Disable Account Lockout Policy via PowerCLI | 091a6290-cd29-41cb-81ea-b12f133c66cb | powershell |
| 535 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 51 | Delete Microsoft Defender ASR Rules - InTune | eea0a6c2-84e9-4e8c-a242-ac585d28d0d1 | powershell |
| 536 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 52 | Delete Microsoft Defender ASR Rules - GPO | 0e7b8a4b-2ca5-4743-a9f9-96051abb6e50 | powershell |
| 537 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 53 | AMSI Bypass - Create AMSIEnable Reg Key | 728eca7b-0444-4f6f-ac36-437e3d751dc0 | powershell |
| 538 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 54 | Disable EventLog-Application Auto Logger Session Via Registry - Cmd | 653c6e17-14a2-4849-851d-f1c0cc8ea9ab | command_prompt |
| 539 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 55 | Disable EventLog-Application Auto Logger Session Via Registry - PowerShell | da86f239-9bd3-4e85-92ed-4a94ef111a1c | powershell |
| 540 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 56 | Disable EventLog-Application ETW Provider Via Registry - Cmd | 1cac9b54-810e-495c-8aac-989e0076583b | command_prompt |
| 541 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 57 | Disable EventLog-Application ETW Provider Via Registry - PowerShell | 8f907648-1ebf-4276-b0f0-e2678ca474f0 | powershell |
| 542 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 58 | Freeze PPL-protected process with EDR-Freeze | cbb2573a-a6ad-4c87-aef8-6e175598559b | powershell |
| 543 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 59 | Disable ASLR Via sysctl parameters - Linux | ac333fe1-ce2b-400b-a117-538634427439 | bash |
| 544 | defense-evasion | T1055.012 | Process Injection: Process Hollowing | 1 | Process Hollowing using PowerShell | 562427b4-39ef-4e8c-af88-463a78e70b9c | powershell |
| 545 | defense-evasion | T1055.012 | Process Injection: Process Hollowing | 2 | RunPE via VBA | 3ad4a037-1598-4136-837c-4027e4fa319b | powershell |
| 546 | defense-evasion | T1055.012 | Process Injection: Process Hollowing | 3 | Process Hollowing in Go using CreateProcessW WinAPI | c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a | powershell |
| 547 | defense-evasion | T1055.012 | Process Injection: Process Hollowing | 4 | Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012) | 94903cc5-d462-498a-b919-b1e5ab155fee | powershell |
| 548 | defense-evasion | T1027 | Obfuscated Files or Information | 1 | Decode base64 Data into Script | f45df6be-2e1e-4136-a384-8f18ab3826fb | sh |
| 549 | defense-evasion | T1027 | Obfuscated Files or Information | 2 | Execute base64-encoded PowerShell | a50d5a97-2531-499e-a1de-5544c74432c6 | powershell |
| 550 | defense-evasion | T1027 | Obfuscated Files or Information | 3 | Execute base64-encoded PowerShell from Windows Registry | 450e7218-7915-4be4-8b9b-464a49eafcec | powershell |
| 551 | defense-evasion | T1027 | Obfuscated Files or Information | 4 | Execution from Compressed File | f8c8a909-5f29-49ac-9244-413936ce6d1f | command_prompt |
| 552 | defense-evasion | T1027 | Obfuscated Files or Information | 5 | DLP Evasion via Sensitive Data in VBA Macro over email | 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad | powershell |
| 553 | defense-evasion | T1027 | Obfuscated Files or Information | 6 | DLP Evasion via Sensitive Data in VBA Macro over HTTP | e2d85e66-cb66-4ed7-93b1-833fc56c9319 | powershell |
| 554 | defense-evasion | T1027 | Obfuscated Files or Information | 7 | Obfuscated Command in PowerShell | 8b3f4ed6-077b-4bdd-891c-2d237f19410f | powershell |
| 555 | defense-evasion | T1027 | Obfuscated Files or Information | 8 | Obfuscated Command Line using special Unicode characters | e68b945c-52d0-4dd9-a5e8-d173d70c448f | manual |
| 556 | defense-evasion | T1027 | Obfuscated Files or Information | 9 | Snake Malware Encrypted crmlog file | 7e47ee60-9dd1-4269-9c4f-97953b183268 | powershell |
| 557 | defense-evasion | T1027 | Obfuscated Files or Information | 10 | Execution from Compressed JScript File | fad04df1-5229-4185-b016-fb6010cd87ac | command_prompt |
| 558 | defense-evasion | T1564.006 | Run Virtual Instance | 1 | Register Portable Virtualbox | c59f246a-34f8-4e4d-9276-c295ef9ba0dd | command_prompt |
| 559 | defense-evasion | T1564.006 | Run Virtual Instance | 2 | Create and start VirtualBox virtual machine | 88b81702-a1c0-49a9-95b2-2dd53d755767 | command_prompt |
| 560 | defense-evasion | T1564.006 | Run Virtual Instance | 3 | Create and start Hyper-V virtual machine | fb8d4d7e-f5a4-481c-8867-febf13f8b6d3 | powershell |
| 561 | defense-evasion | T1134.005 | Access Token Manipulation: SID-History Injection | 1 | Injection SID-History with mimikatz | 6bef32e5-9456-4072-8f14-35566fb85401 | command_prompt |
| 562 | defense-evasion | T1218.010 | Signed Binary Proxy Execution: Regsvr32 | 1 | Regsvr32 local COM scriptlet execution | 449aa403-6aba-47ce-8a37-247d21ef0306 | command_prompt |
| 563 | defense-evasion | T1218.010 | Signed Binary Proxy Execution: Regsvr32 | 2 | Regsvr32 remote COM scriptlet execution | c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36 | command_prompt |
| 564 | defense-evasion | T1218.010 | Signed Binary Proxy Execution: Regsvr32 | 3 | Regsvr32 local DLL execution | 08ffca73-9a3d-471a-aeb0-68b4aa3ab37b | command_prompt |
| 565 | defense-evasion | T1218.010 | Signed Binary Proxy Execution: Regsvr32 | 4 | Regsvr32 Registering Non DLL | 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421 | command_prompt |
| 566 | defense-evasion | T1218.010 | Signed Binary Proxy Execution: Regsvr32 | 5 | Regsvr32 Silent DLL Install Call DllRegisterServer | 9d71c492-ea2e-4c08-af16-c6994cdf029f | command_prompt |
| 567 | defense-evasion | T1036.003 | Masquerading: Rename System Utilities | 1 | Masquerading as Windows LSASS process | 5ba5a3d1-cf3c-4499-968a-a93155d1f717 | command_prompt |
| 568 | defense-evasion | T1036.003 | Masquerading: Rename System Utilities | 2 | Masquerading as FreeBSD or Linux crond process. | a315bfff-7a98-403b-b442-2ea1b255e556 | sh |
| 569 | defense-evasion | T1036.003 | Masquerading: Rename System Utilities | 3 | Masquerading - cscript.exe running as notepad.exe | 3a2a578b-0a01-46e4-92e3-62e2859b42f0 | command_prompt |
| 570 | defense-evasion | T1036.003 | Masquerading: Rename System Utilities | 4 | Masquerading - wscript.exe running as svchost.exe | 24136435-c91a-4ede-9da1-8b284a1c1a23 | command_prompt |
| 571 | defense-evasion | T1036.003 | Masquerading: Rename System Utilities | 5 | Masquerading - powershell.exe running as taskhostw.exe | ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa | command_prompt |
| 572 | defense-evasion | T1036.003 | Masquerading: Rename System Utilities | 6 | Masquerading - non-windows exe running as windows exe | bc15c13f-d121-4b1f-8c7d-28d95854d086 | powershell |
| 573 | defense-evasion | T1036.003 | Masquerading: Rename System Utilities | 7 | Masquerading - windows exe running as different windows exe | c3d24a39-2bfe-4c6a-b064-90cd73896cb0 | powershell |
| 574 | defense-evasion | T1036.003 | Masquerading: Rename System Utilities | 8 | Malicious process Masquerading as LSM.exe | 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f | command_prompt |
| 575 | defense-evasion | T1574.009 | Hijack Execution Flow: Path Interception by Unquoted Path | 1 | Execution of program.exe as service with unquoted service path | 2770dea7-c50f-457b-84c4-c40a47460d9f | command_prompt |
| 576 | defense-evasion | T1218.009 | Signed Binary Proxy Execution: Regsvcs/Regasm | 1 | Regasm Uninstall Method Call Test | 71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112 | command_prompt |
| 577 | defense-evasion | T1218.009 | Signed Binary Proxy Execution: Regsvcs/Regasm | 2 | Regsvcs Uninstall Method Call Test | fd3c1c6a-02d2-4b72-82d9-71c527abb126 | powershell |
| 578 | defense-evasion | T1553.004 | Subvert Trust Controls: Install Root Certificate | 1 | Install root CA on CentOS/RHEL | 9c096ec4-fd42-419d-a762-d64cc950627e | sh |
| 579 | defense-evasion | T1553.004 | Subvert Trust Controls: Install Root Certificate | 2 | Install root CA on FreeBSD | f4568003-1438-44ab-a234-b3252ea7e7a3 | sh |
| 580 | defense-evasion | T1553.004 | Subvert Trust Controls: Install Root Certificate | 3 | Install root CA on Debian/Ubuntu | 53bcf8a0-1549-4b85-b919-010c56d724ff | sh |
| 581 | defense-evasion | T1553.004 | Subvert Trust Controls: Install Root Certificate | 4 | Install root CA on macOS | cc4a0b8c-426f-40ff-9426-4e10e5bf4c49 | sh |
| 582 | defense-evasion | T1553.004 | Subvert Trust Controls: Install Root Certificate | 5 | Install root CA on Windows | 76f49d86-5eb1-461a-a032-a480f86652f1 | powershell |
| 583 | defense-evasion | T1553.004 | Subvert Trust Controls: Install Root Certificate | 6 | Install root CA on Windows with certutil | 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f | powershell |
| 584 | defense-evasion | T1553.004 | Subvert Trust Controls: Install Root Certificate | 7 | Add Root Certificate to CurrentUser Certificate Store | ca20a3f1-42b5-4e21-ad3f-1049199ec2e0 | powershell |
| 585 | defense-evasion | T1027.004 | Obfuscated Files or Information: Compile After Delivery | 1 | Compile After Delivery using csc.exe | ffcdbd6a-b0e8-487d-927a-09127fe9a206 | command_prompt |
| 586 | defense-evasion | T1027.004 | Obfuscated Files or Information: Compile After Delivery | 2 | Dynamic C# Compile | 453614d8-3ba6-4147-acc0-7ec4b3e1faef | powershell |
| 587 | defense-evasion | T1027.004 | Obfuscated Files or Information: Compile After Delivery | 3 | C compile | d0377aa6-850a-42b2-95f0-de558d80be57 | sh |
| 588 | defense-evasion | T1027.004 | Obfuscated Files or Information: Compile After Delivery | 4 | CC compile | da97bb11-d6d0-4fc1-b445-e443d1346efe | sh |
| 589 | defense-evasion | T1027.004 | Obfuscated Files or Information: Compile After Delivery | 5 | Go compile | 78bd3fa7-773c-449e-a978-dc1f1500bc52 | sh |
| 590 | defense-evasion | T1197 | BITS Jobs | 1 | Bitsadmin Download (cmd) | 3c73d728-75fb-4180-a12f-6712864d7421 | command_prompt |
| 591 | defense-evasion | T1197 | BITS Jobs | 2 | Bitsadmin Download (PowerShell) | f63b8bc4-07e5-4112-acba-56f646f3f0bc | powershell |
| 592 | defense-evasion | T1197 | BITS Jobs | 3 | Persist, Download, & Execute | 62a06ec5-5754-47d2-bcfc-123d8314c6ae | command_prompt |
| 593 | defense-evasion | T1197 | BITS Jobs | 4 | Bits download using desktopimgdownldr.exe (cmd) | afb5e09e-e385-4dee-9a94-6ee60979d114 | command_prompt |
| 594 | defense-evasion | T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild | 1 | MSBuild Bypass Using Inline Tasks (C#) | 58742c0f-cb01-44cd-a60b-fb26e8871c93 | command_prompt |
| 595 | defense-evasion | T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild | 2 | MSBuild Bypass Using Inline Tasks (VB) | ab042179-c0c5-402f-9bc8-42741f5ce359 | command_prompt |
| 596 | defense-evasion | T1562.008 | Impair Defenses: Disable Cloud Logs | 1 | AWS - CloudTrail Changes | 9c10dc6b-20bd-403a-8e67-50ef7d07ed4e | sh |
| 597 | defense-evasion | T1562.008 | Impair Defenses: Disable Cloud Logs | 2 | Azure - Eventhub Deletion | 5e09bed0-7d33-453b-9bf3-caea32bff719 | powershell |
| 598 | defense-evasion | T1562.008 | Impair Defenses: Disable Cloud Logs | 3 | Office 365 - Exchange Audit Log Disabled | 1ee572f3-056c-4632-a7fc-7e7c42b1543c | powershell |
| 599 | defense-evasion | T1562.008 | Impair Defenses: Disable Cloud Logs | 4 | AWS - Disable CloudTrail Logging Through Event Selectors using Stratus | a27418de-bdce-4ebd-b655-38f11142bf0c | sh |
| 600 | defense-evasion | T1562.008 | Impair Defenses: Disable Cloud Logs | 5 | AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus | 22d89a2f-d475-4895-b2d4-68626d49c029 | sh |
| 601 | defense-evasion | T1562.008 | Impair Defenses: Disable Cloud Logs | 6 | AWS - Remove VPC Flow Logs using Stratus | 93c150f5-ad7b-4ee3-8992-df06dec2ac79 | sh |
| 602 | defense-evasion | T1562.008 | Impair Defenses: Disable Cloud Logs | 7 | AWS - CloudWatch Log Group Deletes | 89422c87-b57b-4a04-a8ca-802bb9d06121 | sh |
| 603 | defense-evasion | T1562.008 | Impair Defenses: Disable Cloud Logs | 8 | AWS CloudWatch Log Stream Deletes | 33ca84bc-4259-4943-bd36-4655dc420932 | sh |
| 604 | defense-evasion | T1562.008 | Impair Defenses: Disable Cloud Logs | 9 | Office 365 - Set Audit Bypass For a Mailbox | c9a2f6fe-7197-488c-af6d-10c782121ca6 | powershell |
| 605 | defense-evasion | T1562.008 | Impair Defenses: Disable Cloud Logs | 10 | GCP - Delete Activity Event Log | d56152ec-01d9-42a2-877c-aac1f6ebe8e6 | sh |
| 606 | defense-evasion | T1564.003 | Hide Artifacts: Hidden Window | 1 | Hidden Window | f151ee37-9e2b-47e6-80e4-550b9f999b7a | powershell |
| 607 | defense-evasion | T1564.003 | Hide Artifacts: Hidden Window | 2 | Headless Browser Accessing Mockbin | 0ad9ab92-c48c-4f08-9b20-9633277c4646 | command_prompt |
| 608 | defense-evasion | T1564.003 | Hide Artifacts: Hidden Window | 3 | Hidden Window-Conhost Execution | 5510d22f-2595-4911-8456-4d630c978616 | powershell |
| 609 | defense-evasion | T1027.006 | HTML Smuggling | 1 | HTML Smuggling Remote Payload | 30cbeda4-08d9-42f1-8685-197fad677734 | powershell |
| 610 | defense-evasion | T1070.004 | Indicator Removal on Host: File Deletion | 1 | Delete a single file - FreeBSD/Linux/macOS | 562d737f-2fc6-4b09-8c2a-7f8ff0828480 | sh |
| 611 | defense-evasion | T1070.004 | Indicator Removal on Host: File Deletion | 2 | Delete an entire folder - FreeBSD/Linux/macOS | a415f17e-ce8d-4ce2-a8b4-83b674e7017e | sh |
| 612 | defense-evasion | T1070.004 | Indicator Removal on Host: File Deletion | 3 | Overwrite and delete a file with shred | 039b4b10-2900-404b-b67f-4b6d49aa6499 | sh |
| 613 | defense-evasion | T1070.004 | Indicator Removal on Host: File Deletion | 4 | Delete a single file - Windows cmd | 861ea0b4-708a-4d17-848d-186c9c7f17e3 | command_prompt |
| 614 | defense-evasion | T1070.004 | Indicator Removal on Host: File Deletion | 5 | Delete an entire folder - Windows cmd | ded937c4-2add-42f7-9c2c-c742b7a98698 | command_prompt |
| 615 | defense-evasion | T1070.004 | Indicator Removal on Host: File Deletion | 6 | Delete a single file - Windows PowerShell | 9dee89bd-9a98-4c4f-9e2d-4256690b0e72 | powershell |
| 616 | defense-evasion | T1070.004 | Indicator Removal on Host: File Deletion | 7 | Delete an entire folder - Windows PowerShell | edd779e4-a509-4cba-8dfa-a112543dbfb1 | powershell |
| 617 | defense-evasion | T1070.004 | Indicator Removal on Host: File Deletion | 8 | Delete Filesystem - Linux | f3aa95fe-4f10-4485-ad26-abf22a764c52 | sh |
| 618 | defense-evasion | T1070.004 | Indicator Removal on Host: File Deletion | 9 | Delete Prefetch File | 36f96049-0ad7-4a5f-8418-460acaeb92fb | powershell |
| 619 | defense-evasion | T1070.004 | Indicator Removal on Host: File Deletion | 10 | Delete TeamViewer Log Files | 69f50a5f-967c-4327-a5bb-e1a9a9983785 | powershell |
| 620 | defense-evasion | T1070.004 | Indicator Removal on Host: File Deletion | 11 | Clears Recycle bin via rd | f723d13d-48dc-4317-9990-cf43a9ac0bf2 | command_prompt |
| 621 | defense-evasion | T1221 | Template Injection | 1 | WINWORD Remote Template Injection | 1489e08a-82c7-44ee-b769-51b72d03521d | command_prompt |
| 622 | defense-evasion | T1027.002 | Obfuscated Files or Information: Software Packing | 1 | Binary simply packed by UPX (linux) | 11c46cd8-e471-450e-acb8-52a1216ae6a4 | sh |
| 623 | defense-evasion | T1027.002 | Obfuscated Files or Information: Software Packing | 2 | Binary packed by UPX, with modified headers (linux) | f06197f8-ff46-48c2-a0c6-afc1b50665e1 | sh |
| 624 | defense-evasion | T1027.002 | Obfuscated Files or Information: Software Packing | 3 | Binary simply packed by UPX | b16ef901-00bb-4dda-b4fc-a04db5067e20 | sh |
| 625 | defense-evasion | T1027.002 | Obfuscated Files or Information: Software Packing | 4 | Binary packed by UPX, with modified headers | 4d46e16b-5765-4046-9f25-a600d3e65e4d | sh |
| 626 | defense-evasion | T1622 | Debugger Evasion | 1 | Detect a Debugger Presence in the Machine | 58bd8c8d-3a1a-4467-a69c-439c75469b07 | powershell |
| 627 | defense-evasion | T1036.006 | Masquerading: Space after Filename | 1 | Space After Filename (Manual) | 89a7dd26-e510-4c9f-9b15-f3bae333360f | manual |
| 628 | defense-evasion | T1036.006 | Masquerading: Space after Filename | 2 | Space After Filename | b95ce2eb-a093-4cd8-938d-5258cef656ea | sh |
| 629 | defense-evasion | T1550.002 | Use Alternate Authentication Material: Pass the Hash | 1 | Mimikatz Pass the Hash | ec23cef9-27d9-46e4-a68d-6f75f7b86908 | command_prompt |
| 630 | defense-evasion | T1550.002 | Use Alternate Authentication Material: Pass the Hash | 2 | crackmapexec Pass the Hash | eb05b028-16c8-4ad8-adea-6f5b219da9a9 | command_prompt |
| 631 | defense-evasion | T1550.002 | Use Alternate Authentication Material: Pass the Hash | 3 | Invoke-WMIExec Pass the Hash | f8757545-b00a-4e4e-8cfb-8cfb961ee713 | powershell |
| 632 | defense-evasion | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | 1 | Dynamic API Resolution-Ninja-syscall | 578025d5-faa9-4f6d-8390-aae739d507e1 | powershell |
| 633 | defense-evasion | T1055.015 | Process Injection: ListPlanting | 1 | Process injection ListPlanting | 4f3c7502-b111-4dfe-8a6e-529307891a59 | powershell |
| 634 | defense-evasion | T1220 | XSL Script Processing | 1 | MSXSL Bypass using local files | ca23bfb2-023f-49c5-8802-e66997de462d | command_prompt |
| 635 | defense-evasion | T1220 | XSL Script Processing | 2 | MSXSL Bypass using remote files | a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985 | command_prompt |
| 636 | defense-evasion | T1220 | XSL Script Processing | 3 | WMIC bypass using local XSL file | 1b237334-3e21-4a0c-8178-b8c996124988 | command_prompt |
| 637 | defense-evasion | T1220 | XSL Script Processing | 4 | WMIC bypass using remote XSL file | 7f5be499-33be-4129-a560-66021f379b9b | command_prompt |
| 638 | defense-evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | 1 | Create a hidden file in a hidden directory | 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be | sh |
| 639 | defense-evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | 2 | Mac Hidden file | cddb9098-3b47-4e01-9d3b-6f5f323288a9 | sh |
| 640 | defense-evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | 3 | Create Windows System File with Attrib | f70974c8-c094-4574-b542-2c545af95a32 | command_prompt |
| 641 | defense-evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | 4 | Create Windows Hidden File with Attrib | dadb792e-4358-4d8d-9207-b771faa0daa5 | command_prompt |
| 642 | defense-evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | 5 | Hidden files | 3b7015f2-3144-4205-b799-b05580621379 | sh |
| 643 | defense-evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | 6 | Hide a Directory | b115ecaf-3b24-4ed2-aefe-2fcb9db913d3 | sh |
| 644 | defense-evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | 7 | Show all hidden files | 9a1ec7da-b892-449f-ad68-67066d04380c | sh |
| 645 | defense-evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | 8 | Hide Files Through Registry | f650456b-bd49-4bc1-ae9d-271b5b9581e7 | command_prompt |
| 646 | defense-evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | 9 | Create Windows Hidden File with powershell | 7f66d539-4fbe-4cfa-9a56-4a2bf660c58a | powershell |
| 647 | defense-evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | 10 | Create Windows System File with powershell | d380c318-0b34-45cb-9dad-828c11891e43 | powershell |
| 648 | defense-evasion | T1578.001 | Modify Cloud Compute Infrastructure: Create Snapshot | 1 | AWS - Create Snapshot from EBS Volume | a3c09662-85bb-4ea8-b15b-6dc8a844e236 | sh |
| 649 | defense-evasion | T1578.001 | Modify Cloud Compute Infrastructure: Create Snapshot | 2 | Azure - Create Snapshot from Managed Disk | 89e69b4b-3458-4ec6-b819-b3008debc1bc | sh |
| 650 | defense-evasion | T1578.001 | Modify Cloud Compute Infrastructure: Create Snapshot | 3 | GCP - Create Snapshot from Persistent Disk | e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d | sh |
| 651 | defense-evasion | T1078.004 | Valid Accounts: Cloud Accounts | 1 | Creating GCP Service Account and Service Account Key | 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e | sh |
| 652 | defense-evasion | T1078.004 | Valid Accounts: Cloud Accounts | 2 | Azure Persistence Automation Runbook Created or Modified | 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac | powershell |
| 653 | defense-evasion | T1078.004 | Valid Accounts: Cloud Accounts | 3 | GCP - Create Custom IAM Role | 3a159042-69e6-4398-9a69-3308a4841c85 | sh |
| 654 | defense-evasion | T1564.004 | Hide Artifacts: NTFS File Attributes | 1 | Alternate Data Streams (ADS) | 8822c3b0-d9f9-4daf-a043-49f4602364f4 | command_prompt |
| 655 | defense-evasion | T1564.004 | Hide Artifacts: NTFS File Attributes | 2 | Store file in Alternate Data Stream (ADS) | 2ab75061-f5d5-4c1a-b666-ba2a50df5b02 | powershell |
| 656 | defense-evasion | T1564.004 | Hide Artifacts: NTFS File Attributes | 3 | Create ADS command prompt | 17e7637a-ddaf-4a82-8622-377e20de8fdb | command_prompt |
| 657 | defense-evasion | T1564.004 | Hide Artifacts: NTFS File Attributes | 4 | Create ADS PowerShell | 0045ea16-ed3c-4d4c-a9ee-15e44d1560d1 | powershell |
| 658 | defense-evasion | T1564.004 | Hide Artifacts: NTFS File Attributes | 5 | Create Hidden Directory via $index_allocation | 3e6791e7-232c-481c-a680-a52f86b83fdf | command_prompt |
| 659 | defense-evasion | T1055.001 | Process Injection: Dynamic-link Library Injection | 1 | Process Injection via mavinject.exe | 74496461-11a1-4982-b439-4d87a550d254 | powershell |
| 660 | defense-evasion | T1055.001 | Process Injection: Dynamic-link Library Injection | 2 | WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique | 8b56f787-73d9-4f1d-87e8-d07e89cbc7f5 | powershell |
| 661 | defense-evasion | T1216 | Signed Script Proxy Execution | 1 | SyncAppvPublishingServer Signed Script PowerShell Command Execution | 275d963d-3f36-476c-8bef-a2a3960ee6eb | command_prompt |
| 662 | defense-evasion | T1216 | Signed Script Proxy Execution | 2 | manage-bde.wsf Signed Script Command Execution | 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a | command_prompt |
| 663 | defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 1 | Create local account with admin privileges | a524ce99-86de-4db6-b4f9-e08f35a47a15 | command_prompt |
| 664 | defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 2 | Create local account with admin privileges - MacOS | f1275566-1c26-4b66-83e3-7f9f7f964daa | bash |
| 665 | defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 3 | Create local account with admin privileges using sysadminctl utility - MacOS | 191db57d-091a-47d5-99f3-97fde53de505 | bash |
| 666 | defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 4 | Enable root account using dsenableroot utility - MacOS | 20b40ea9-0e17-4155-b8e6-244911a678ac | bash |
| 667 | defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 5 | Add a new/existing user to the admin group using dseditgroup utility - macOS | 433842ba-e796-4fd5-a14f-95d3a1970875 | bash |
| 668 | defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 6 | WinPwn - Loot local Credentials - powerhell kittie | 9e9fd066-453d-442f-88c1-ad7911d32912 | powershell |
| 669 | defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 7 | WinPwn - Loot local Credentials - Safetykatz | e9fdb899-a980-4ba4-934b-486ad22e22f4 | powershell |
| 670 | defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 8 | Create local account (Linux) | 02a91c34-8a5b-4bed-87af-501103eb5357 | bash |
| 671 | defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 9 | Reactivate a locked/expired account (Linux) | d2b95631-62d7-45a3-aaef-0972cea97931 | bash |
| 672 | defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 10 | Reactivate a locked/expired account (FreeBSD) | 09e3380a-fae5-4255-8b19-9950be0252cf | sh |
| 673 | defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 11 | Login as nobody (Linux) | 3d2cd093-ee05-41bd-a802-59ee5c301b85 | bash |
| 674 | defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 12 | Login as nobody (freebsd) | 16f6374f-7600-459a-9b16-6a88fd96d310 | sh |
| 675 | defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 13 | Use PsExec to elevate to NT Authority\SYSTEM account | 6904235f-0f55-4039-8aed-41c300ff7733 | command_prompt |
| 676 | defense-evasion | T1127 | Trusted Developer Utilities Proxy Execution | 1 | Lolbin Jsc.exe compile javascript to exe | 1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8 | command_prompt |
| 677 | defense-evasion | T1127 | Trusted Developer Utilities Proxy Execution | 2 | Lolbin Jsc.exe compile javascript to dll | 3fc9fea2-871d-414d-8ef6-02e85e322b80 | command_prompt |
| 678 | defense-evasion | T1574.012 | Hijack Execution Flow: COR_PROFILER | 1 | User scope COR_PROFILER | 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a | powershell |
| 679 | defense-evasion | T1574.012 | Hijack Execution Flow: COR_PROFILER | 2 | System Scope COR_PROFILER | f373b482-48c8-4ce4-85ed-d40c8b3f7310 | powershell |
| 680 | defense-evasion | T1574.012 | Hijack Execution Flow: COR_PROFILER | 3 | Registry-free process scope COR_PROFILER | 79d57242-bbef-41db-b301-9d01d9f6e817 | powershell |
| 681 | privilege-escalation | T1055.011 | Process Injection: Extra Window Memory Injection | 1 | Process Injection via Extra Window Memory (EWM) x64 executable | 93ca40d2-336c-446d-bcef-87f14d438018 | powershell |
| 682 | privilege-escalation | T1053.005 | Scheduled Task/Job: Scheduled Task | 1 | Scheduled Task Startup Script | fec27f65-db86-4c2d-b66c-61945aee87c2 | command_prompt |
| 683 | privilege-escalation | T1053.005 | Scheduled Task/Job: Scheduled Task | 2 | Scheduled task Local | 42f53695-ad4a-4546-abb6-7d837f644a71 | command_prompt |
| 684 | privilege-escalation | T1053.005 | Scheduled Task/Job: Scheduled Task | 3 | Scheduled task Remote | 2e5eac3e-327b-4a88-a0c0-c4057039a8dd | command_prompt |
| 685 | privilege-escalation | T1053.005 | Scheduled Task/Job: Scheduled Task | 4 | Powershell Cmdlet Scheduled Task | af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd | powershell |
| 686 | privilege-escalation | T1053.005 | Scheduled Task/Job: Scheduled Task | 5 | Task Scheduler via VBA | ecd3fa21-7792-41a2-8726-2c5c673414d3 | powershell |
| 687 | privilege-escalation | T1053.005 | Scheduled Task/Job: Scheduled Task | 6 | WMI Invoke-CimMethod Scheduled Task | e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b | powershell |
| 688 | privilege-escalation | T1053.005 | Scheduled Task/Job: Scheduled Task | 7 | Scheduled Task Executing Base64 Encoded Commands From Registry | e895677d-4f06-49ab-91b6-ae3742d0a2ba | command_prompt |
| 689 | privilege-escalation | T1053.005 | Scheduled Task/Job: Scheduled Task | 8 | Import XML Schedule Task with Hidden Attribute | cd925593-fbb4-486d-8def-16cbdf944bf4 | powershell |
| 690 | privilege-escalation | T1053.005 | Scheduled Task/Job: Scheduled Task | 9 | PowerShell Modify A Scheduled Task | dda6fc7b-c9a6-4c18-b98d-95ec6542af6d | powershell |
| 691 | privilege-escalation | T1053.005 | Scheduled Task/Job: Scheduled Task | 10 | Scheduled Task ("Ghost Task") via Registry Key Manipulation | 704333ca-cc12-4bcf-9916-101844881f54 | command_prompt |
| 692 | privilege-escalation | T1053.005 | Scheduled Task/Job: Scheduled Task | 11 | Scheduled Task Persistence via CompMgmt.msc | 8fcfa3d5-ea7d-4e1c-bd3e-3c4ed315b7d2 | command_prompt |
| 693 | privilege-escalation | T1053.005 | Scheduled Task/Job: Scheduled Task | 12 | Scheduled Task Persistence via Eventviewer.msc | 02124c37-767e-4b76-9383-c9fc366d9d4c | command_prompt |
| 694 | privilege-escalation | T1546.013 | Event Triggered Execution: PowerShell Profile | 1 | Append malicious start-process cmdlet | 090e5aa5-32b6-473b-a49b-21e843a56896 | powershell |
| 695 | privilege-escalation | T1053.007 | Kubernetes Cronjob | 1 | ListCronjobs | ddfb0bc1-3c3f-47e9-a298-550ecfefacbd | bash |
| 696 | privilege-escalation | T1053.007 | Kubernetes Cronjob | 2 | CreateCronjob | f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 | bash |
| 697 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 1 | Bypass UAC using Event Viewer (cmd) | 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 | command_prompt |
| 698 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 2 | Bypass UAC using Event Viewer (PowerShell) | a6ce9acf-842a-4af6-8f79-539be7608e2b | powershell |
| 699 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 3 | Bypass UAC using Fodhelper | 58f641ea-12e3-499a-b684-44dee46bd182 | command_prompt |
| 700 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 4 | Bypass UAC using Fodhelper - PowerShell | 3f627297-6c38-4e7d-a278-fc2563eaaeaa | powershell |
| 701 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 5 | Bypass UAC using ComputerDefaults (PowerShell) | 3c51abf2-44bf-42d8-9111-dc96ff66750f | powershell |
| 702 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 6 | Bypass UAC by Mocking Trusted Directories | f7a35090-6f7f-4f64-bb47-d657bf5b10c1 | command_prompt |
| 703 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 7 | Bypass UAC using sdclt DelegateExecute | 3be891eb-4608-4173-87e8-78b494c029b7 | powershell |
| 704 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 8 | Disable UAC using reg.exe | 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 | command_prompt |
| 705 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 9 | Bypass UAC using SilentCleanup task | 28104f8a-4ff1-4582-bcf6-699dce156608 | command_prompt |
| 706 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 10 | UACME Bypass Method 23 | 8ceab7a2-563a-47d2-b5ba-0995211128d7 | command_prompt |
| 707 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 11 | UACME Bypass Method 31 | b0f76240-9f33-4d34-90e8-3a7d501beb15 | command_prompt |
| 708 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 12 | UACME Bypass Method 33 | e514bb03-f71c-4b22-9092-9f961ec6fb03 | command_prompt |
| 709 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 13 | UACME Bypass Method 34 | 695b2dac-423e-448e-b6ef-5b88e93011d6 | command_prompt |
| 710 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 14 | UACME Bypass Method 39 | 56163687-081f-47da-bb9c-7b231c5585cf | command_prompt |
| 711 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 15 | UACME Bypass Method 56 | 235ec031-cd2d-465d-a7ae-68bab281e80e | command_prompt |
| 712 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 16 | UACME Bypass Method 59 | dfb1b667-4bb8-4a63-a85e-29936ea75f29 | command_prompt |
| 713 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 17 | UACME Bypass Method 61 | 7825b576-744c-4555-856d-caf3460dc236 | command_prompt |
| 714 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 18 | WinPwn - UAC Magic | 964d8bf8-37bc-4fd3-ba36-ad13761ebbcc | powershell |
| 715 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 19 | WinPwn - UAC Bypass ccmstp technique | f3c145f9-3c8d-422c-bd99-296a17a8f567 | powershell |
| 716 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 20 | WinPwn - UAC Bypass DiskCleanup technique | 1ed67900-66cd-4b09-b546-2a0ef4431a0c | powershell |
| 717 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 21 | WinPwn - UAC Bypass DccwBypassUAC technique | 2b61977b-ae2d-4ae4-89cb-5c36c89586be | powershell |
| 718 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 22 | Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key | 251c5936-569f-42f4-9ac2-87a173b9e9b8 | powershell |
| 719 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 23 | UAC Bypass with WSReset Registry Modification | 3b96673f-9c92-40f1-8a3e-ca060846f8d9 | powershell |
| 720 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 24 | Disable UAC - Switch to the secure desktop when prompting for elevation via registry key | 85f3a526-4cfa-4fe7-98c1-dea99be025c7 | powershell |
| 721 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 25 | Disable UAC notification via registry keys | 160a7c77-b00e-4111-9e45-7c2a44eda3fd | command_prompt |
| 722 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 26 | Disable ConsentPromptBehaviorAdmin via registry keys | a768aaa2-2442-475c-8990-69cf33af0f4e | command_prompt |
| 723 | privilege-escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | 27 | UAC bypassed by Utilizing ProgIDs registry. | b6f4645c-34ea-4c7c-98f2-d5a2747efb08 | command_prompt |
| 724 | privilege-escalation | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 1 | Sudo usage | 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e | sh |
| 725 | privilege-escalation | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 2 | Sudo usage (freebsd) | 2bf9a018-4664-438a-b435-cc6f8c6f71b1 | sh |
| 726 | privilege-escalation | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 3 | Unlimited sudo cache timeout | a7b17659-dd5e-46f7-b7d1-e6792c91d0bc | sh |
| 727 | privilege-escalation | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 4 | Unlimited sudo cache timeout (freebsd) | a83ad6e8-6f24-4d7f-8f44-75f8ab742991 | sh |
| 728 | privilege-escalation | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 5 | Disable tty_tickets for sudo caching | 91a60b03-fb75-4d24-a42e-2eb8956e8de1 | sh |
| 729 | privilege-escalation | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 6 | Disable tty_tickets for sudo caching (freebsd) | 4df6a0fe-2bdd-4be8-8618-a6a19654a57a | sh |
| 730 | privilege-escalation | T1574.011 | Hijack Execution Flow: Services Registry Permissions Weakness | 1 | Service Registry Permissions Weakness | f7536d63-7fd4-466f-89da-7e48d550752a | powershell |
| 731 | privilege-escalation | T1574.011 | Hijack Execution Flow: Services Registry Permissions Weakness | 2 | Service ImagePath Change with reg.exe | f38e9eea-e1d7-4ba6-b716-584791963827 | command_prompt |
| 732 | privilege-escalation | T1547 | Boot or Logon Autostart Execution | 1 | Add a driver | cb01b3da-b0e7-4e24-bf6d-de5223526785 | command_prompt |
| 733 | privilege-escalation | T1547 | Boot or Logon Autostart Execution | 2 | Driver Installation Using pnputil.exe | 5cb0b071-8a5a-412f-839d-116beb2ed9f7 | powershell |
| 734 | privilege-escalation | T1547 | Boot or Logon Autostart Execution | 3 | Leverage Virtual Channels to execute custom DLL during successful RDP session | fdd45306-74f6-4ade-9a97-0a4895961228 | command_prompt |
| 735 | privilege-escalation | T1547.014 | Active Setup | 1 | HKLM - Add atomic_test key to launch executable as part of user setup | deff4586-0517-49c2-981d-bbea24d48d71 | powershell |
| 736 | privilege-escalation | T1547.014 | Active Setup | 2 | HKLM - Add malicious StubPath value to existing Active Setup Entry | 39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a | powershell |
| 737 | privilege-escalation | T1547.014 | Active Setup | 3 | HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number | 04d55cef-f283-40ba-ae2a-316bc3b5e78c | powershell |
| 738 | privilege-escalation | T1484.002 | Domain Trust Modification | 1 | Add Federation to Azure AD | 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7 | powershell |
| 739 | privilege-escalation | T1543.003 | Create or Modify System Process: Windows Service | 1 | Modify Fax service to run PowerShell | ed366cde-7d12-49df-a833-671904770b9f | command_prompt |
| 740 | privilege-escalation | T1543.003 | Create or Modify System Process: Windows Service | 2 | Service Installation CMD | 981e2942-e433-44e9-afc1-8c957a1496b6 | command_prompt |
| 741 | privilege-escalation | T1543.003 | Create or Modify System Process: Windows Service | 3 | Service Installation PowerShell | 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 | powershell |
| 742 | privilege-escalation | T1543.003 | Create or Modify System Process: Windows Service | 4 | TinyTurla backdoor service w64time | ef0581fd-528e-4662-87bc-4c2affb86940 | command_prompt |
| 743 | privilege-escalation | T1543.003 | Create or Modify System Process: Windows Service | 5 | Remote Service Installation CMD | fb4151a2-db33-4f8c-b7f8-78ea8790f961 | command_prompt |
| 744 | privilege-escalation | T1543.003 | Create or Modify System Process: Windows Service | 6 | Modify Service to Run Arbitrary Binary (Powershell) | 1f896ce4-8070-4959-8a25-2658856a70c9 | powershell |
| 745 | privilege-escalation | T1053.003 | Scheduled Task/Job: Cron | 1 | Cron - Replace crontab with referenced file | 435057fb-74b1-410e-9403-d81baf194f75 | sh |
| 746 | privilege-escalation | T1053.003 | Scheduled Task/Job: Cron | 2 | Cron - Add script to all cron subfolders | b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 | bash |
| 747 | privilege-escalation | T1053.003 | Scheduled Task/Job: Cron | 3 | Cron - Add script to /etc/cron.d folder | 078e69eb-d9fb-450e-b9d0-2e118217c846 | sh |
| 748 | privilege-escalation | T1053.003 | Scheduled Task/Job: Cron | 4 | Cron - Add script to /var/spool/cron/crontabs/ folder | 2d943c18-e74a-44bf-936f-25ade6cccab4 | bash |
| 749 | privilege-escalation | T1098.003 | Account Manipulation: Additional Cloud Roles | 1 | Azure AD - Add Company Administrator Role to a user | 4d77f913-56f5-4a14-b4b1-bf7bb24298ad | powershell |
| 750 | privilege-escalation | T1098.003 | Account Manipulation: Additional Cloud Roles | 2 | Simulate - Post BEC persistence via user password reset followed by user added to company administrator role | 14f3af20-61f1-45b8-ad31-4637815f3f44 | powershell |
| 751 | privilege-escalation | T1547.012 | Boot or Logon Autostart Execution: Print Processors | 1 | Print Processors | f7d38f47-c61b-47cc-a59d-fc0368f47ed0 | powershell |
| 752 | privilege-escalation | T1574.001 | Hijack Execution Flow: DLL | 1 | DLL Search Order Hijacking - amsi.dll | 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 | command_prompt |
| 753 | privilege-escalation | T1574.001 | Hijack Execution Flow: DLL | 2 | Phantom Dll Hijacking - WinAppXRT.dll | 46ed938b-c617-429a-88dc-d49b5c9ffedb | command_prompt |
| 754 | privilege-escalation | T1574.001 | Hijack Execution Flow: DLL | 3 | Phantom Dll Hijacking - ualapi.dll | 5898902d-c5ad-479a-8545-6f5ab3cfc87f | command_prompt |
| 755 | privilege-escalation | T1574.001 | Hijack Execution Flow: DLL | 4 | DLL Side-Loading using the Notepad++ GUP.exe binary | 65526037-7079-44a9-bda1-2cb624838040 | command_prompt |
| 756 | privilege-escalation | T1574.001 | Hijack Execution Flow: DLL | 5 | DLL Side-Loading using the dotnet startup hook environment variable | d322cdd7-7d60-46e3-9111-648848da7c02 | command_prompt |
| 757 | privilege-escalation | T1574.001 | Hijack Execution Flow: DLL | 6 | DLL Search Order Hijacking,DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE | c095ad8e-4469-4d33-be9d-6f6d1fb21585 | powershell |
| 758 | privilege-escalation | T1055.003 | Thread Execution Hijacking | 1 | Thread Execution Hijacking | 578025d5-faa9-4f6d-8390-aae527d503e1 | powershell |
| 759 | privilege-escalation | T1546.011 | Event Triggered Execution: Application Shimming | 1 | Application Shim Installation | 9ab27e22-ee62-4211-962b-d36d9a0e6a18 | command_prompt |
| 760 | privilege-escalation | T1546.011 | Event Triggered Execution: Application Shimming | 2 | New shim database files created in the default shim database directory | aefd6866-d753-431f-a7a4-215ca7e3f13d | powershell |
| 761 | privilege-escalation | T1546.011 | Event Triggered Execution: Application Shimming | 3 | Registry key creation and/or modification events for SDB | 9b6a06f9-ab5e-4e8d-8289-1df4289db02f | powershell |
| 762 | privilege-escalation | T1547.010 | Boot or Logon Autostart Execution: Port Monitors | 1 | Add Port Monitor persistence in Registry | d34ef297-f178-4462-871e-9ce618d44e50 | command_prompt |
| 763 | privilege-escalation | T1037.002 | Boot or Logon Initialization Scripts: Logon Script (Mac) | 1 | Logon Scripts - Mac | f047c7de-a2d9-406e-a62b-12a09d9516f4 | manual |
| 764 | privilege-escalation | T1055 | Process Injection | 1 | Shellcode execution via VBA | 1c91e740-1729-4329-b779-feba6e71d048 | powershell |
| 765 | privilege-escalation | T1055 | Process Injection | 2 | Remote Process Injection in LSASS via mimikatz | 3203ad24-168e-4bec-be36-f79b13ef8a83 | command_prompt |
| 766 | privilege-escalation | T1055 | Process Injection | 3 | Section View Injection | c6952f41-6cf0-450a-b352-2ca8dae7c178 | powershell |
| 767 | privilege-escalation | T1055 | Process Injection | 4 | Dirty Vanity process Injection | 49543237-25db-497b-90df-d0a0a6e8fe2c | powershell |
| 768 | privilege-escalation | T1055 | Process Injection | 5 | Read-Write-Execute process Injection | 0128e48e-8c1a-433a-a11a-a5387384f1e1 | powershell |
| 769 | privilege-escalation | T1055 | Process Injection | 6 | Process Injection with Go using UuidFromStringA WinAPI | 2315ce15-38b6-46ac-a3eb-5e21abef2545 | powershell |
| 770 | privilege-escalation | T1055 | Process Injection | 7 | Process Injection with Go using EtwpCreateEtwThread WinAPI | 7362ecef-6461-402e-8716-7410e1566400 | powershell |
| 771 | privilege-escalation | T1055 | Process Injection | 8 | Remote Process Injection with Go using RtlCreateUserThread WinAPI | a0c1725f-abcd-40d6-baac-020f3cf94ecd | powershell |
| 772 | privilege-escalation | T1055 | Process Injection | 9 | Remote Process Injection with Go using CreateRemoteThread WinAPI | 69534efc-d5f5-4550-89e6-12c6457b9edd | powershell |
| 773 | privilege-escalation | T1055 | Process Injection | 10 | Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively) | 2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39 | powershell |
| 774 | privilege-escalation | T1055 | Process Injection | 11 | Process Injection with Go using CreateThread WinAPI | 2871ed59-3837-4a52-9107-99500ebc87cb | powershell |
| 775 | privilege-escalation | T1055 | Process Injection | 12 | Process Injection with Go using CreateThread WinAPI (Natively) | 2a3c7035-d14f-467a-af94-933e49fe6786 | powershell |
| 776 | privilege-escalation | T1055 | Process Injection | 13 | UUID custom process Injection | 0128e48e-8c1a-433a-a11a-a5304734f1e1 | powershell |
| 777 | privilege-escalation | T1611 | Escape to Host | 1 | Deploy container using nsenter container escape | 0b2f9520-a17a-4671-9dba-3bd034099fff | sh |
| 778 | privilege-escalation | T1611 | Escape to Host | 2 | Mount host filesystem to escape privileged Docker container | 6c499943-b098-4bc6-8d38-0956fc182984 | sh |
| 779 | privilege-escalation | T1611 | Escape to Host | 3 | Privilege Escalation via Docker Volume Mapping | 39fab1bc-fcb9-406f-bc2e-fe03e42ff0e4 | sh |
| 780 | privilege-escalation | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | 1 | Shortcut Modification | ce4fc678-364f-4282-af16-2fb4c78005ce | command_prompt |
| 781 | privilege-escalation | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | 2 | Create shortcut to cmd in startup folders | cfdc954d-4bb0-4027-875b-a1893ce406f2 | powershell |
| 782 | privilege-escalation | T1547.005 | Boot or Logon Autostart Execution: Security Support Provider | 1 | Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry | afdfd7e3-8a0b-409f-85f7-886fdf249c9e | powershell |
| 783 | privilege-escalation | T1547.005 | Boot or Logon Autostart Execution: Security Support Provider | 2 | Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry | de3f8e74-3351-4fdb-a442-265dbf231738 | powershell |
| 784 | privilege-escalation | T1543.004 | Create or Modify System Process: Launch Daemon | 1 | Launch Daemon | 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf | bash |
| 785 | privilege-escalation | T1574.008 | Hijack Execution Flow: Path Interception by Search Order Hijacking | 1 | powerShell Persistence via hijacking default modules - Get-Variable.exe | 1561de08-0b4b-498e-8261-e922f3494aae | powershell |
| 786 | privilege-escalation | T1484.001 | Domain Policy Modification: Group Policy Modification | 1 | LockBit Black - Modify Group policy settings -cmd | 9ab80952-74ee-43da-a98c-1e740a985f28 | command_prompt |
| 787 | privilege-escalation | T1484.001 | Domain Policy Modification: Group Policy Modification | 2 | LockBit Black - Modify Group policy settings -Powershell | b51eae65-5441-4789-b8e8-64783c26c1d1 | powershell |
| 788 | privilege-escalation | T1078.001 | Valid Accounts: Default Accounts | 1 | Enable Guest account with RDP capability and admin privileges | 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 | command_prompt |
| 789 | privilege-escalation | T1078.001 | Valid Accounts: Default Accounts | 2 | Activate Guest Account | aa6cb8c4-b582-4f8e-b677-37733914abda | command_prompt |
| 790 | privilege-escalation | T1078.001 | Valid Accounts: Default Accounts | 3 | Enable Guest Account on macOS | 0315bdff-4178-47e9-81e4-f31a6d23f7e4 | sh |
| 791 | privilege-escalation | T1547.003 | Time Providers | 1 | Create a new time provider | df1efab7-bc6d-4b88-8be9-91f55ae017aa | powershell |
| 792 | privilege-escalation | T1547.003 | Time Providers | 2 | Edit an existing time provider | 29e0afca-8d1d-471a-8d34-25512fc48315 | powershell |
| 793 | privilege-escalation | T1546.005 | Event Triggered Execution: Trap | 1 | Trap EXIT | a74b2e07-5952-4c03-8b56-56274b076b61 | sh |
| 794 | privilege-escalation | T1546.005 | Event Triggered Execution: Trap | 2 | Trap EXIT (freebsd) | be1a5d70-6865-44aa-ab50-42244c9fd16f | sh |
| 795 | privilege-escalation | T1546.005 | Event Triggered Execution: Trap | 3 | Trap SIGINT | a547d1ba-1d7a-4cc5-a9cb-8d65e8809636 | sh |
| 796 | privilege-escalation | T1546.005 | Event Triggered Execution: Trap | 4 | Trap SIGINT (freebsd) | ade10242-1eac-43df-8412-be0d4c704ada | sh |
| 797 | privilege-escalation | T1574.006 | Hijack Execution Flow: LD_PRELOAD | 1 | Shared Library Injection via /etc/ld.so.preload | 39cb0e67-dd0d-4b74-a74b-c072db7ae991 | bash |
| 798 | privilege-escalation | T1574.006 | Hijack Execution Flow: LD_PRELOAD | 2 | Shared Library Injection via LD_PRELOAD | bc219ff7-789f-4d51-9142-ecae3397deae | bash |
| 799 | privilege-escalation | T1574.006 | Hijack Execution Flow: LD_PRELOAD | 3 | Dylib Injection via DYLD_INSERT_LIBRARIES | 4d66029d-7355-43fd-93a4-b63ba92ea1be | bash |
| 800 | privilege-escalation | T1134.002 | Create Process with Token | 1 | Access Token Manipulation | dbf4f5a9-b8e0-46a3-9841-9ad71247239e | powershell |
| 801 | privilege-escalation | T1134.002 | Create Process with Token | 2 | WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique | ccf4ac39-ec93-42be-9035-90e2f26bcd92 | powershell |
| 802 | privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 1 | Make and modify binary from C source | 896dfe97-ae43-4101-8e96-9a7996555d80 | sh |
| 803 | privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 2 | Make and modify binary from C source (freebsd) | dd580455-d84b-481b-b8b0-ac96f3b1dc4c | sh |
| 804 | privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 3 | Set a SetUID flag on file | 759055b3-3885-4582-a8ec-c00c9d64dd79 | sh |
| 805 | privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 4 | Set a SetUID flag on file (freebsd) | 9be9b827-ff47-4e1b-bef8-217db6fb7283 | sh |
| 806 | privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 5 | Set a SetGID flag on file | db55f666-7cba-46c6-9fe6-205a05c3242c | sh |
| 807 | privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 6 | Set a SetGID flag on file (freebsd) | 1f73af33-62a8-4bf1-bd10-3bea931f2c0d | sh |
| 808 | privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 7 | Make and modify capabilities of a binary | db53959c-207d-4000-9e7a-cd8eb417e072 | sh |
| 809 | privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 8 | Provide the SetUID capability to a file | 1ac3272f-9bcf-443a-9888-4b1d3de785c1 | sh |
| 810 | privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 9 | Do reconnaissance for files that have the setuid bit set | 8e36da01-cd29-45fd-be72-8a0fcaad4481 | sh |
| 811 | privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 10 | Do reconnaissance for files that have the setgid bit set | 3fb46e17-f337-4c14-9f9a-a471946533e2 | sh |
| 812 | privilege-escalation | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | 1 | Winlogon Shell Key Persistence - PowerShell | bf9f9d65-ee4d-4c3e-a843-777d04f19c38 | powershell |
| 813 | privilege-escalation | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | 2 | Winlogon Userinit Key Persistence - PowerShell | fb32c935-ee2e-454b-8fa3-1c46b42e8dfb | powershell |
| 814 | privilege-escalation | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | 3 | Winlogon Notify Key Logon Persistence - PowerShell | d40da266-e073-4e5a-bb8b-2b385023e5f9 | powershell |
| 815 | privilege-escalation | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | 4 | Winlogon HKLM Shell Key Persistence - PowerShell | 95a3c42f-8c88-4952-ad60-13b81d929a9d | powershell |
| 816 | privilege-escalation | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | 5 | Winlogon HKLM Userinit Key Persistence - PowerShell | f9b8daff-8fa7-4e6a-a1a7-7c14675a545b | powershell |
| 817 | privilege-escalation | T1098.004 | SSH Authorized Keys | 1 | Modify SSH Authorized Keys | 342cc723-127c-4d3a-8292-9c0c6b4ecadc | sh |
| 818 | privilege-escalation | T1546.012 | Event Triggered Execution: Image File Execution Options Injection | 1 | IFEO Add Debugger | fdda2626-5234-4c90-b163-60849a24c0b8 | command_prompt |
| 819 | privilege-escalation | T1546.012 | Event Triggered Execution: Image File Execution Options Injection | 2 | IFEO Global Flags | 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 | command_prompt |
| 820 | privilege-escalation | T1546.012 | Event Triggered Execution: Image File Execution Options Injection | 3 | GlobalFlags in Image File Execution Options | 13117939-c9b2-4a43-999e-0a543df92f0d | powershell |
| 821 | privilege-escalation | T1546.008 | Event Triggered Execution: Accessibility Features | 1 | Attaches Command Prompt as a Debugger to a List of Target Processes | 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 | powershell |
| 822 | privilege-escalation | T1546.008 | Event Triggered Execution: Accessibility Features | 2 | Replace binary of sticky keys | 934e90cf-29ca-48b3-863c-411737ad44e3 | command_prompt |
| 823 | privilege-escalation | T1546.008 | Event Triggered Execution: Accessibility Features | 3 | Create Symbolic Link From osk.exe to cmd.exe | 51ef369c-5e87-4f33-88cd-6d61be63edf2 | command_prompt |
| 824 | privilege-escalation | T1546.008 | Event Triggered Execution: Accessibility Features | 4 | Atbroker.exe (AT) Executes Arbitrary Command via Registry Key | 444ff124-4c83-4e28-8df6-6efd3ece6bd4 | command_prompt |
| 825 | privilege-escalation | T1546.008 | Event Triggered Execution: Accessibility Features | 5 | Auto-start application on user logon | 7125eba8-7b30-426b-9147-781d152be6fb | command_prompt |
| 826 | privilege-escalation | T1546.008 | Event Triggered Execution: Accessibility Features | 6 | Replace utilman.exe (Ease of Access Binary) with cmd.exe | 1db380da-3422-481d-a3c8-6d5770dba580 | command_prompt |
| 827 | privilege-escalation | T1546.008 | Event Triggered Execution: Accessibility Features | 7 | Replace Magnify.exe (Magnifier binary) with cmd.exe | 5e4fa70d-c789-470e-85e1-6992b92bb321 | command_prompt |
| 828 | privilege-escalation | T1546.008 | Event Triggered Execution: Accessibility Features | 8 | Replace Narrator.exe (Narrator binary) with cmd.exe | 2002f5ea-cd13-4c82-bf73-e46722e5dc5e | command_prompt |
| 829 | privilege-escalation | T1546.008 | Event Triggered Execution: Accessibility Features | 9 | Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe | 825ba8ca-71cc-436b-b1dd-ea0d5e109086 | command_prompt |
| 830 | privilege-escalation | T1546.008 | Event Triggered Execution: Accessibility Features | 10 | Replace AtBroker.exe (App Switcher binary) with cmd.exe | 210be7ea-d841-40ec-b3e1-ff610bb62744 | command_prompt |
| 831 | privilege-escalation | T1055.004 | Process Injection: Asynchronous Procedure Call | 1 | Process Injection via C# | 611b39b7-e243-4c81-87a4-7145a90358b1 | command_prompt |
| 832 | privilege-escalation | T1055.004 | Process Injection: Asynchronous Procedure Call | 2 | EarlyBird APC Queue Injection in Go | 73785dd2-323b-4205-ab16-bb6f06677e14 | powershell |
| 833 | privilege-escalation | T1055.004 | Process Injection: Asynchronous Procedure Call | 3 | Remote Process Injection with Go using NtQueueApcThreadEx WinAPI | 4cc571b1-f450-414a-850f-879baf36aa06 | powershell |
| 834 | privilege-escalation | T1546.009 | Event Triggered Execution: AppCert DLLs | 1 | Create registry persistence via AppCert DLL | a5ad6104-5bab-4c43-b295-b4c44c7c6b05 | powershell |
| 835 | privilege-escalation | T1055.002 | Process Injection: Portable Executable Injection | 1 | Portable Executable Injection | 578025d5-faa9-4f6d-8390-aae739d503e1 | powershell |
| 836 | privilege-escalation | T1547.015 | Boot or Logon Autostart Execution: Login Items | 1 | Persistence by modifying Windows Terminal profile | ec5d76ef-82fe-48da-b931-bdb25a62bc65 | powershell |
| 837 | privilege-escalation | T1547.015 | Boot or Logon Autostart Execution: Login Items | 2 | Add macOS LoginItem using Applescript | 716e756a-607b-41f3-8204-b214baf37c1d | bash |
| 838 | privilege-escalation | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | 1 | Named pipe client impersonation | 90db9e27-8e7c-4c04-b602-a45927884966 | powershell |
| 839 | privilege-escalation | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | 2 | `SeDebugPrivilege` token duplication | 34f0a430-9d04-4d98-bcb5-1989f14719f0 | powershell |
| 840 | privilege-escalation | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | 3 | Launch NSudo Executable | 7be1bc0f-d8e5-4345-9333-f5f67d742cb9 | powershell |
| 841 | privilege-escalation | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | 4 | Bad Potato | 9c6d799b-c111-4749-a42f-ec2f8cb51448 | powershell |
| 842 | privilege-escalation | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | 5 | Juicy Potato | f095e373-b936-4eb4-8d22-f47ccbfbe64a | powershell |
| 843 | privilege-escalation | T1098.001 | Account Manipulation: Additional Cloud Credentials | 1 | Azure AD Application Hijacking - Service Principal | b8e747c3-bdf7-4d71-bce2-f1df2a057406 | powershell |
| 844 | privilege-escalation | T1098.001 | Account Manipulation: Additional Cloud Credentials | 2 | Azure AD Application Hijacking - App Registration | a12b5531-acab-4618-a470-0dafb294a87a | powershell |
| 845 | privilege-escalation | T1098.001 | Account Manipulation: Additional Cloud Credentials | 3 | AWS - Create Access Key and Secret Key | 8822c3b0-d9f9-4daf-a043-491160a31122 | sh |
| 846 | privilege-escalation | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | 1 | Persistence via WMI Event Subscription - CommandLineEventConsumer | 3c64f177-28e2-49eb-a799-d767b24dd1e0 | powershell |
| 847 | privilege-escalation | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | 2 | Persistence via WMI Event Subscription - ActiveScriptEventConsumer | fecd0dfd-fb55-45fa-a10b-6250272d0832 | powershell |
| 848 | privilege-escalation | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | 3 | Windows MOFComp.exe Load MOF File | 29786d7e-8916-4de6-9c55-be7b093b2706 | powershell |
| 849 | privilege-escalation | T1134.004 | Access Token Manipulation: Parent PID Spoofing | 1 | Parent PID Spoofing using PowerShell | 069258f4-2162-46e9-9a25-c9c6c56150d2 | powershell |
| 850 | privilege-escalation | T1134.004 | Access Token Manipulation: Parent PID Spoofing | 2 | Parent PID Spoofing - Spawn from Current Process | 14920ebd-1d61-491a-85e0-fe98efe37f25 | powershell |
| 851 | privilege-escalation | T1134.004 | Access Token Manipulation: Parent PID Spoofing | 3 | Parent PID Spoofing - Spawn from Specified Process | cbbff285-9051-444a-9d17-c07cd2d230eb | powershell |
| 852 | privilege-escalation | T1134.004 | Access Token Manipulation: Parent PID Spoofing | 4 | Parent PID Spoofing - Spawn from svchost.exe | e9f2b777-3123-430b-805d-5cedc66ab591 | powershell |
| 853 | privilege-escalation | T1134.004 | Access Token Manipulation: Parent PID Spoofing | 5 | Parent PID Spoofing - Spawn from New Process | 2988133e-561c-4e42-a15f-6281e6a9b2db | powershell |
| 854 | privilege-escalation | T1546.001 | Event Triggered Execution: Change Default File Association | 1 | Change Default File Association | 10a08978-2045-4d62-8c42-1957bbbea102 | command_prompt |
| 855 | privilege-escalation | T1546.014 | Event Triggered Execution: Emond | 1 | Persistance with Event Monitor - emond | 23c9c127-322b-4c75-95ca-eff464906114 | sh |
| 856 | privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 1 | Reg Key Run | e55be3fd-3521-4610-9d1a-e210e42dcf05 | command_prompt |
| 857 | privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 2 | Reg Key RunOnce | 554cbd88-cde1-4b56-8168-0be552eed9eb | command_prompt |
| 858 | privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 3 | PowerShell Registry RunOnce | eb44f842-0457-4ddc-9b92-c4caa144ac42 | powershell |
| 859 | privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 4 | Suspicious vbs file run from startup Folder | 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 | powershell |
| 860 | privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 5 | Suspicious jse file run from startup Folder | dade9447-791e-4c8f-b04b-3a35855dfa06 | powershell |
| 861 | privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 6 | Suspicious bat file run from startup Folder | 5b6768e4-44d2-44f0-89da-a01d1430fd5e | powershell |
| 862 | privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 7 | Add Executable Shortcut Link to User Startup Folder | 24e55612-85f6-4bd6-ae74-a73d02e3441d | powershell |
| 863 | privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 8 | Add persistance via Recycle bin | bda6a3d6-7aa7-4e89-908b-306772e9662f | command_prompt |
| 864 | privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 9 | SystemBC Malware-as-a-Service Registry | 9dc7767b-30c1-4cc4-b999-50cab5e27891 | powershell |
| 865 | privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 10 | Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value | acfef903-7662-447e-a391-9c91c2f00f7b | powershell |
| 866 | privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 11 | Change Startup Folder - HKCU Modify User Shell Folders Startup Value | 8834b65a-f808-4ece-ad7e-2acdf647aafa | powershell |
| 867 | privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 12 | HKCU - Policy Settings Explorer Run Key | a70faea1-e206-4f6f-8d9a-67379be8f6f1 | powershell |
| 868 | privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 13 | HKLM - Policy Settings Explorer Run Key | b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f | powershell |
| 869 | privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 14 | HKLM - Append Command to Winlogon Userinit KEY Value | f7fab6cc-8ece-4ca7-a0f1-30a22fccd374 | powershell |
| 870 | privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 15 | HKLM - Modify default System Shell - Winlogon Shell KEY Value | 1d958c61-09c6-4d9e-b26b-4130314e520e | powershell |
| 871 | privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 16 | secedit used to create a Run key in the HKLM Hive | 14fdc3f1-6fc3-4556-8d36-aa89d9d42d02 | command_prompt |
| 872 | privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 17 | Modify BootExecute Value | befc2b40-d487-4a5a-8813-c11085fb5672 | powershell |
| 873 | privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 18 | Allowing custom application to execute during new RDP logon session | b051b3c0-66e7-4a81-916d-e6383bd3a669 | command_prompt |
| 874 | privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 19 | Creating Boot Verification Program Key for application execution during successful boot | 6e1666d5-3f2b-4b9a-80aa-f011322380d4 | command_prompt |
| 875 | privilege-escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 20 | Add persistence via Windows Context Menu | de47f4a0-2acb-416d-9a6b-cee584a4c4d1 | command_prompt |
| 876 | privilege-escalation | T1098 | Account Manipulation | 1 | Admin Account Manipulate | 5598f7cb-cf43-455e-883a-f6008c5d46af | powershell |
| 877 | privilege-escalation | T1098 | Account Manipulation | 2 | Domain Account and Group Manipulate | a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 | powershell |
| 878 | privilege-escalation | T1098 | Account Manipulation | 3 | AWS - Create a group and add a user to that group | 8822c3b0-d9f9-4daf-a043-49f110a31122 | sh |
| 879 | privilege-escalation | T1098 | Account Manipulation | 4 | Azure AD - adding user to Azure AD role | 0e65ae27-5385-46b4-98ac-607a8ee82261 | powershell |
| 880 | privilege-escalation | T1098 | Account Manipulation | 5 | Azure AD - adding service principal to Azure AD role | 92c40b3f-c406-4d1f-8d2b-c039bf5009e4 | powershell |
| 881 | privilege-escalation | T1098 | Account Manipulation | 6 | Azure - adding user to Azure role in subscription | 1a94b3fc-b080-450a-b3d8-6d9b57b472ea | powershell |
| 882 | privilege-escalation | T1098 | Account Manipulation | 7 | Azure - adding service principal to Azure role in subscription | c8f4bc29-a151-48da-b3be-4680af56f404 | powershell |
| 883 | privilege-escalation | T1098 | Account Manipulation | 8 | Azure AD - adding permission to application | 94ea9cc3-81f9-4111-8dde-3fb54f36af4b | powershell |
| 884 | privilege-escalation | T1098 | Account Manipulation | 9 | Password Change on Directory Service Restore Mode (DSRM) Account | d5b886d9-d1c7-4b6e-a7b0-460041bf2823 | command_prompt |
| 885 | privilege-escalation | T1098 | Account Manipulation | 10 | Domain Password Policy Check: Short Password | fc5f9414-bd67-4f5f-a08e-e5381e29cbd1 | powershell |
| 886 | privilege-escalation | T1098 | Account Manipulation | 11 | Domain Password Policy Check: No Number in Password | 68190529-069b-4ffc-a942-919704158065 | powershell |
| 887 | privilege-escalation | T1098 | Account Manipulation | 12 | Domain Password Policy Check: No Special Character in Password | 7d984ef2-2db2-4cec-b090-e637e1698f61 | powershell |
| 888 | privilege-escalation | T1098 | Account Manipulation | 13 | Domain Password Policy Check: No Uppercase Character in Password | b299c120-44a7-4d68-b8e2-8ba5a28511ec | powershell |
| 889 | privilege-escalation | T1098 | Account Manipulation | 14 | Domain Password Policy Check: No Lowercase Character in Password | 945da11e-977e-4dab-85d2-f394d03c5887 | powershell |
| 890 | privilege-escalation | T1098 | Account Manipulation | 15 | Domain Password Policy Check: Only Two Character Classes | 784d1349-5a26-4d20-af5e-d6af53bae460 | powershell |
| 891 | privilege-escalation | T1098 | Account Manipulation | 16 | Domain Password Policy Check: Common Password Use | 81959d03-c51f-49a1-bb24-23f1ec885578 | powershell |
| 892 | privilege-escalation | T1098 | Account Manipulation | 17 | GCP - Delete Service Account Key | 7ece1dea-49f1-4d62-bdcc-5801e3292510 | sh |
| 893 | privilege-escalation | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | 1 | Linux - Load Kernel Module via insmod | 687dcb93-9656-4853-9c36-9977315e9d23 | bash |
| 894 | privilege-escalation | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | 2 | MacOS - Load Kernel Module via kextload and kmutil | f4391089-d3a5-4dd1-ab22-0419527f2672 | bash |
| 895 | privilege-escalation | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | 3 | MacOS - Load Kernel Module via KextManagerLoadKextWithURL() | f0007753-beb3-41ea-9948-760785e4c1e5 | bash |
| 896 | privilege-escalation | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | 4 | Snake Malware Kernel Driver Comadmin | e5cb5564-cc7b-4050-86e8-f2d9eec1941f | powershell |
| 897 | privilege-escalation | T1053.006 | Scheduled Task/Job: Systemd Timers | 1 | Create Systemd Service and Timer | f4983098-bb13-44fb-9b2c-46149961807b | bash |
| 898 | privilege-escalation | T1053.006 | Scheduled Task/Job: Systemd Timers | 2 | Create a user level transient systemd service and timer | 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec | sh |
| 899 | privilege-escalation | T1053.006 | Scheduled Task/Job: Systemd Timers | 3 | Create a system level transient systemd service and timer | d3eda496-1fc0-49e9-aff5-3bec5da9fa22 | sh |
| 900 | privilege-escalation | T1055.012 | Process Injection: Process Hollowing | 1 | Process Hollowing using PowerShell | 562427b4-39ef-4e8c-af88-463a78e70b9c | powershell |
| 901 | privilege-escalation | T1055.012 | Process Injection: Process Hollowing | 2 | RunPE via VBA | 3ad4a037-1598-4136-837c-4027e4fa319b | powershell |
| 902 | privilege-escalation | T1055.012 | Process Injection: Process Hollowing | 3 | Process Hollowing in Go using CreateProcessW WinAPI | c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a | powershell |
| 903 | privilege-escalation | T1055.012 | Process Injection: Process Hollowing | 4 | Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012) | 94903cc5-d462-498a-b919-b1e5ab155fee | powershell |
| 904 | privilege-escalation | T1546 | Event Triggered Execution | 1 | Persistence with Custom AutodialDLL | aca9ae16-7425-4b6d-8c30-cad306fdbd5b | powershell |
| 905 | privilege-escalation | T1546 | Event Triggered Execution | 2 | HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) | a574dafe-a903-4cce-9701-14040f4f3532 | powershell |
| 906 | privilege-escalation | T1546 | Event Triggered Execution | 3 | HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) | 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01 | powershell |
| 907 | privilege-escalation | T1546 | Event Triggered Execution | 4 | WMI Invoke-CimMethod Start Process | adae83d3-0df6-45e7-b2c3-575f91584577 | powershell |
| 908 | privilege-escalation | T1546 | Event Triggered Execution | 5 | Adding custom debugger for Windows Error Reporting | 17d1a3cc-3373-495a-857a-e5dd005fb302 | command_prompt |
| 909 | privilege-escalation | T1546 | Event Triggered Execution | 6 | Load custom DLL on mstsc execution | 2db7852e-5a32-4ec7-937f-f4e027881700 | command_prompt |
| 910 | privilege-escalation | T1546 | Event Triggered Execution | 7 | Persistence using automatic execution of custom DLL during RDP session | b7fc4c3f-fe6e-479a-ba27-ef91b88536e3 | command_prompt |
| 911 | privilege-escalation | T1546 | Event Triggered Execution | 8 | Persistence via ErrorHandler.cmd script execution | 547a4736-dd1c-4b48-b4fe-e916190bb2e7 | powershell |
| 912 | privilege-escalation | T1546 | Event Triggered Execution | 9 | Persistence using STARTUP-PATH in MS-WORD | f0027655-25ef-47b0-acaf-3d83d106156c | command_prompt |
| 913 | privilege-escalation | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 1 | Add command to .bash_profile | 94500ae1-7e31-47e3-886b-c328da46872f | sh |
| 914 | privilege-escalation | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 2 | Add command to .bashrc | 0a898315-4cfa-4007-bafe-33a4646d115f | sh |
| 915 | privilege-escalation | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 3 | Add command to .shrc | 41502021-591a-4649-8b6e-83c9192aff53 | sh |
| 916 | privilege-escalation | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 4 | Append to the system shell profile | 694b3cc8-6a78-4d35-9e74-0123d009e94b | sh |
| 917 | privilege-escalation | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 5 | Append commands user shell profile | bbdb06bc-bab6-4f5b-8232-ba3fbed51d77 | sh |
| 918 | privilege-escalation | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 6 | System shell profile scripts | 8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4 | sh |
| 919 | privilege-escalation | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 7 | Create/Append to .bash_logout | 37ad2f24-7c53-4a50-92da-427a4ad13f58 | bash |
| 920 | privilege-escalation | T1134.005 | Access Token Manipulation: SID-History Injection | 1 | Injection SID-History with mimikatz | 6bef32e5-9456-4072-8f14-35566fb85401 | command_prompt |
| 921 | privilege-escalation | T1547.002 | Authentication Package | 1 | Authentication Package | be2590e8-4ac3-47ac-b4b5-945820f2fbe9 | powershell |
| 922 | privilege-escalation | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | 1 | COM Hijacking - InprocServer32 | 48117158-d7be-441b-bc6a-d9e36e47b52b | powershell |
| 923 | privilege-escalation | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | 2 | Powershell Execute COM Object | 752191b1-7c71-445c-9dbe-21bb031b18eb | powershell |
| 924 | privilege-escalation | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | 3 | COM Hijacking with RunDLL32 (Local Server Switch) | 123520cc-e998-471b-a920-bd28e3feafa0 | powershell |
| 925 | privilege-escalation | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | 4 | COM hijacking via TreatAs | 33eacead-f117-4863-8eb0-5c6304fbfaa9 | powershell |
| 926 | privilege-escalation | T1574.009 | Hijack Execution Flow: Path Interception by Unquoted Path | 1 | Execution of program.exe as service with unquoted service path | 2770dea7-c50f-457b-84c4-c40a47460d9f | command_prompt |
| 927 | privilege-escalation | T1037.005 | Boot or Logon Initialization Scripts: Startup Items | 1 | Add file to Local Library StartupItems | 134627c3-75db-410e-bff8-7a920075f198 | sh |
| 928 | privilege-escalation | T1037.005 | Boot or Logon Initialization Scripts: Startup Items | 2 | Add launch script to launch daemon | fc369906-90c7-4a15-86fd-d37da624dde6 | bash |
| 929 | privilege-escalation | T1037.005 | Boot or Logon Initialization Scripts: Startup Items | 3 | Add launch script to launch agent | 10cf5bec-49dd-4ebf-8077-8f47e420096f | bash |
| 930 | privilege-escalation | T1546.010 | Event Triggered Execution: AppInit DLLs | 1 | Install AppInit Shim | a58d9386-3080-4242-ab5f-454c16503d18 | command_prompt |
| 931 | privilege-escalation | T1546.002 | Event Triggered Execution: Screensaver | 1 | Set Arbitrary Binary as Screensaver | 281201e7-de41-4dc9-b73d-f288938cbb64 | command_prompt |
| 932 | privilege-escalation | T1543.001 | Create or Modify System Process: Launch Agent | 1 | Launch Agent | a5983dee-bf6c-4eaf-951c-dbc1a7b90900 | bash |
| 933 | privilege-escalation | T1543.001 | Create or Modify System Process: Launch Agent | 2 | Event Monitor Daemon Persistence | 11979f23-9b9d-482a-9935-6fc9cd022c3e | bash |
| 934 | privilege-escalation | T1543.001 | Create or Modify System Process: Launch Agent | 3 | Launch Agent - Root Directory | 66774fa8-c562-4bae-a58d-5264a0dd9dd7 | bash |
| 935 | privilege-escalation | T1037.004 | Boot or Logon Initialization Scripts: Rc.common | 1 | rc.common | 97a48daa-8bca-4bc0-b1a9-c1d163e762de | bash |
| 936 | privilege-escalation | T1037.004 | Boot or Logon Initialization Scripts: Rc.common | 2 | rc.common | c33f3d80-5f04-419b-a13a-854d1cbdbf3a | bash |
| 937 | privilege-escalation | T1037.004 | Boot or Logon Initialization Scripts: Rc.common | 3 | rc.local | 126f71af-e1c9-405c-94ef-26a47b16c102 | sh |
| 938 | privilege-escalation | T1543.002 | Create or Modify System Process: SysV/Systemd Service | 1 | Create Systemd Service | d9e4f24f-aa67-4c6e-bcbf-85622b697a7c | bash |
| 939 | privilege-escalation | T1543.002 | Create or Modify System Process: SysV/Systemd Service | 2 | Create SysV Service | 760fe8d2-79d9-494f-905e-a239a3df86f6 | sh |
| 940 | privilege-escalation | T1543.002 | Create or Modify System Process: SysV/Systemd Service | 3 | Create Systemd Service file, Enable the service , Modify and Reload the service. | c35ac4a8-19de-43af-b9f8-755da7e89c89 | bash |
| 941 | privilege-escalation | T1547.007 | Boot or Logon Autostart Execution: Re-opened Applications | 1 | Copy in loginwindow.plist for Re-Opened Applications | 5fefd767-ef54-4ac6-84d3-751ab85e8aba | sh |
| 942 | privilege-escalation | T1547.007 | Boot or Logon Autostart Execution: Re-opened Applications | 2 | Re-Opened Applications using LoginHook | 5f5b71da-e03f-42e7-ac98-d63f9e0465cb | sh |
| 943 | privilege-escalation | T1547.007 | Boot or Logon Autostart Execution: Re-opened Applications | 3 | Append to existing loginwindow for Re-Opened Applications | 766b6c3c-9353-4033-8b7e-38b309fa3a93 | sh |
| 944 | privilege-escalation | T1098.002 | Account Manipulation: Additional Email Delegate Permissions | 1 | EXO - Full access mailbox permission granted to a user | 17d046be-fdd0-4cbb-b5c7-55c85d9d0714 | powershell |
| 945 | privilege-escalation | T1037.001 | Boot or Logon Initialization Scripts: Logon Script (Windows) | 1 | Logon Scripts | d6042746-07d4-4c92-9ad8-e644c114a231 | command_prompt |
| 946 | privilege-escalation | T1055.015 | Process Injection: ListPlanting | 1 | Process injection ListPlanting | 4f3c7502-b111-4dfe-8a6e-529307891a59 | powershell |
| 947 | privilege-escalation | T1547.008 | Boot or Logon Autostart Execution: LSASS Driver | 1 | Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt | 8ecef16d-d289-46b4-917b-0dba6dc81cf1 | powershell |
| 948 | privilege-escalation | T1078.004 | Valid Accounts: Cloud Accounts | 1 | Creating GCP Service Account and Service Account Key | 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e | sh |
| 949 | privilege-escalation | T1078.004 | Valid Accounts: Cloud Accounts | 2 | Azure Persistence Automation Runbook Created or Modified | 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac | powershell |
| 950 | privilege-escalation | T1078.004 | Valid Accounts: Cloud Accounts | 3 | GCP - Create Custom IAM Role | 3a159042-69e6-4398-9a69-3308a4841c85 | sh |
| 951 | privilege-escalation | T1053.002 | Scheduled Task/Job: At | 1 | At.exe Scheduled task | 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 | command_prompt |
| 952 | privilege-escalation | T1053.002 | Scheduled Task/Job: At | 2 | At - Schedule a job | 7266d898-ac82-4ec0-97c7-436075d0d08e | sh |
| 953 | privilege-escalation | T1053.002 | Scheduled Task/Job: At | 3 | At - Schedule a job via kubectl in a Pod | 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213 | bash |
| 954 | privilege-escalation | T1055.001 | Process Injection: Dynamic-link Library Injection | 1 | Process Injection via mavinject.exe | 74496461-11a1-4982-b439-4d87a550d254 | powershell |
| 955 | privilege-escalation | T1055.001 | Process Injection: Dynamic-link Library Injection | 2 | WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique | 8b56f787-73d9-4f1d-87e8-d07e89cbc7f5 | powershell |
| 956 | privilege-escalation | T1546.007 | Event Triggered Execution: Netsh Helper DLL | 1 | Netsh Helper DLL Registration | 3244697d-5a3a-4dfc-941c-550f69f91a4d | command_prompt |
| 957 | privilege-escalation | T1078.003 | Valid Accounts: Local Accounts | 1 | Create local account with admin privileges | a524ce99-86de-4db6-b4f9-e08f35a47a15 | command_prompt |
| 958 | privilege-escalation | T1078.003 | Valid Accounts: Local Accounts | 2 | Create local account with admin privileges - MacOS | f1275566-1c26-4b66-83e3-7f9f7f964daa | bash |
| 959 | privilege-escalation | T1078.003 | Valid Accounts: Local Accounts | 3 | Create local account with admin privileges using sysadminctl utility - MacOS | 191db57d-091a-47d5-99f3-97fde53de505 | bash |
| 960 | privilege-escalation | T1078.003 | Valid Accounts: Local Accounts | 4 | Enable root account using dsenableroot utility - MacOS | 20b40ea9-0e17-4155-b8e6-244911a678ac | bash |
| 961 | privilege-escalation | T1078.003 | Valid Accounts: Local Accounts | 5 | Add a new/existing user to the admin group using dseditgroup utility - macOS | 433842ba-e796-4fd5-a14f-95d3a1970875 | bash |
| 962 | privilege-escalation | T1078.003 | Valid Accounts: Local Accounts | 6 | WinPwn - Loot local Credentials - powerhell kittie | 9e9fd066-453d-442f-88c1-ad7911d32912 | powershell |
| 963 | privilege-escalation | T1078.003 | Valid Accounts: Local Accounts | 7 | WinPwn - Loot local Credentials - Safetykatz | e9fdb899-a980-4ba4-934b-486ad22e22f4 | powershell |
| 964 | privilege-escalation | T1078.003 | Valid Accounts: Local Accounts | 8 | Create local account (Linux) | 02a91c34-8a5b-4bed-87af-501103eb5357 | bash |
| 965 | privilege-escalation | T1078.003 | Valid Accounts: Local Accounts | 9 | Reactivate a locked/expired account (Linux) | d2b95631-62d7-45a3-aaef-0972cea97931 | bash |
| 966 | privilege-escalation | T1078.003 | Valid Accounts: Local Accounts | 10 | Reactivate a locked/expired account (FreeBSD) | 09e3380a-fae5-4255-8b19-9950be0252cf | sh |
| 967 | privilege-escalation | T1078.003 | Valid Accounts: Local Accounts | 11 | Login as nobody (Linux) | 3d2cd093-ee05-41bd-a802-59ee5c301b85 | bash |
| 968 | privilege-escalation | T1078.003 | Valid Accounts: Local Accounts | 12 | Login as nobody (freebsd) | 16f6374f-7600-459a-9b16-6a88fd96d310 | sh |
| 969 | privilege-escalation | T1078.003 | Valid Accounts: Local Accounts | 13 | Use PsExec to elevate to NT Authority\SYSTEM account | 6904235f-0f55-4039-8aed-41c300ff7733 | command_prompt |
| 970 | privilege-escalation | T1574.012 | Hijack Execution Flow: COR_PROFILER | 1 | User scope COR_PROFILER | 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a | powershell |
| 971 | privilege-escalation | T1574.012 | Hijack Execution Flow: COR_PROFILER | 2 | System Scope COR_PROFILER | f373b482-48c8-4ce4-85ed-d40c8b3f7310 | powershell |
| 972 | privilege-escalation | T1574.012 | Hijack Execution Flow: COR_PROFILER | 3 | Registry-free process scope COR_PROFILER | 79d57242-bbef-41db-b301-9d01d9f6e817 | powershell |
| 973 | execution | T1053.005 | Scheduled Task/Job: Scheduled Task | 1 | Scheduled Task Startup Script | fec27f65-db86-4c2d-b66c-61945aee87c2 | command_prompt |
| 974 | execution | T1053.005 | Scheduled Task/Job: Scheduled Task | 2 | Scheduled task Local | 42f53695-ad4a-4546-abb6-7d837f644a71 | command_prompt |
| 975 | execution | T1053.005 | Scheduled Task/Job: Scheduled Task | 3 | Scheduled task Remote | 2e5eac3e-327b-4a88-a0c0-c4057039a8dd | command_prompt |
| 976 | execution | T1053.005 | Scheduled Task/Job: Scheduled Task | 4 | Powershell Cmdlet Scheduled Task | af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd | powershell |
| 977 | execution | T1053.005 | Scheduled Task/Job: Scheduled Task | 5 | Task Scheduler via VBA | ecd3fa21-7792-41a2-8726-2c5c673414d3 | powershell |
| 978 | execution | T1053.005 | Scheduled Task/Job: Scheduled Task | 6 | WMI Invoke-CimMethod Scheduled Task | e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b | powershell |
| 979 | execution | T1053.005 | Scheduled Task/Job: Scheduled Task | 7 | Scheduled Task Executing Base64 Encoded Commands From Registry | e895677d-4f06-49ab-91b6-ae3742d0a2ba | command_prompt |
| 980 | execution | T1053.005 | Scheduled Task/Job: Scheduled Task | 8 | Import XML Schedule Task with Hidden Attribute | cd925593-fbb4-486d-8def-16cbdf944bf4 | powershell |
| 981 | execution | T1053.005 | Scheduled Task/Job: Scheduled Task | 9 | PowerShell Modify A Scheduled Task | dda6fc7b-c9a6-4c18-b98d-95ec6542af6d | powershell |
| 982 | execution | T1053.005 | Scheduled Task/Job: Scheduled Task | 10 | Scheduled Task ("Ghost Task") via Registry Key Manipulation | 704333ca-cc12-4bcf-9916-101844881f54 | command_prompt |
| 983 | execution | T1053.005 | Scheduled Task/Job: Scheduled Task | 11 | Scheduled Task Persistence via CompMgmt.msc | 8fcfa3d5-ea7d-4e1c-bd3e-3c4ed315b7d2 | command_prompt |
| 984 | execution | T1053.005 | Scheduled Task/Job: Scheduled Task | 12 | Scheduled Task Persistence via Eventviewer.msc | 02124c37-767e-4b76-9383-c9fc366d9d4c | command_prompt |
| 985 | execution | T1047 | Windows Management Instrumentation | 1 | WMI Reconnaissance Users | c107778c-dcf5-47c5-af2e-1d058a3df3ea | command_prompt |
| 986 | execution | T1047 | Windows Management Instrumentation | 2 | WMI Reconnaissance Processes | 5750aa16-0e59-4410-8b9a-8a47ca2788e2 | command_prompt |
| 987 | execution | T1047 | Windows Management Instrumentation | 3 | WMI Reconnaissance Software | 718aebaa-d0e0-471a-8241-c5afa69c7414 | command_prompt |
| 988 | execution | T1047 | Windows Management Instrumentation | 4 | WMI Reconnaissance List Remote Services | 0fd48ef7-d890-4e93-a533-f7dedd5191d3 | command_prompt |
| 989 | execution | T1047 | Windows Management Instrumentation | 5 | WMI Execute Local Process | b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3 | command_prompt |
| 990 | execution | T1047 | Windows Management Instrumentation | 6 | WMI Execute Remote Process | 9c8ef159-c666-472f-9874-90c8d60d136b | command_prompt |
| 991 | execution | T1047 | Windows Management Instrumentation | 7 | Create a Process using WMI Query and an Encoded Command | 7db7a7f9-9531-4840-9b30-46220135441c | command_prompt |
| 992 | execution | T1047 | Windows Management Instrumentation | 8 | Create a Process using obfuscated Win32_Process | 10447c83-fc38-462a-a936-5102363b1c43 | powershell |
| 993 | execution | T1047 | Windows Management Instrumentation | 9 | WMI Execute rundll32 | 00738d2a-4651-4d76-adf2-c43a41dfb243 | command_prompt |
| 994 | execution | T1047 | Windows Management Instrumentation | 10 | Application uninstall using WMIC | c510d25b-1667-467d-8331-a56d3e9bc4ff | command_prompt |
| 995 | execution | T1129 | Server Software Component | 1 | ESXi - Install a custom VIB on an ESXi host | 7f843046-abf2-443f-b880-07a83cf968ec | command_prompt |
| 996 | execution | T1059.007 | Command and Scripting Interpreter: JavaScript | 1 | JScript execution to gather local computer information via cscript | 01d75adf-ca1b-4dd1-ac96-7c9550ad1035 | command_prompt |
| 997 | execution | T1059.007 | Command and Scripting Interpreter: JavaScript | 2 | JScript execution to gather local computer information via wscript | 0709945e-4fec-4c49-9faf-c3c292a74484 | command_prompt |
| 998 | execution | T1053.007 | Kubernetes Cronjob | 1 | ListCronjobs | ddfb0bc1-3c3f-47e9-a298-550ecfefacbd | bash |
| 999 | execution | T1053.007 | Kubernetes Cronjob | 2 | CreateCronjob | f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 | bash |
| 1000 | execution | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | 1 | Execute Commands | f592ba2a-e9e8-4d62-a459-ef63abd819fd | manual |
| 1001 | execution | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | 2 | Execute PowerShell script via Word DDE | 47c21fb6-085e-4b0d-b4d2-26d72c3830b3 | command_prompt |
| 1002 | execution | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | 3 | DDEAUTO | cf91174c-4e74-414e-bec0-8d60a104d181 | manual |
| 1003 | execution | T1204.002 | User Execution: Malicious File | 1 | OSTap Style Macro Execution | 8bebc690-18c7-4549-bc98-210f7019efff | powershell |
| 1004 | execution | T1204.002 | User Execution: Malicious File | 2 | OSTap Payload Download | 3f3af983-118a-4fa1-85d3-ba4daa739d80 | command_prompt |
| 1005 | execution | T1204.002 | User Execution: Malicious File | 3 | Maldoc choice flags command execution | 0330a5d2-a45a-4272-a9ee-e364411c4b18 | powershell |
| 1006 | execution | T1204.002 | User Execution: Malicious File | 4 | OSTAP JS version | add560ef-20d6-4011-a937-2c340f930911 | powershell |
| 1007 | execution | T1204.002 | User Execution: Malicious File | 5 | Office launching .bat file from AppData | 9215ea92-1ded-41b7-9cd6-79f9a78397aa | powershell |
| 1008 | execution | T1204.002 | User Execution: Malicious File | 6 | Excel 4 Macro | 4ea1fc97-8a46-4b4e-ba48-af43d2a98052 | powershell |
| 1009 | execution | T1204.002 | User Execution: Malicious File | 7 | Headless Chrome code execution via VBA | a19ee671-ed98-4e9d-b19c-d1954a51585a | powershell |
| 1010 | execution | T1204.002 | User Execution: Malicious File | 8 | Potentially Unwanted Applications (PUA) | 02f35d62-9fdc-4a97-b899-a5d9a876d295 | powershell |
| 1011 | execution | T1204.002 | User Execution: Malicious File | 9 | Office Generic Payload Download | 5202ee05-c420-4148-bf5e-fd7f7d24850c | powershell |
| 1012 | execution | T1204.002 | User Execution: Malicious File | 10 | LNK Payload Download | 581d7521-9c4b-420e-9695-2aec5241167f | powershell |
| 1013 | execution | T1204.002 | User Execution: Malicious File | 11 | Mirror Blast Emulation | 24fd9719-7419-42dd-bce6-ab3463110b3c | powershell |
| 1014 | execution | T1204.002 | User Execution: Malicious File | 12 | ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell | 3f3120f0-7e50-4be2-88ae-54c61230cb9f | powershell |
| 1015 | execution | T1204.002 | User Execution: Malicious File | 13 | Simulate Click-Fix via Downloaded BAT File | 22386853-f68d-4b50-a362-de235127c443 | powershell |
| 1016 | execution | T1053.003 | Scheduled Task/Job: Cron | 1 | Cron - Replace crontab with referenced file | 435057fb-74b1-410e-9403-d81baf194f75 | sh |
| 1017 | execution | T1053.003 | Scheduled Task/Job: Cron | 2 | Cron - Add script to all cron subfolders | b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 | bash |
| 1018 | execution | T1053.003 | Scheduled Task/Job: Cron | 3 | Cron - Add script to /etc/cron.d folder | 078e69eb-d9fb-450e-b9d0-2e118217c846 | sh |
| 1019 | execution | T1053.003 | Scheduled Task/Job: Cron | 4 | Cron - Add script to /var/spool/cron/crontabs/ folder | 2d943c18-e74a-44bf-936f-25ade6cccab4 | bash |
| 1020 | execution | T1059.002 | Command and Scripting Interpreter: AppleScript | 1 | AppleScript | 3600d97d-81b9-4171-ab96-e4386506e2c2 | sh |
| 1021 | execution | T1106 | Native API | 1 | Execution through API - CreateProcess | 99be2089-c52d-4a4a-b5c3-261ee42c8b62 | command_prompt |
| 1022 | execution | T1106 | Native API | 2 | WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique | ce4e76e6-de70-4392-9efe-b281fc2b4087 | powershell |
| 1023 | execution | T1106 | Native API | 3 | WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique | 7ec5b74e-8289-4ff2-a162-b6f286a33abd | powershell |
| 1024 | execution | T1106 | Native API | 4 | WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique | e1f93a06-1649-4f07-89a8-f57279a7d60e | powershell |
| 1025 | execution | T1106 | Native API | 5 | Run Shellcode via Syscall in Go | ae56083f-28d0-417d-84da-df4242da1f7c | powershell |
| 1026 | execution | T1059.010 | Command and Scripting Interpreter: AutoHotKey & AutoIT | 1 | AutoHotKey script execution | 7b5d350e-f758-43cc-a761-8e3f6b052a03 | powershell |
| 1027 | execution | T1610 | Deploy a container | 1 | Deploy Docker container | 59aa6f26-7620-417e-9318-589e0fb7a372 | bash |
| 1028 | execution | T1059 | Command and Scripting Interpreter | 1 | AutoIt Script Execution | a9b93f17-31cb-435d-a462-5e838a2a6026 | powershell |
| 1029 | execution | T1609 | Kubernetes Exec Into Container | 1 | ExecIntoContainer | d03bfcd3-ed87-49c8-8880-44bb772dea4b | bash |
| 1030 | execution | T1609 | Kubernetes Exec Into Container | 2 | Docker Exec Into Container | 900e2c49-221b-42ec-ae3c-4717e41e6219 | bash |
| 1031 | execution | T1569.001 | System Services: Launchctl | 1 | Launchctl | 6fb61988-724e-4755-a595-07743749d4e2 | bash |
| 1032 | execution | T1072 | Software Deployment Tools | 1 | Radmin Viewer Utility | b4988cad-6ed2-434d-ace5-ea2670782129 | command_prompt |
| 1033 | execution | T1072 | Software Deployment Tools | 2 | PDQ Deploy RAT | e447b83b-a698-4feb-bed1-a7aaf45c3443 | command_prompt |
| 1034 | execution | T1072 | Software Deployment Tools | 3 | Deploy 7-Zip Using Chocolatey | 2169e8b0-2ee7-44cb-8a6e-d816a5db7d8a | powershell |
| 1035 | execution | T1059.001 | Command and Scripting Interpreter: PowerShell | 1 | Mimikatz | f3132740-55bc-48c4-bcc0-758a459cd027 | command_prompt |
| 1036 | execution | T1059.001 | Command and Scripting Interpreter: PowerShell | 2 | Run BloodHound from local disk | a21bb23e-e677-4ee7-af90-6931b57b6350 | powershell |
| 1037 | execution | T1059.001 | Command and Scripting Interpreter: PowerShell | 3 | Run Bloodhound from Memory using Download Cradle | bf8c1441-4674-4dab-8e4e-39d93d08f9b7 | powershell |
| 1038 | execution | T1059.001 | Command and Scripting Interpreter: PowerShell | 4 | Mimikatz - Cradlecraft PsSendKeys | af1800cf-9f9d-4fd1-a709-14b1e6de020d | powershell |
| 1039 | execution | T1059.001 | Command and Scripting Interpreter: PowerShell | 5 | Invoke-AppPathBypass | 06a220b6-7e29-4bd8-9d07-5b4d86742372 | command_prompt |
| 1040 | execution | T1059.001 | Command and Scripting Interpreter: PowerShell | 6 | Powershell MsXml COM object - with prompt | 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da | command_prompt |
| 1041 | execution | T1059.001 | Command and Scripting Interpreter: PowerShell | 7 | Powershell XML requests | 4396927f-e503-427b-b023-31049b9b09a6 | command_prompt |
| 1042 | execution | T1059.001 | Command and Scripting Interpreter: PowerShell | 8 | Powershell invoke mshta.exe download | 8a2ad40b-12c7-4b25-8521-2737b0a415af | command_prompt |
| 1043 | execution | T1059.001 | Command and Scripting Interpreter: PowerShell | 9 | Powershell Invoke-DownloadCradle | cc50fa2a-a4be-42af-a88f-e347ba0bf4d7 | manual |
| 1044 | execution | T1059.001 | Command and Scripting Interpreter: PowerShell | 10 | PowerShell Fileless Script Execution | fa050f5e-bc75-4230-af73-b6fd7852cd73 | powershell |
| 1045 | execution | T1059.001 | Command and Scripting Interpreter: PowerShell | 11 | NTFS Alternate Data Stream Access | 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680 | powershell |
| 1046 | execution | T1059.001 | Command and Scripting Interpreter: PowerShell | 12 | PowerShell Session Creation and Use | 7c1acec2-78fa-4305-a3e0-db2a54cddecd | powershell |
| 1047 | execution | T1059.001 | Command and Scripting Interpreter: PowerShell | 13 | ATHPowerShellCommandLineParameter -Command parameter variations | 686a9785-f99b-41d4-90df-66ed515f81d7 | powershell |
| 1048 | execution | T1059.001 | Command and Scripting Interpreter: PowerShell | 14 | ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments | 1c0a870f-dc74-49cf-9afc-eccc45e58790 | powershell |
| 1049 | execution | T1059.001 | Command and Scripting Interpreter: PowerShell | 15 | ATHPowerShellCommandLineParameter -EncodedCommand parameter variations | 86a43bad-12e3-4e85-b97c-4d5cf25b95c3 | powershell |
| 1050 | execution | T1059.001 | Command and Scripting Interpreter: PowerShell | 16 | ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments | 0d181431-ddf3-4826-8055-2dbf63ae848b | powershell |
| 1051 | execution | T1059.001 | Command and Scripting Interpreter: PowerShell | 17 | PowerShell Command Execution | a538de64-1c74-46ed-aa60-b995ed302598 | command_prompt |
| 1052 | execution | T1059.001 | Command and Scripting Interpreter: PowerShell | 18 | PowerShell Invoke Known Malicious Cmdlets | 49eb9404-5e0f-4031-a179-b40f7be385e3 | powershell |
| 1053 | execution | T1059.001 | Command and Scripting Interpreter: PowerShell | 19 | PowerUp Invoke-AllChecks | 1289f78d-22d2-4590-ac76-166737e1811b | powershell |
| 1054 | execution | T1059.001 | Command and Scripting Interpreter: PowerShell | 20 | Abuse Nslookup with DNS Records | 999bff6d-dc15-44c9-9f5c-e1051bfc86e1 | powershell |
| 1055 | execution | T1059.001 | Command and Scripting Interpreter: PowerShell | 21 | SOAPHound - Dump BloodHound Data | 6a5b2a50-d037-4879-bf01-43d4d6cbf73f | powershell |
| 1056 | execution | T1059.001 | Command and Scripting Interpreter: PowerShell | 22 | SOAPHound - Build Cache | 4099086c-1470-4223-8085-8186e1ed5948 | powershell |
| 1057 | execution | T1053.006 | Scheduled Task/Job: Systemd Timers | 1 | Create Systemd Service and Timer | f4983098-bb13-44fb-9b2c-46149961807b | bash |
| 1058 | execution | T1053.006 | Scheduled Task/Job: Systemd Timers | 2 | Create a user level transient systemd service and timer | 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec | sh |
| 1059 | execution | T1053.006 | Scheduled Task/Job: Systemd Timers | 3 | Create a system level transient systemd service and timer | d3eda496-1fc0-49e9-aff5-3bec5da9fa22 | sh |
| 1060 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 1 | Create and Execute Bash Shell Script | 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 | sh |
| 1061 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 2 | Command-Line Interface | d0c88567-803d-4dca-99b4-7ce65e7b257c | sh |
| 1062 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 3 | Harvest SUID executable files | 46274fc6-08a7-4956-861b-24cbbaa0503c | sh |
| 1063 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 4 | LinEnum tool execution | a2b35a63-9df1-4806-9a4d-5fe0500845f2 | sh |
| 1064 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 5 | New script file in the tmp directory | 8cd1947b-4a54-41fb-b5ea-07d0ace04f81 | sh |
| 1065 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 6 | What shell is running | 7b38e5cc-47be-44f0-a425-390305c76c17 | sh |
| 1066 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 7 | What shells are available | bf23c7dc-1004-4949-8262-4c1d1ef87702 | sh |
| 1067 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 8 | Command line scripts | b04ed73c-7d43-4dc8-b563-a2fc595cba1a | sh |
| 1068 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 9 | Obfuscated command line scripts | 5bec4cc8-f41e-437b-b417-33ff60acf9af | sh |
| 1069 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 10 | Change login shell | c7ac59cb-13cc-4622-81dc-6d2fee9bfac7 | bash |
| 1070 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 11 | Environment variable scripts | bdaebd56-368b-4970-a523-f905ff4a8a51 | sh |
| 1071 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 12 | Detecting pipe-to-shell | fca246a8-a585-4f28-a2df-6495973976a1 | sh |
| 1072 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 13 | Current kernel information enumeration | 3a53734a-9e26-4f4b-ad15-059e767f5f14 | sh |
| 1073 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 14 | Shell Creation using awk command | ee72b37d-b8f5-46a5-a9e7-0ff50035ffd5 | sh |
| 1074 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 15 | Creating shell using cpan command | bcd4c2bc-490b-4f91-bd31-3709fe75bbdf | sh |
| 1075 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 16 | Shell Creation using busybox command | ab4d04af-68dc-4fee-9c16-6545265b3276 | sh |
| 1076 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 17 | emacs spawning an interactive system shell | e0742e38-6efe-4dd4-ba5c-2078095b6156 | sh |
| 1077 | execution | T1559 | Inter-Process Communication | 1 | Cobalt Strike Artifact Kit pipe | bd13b9fc-b758-496a-b81a-397462f82c72 | command_prompt |
| 1078 | execution | T1559 | Inter-Process Communication | 2 | Cobalt Strike Lateral Movement (psexec_psh) pipe | 830c8b6c-7a70-4f40-b975-8bbe74558acd | command_prompt |
| 1079 | execution | T1559 | Inter-Process Communication | 3 | Cobalt Strike SSH (postex_ssh) pipe | d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6 | command_prompt |
| 1080 | execution | T1559 | Inter-Process Communication | 4 | Cobalt Strike post-exploitation pipe (4.2 and later) | 7a48f482-246f-4aeb-9837-21c271ebf244 | command_prompt |
| 1081 | execution | T1559 | Inter-Process Communication | 5 | Cobalt Strike post-exploitation pipe (before 4.2) | 8dbfc15c-527b-4ab0-a272-019f469d367f | command_prompt |
| 1082 | execution | T1204.003 | User Execution: Malicious Image | 1 | Malicious Execution from Mounted ISO Image | e9795c8d-42aa-4ed4-ad80-551ed793d006 | powershell |
| 1083 | execution | T1059.006 | Command and Scripting Interpreter: Python | 1 | Execute shell script via python's command mode arguement | 3a95cdb2-c6ea-4761-b24e-02b71889b8bb | sh |
| 1084 | execution | T1059.006 | Command and Scripting Interpreter: Python | 2 | Execute Python via scripts | 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 | sh |
| 1085 | execution | T1059.006 | Command and Scripting Interpreter: Python | 3 | Execute Python via Python executables | 0b44d79b-570a-4b27-a31f-3bf2156e5eaa | sh |
| 1086 | execution | T1059.006 | Command and Scripting Interpreter: Python | 4 | Python pty module and spawn function used to spawn sh or bash | 161d694c-b543-4434-85c3-c3a433e33792 | sh |
| 1087 | execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | 1 | Create and Execute Batch Script | 9e8894c0-50bd-4525-a96c-d4ac78ece388 | powershell |
| 1088 | execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | 2 | Writes text to a file and displays it. | 127b4afe-2346-4192-815c-69042bec570e | command_prompt |
| 1089 | execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | 3 | Suspicious Execution via Windows Command Shell | d0eb3597-a1b3-4d65-b33b-2cda8d397f20 | command_prompt |
| 1090 | execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | 4 | Simulate BlackByte Ransomware Print Bombing | 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9 | powershell |
| 1091 | execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | 5 | Command Prompt read contents from CMD file and execute | df81db1b-066c-4802-9bc8-b6d030c3ba8e | command_prompt |
| 1092 | execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | 6 | Command prompt writing script to file then executes it | 00682c9f-7df4-4df8-950b-6dcaaa3ad9af | command_prompt |
| 1093 | execution | T1651 | Cloud Administration Command | 1 | AWS Run Command (and Control) | a3cc9c95-c160-4b86-af6f-84fba87bfd30 | powershell |
| 1094 | execution | T1059.005 | Command and Scripting Interpreter: Visual Basic | 1 | Visual Basic script execution to gather local computer information | 1620de42-160a-4fe5-bbaf-d3fef0181ce9 | powershell |
| 1095 | execution | T1059.005 | Command and Scripting Interpreter: Visual Basic | 2 | Encoded VBS code execution | e8209d5f-e42d-45e6-9c2f-633ac4f1eefa | powershell |
| 1096 | execution | T1059.005 | Command and Scripting Interpreter: Visual Basic | 3 | Extract Memory via VBA | 8faff437-a114-4547-9a60-749652a03df6 | powershell |
| 1097 | execution | T1648 | Serverless Execution | 1 | Lambda Function Hijack | 87a4a141-c2bb-49d1-a604-8679082d8b91 | powershell |
| 1098 | execution | T1569.002 | System Services: Service Execution | 1 | Execute a Command as a Service | 2382dee2-a75f-49aa-9378-f52df6ed3fb1 | command_prompt |
| 1099 | execution | T1569.002 | System Services: Service Execution | 2 | Use PsExec to execute a command on a remote host | 873106b7-cfed-454b-8680-fa9f6400431c | command_prompt |
| 1100 | execution | T1569.002 | System Services: Service Execution | 3 | psexec.py (Impacket) | edbcd8c9-3639-4844-afad-455c91e95a35 | bash |
| 1101 | execution | T1569.002 | System Services: Service Execution | 4 | BlackCat pre-encryption cmds with Lateral Movement | 31eb7828-97d7-4067-9c1e-c6feb85edc4b | powershell |
| 1102 | execution | T1569.002 | System Services: Service Execution | 5 | Use RemCom to execute a command on a remote host | a5d8cdeb-be90-43a9-8b26-cc618deac1e0 | command_prompt |
| 1103 | execution | T1569.002 | System Services: Service Execution | 6 | Snake Malware Service Create | b8db787e-dbea-493c-96cb-9272296ddc49 | command_prompt |
| 1104 | execution | T1569.002 | System Services: Service Execution | 7 | Modifying ACL of Service Control Manager via SDET | bf07f520-3909-4ef5-aa22-877a50f2f77b | command_prompt |
| 1105 | execution | T1569.002 | System Services: Service Execution | 8 | Pipe Creation - PsExec Tool Execution From Suspicious Locations | 004a5d68-627b-452d-af3d-43bd1fc75a3b | powershell |
| 1106 | execution | T1053.002 | Scheduled Task/Job: At | 1 | At.exe Scheduled task | 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 | command_prompt |
| 1107 | execution | T1053.002 | Scheduled Task/Job: At | 2 | At - Schedule a job | 7266d898-ac82-4ec0-97c7-436075d0d08e | sh |
| 1108 | execution | T1053.002 | Scheduled Task/Job: At | 3 | At - Schedule a job via kubectl in a Pod | 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213 | bash |
| 1109 | persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | 1 | Scheduled Task Startup Script | fec27f65-db86-4c2d-b66c-61945aee87c2 | command_prompt |
| 1110 | persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | 2 | Scheduled task Local | 42f53695-ad4a-4546-abb6-7d837f644a71 | command_prompt |
| 1111 | persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | 3 | Scheduled task Remote | 2e5eac3e-327b-4a88-a0c0-c4057039a8dd | command_prompt |
| 1112 | persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | 4 | Powershell Cmdlet Scheduled Task | af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd | powershell |
| 1113 | persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | 5 | Task Scheduler via VBA | ecd3fa21-7792-41a2-8726-2c5c673414d3 | powershell |
| 1114 | persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | 6 | WMI Invoke-CimMethod Scheduled Task | e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b | powershell |
| 1115 | persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | 7 | Scheduled Task Executing Base64 Encoded Commands From Registry | e895677d-4f06-49ab-91b6-ae3742d0a2ba | command_prompt |
| 1116 | persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | 8 | Import XML Schedule Task with Hidden Attribute | cd925593-fbb4-486d-8def-16cbdf944bf4 | powershell |
| 1117 | persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | 9 | PowerShell Modify A Scheduled Task | dda6fc7b-c9a6-4c18-b98d-95ec6542af6d | powershell |
| 1118 | persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | 10 | Scheduled Task ("Ghost Task") via Registry Key Manipulation | 704333ca-cc12-4bcf-9916-101844881f54 | command_prompt |
| 1119 | persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | 11 | Scheduled Task Persistence via CompMgmt.msc | 8fcfa3d5-ea7d-4e1c-bd3e-3c4ed315b7d2 | command_prompt |
| 1120 | persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | 12 | Scheduled Task Persistence via Eventviewer.msc | 02124c37-767e-4b76-9383-c9fc366d9d4c | command_prompt |
| 1121 | persistence | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules | 1 | Malicious PAM rule | 4b9dde80-ae22-44b1-a82a-644bf009eb9c | sh |
| 1122 | persistence | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules | 2 | Malicious PAM rule (freebsd) | b17eacac-282d-4ca8-a240-46602cf863e3 | sh |
| 1123 | persistence | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules | 3 | Malicious PAM module | 65208808-3125-4a2e-8389-a0a00e9ab326 | sh |
| 1124 | persistence | T1546.013 | Event Triggered Execution: PowerShell Profile | 1 | Append malicious start-process cmdlet | 090e5aa5-32b6-473b-a49b-21e843a56896 | powershell |
| 1125 | persistence | T1133 | External Remote Services | 1 | Running Chrome VPN Extensions via the Registry 2 vpn extension | 4c8db261-a58b-42a6-a866-0a294deedde4 | powershell |
| 1126 | persistence | T1053.007 | Kubernetes Cronjob | 1 | ListCronjobs | ddfb0bc1-3c3f-47e9-a298-550ecfefacbd | bash |
| 1127 | persistence | T1053.007 | Kubernetes Cronjob | 2 | CreateCronjob | f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 | bash |
| 1128 | persistence | T1542.001 | Pre-OS Boot: System Firmware | 1 | UEFI Persistence via Wpbbin.exe File Creation | b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1 | powershell |
| 1129 | persistence | T1574.011 | Hijack Execution Flow: Services Registry Permissions Weakness | 1 | Service Registry Permissions Weakness | f7536d63-7fd4-466f-89da-7e48d550752a | powershell |
| 1130 | persistence | T1574.011 | Hijack Execution Flow: Services Registry Permissions Weakness | 2 | Service ImagePath Change with reg.exe | f38e9eea-e1d7-4ba6-b716-584791963827 | command_prompt |
| 1131 | persistence | T1547 | Boot or Logon Autostart Execution | 1 | Add a driver | cb01b3da-b0e7-4e24-bf6d-de5223526785 | command_prompt |
| 1132 | persistence | T1547 | Boot or Logon Autostart Execution | 2 | Driver Installation Using pnputil.exe | 5cb0b071-8a5a-412f-839d-116beb2ed9f7 | powershell |
| 1133 | persistence | T1547 | Boot or Logon Autostart Execution | 3 | Leverage Virtual Channels to execute custom DLL during successful RDP session | fdd45306-74f6-4ade-9a97-0a4895961228 | command_prompt |
| 1134 | persistence | T1547.014 | Active Setup | 1 | HKLM - Add atomic_test key to launch executable as part of user setup | deff4586-0517-49c2-981d-bbea24d48d71 | powershell |
| 1135 | persistence | T1547.014 | Active Setup | 2 | HKLM - Add malicious StubPath value to existing Active Setup Entry | 39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a | powershell |
| 1136 | persistence | T1547.014 | Active Setup | 3 | HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number | 04d55cef-f283-40ba-ae2a-316bc3b5e78c | powershell |
| 1137 | persistence | T1543.003 | Create or Modify System Process: Windows Service | 1 | Modify Fax service to run PowerShell | ed366cde-7d12-49df-a833-671904770b9f | command_prompt |
| 1138 | persistence | T1543.003 | Create or Modify System Process: Windows Service | 2 | Service Installation CMD | 981e2942-e433-44e9-afc1-8c957a1496b6 | command_prompt |
| 1139 | persistence | T1543.003 | Create or Modify System Process: Windows Service | 3 | Service Installation PowerShell | 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 | powershell |
| 1140 | persistence | T1543.003 | Create or Modify System Process: Windows Service | 4 | TinyTurla backdoor service w64time | ef0581fd-528e-4662-87bc-4c2affb86940 | command_prompt |
| 1141 | persistence | T1543.003 | Create or Modify System Process: Windows Service | 5 | Remote Service Installation CMD | fb4151a2-db33-4f8c-b7f8-78ea8790f961 | command_prompt |
| 1142 | persistence | T1543.003 | Create or Modify System Process: Windows Service | 6 | Modify Service to Run Arbitrary Binary (Powershell) | 1f896ce4-8070-4959-8a25-2658856a70c9 | powershell |
| 1143 | persistence | T1053.003 | Scheduled Task/Job: Cron | 1 | Cron - Replace crontab with referenced file | 435057fb-74b1-410e-9403-d81baf194f75 | sh |
| 1144 | persistence | T1053.003 | Scheduled Task/Job: Cron | 2 | Cron - Add script to all cron subfolders | b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 | bash |
| 1145 | persistence | T1053.003 | Scheduled Task/Job: Cron | 3 | Cron - Add script to /etc/cron.d folder | 078e69eb-d9fb-450e-b9d0-2e118217c846 | sh |
| 1146 | persistence | T1053.003 | Scheduled Task/Job: Cron | 4 | Cron - Add script to /var/spool/cron/crontabs/ folder | 2d943c18-e74a-44bf-936f-25ade6cccab4 | bash |
| 1147 | persistence | T1137 | Office Application Startup | 1 | Office Application Startup - Outlook as a C2 | bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c | command_prompt |
| 1148 | persistence | T1098.003 | Account Manipulation: Additional Cloud Roles | 1 | Azure AD - Add Company Administrator Role to a user | 4d77f913-56f5-4a14-b4b1-bf7bb24298ad | powershell |
| 1149 | persistence | T1098.003 | Account Manipulation: Additional Cloud Roles | 2 | Simulate - Post BEC persistence via user password reset followed by user added to company administrator role | 14f3af20-61f1-45b8-ad31-4637815f3f44 | powershell |
| 1150 | persistence | T1547.012 | Boot or Logon Autostart Execution: Print Processors | 1 | Print Processors | f7d38f47-c61b-47cc-a59d-fc0368f47ed0 | powershell |
| 1151 | persistence | T1574.001 | Hijack Execution Flow: DLL | 1 | DLL Search Order Hijacking - amsi.dll | 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 | command_prompt |
| 1152 | persistence | T1574.001 | Hijack Execution Flow: DLL | 2 | Phantom Dll Hijacking - WinAppXRT.dll | 46ed938b-c617-429a-88dc-d49b5c9ffedb | command_prompt |
| 1153 | persistence | T1574.001 | Hijack Execution Flow: DLL | 3 | Phantom Dll Hijacking - ualapi.dll | 5898902d-c5ad-479a-8545-6f5ab3cfc87f | command_prompt |
| 1154 | persistence | T1574.001 | Hijack Execution Flow: DLL | 4 | DLL Side-Loading using the Notepad++ GUP.exe binary | 65526037-7079-44a9-bda1-2cb624838040 | command_prompt |
| 1155 | persistence | T1574.001 | Hijack Execution Flow: DLL | 5 | DLL Side-Loading using the dotnet startup hook environment variable | d322cdd7-7d60-46e3-9111-648848da7c02 | command_prompt |
| 1156 | persistence | T1574.001 | Hijack Execution Flow: DLL | 6 | DLL Search Order Hijacking,DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE | c095ad8e-4469-4d33-be9d-6f6d1fb21585 | powershell |
| 1157 | persistence | T1137.006 | Office Application Startup: Add-ins | 1 | Code Executed Via Excel Add-in File (XLL) | 441b1a0f-a771-428a-8af0-e99e4698cda3 | powershell |
| 1158 | persistence | T1137.006 | Office Application Startup: Add-ins | 2 | Persistent Code Execution Via Excel Add-in File (XLL) | 9c307886-9fef-41d5-b344-073a0f5b2f5f | powershell |
| 1159 | persistence | T1137.006 | Office Application Startup: Add-ins | 3 | Persistent Code Execution Via Word Add-in File (WLL) | 95408a99-4fa7-4cd6-a7ef-cb65f86351cf | powershell |
| 1160 | persistence | T1137.006 | Office Application Startup: Add-ins | 4 | Persistent Code Execution Via Excel VBA Add-in File (XLAM) | 082141ed-b048-4c86-99c7-2b8da5b5bf48 | powershell |
| 1161 | persistence | T1137.006 | Office Application Startup: Add-ins | 5 | Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM) | f89e58f9-2b49-423b-ac95-1f3e7cfd8277 | powershell |
| 1162 | persistence | T1505.002 | Server Software Component: Transport Agent | 1 | Install MS Exchange Transport Agent Persistence | 43e92449-ff60-46e9-83a3-1a38089df94d | powershell |
| 1163 | persistence | T1556.002 | Modify Authentication Process: Password Filter DLL | 1 | Install and Register Password Filter DLL | a7961770-beb5-4134-9674-83d7e1fa865c | powershell |
| 1164 | persistence | T1556.002 | Modify Authentication Process: Password Filter DLL | 2 | Install Additional Authentication Packages | 91580da6-bc6e-431b-8b88-ac77180005f2 | powershell |
| 1165 | persistence | T1505.005 | Server Software Component: Terminal Services DLL | 1 | Simulate Patching termsrv.dll | 0b2eadeb-4a64-4449-9d43-3d999f4a317b | powershell |
| 1166 | persistence | T1505.005 | Server Software Component: Terminal Services DLL | 2 | Modify Terminal Services DLL Path | 18136e38-0530-49b2-b309-eed173787471 | powershell |
| 1167 | persistence | T1176 | Browser Extensions | 1 | Chrome/Chromium (Developer Mode) | 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 | manual |
| 1168 | persistence | T1176 | Browser Extensions | 2 | Chrome/Chromium (Chrome Web Store) | 4c83940d-8ca5-4bb2-8100-f46dc914bc3f | manual |
| 1169 | persistence | T1176 | Browser Extensions | 3 | Firefox | cb790029-17e6-4c43-b96f-002ce5f10938 | manual |
| 1170 | persistence | T1176 | Browser Extensions | 4 | Edge Chromium Addon - VPN | 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 | manual |
| 1171 | persistence | T1176 | Browser Extensions | 5 | Google Chrome Load Unpacked Extension With Command Line | 7a714703-9f6b-461c-b06d-e6aeac650f27 | powershell |
| 1172 | persistence | T1546.011 | Event Triggered Execution: Application Shimming | 1 | Application Shim Installation | 9ab27e22-ee62-4211-962b-d36d9a0e6a18 | command_prompt |
| 1173 | persistence | T1546.011 | Event Triggered Execution: Application Shimming | 2 | New shim database files created in the default shim database directory | aefd6866-d753-431f-a7a4-215ca7e3f13d | powershell |
| 1174 | persistence | T1546.011 | Event Triggered Execution: Application Shimming | 3 | Registry key creation and/or modification events for SDB | 9b6a06f9-ab5e-4e8d-8289-1df4289db02f | powershell |
| 1175 | persistence | T1547.010 | Boot or Logon Autostart Execution: Port Monitors | 1 | Add Port Monitor persistence in Registry | d34ef297-f178-4462-871e-9ce618d44e50 | command_prompt |
| 1176 | persistence | T1037.002 | Boot or Logon Initialization Scripts: Logon Script (Mac) | 1 | Logon Scripts - Mac | f047c7de-a2d9-406e-a62b-12a09d9516f4 | manual |
| 1177 | persistence | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | 1 | Shortcut Modification | ce4fc678-364f-4282-af16-2fb4c78005ce | command_prompt |
| 1178 | persistence | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | 2 | Create shortcut to cmd in startup folders | cfdc954d-4bb0-4027-875b-a1893ce406f2 | powershell |
| 1179 | persistence | T1547.005 | Boot or Logon Autostart Execution: Security Support Provider | 1 | Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry | afdfd7e3-8a0b-409f-85f7-886fdf249c9e | powershell |
| 1180 | persistence | T1547.005 | Boot or Logon Autostart Execution: Security Support Provider | 2 | Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry | de3f8e74-3351-4fdb-a442-265dbf231738 | powershell |
| 1181 | persistence | T1112 | Modify Registry | 1 | Modify Registry of Current User Profile - cmd | 1324796b-d0f6-455a-b4ae-21ffee6aa6b9 | command_prompt |
| 1182 | persistence | T1112 | Modify Registry | 2 | Modify Registry of Local Machine - cmd | 282f929a-6bc5-42b8-bd93-960c3ba35afe | command_prompt |
| 1183 | persistence | T1112 | Modify Registry | 3 | Modify registry to store logon credentials | c0413fb5-33e2-40b7-9b6f-60b29f4a7a18 | command_prompt |
| 1184 | persistence | T1112 | Modify Registry | 4 | Use Powershell to Modify registry to store logon credentials | 68254a85-aa42-4312-a695-38b7276307f8 | powershell |
| 1185 | persistence | T1112 | Modify Registry | 5 | Add domain to Trusted sites Zone | cf447677-5a4e-4937-a82c-e47d254afd57 | powershell |
| 1186 | persistence | T1112 | Modify Registry | 6 | Javascript in registry | 15f44ea9-4571-4837-be9e-802431a7bfae | powershell |
| 1187 | persistence | T1112 | Modify Registry | 7 | Change Powershell Execution Policy to Bypass | f3a6cceb-06c9-48e5-8df8-8867a6814245 | powershell |
| 1188 | persistence | T1112 | Modify Registry | 8 | BlackByte Ransomware Registry Changes - CMD | 4f4e2f9f-6209-4fcf-9b15-3b7455706f5b | command_prompt |
| 1189 | persistence | T1112 | Modify Registry | 9 | BlackByte Ransomware Registry Changes - Powershell | 0b79c06f-c788-44a2-8630-d69051f1123d | powershell |
| 1190 | persistence | T1112 | Modify Registry | 10 | Disable Windows Registry Tool | ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8 | command_prompt |
| 1191 | persistence | T1112 | Modify Registry | 11 | Disable Windows CMD application | d2561a6d-72bd-408c-b150-13efe1801c2a | powershell |
| 1192 | persistence | T1112 | Modify Registry | 12 | Disable Windows Task Manager application | af254e70-dd0e-4de6-9afe-a994d9ea8b62 | command_prompt |
| 1193 | persistence | T1112 | Modify Registry | 13 | Disable Windows Notification Center | c0d6d67f-1f63-42cc-95c0-5fd6b20082ad | command_prompt |
| 1194 | persistence | T1112 | Modify Registry | 14 | Disable Windows Shutdown Button | 6e0d1131-2d7e-4905-8ca5-d6172f05d03d | command_prompt |
| 1195 | persistence | T1112 | Modify Registry | 15 | Disable Windows LogOff Button | e246578a-c24d-46a7-9237-0213ff86fb0c | command_prompt |
| 1196 | persistence | T1112 | Modify Registry | 16 | Disable Windows Change Password Feature | d4a6da40-618f-454d-9a9e-26af552aaeb0 | command_prompt |
| 1197 | persistence | T1112 | Modify Registry | 17 | Disable Windows Lock Workstation Feature | 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56 | command_prompt |
| 1198 | persistence | T1112 | Modify Registry | 18 | Activate Windows NoDesktop Group Policy Feature | 93386d41-525c-4a1b-8235-134a628dee17 | command_prompt |
| 1199 | persistence | T1112 | Modify Registry | 19 | Activate Windows NoRun Group Policy Feature | d49ff3cc-8168-4123-b5b3-f057d9abbd55 | command_prompt |
| 1200 | persistence | T1112 | Modify Registry | 20 | Activate Windows NoFind Group Policy Feature | ffbb407e-7f1d-4c95-b22e-548169db1fbd | command_prompt |
| 1201 | persistence | T1112 | Modify Registry | 21 | Activate Windows NoControlPanel Group Policy Feature | a450e469-ba54-4de1-9deb-9023a6111690 | command_prompt |
| 1202 | persistence | T1112 | Modify Registry | 22 | Activate Windows NoFileMenu Group Policy Feature | 5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4 | command_prompt |
| 1203 | persistence | T1112 | Modify Registry | 23 | Activate Windows NoClose Group Policy Feature | 12f50e15-dbc6-478b-a801-a746e8ba1723 | command_prompt |
| 1204 | persistence | T1112 | Modify Registry | 24 | Activate Windows NoSetTaskbar Group Policy Feature | d29b7faf-7355-4036-9ed3-719bd17951ed | command_prompt |
| 1205 | persistence | T1112 | Modify Registry | 25 | Activate Windows NoTrayContextMenu Group Policy Feature | 4d72d4b1-fa7b-4374-b423-0fe326da49d2 | command_prompt |
| 1206 | persistence | T1112 | Modify Registry | 26 | Activate Windows NoPropertiesMyDocuments Group Policy Feature | 20fc9daa-bd48-4325-9aff-81b967a84b1d | command_prompt |
| 1207 | persistence | T1112 | Modify Registry | 27 | Hide Windows Clock Group Policy Feature | 8023db1e-ad06-4966-934b-b6a0ae52689e | command_prompt |
| 1208 | persistence | T1112 | Modify Registry | 28 | Windows HideSCAHealth Group Policy Feature | a4637291-40b1-4a96-8c82-b28f1d73e54e | command_prompt |
| 1209 | persistence | T1112 | Modify Registry | 29 | Windows HideSCANetwork Group Policy Feature | 3e757ce7-eca0-411a-9583-1c33b8508d52 | command_prompt |
| 1210 | persistence | T1112 | Modify Registry | 30 | Windows HideSCAPower Group Policy Feature | 8d85a5d8-702f-436f-bc78-fcd9119496fc | command_prompt |
| 1211 | persistence | T1112 | Modify Registry | 31 | Windows HideSCAVolume Group Policy Feature | 7f037590-b4c6-4f13-b3cc-e424c5ab8ade | command_prompt |
| 1212 | persistence | T1112 | Modify Registry | 32 | Windows Modify Show Compress Color And Info Tip Registry | 795d3248-0394-4d4d-8e86-4e8df2a2693f | command_prompt |
| 1213 | persistence | T1112 | Modify Registry | 33 | Windows Powershell Logging Disabled | 95b25212-91a7-42ff-9613-124aca6845a8 | command_prompt |
| 1214 | persistence | T1112 | Modify Registry | 34 | Windows Add Registry Value to Load Service in Safe Mode without Network | 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5 | command_prompt |
| 1215 | persistence | T1112 | Modify Registry | 35 | Windows Add Registry Value to Load Service in Safe Mode with Network | c173c948-65e5-499c-afbe-433722ed5bd4 | command_prompt |
| 1216 | persistence | T1112 | Modify Registry | 36 | Disable Windows Toast Notifications | 003f466a-6010-4b15-803a-cbb478a314d7 | command_prompt |
| 1217 | persistence | T1112 | Modify Registry | 37 | Disable Windows Security Center Notifications | 45914594-8df6-4ea9-b3cc-7eb9321a807e | command_prompt |
| 1218 | persistence | T1112 | Modify Registry | 38 | Suppress Win Defender Notifications | c30dada3-7777-4590-b970-dc890b8cf113 | command_prompt |
| 1219 | persistence | T1112 | Modify Registry | 39 | Allow RDP Remote Assistance Feature | 86677d0e-0b5e-4a2b-b302-454175f9aa9e | command_prompt |
| 1220 | persistence | T1112 | Modify Registry | 40 | NetWire RAT Registry Key Creation | 65704cd4-6e36-4b90-b6c1-dc29a82c8e56 | command_prompt |
| 1221 | persistence | T1112 | Modify Registry | 41 | Ursnif Malware Registry Key Creation | c375558d-7c25-45e9-bd64-7b23a97c1db0 | command_prompt |
| 1222 | persistence | T1112 | Modify Registry | 42 | Terminal Server Client Connection History Cleared | 3448824b-3c35-4a9e-a8f5-f887f68bea21 | command_prompt |
| 1223 | persistence | T1112 | Modify Registry | 43 | Disable Windows Error Reporting Settings | d2c9e41e-cd86-473d-980d-b6403562e3e1 | command_prompt |
| 1224 | persistence | T1112 | Modify Registry | 44 | DisallowRun Execution Of Certain Applications | 71db768a-5a9c-4047-b5e7-59e01f188e84 | command_prompt |
| 1225 | persistence | T1112 | Modify Registry | 45 | Enabling Restricted Admin Mode via Command_Prompt | fe7974e5-5813-477b-a7bd-311d4f535e83 | command_prompt |
| 1226 | persistence | T1112 | Modify Registry | 46 | Mimic Ransomware - Enable Multiple User Sessions | 39f1f378-ba8a-42b3-96dc-2a6540cfc1e3 | command_prompt |
| 1227 | persistence | T1112 | Modify Registry | 47 | Mimic Ransomware - Allow Multiple RDP Sessions per User | 35727d9e-7a7f-4d0c-a259-dc3906d6e8b9 | command_prompt |
| 1228 | persistence | T1112 | Modify Registry | 48 | Event Viewer Registry Modification - Redirection URL | 6174be7f-5153-4afd-92c5-e0c3b7cdb5ae | command_prompt |
| 1229 | persistence | T1112 | Modify Registry | 49 | Event Viewer Registry Modification - Redirection Program | 81483501-b8a5-4225-8b32-52128e2f69db | command_prompt |
| 1230 | persistence | T1112 | Modify Registry | 50 | Enabling Remote Desktop Protocol via Remote Registry | e3ad8e83-3089-49ff-817f-e52f8c948090 | command_prompt |
| 1231 | persistence | T1112 | Modify Registry | 51 | Disable Win Defender Notification | 12e03af7-79f9-4f95-af48-d3f12f28a260 | command_prompt |
| 1232 | persistence | T1112 | Modify Registry | 52 | Disable Windows OS Auto Update | 01b20ca8-c7a3-4d86-af59-059f15ed5474 | command_prompt |
| 1233 | persistence | T1112 | Modify Registry | 53 | Disable Windows Auto Reboot for current logon user | 396f997b-c5f8-4a96-bb2c-3c8795cf459d | command_prompt |
| 1234 | persistence | T1112 | Modify Registry | 54 | Windows Auto Update Option to Notify before download | 335a6b15-b8d2-4a3f-a973-ad69aa2620d7 | command_prompt |
| 1235 | persistence | T1112 | Modify Registry | 55 | Do Not Connect To Win Update | d1de3767-99c2-4c6c-8c5a-4ba4586474c8 | command_prompt |
| 1236 | persistence | T1112 | Modify Registry | 56 | Tamper Win Defender Protection | 3b625eaa-c10d-4635-af96-3eae7d2a2f3c | command_prompt |
| 1237 | persistence | T1112 | Modify Registry | 57 | Snake Malware Registry Blob | 8318ad20-0488-4a64-98f4-72525a012f6b | powershell |
| 1238 | persistence | T1112 | Modify Registry | 58 | Allow Simultaneous Download Registry | 37950714-e923-4f92-8c7c-51e4b6fffbf6 | command_prompt |
| 1239 | persistence | T1112 | Modify Registry | 59 | Modify Internet Zone Protocol Defaults in Current User Registry - cmd | c88ef166-50fa-40d5-a80c-e2b87d4180f7 | command_prompt |
| 1240 | persistence | T1112 | Modify Registry | 60 | Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell | b1a4d687-ba52-4057-81ab-757c3dc0d3b5 | powershell |
| 1241 | persistence | T1112 | Modify Registry | 61 | Activities To Disable Secondary Authentication Detected By Modified Registry Value. | c26fb85a-fa50-4fab-a64a-c51f5dc538d5 | command_prompt |
| 1242 | persistence | T1112 | Modify Registry | 62 | Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. | ffeddced-bb9f-49c6-97f0-3d07a509bf94 | command_prompt |
| 1243 | persistence | T1112 | Modify Registry | 63 | Scarab Ransomware Defense Evasion Activities | ca8ba39c-3c5a-459f-8e15-280aec65a910 | command_prompt |
| 1244 | persistence | T1112 | Modify Registry | 64 | Disable Remote Desktop Anti-Alias Setting Through Registry | 61d35188-f113-4334-8245-8c6556d43909 | command_prompt |
| 1245 | persistence | T1112 | Modify Registry | 65 | Disable Remote Desktop Security Settings Through Registry | 4b81bcfa-fb0a-45e9-90c2-e3efe5160140 | command_prompt |
| 1246 | persistence | T1112 | Modify Registry | 66 | Disabling ShowUI Settings of Windows Error Reporting (WER) | 09147b61-40f6-4b2a-b6fb-9e73a3437c96 | command_prompt |
| 1247 | persistence | T1112 | Modify Registry | 67 | Enable Proxy Settings | eb0ba433-63e5-4a8c-a9f0-27c4192e1336 | command_prompt |
| 1248 | persistence | T1112 | Modify Registry | 68 | Set-Up Proxy Server | d88a3d3b-d016-4939-a745-03638aafd21b | command_prompt |
| 1249 | persistence | T1112 | Modify Registry | 69 | RDP Authentication Level Override | 7e7b62e9-5f83-477d-8935-48600f38a3c6 | command_prompt |
| 1250 | persistence | T1112 | Modify Registry | 70 | Enable RDP via Registry (fDenyTSConnections) | 16bdbe52-371c-4ccf-b708-79fba61f1db4 | command_prompt |
| 1251 | persistence | T1112 | Modify Registry | 71 | Disable Windows Prefetch Through Registry | 7979dd41-2045-48b2-a54e-b1bc2415c9da | command_prompt |
| 1252 | persistence | T1112 | Modify Registry | 72 | Setting Shadow key in Registry for RDP Shadowing | ac494fe5-81a4-4897-af42-e774cf005ecb | powershell |
| 1253 | persistence | T1112 | Modify Registry | 73 | Flush Shimcache | ecbd533e-b45d-4239-aeff-b857c6f6d68b | command_prompt |
| 1254 | persistence | T1112 | Modify Registry | 74 | Disable Windows Remote Desktop Protocol | 5f8e36de-37ca-455e-b054-a2584f043c06 | command_prompt |
| 1255 | persistence | T1112 | Modify Registry | 75 | Enforce Smart Card Authentication Through Registry | 4c4bf587-fe7f-448f-ba8d-1ecec9db88be | command_prompt |
| 1256 | persistence | T1112 | Modify Registry | 76 | Requires the BitLocker PIN for Pre-boot authentication | 26fc7375-a551-4336-90d7-3f2817564304 | command_prompt |
| 1257 | persistence | T1112 | Modify Registry | 77 | Modify EnableBDEWithNoTPM Registry entry | bacb3e73-8161-43a9-8204-a69fe0e4b482 | command_prompt |
| 1258 | persistence | T1112 | Modify Registry | 78 | Modify UseTPM Registry entry | 7c8c7bd8-0a5c-4514-a6a3-0814c5a98cf0 | command_prompt |
| 1259 | persistence | T1112 | Modify Registry | 79 | Modify UseTPMPIN Registry entry | 10b33fb0-c58b-44cd-8599-b6da5ad6384c | command_prompt |
| 1260 | persistence | T1112 | Modify Registry | 80 | Modify UseTPMKey Registry entry | c8480c83-a932-446e-a919-06a1fd1e512a | command_prompt |
| 1261 | persistence | T1112 | Modify Registry | 81 | Modify UseTPMKeyPIN Registry entry | 02d8b9f7-1a51-4011-8901-2d55cca667f9 | command_prompt |
| 1262 | persistence | T1112 | Modify Registry | 82 | Modify EnableNonTPM Registry entry | e672a340-a933-447c-954c-d68db38a09b1 | command_prompt |
| 1263 | persistence | T1112 | Modify Registry | 83 | Modify UsePartialEncryptionKey Registry entry | b5169fd5-85c8-4b2c-a9b6-64cc0b9febef | command_prompt |
| 1264 | persistence | T1112 | Modify Registry | 84 | Modify UsePIN Registry entry | 3ac0b30f-532f-43c6-8f01-fb657aaed7e4 | command_prompt |
| 1265 | persistence | T1112 | Modify Registry | 85 | Abusing Windows TelemetryController Registry Key for Persistence | 4469192c-2d2d-4a3a-9758-1f31d937a92b | command_prompt |
| 1266 | persistence | T1112 | Modify Registry | 86 | Modify RDP-Tcp Initial Program Registry Entry | c691cee2-8d17-4395-b22f-00644c7f1c2d | command_prompt |
| 1267 | persistence | T1112 | Modify Registry | 87 | Abusing MyComputer Disk Cleanup Path for Persistence | f2915249-4485-42e2-96b7-9bf34328d497 | command_prompt |
| 1268 | persistence | T1112 | Modify Registry | 88 | Abusing MyComputer Disk Fragmentation Path for Persistence | 3235aafe-b49d-451b-a1f1-d979fa65ddaf | command_prompt |
| 1269 | persistence | T1112 | Modify Registry | 89 | Abusing MyComputer Disk Backup Path for Persistence | 599f3b5c-0323-44ed-bb63-4551623bf675 | command_prompt |
| 1270 | persistence | T1112 | Modify Registry | 90 | Adding custom paths for application execution | 573d15da-c34e-4c59-a7d2-18f20d92dfa3 | command_prompt |
| 1271 | persistence | T1543.004 | Create or Modify System Process: Launch Daemon | 1 | Launch Daemon | 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf | bash |
| 1272 | persistence | T1574.008 | Hijack Execution Flow: Path Interception by Search Order Hijacking | 1 | powerShell Persistence via hijacking default modules - Get-Variable.exe | 1561de08-0b4b-498e-8261-e922f3494aae | powershell |
| 1273 | persistence | T1505.003 | Server Software Component: Web Shell | 1 | Web Shell Written to Disk | 0a2ce662-1efa-496f-a472-2fe7b080db16 | command_prompt |
| 1274 | persistence | T1078.001 | Valid Accounts: Default Accounts | 1 | Enable Guest account with RDP capability and admin privileges | 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 | command_prompt |
| 1275 | persistence | T1078.001 | Valid Accounts: Default Accounts | 2 | Activate Guest Account | aa6cb8c4-b582-4f8e-b677-37733914abda | command_prompt |
| 1276 | persistence | T1078.001 | Valid Accounts: Default Accounts | 3 | Enable Guest Account on macOS | 0315bdff-4178-47e9-81e4-f31a6d23f7e4 | sh |
| 1277 | persistence | T1547.003 | Time Providers | 1 | Create a new time provider | df1efab7-bc6d-4b88-8be9-91f55ae017aa | powershell |
| 1278 | persistence | T1547.003 | Time Providers | 2 | Edit an existing time provider | 29e0afca-8d1d-471a-8d34-25512fc48315 | powershell |
| 1279 | persistence | T1546.005 | Event Triggered Execution: Trap | 1 | Trap EXIT | a74b2e07-5952-4c03-8b56-56274b076b61 | sh |
| 1280 | persistence | T1546.005 | Event Triggered Execution: Trap | 2 | Trap EXIT (freebsd) | be1a5d70-6865-44aa-ab50-42244c9fd16f | sh |
| 1281 | persistence | T1546.005 | Event Triggered Execution: Trap | 3 | Trap SIGINT | a547d1ba-1d7a-4cc5-a9cb-8d65e8809636 | sh |
| 1282 | persistence | T1546.005 | Event Triggered Execution: Trap | 4 | Trap SIGINT (freebsd) | ade10242-1eac-43df-8412-be0d4c704ada | sh |
| 1283 | persistence | T1574.006 | Hijack Execution Flow: LD_PRELOAD | 1 | Shared Library Injection via /etc/ld.so.preload | 39cb0e67-dd0d-4b74-a74b-c072db7ae991 | bash |
| 1284 | persistence | T1574.006 | Hijack Execution Flow: LD_PRELOAD | 2 | Shared Library Injection via LD_PRELOAD | bc219ff7-789f-4d51-9142-ecae3397deae | bash |
| 1285 | persistence | T1574.006 | Hijack Execution Flow: LD_PRELOAD | 3 | Dylib Injection via DYLD_INSERT_LIBRARIES | 4d66029d-7355-43fd-93a4-b63ba92ea1be | bash |
| 1286 | persistence | T1136.001 | Create Account: Local Account | 1 | Create a user account on a Linux system | 40d8eabd-e394-46f6-8785-b9bfa1d011d2 | bash |
| 1287 | persistence | T1136.001 | Create Account: Local Account | 2 | Create a user account on a FreeBSD system | a39ee1bc-b8c1-4331-8e5f-1859eb408518 | sh |
| 1288 | persistence | T1136.001 | Create Account: Local Account | 3 | Create a user account on a MacOS system | 01993ba5-1da3-4e15-a719-b690d4f0f0b2 | bash |
| 1289 | persistence | T1136.001 | Create Account: Local Account | 4 | Create a new user in a command prompt | 6657864e-0323-4206-9344-ac9cd7265a4f | command_prompt |
| 1290 | persistence | T1136.001 | Create Account: Local Account | 5 | Create a new user in PowerShell | bc8be0ac-475c-4fbf-9b1d-9fffd77afbde | powershell |
| 1291 | persistence | T1136.001 | Create Account: Local Account | 6 | Create a new user in Linux with `root` UID and GID. | a1040a30-d28b-4eda-bd99-bb2861a4616c | bash |
| 1292 | persistence | T1136.001 | Create Account: Local Account | 7 | Create a new user in FreeBSD with `root` GID. | d141afeb-d2bc-4934-8dd5-b7dba0f9f67a | sh |
| 1293 | persistence | T1136.001 | Create Account: Local Account | 8 | Create a new Windows admin user | fda74566-a604-4581-a4cc-fbbe21d66559 | command_prompt |
| 1294 | persistence | T1136.001 | Create Account: Local Account | 9 | Create a new Windows admin user via .NET | 2170d9b5-bacd-4819-a952-da76dae0815f | powershell |
| 1295 | persistence | T1136.001 | Create Account: Local Account | 10 | Create a Linux user via kubectl in a Pod | d9efa6c7-6518-42b2-809a-4f2a8e242b9b | bash |
| 1296 | persistence | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | 1 | Winlogon Shell Key Persistence - PowerShell | bf9f9d65-ee4d-4c3e-a843-777d04f19c38 | powershell |
| 1297 | persistence | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | 2 | Winlogon Userinit Key Persistence - PowerShell | fb32c935-ee2e-454b-8fa3-1c46b42e8dfb | powershell |
| 1298 | persistence | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | 3 | Winlogon Notify Key Logon Persistence - PowerShell | d40da266-e073-4e5a-bb8b-2b385023e5f9 | powershell |
| 1299 | persistence | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | 4 | Winlogon HKLM Shell Key Persistence - PowerShell | 95a3c42f-8c88-4952-ad60-13b81d929a9d | powershell |
| 1300 | persistence | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | 5 | Winlogon HKLM Userinit Key Persistence - PowerShell | f9b8daff-8fa7-4e6a-a1a7-7c14675a545b | powershell |
| 1301 | persistence | T1098.004 | SSH Authorized Keys | 1 | Modify SSH Authorized Keys | 342cc723-127c-4d3a-8292-9c0c6b4ecadc | sh |
| 1302 | persistence | T1546.012 | Event Triggered Execution: Image File Execution Options Injection | 1 | IFEO Add Debugger | fdda2626-5234-4c90-b163-60849a24c0b8 | command_prompt |
| 1303 | persistence | T1546.012 | Event Triggered Execution: Image File Execution Options Injection | 2 | IFEO Global Flags | 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 | command_prompt |
| 1304 | persistence | T1546.012 | Event Triggered Execution: Image File Execution Options Injection | 3 | GlobalFlags in Image File Execution Options | 13117939-c9b2-4a43-999e-0a543df92f0d | powershell |
| 1305 | persistence | T1546.008 | Event Triggered Execution: Accessibility Features | 1 | Attaches Command Prompt as a Debugger to a List of Target Processes | 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 | powershell |
| 1306 | persistence | T1546.008 | Event Triggered Execution: Accessibility Features | 2 | Replace binary of sticky keys | 934e90cf-29ca-48b3-863c-411737ad44e3 | command_prompt |
| 1307 | persistence | T1546.008 | Event Triggered Execution: Accessibility Features | 3 | Create Symbolic Link From osk.exe to cmd.exe | 51ef369c-5e87-4f33-88cd-6d61be63edf2 | command_prompt |
| 1308 | persistence | T1546.008 | Event Triggered Execution: Accessibility Features | 4 | Atbroker.exe (AT) Executes Arbitrary Command via Registry Key | 444ff124-4c83-4e28-8df6-6efd3ece6bd4 | command_prompt |
| 1309 | persistence | T1546.008 | Event Triggered Execution: Accessibility Features | 5 | Auto-start application on user logon | 7125eba8-7b30-426b-9147-781d152be6fb | command_prompt |
| 1310 | persistence | T1546.008 | Event Triggered Execution: Accessibility Features | 6 | Replace utilman.exe (Ease of Access Binary) with cmd.exe | 1db380da-3422-481d-a3c8-6d5770dba580 | command_prompt |
| 1311 | persistence | T1546.008 | Event Triggered Execution: Accessibility Features | 7 | Replace Magnify.exe (Magnifier binary) with cmd.exe | 5e4fa70d-c789-470e-85e1-6992b92bb321 | command_prompt |
| 1312 | persistence | T1546.008 | Event Triggered Execution: Accessibility Features | 8 | Replace Narrator.exe (Narrator binary) with cmd.exe | 2002f5ea-cd13-4c82-bf73-e46722e5dc5e | command_prompt |
| 1313 | persistence | T1546.008 | Event Triggered Execution: Accessibility Features | 9 | Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe | 825ba8ca-71cc-436b-b1dd-ea0d5e109086 | command_prompt |
| 1314 | persistence | T1546.008 | Event Triggered Execution: Accessibility Features | 10 | Replace AtBroker.exe (App Switcher binary) with cmd.exe | 210be7ea-d841-40ec-b3e1-ff610bb62744 | command_prompt |
| 1315 | persistence | T1136.002 | Create Account: Domain Account | 1 | Create a new Windows domain admin user | fcec2963-9951-4173-9bfa-98d8b7834e62 | command_prompt |
| 1316 | persistence | T1136.002 | Create Account: Domain Account | 2 | Create a new account similar to ANONYMOUS LOGON | dc7726d2-8ccb-4cc6-af22-0d5afb53a548 | command_prompt |
| 1317 | persistence | T1136.002 | Create Account: Domain Account | 3 | Create a new Domain Account using PowerShell | 5a3497a4-1568-4663-b12a-d4a5ed70c7d7 | powershell |
| 1318 | persistence | T1136.002 | Create Account: Domain Account | 4 | Active Directory Create Admin Account | 562aa072-524e-459a-ba2b-91f1afccf5ab | sh |
| 1319 | persistence | T1136.002 | Create Account: Domain Account | 5 | Active Directory Create User Account (Non-elevated) | 8c992cb3-a46e-4fd5-b005-b1bab185af31 | sh |
| 1320 | persistence | T1137.001 | Office Application Startup: Office Template Macros. | 1 | Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell | 940db09e-80b6-4dd0-8d4d-7764f89b47a8 | powershell |
| 1321 | persistence | T1546.009 | Event Triggered Execution: AppCert DLLs | 1 | Create registry persistence via AppCert DLL | a5ad6104-5bab-4c43-b295-b4c44c7c6b05 | powershell |
| 1322 | persistence | T1547.015 | Boot or Logon Autostart Execution: Login Items | 1 | Persistence by modifying Windows Terminal profile | ec5d76ef-82fe-48da-b931-bdb25a62bc65 | powershell |
| 1323 | persistence | T1547.015 | Boot or Logon Autostart Execution: Login Items | 2 | Add macOS LoginItem using Applescript | 716e756a-607b-41f3-8204-b214baf37c1d | bash |
| 1324 | persistence | T1098.001 | Account Manipulation: Additional Cloud Credentials | 1 | Azure AD Application Hijacking - Service Principal | b8e747c3-bdf7-4d71-bce2-f1df2a057406 | powershell |
| 1325 | persistence | T1098.001 | Account Manipulation: Additional Cloud Credentials | 2 | Azure AD Application Hijacking - App Registration | a12b5531-acab-4618-a470-0dafb294a87a | powershell |
| 1326 | persistence | T1098.001 | Account Manipulation: Additional Cloud Credentials | 3 | AWS - Create Access Key and Secret Key | 8822c3b0-d9f9-4daf-a043-491160a31122 | sh |
| 1327 | persistence | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | 1 | Persistence via WMI Event Subscription - CommandLineEventConsumer | 3c64f177-28e2-49eb-a799-d767b24dd1e0 | powershell |
| 1328 | persistence | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | 2 | Persistence via WMI Event Subscription - ActiveScriptEventConsumer | fecd0dfd-fb55-45fa-a10b-6250272d0832 | powershell |
| 1329 | persistence | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | 3 | Windows MOFComp.exe Load MOF File | 29786d7e-8916-4de6-9c55-be7b093b2706 | powershell |
| 1330 | persistence | T1546.001 | Event Triggered Execution: Change Default File Association | 1 | Change Default File Association | 10a08978-2045-4d62-8c42-1957bbbea102 | command_prompt |
| 1331 | persistence | T1546.014 | Event Triggered Execution: Emond | 1 | Persistance with Event Monitor - emond | 23c9c127-322b-4c75-95ca-eff464906114 | sh |
| 1332 | persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 1 | Reg Key Run | e55be3fd-3521-4610-9d1a-e210e42dcf05 | command_prompt |
| 1333 | persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 2 | Reg Key RunOnce | 554cbd88-cde1-4b56-8168-0be552eed9eb | command_prompt |
| 1334 | persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 3 | PowerShell Registry RunOnce | eb44f842-0457-4ddc-9b92-c4caa144ac42 | powershell |
| 1335 | persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 4 | Suspicious vbs file run from startup Folder | 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 | powershell |
| 1336 | persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 5 | Suspicious jse file run from startup Folder | dade9447-791e-4c8f-b04b-3a35855dfa06 | powershell |
| 1337 | persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 6 | Suspicious bat file run from startup Folder | 5b6768e4-44d2-44f0-89da-a01d1430fd5e | powershell |
| 1338 | persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 7 | Add Executable Shortcut Link to User Startup Folder | 24e55612-85f6-4bd6-ae74-a73d02e3441d | powershell |
| 1339 | persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 8 | Add persistance via Recycle bin | bda6a3d6-7aa7-4e89-908b-306772e9662f | command_prompt |
| 1340 | persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 9 | SystemBC Malware-as-a-Service Registry | 9dc7767b-30c1-4cc4-b999-50cab5e27891 | powershell |
| 1341 | persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 10 | Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value | acfef903-7662-447e-a391-9c91c2f00f7b | powershell |
| 1342 | persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 11 | Change Startup Folder - HKCU Modify User Shell Folders Startup Value | 8834b65a-f808-4ece-ad7e-2acdf647aafa | powershell |
| 1343 | persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 12 | HKCU - Policy Settings Explorer Run Key | a70faea1-e206-4f6f-8d9a-67379be8f6f1 | powershell |
| 1344 | persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 13 | HKLM - Policy Settings Explorer Run Key | b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f | powershell |
| 1345 | persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 14 | HKLM - Append Command to Winlogon Userinit KEY Value | f7fab6cc-8ece-4ca7-a0f1-30a22fccd374 | powershell |
| 1346 | persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 15 | HKLM - Modify default System Shell - Winlogon Shell KEY Value | 1d958c61-09c6-4d9e-b26b-4130314e520e | powershell |
| 1347 | persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 16 | secedit used to create a Run key in the HKLM Hive | 14fdc3f1-6fc3-4556-8d36-aa89d9d42d02 | command_prompt |
| 1348 | persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 17 | Modify BootExecute Value | befc2b40-d487-4a5a-8813-c11085fb5672 | powershell |
| 1349 | persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 18 | Allowing custom application to execute during new RDP logon session | b051b3c0-66e7-4a81-916d-e6383bd3a669 | command_prompt |
| 1350 | persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 19 | Creating Boot Verification Program Key for application execution during successful boot | 6e1666d5-3f2b-4b9a-80aa-f011322380d4 | command_prompt |
| 1351 | persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | 20 | Add persistence via Windows Context Menu | de47f4a0-2acb-416d-9a6b-cee584a4c4d1 | command_prompt |
| 1352 | persistence | T1136.003 | Create Account: Cloud Account | 1 | AWS - Create a new IAM user | 8d1c2368-b503-40c9-9057-8e42f21c58ad | sh |
| 1353 | persistence | T1136.003 | Create Account: Cloud Account | 2 | Azure AD - Create a new user | e62d23ef-3153-4837-8625-fa4a3829134d | powershell |
| 1354 | persistence | T1136.003 | Create Account: Cloud Account | 3 | Azure AD - Create a new user via Azure CLI | 228c7498-be31-48e9-83b7-9cb906504ec8 | powershell |
| 1355 | persistence | T1098 | Account Manipulation | 1 | Admin Account Manipulate | 5598f7cb-cf43-455e-883a-f6008c5d46af | powershell |
| 1356 | persistence | T1098 | Account Manipulation | 2 | Domain Account and Group Manipulate | a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 | powershell |
| 1357 | persistence | T1098 | Account Manipulation | 3 | AWS - Create a group and add a user to that group | 8822c3b0-d9f9-4daf-a043-49f110a31122 | sh |
| 1358 | persistence | T1098 | Account Manipulation | 4 | Azure AD - adding user to Azure AD role | 0e65ae27-5385-46b4-98ac-607a8ee82261 | powershell |
| 1359 | persistence | T1098 | Account Manipulation | 5 | Azure AD - adding service principal to Azure AD role | 92c40b3f-c406-4d1f-8d2b-c039bf5009e4 | powershell |
| 1360 | persistence | T1098 | Account Manipulation | 6 | Azure - adding user to Azure role in subscription | 1a94b3fc-b080-450a-b3d8-6d9b57b472ea | powershell |
| 1361 | persistence | T1098 | Account Manipulation | 7 | Azure - adding service principal to Azure role in subscription | c8f4bc29-a151-48da-b3be-4680af56f404 | powershell |
| 1362 | persistence | T1098 | Account Manipulation | 8 | Azure AD - adding permission to application | 94ea9cc3-81f9-4111-8dde-3fb54f36af4b | powershell |
| 1363 | persistence | T1098 | Account Manipulation | 9 | Password Change on Directory Service Restore Mode (DSRM) Account | d5b886d9-d1c7-4b6e-a7b0-460041bf2823 | command_prompt |
| 1364 | persistence | T1098 | Account Manipulation | 10 | Domain Password Policy Check: Short Password | fc5f9414-bd67-4f5f-a08e-e5381e29cbd1 | powershell |
| 1365 | persistence | T1098 | Account Manipulation | 11 | Domain Password Policy Check: No Number in Password | 68190529-069b-4ffc-a942-919704158065 | powershell |
| 1366 | persistence | T1098 | Account Manipulation | 12 | Domain Password Policy Check: No Special Character in Password | 7d984ef2-2db2-4cec-b090-e637e1698f61 | powershell |
| 1367 | persistence | T1098 | Account Manipulation | 13 | Domain Password Policy Check: No Uppercase Character in Password | b299c120-44a7-4d68-b8e2-8ba5a28511ec | powershell |
| 1368 | persistence | T1098 | Account Manipulation | 14 | Domain Password Policy Check: No Lowercase Character in Password | 945da11e-977e-4dab-85d2-f394d03c5887 | powershell |
| 1369 | persistence | T1098 | Account Manipulation | 15 | Domain Password Policy Check: Only Two Character Classes | 784d1349-5a26-4d20-af5e-d6af53bae460 | powershell |
| 1370 | persistence | T1098 | Account Manipulation | 16 | Domain Password Policy Check: Common Password Use | 81959d03-c51f-49a1-bb24-23f1ec885578 | powershell |
| 1371 | persistence | T1098 | Account Manipulation | 17 | GCP - Delete Service Account Key | 7ece1dea-49f1-4d62-bdcc-5801e3292510 | sh |
| 1372 | persistence | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | 1 | Linux - Load Kernel Module via insmod | 687dcb93-9656-4853-9c36-9977315e9d23 | bash |
| 1373 | persistence | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | 2 | MacOS - Load Kernel Module via kextload and kmutil | f4391089-d3a5-4dd1-ab22-0419527f2672 | bash |
| 1374 | persistence | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | 3 | MacOS - Load Kernel Module via KextManagerLoadKextWithURL() | f0007753-beb3-41ea-9948-760785e4c1e5 | bash |
| 1375 | persistence | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | 4 | Snake Malware Kernel Driver Comadmin | e5cb5564-cc7b-4050-86e8-f2d9eec1941f | powershell |
| 1376 | persistence | T1053.006 | Scheduled Task/Job: Systemd Timers | 1 | Create Systemd Service and Timer | f4983098-bb13-44fb-9b2c-46149961807b | bash |
| 1377 | persistence | T1053.006 | Scheduled Task/Job: Systemd Timers | 2 | Create a user level transient systemd service and timer | 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec | sh |
| 1378 | persistence | T1053.006 | Scheduled Task/Job: Systemd Timers | 3 | Create a system level transient systemd service and timer | d3eda496-1fc0-49e9-aff5-3bec5da9fa22 | sh |
| 1379 | persistence | T1505.004 | IIS Components | 1 | Install IIS Module using AppCmd.exe | 53adbdfa-8200-490c-871c-d3b1ab3324b2 | command_prompt |
| 1380 | persistence | T1505.004 | IIS Components | 2 | Install IIS Module using PowerShell Cmdlet New-WebGlobalModule | cc3381fb-4bd0-405c-a8e4-6cacfac3b06c | powershell |
| 1381 | persistence | T1546 | Event Triggered Execution | 1 | Persistence with Custom AutodialDLL | aca9ae16-7425-4b6d-8c30-cad306fdbd5b | powershell |
| 1382 | persistence | T1546 | Event Triggered Execution | 2 | HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) | a574dafe-a903-4cce-9701-14040f4f3532 | powershell |
| 1383 | persistence | T1546 | Event Triggered Execution | 3 | HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) | 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01 | powershell |
| 1384 | persistence | T1546 | Event Triggered Execution | 4 | WMI Invoke-CimMethod Start Process | adae83d3-0df6-45e7-b2c3-575f91584577 | powershell |
| 1385 | persistence | T1546 | Event Triggered Execution | 5 | Adding custom debugger for Windows Error Reporting | 17d1a3cc-3373-495a-857a-e5dd005fb302 | command_prompt |
| 1386 | persistence | T1546 | Event Triggered Execution | 6 | Load custom DLL on mstsc execution | 2db7852e-5a32-4ec7-937f-f4e027881700 | command_prompt |
| 1387 | persistence | T1546 | Event Triggered Execution | 7 | Persistence using automatic execution of custom DLL during RDP session | b7fc4c3f-fe6e-479a-ba27-ef91b88536e3 | command_prompt |
| 1388 | persistence | T1546 | Event Triggered Execution | 8 | Persistence via ErrorHandler.cmd script execution | 547a4736-dd1c-4b48-b4fe-e916190bb2e7 | powershell |
| 1389 | persistence | T1546 | Event Triggered Execution | 9 | Persistence using STARTUP-PATH in MS-WORD | f0027655-25ef-47b0-acaf-3d83d106156c | command_prompt |
| 1390 | persistence | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 1 | Add command to .bash_profile | 94500ae1-7e31-47e3-886b-c328da46872f | sh |
| 1391 | persistence | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 2 | Add command to .bashrc | 0a898315-4cfa-4007-bafe-33a4646d115f | sh |
| 1392 | persistence | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 3 | Add command to .shrc | 41502021-591a-4649-8b6e-83c9192aff53 | sh |
| 1393 | persistence | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 4 | Append to the system shell profile | 694b3cc8-6a78-4d35-9e74-0123d009e94b | sh |
| 1394 | persistence | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 5 | Append commands user shell profile | bbdb06bc-bab6-4f5b-8232-ba3fbed51d77 | sh |
| 1395 | persistence | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 6 | System shell profile scripts | 8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4 | sh |
| 1396 | persistence | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 7 | Create/Append to .bash_logout | 37ad2f24-7c53-4a50-92da-427a4ad13f58 | bash |
| 1397 | persistence | T1547.002 | Authentication Package | 1 | Authentication Package | be2590e8-4ac3-47ac-b4b5-945820f2fbe9 | powershell |
| 1398 | persistence | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | 1 | COM Hijacking - InprocServer32 | 48117158-d7be-441b-bc6a-d9e36e47b52b | powershell |
| 1399 | persistence | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | 2 | Powershell Execute COM Object | 752191b1-7c71-445c-9dbe-21bb031b18eb | powershell |
| 1400 | persistence | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | 3 | COM Hijacking with RunDLL32 (Local Server Switch) | 123520cc-e998-471b-a920-bd28e3feafa0 | powershell |
| 1401 | persistence | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | 4 | COM hijacking via TreatAs | 33eacead-f117-4863-8eb0-5c6304fbfaa9 | powershell |
| 1402 | persistence | T1137.004 | Office Application Startup: Outlook Home Page | 1 | Install Outlook Home Page Persistence | 7a91ad51-e6d2-4d43-9471-f26362f5738e | command_prompt |
| 1403 | persistence | T1574.009 | Hijack Execution Flow: Path Interception by Unquoted Path | 1 | Execution of program.exe as service with unquoted service path | 2770dea7-c50f-457b-84c4-c40a47460d9f | command_prompt |
| 1404 | persistence | T1037.005 | Boot or Logon Initialization Scripts: Startup Items | 1 | Add file to Local Library StartupItems | 134627c3-75db-410e-bff8-7a920075f198 | sh |
| 1405 | persistence | T1037.005 | Boot or Logon Initialization Scripts: Startup Items | 2 | Add launch script to launch daemon | fc369906-90c7-4a15-86fd-d37da624dde6 | bash |
| 1406 | persistence | T1037.005 | Boot or Logon Initialization Scripts: Startup Items | 3 | Add launch script to launch agent | 10cf5bec-49dd-4ebf-8077-8f47e420096f | bash |
| 1407 | persistence | T1197 | BITS Jobs | 1 | Bitsadmin Download (cmd) | 3c73d728-75fb-4180-a12f-6712864d7421 | command_prompt |
| 1408 | persistence | T1197 | BITS Jobs | 2 | Bitsadmin Download (PowerShell) | f63b8bc4-07e5-4112-acba-56f646f3f0bc | powershell |
| 1409 | persistence | T1197 | BITS Jobs | 3 | Persist, Download, & Execute | 62a06ec5-5754-47d2-bcfc-123d8314c6ae | command_prompt |
| 1410 | persistence | T1197 | BITS Jobs | 4 | Bits download using desktopimgdownldr.exe (cmd) | afb5e09e-e385-4dee-9a94-6ee60979d114 | command_prompt |
| 1411 | persistence | T1546.010 | Event Triggered Execution: AppInit DLLs | 1 | Install AppInit Shim | a58d9386-3080-4242-ab5f-454c16503d18 | command_prompt |
| 1412 | persistence | T1546.002 | Event Triggered Execution: Screensaver | 1 | Set Arbitrary Binary as Screensaver | 281201e7-de41-4dc9-b73d-f288938cbb64 | command_prompt |
| 1413 | persistence | T1543.001 | Create or Modify System Process: Launch Agent | 1 | Launch Agent | a5983dee-bf6c-4eaf-951c-dbc1a7b90900 | bash |
| 1414 | persistence | T1543.001 | Create or Modify System Process: Launch Agent | 2 | Event Monitor Daemon Persistence | 11979f23-9b9d-482a-9935-6fc9cd022c3e | bash |
| 1415 | persistence | T1543.001 | Create or Modify System Process: Launch Agent | 3 | Launch Agent - Root Directory | 66774fa8-c562-4bae-a58d-5264a0dd9dd7 | bash |
| 1416 | persistence | T1037.004 | Boot or Logon Initialization Scripts: Rc.common | 1 | rc.common | 97a48daa-8bca-4bc0-b1a9-c1d163e762de | bash |
| 1417 | persistence | T1037.004 | Boot or Logon Initialization Scripts: Rc.common | 2 | rc.common | c33f3d80-5f04-419b-a13a-854d1cbdbf3a | bash |
| 1418 | persistence | T1037.004 | Boot or Logon Initialization Scripts: Rc.common | 3 | rc.local | 126f71af-e1c9-405c-94ef-26a47b16c102 | sh |
| 1419 | persistence | T1543.002 | Create or Modify System Process: SysV/Systemd Service | 1 | Create Systemd Service | d9e4f24f-aa67-4c6e-bcbf-85622b697a7c | bash |
| 1420 | persistence | T1543.002 | Create or Modify System Process: SysV/Systemd Service | 2 | Create SysV Service | 760fe8d2-79d9-494f-905e-a239a3df86f6 | sh |
| 1421 | persistence | T1543.002 | Create or Modify System Process: SysV/Systemd Service | 3 | Create Systemd Service file, Enable the service , Modify and Reload the service. | c35ac4a8-19de-43af-b9f8-755da7e89c89 | bash |
| 1422 | persistence | T1547.007 | Boot or Logon Autostart Execution: Re-opened Applications | 1 | Copy in loginwindow.plist for Re-Opened Applications | 5fefd767-ef54-4ac6-84d3-751ab85e8aba | sh |
| 1423 | persistence | T1547.007 | Boot or Logon Autostart Execution: Re-opened Applications | 2 | Re-Opened Applications using LoginHook | 5f5b71da-e03f-42e7-ac98-d63f9e0465cb | sh |
| 1424 | persistence | T1547.007 | Boot or Logon Autostart Execution: Re-opened Applications | 3 | Append to existing loginwindow for Re-Opened Applications | 766b6c3c-9353-4033-8b7e-38b309fa3a93 | sh |
| 1425 | persistence | T1098.002 | Account Manipulation: Additional Email Delegate Permissions | 1 | EXO - Full access mailbox permission granted to a user | 17d046be-fdd0-4cbb-b5c7-55c85d9d0714 | powershell |
| 1426 | persistence | T1037.001 | Boot or Logon Initialization Scripts: Logon Script (Windows) | 1 | Logon Scripts | d6042746-07d4-4c92-9ad8-e644c114a231 | command_prompt |
| 1427 | persistence | T1137.002 | Office Application Startup: Office Test | 1 | Office Application Startup Test Persistence (HKCU) | c3e35b58-fe1c-480b-b540-7600fb612563 | powershell |
| 1428 | persistence | T1547.008 | Boot or Logon Autostart Execution: LSASS Driver | 1 | Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt | 8ecef16d-d289-46b4-917b-0dba6dc81cf1 | powershell |
| 1429 | persistence | T1078.004 | Valid Accounts: Cloud Accounts | 1 | Creating GCP Service Account and Service Account Key | 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e | sh |
| 1430 | persistence | T1078.004 | Valid Accounts: Cloud Accounts | 2 | Azure Persistence Automation Runbook Created or Modified | 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac | powershell |
| 1431 | persistence | T1078.004 | Valid Accounts: Cloud Accounts | 3 | GCP - Create Custom IAM Role | 3a159042-69e6-4398-9a69-3308a4841c85 | sh |
| 1432 | persistence | T1053.002 | Scheduled Task/Job: At | 1 | At.exe Scheduled task | 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 | command_prompt |
| 1433 | persistence | T1053.002 | Scheduled Task/Job: At | 2 | At - Schedule a job | 7266d898-ac82-4ec0-97c7-436075d0d08e | sh |
| 1434 | persistence | T1053.002 | Scheduled Task/Job: At | 3 | At - Schedule a job via kubectl in a Pod | 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213 | bash |
| 1435 | persistence | T1546.007 | Event Triggered Execution: Netsh Helper DLL | 1 | Netsh Helper DLL Registration | 3244697d-5a3a-4dfc-941c-550f69f91a4d | command_prompt |
| 1436 | persistence | T1078.003 | Valid Accounts: Local Accounts | 1 | Create local account with admin privileges | a524ce99-86de-4db6-b4f9-e08f35a47a15 | command_prompt |
| 1437 | persistence | T1078.003 | Valid Accounts: Local Accounts | 2 | Create local account with admin privileges - MacOS | f1275566-1c26-4b66-83e3-7f9f7f964daa | bash |
| 1438 | persistence | T1078.003 | Valid Accounts: Local Accounts | 3 | Create local account with admin privileges using sysadminctl utility - MacOS | 191db57d-091a-47d5-99f3-97fde53de505 | bash |
| 1439 | persistence | T1078.003 | Valid Accounts: Local Accounts | 4 | Enable root account using dsenableroot utility - MacOS | 20b40ea9-0e17-4155-b8e6-244911a678ac | bash |
| 1440 | persistence | T1078.003 | Valid Accounts: Local Accounts | 5 | Add a new/existing user to the admin group using dseditgroup utility - macOS | 433842ba-e796-4fd5-a14f-95d3a1970875 | bash |
| 1441 | persistence | T1078.003 | Valid Accounts: Local Accounts | 6 | WinPwn - Loot local Credentials - powerhell kittie | 9e9fd066-453d-442f-88c1-ad7911d32912 | powershell |
| 1442 | persistence | T1078.003 | Valid Accounts: Local Accounts | 7 | WinPwn - Loot local Credentials - Safetykatz | e9fdb899-a980-4ba4-934b-486ad22e22f4 | powershell |
| 1443 | persistence | T1078.003 | Valid Accounts: Local Accounts | 8 | Create local account (Linux) | 02a91c34-8a5b-4bed-87af-501103eb5357 | bash |
| 1444 | persistence | T1078.003 | Valid Accounts: Local Accounts | 9 | Reactivate a locked/expired account (Linux) | d2b95631-62d7-45a3-aaef-0972cea97931 | bash |
| 1445 | persistence | T1078.003 | Valid Accounts: Local Accounts | 10 | Reactivate a locked/expired account (FreeBSD) | 09e3380a-fae5-4255-8b19-9950be0252cf | sh |
| 1446 | persistence | T1078.003 | Valid Accounts: Local Accounts | 11 | Login as nobody (Linux) | 3d2cd093-ee05-41bd-a802-59ee5c301b85 | bash |
| 1447 | persistence | T1078.003 | Valid Accounts: Local Accounts | 12 | Login as nobody (freebsd) | 16f6374f-7600-459a-9b16-6a88fd96d310 | sh |
| 1448 | persistence | T1078.003 | Valid Accounts: Local Accounts | 13 | Use PsExec to elevate to NT Authority\SYSTEM account | 6904235f-0f55-4039-8aed-41c300ff7733 | command_prompt |
| 1449 | persistence | T1574.012 | Hijack Execution Flow: COR_PROFILER | 1 | User scope COR_PROFILER | 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a | powershell |
| 1450 | persistence | T1574.012 | Hijack Execution Flow: COR_PROFILER | 2 | System Scope COR_PROFILER | f373b482-48c8-4ce4-85ed-d40c8b3f7310 | powershell |
| 1451 | persistence | T1574.012 | Hijack Execution Flow: COR_PROFILER | 3 | Registry-free process scope COR_PROFILER | 79d57242-bbef-41db-b301-9d01d9f6e817 | powershell |
| 1452 | command-and-control | T1132.001 | Data Encoding: Standard Encoding | 1 | Base64 Encoded data. | 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 | sh |
| 1453 | command-and-control | T1132.001 | Data Encoding: Standard Encoding | 2 | Base64 Encoded data (freebsd) | 2d97c626-7652-449e-a986-b02d9051c298 | sh |
| 1454 | command-and-control | T1132.001 | Data Encoding: Standard Encoding | 3 | XOR Encoded data. | c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08 | powershell |
| 1455 | command-and-control | T1071.004 | Application Layer Protocol: DNS | 1 | DNS Large Query Volume | 1700f5d6-5a44-487b-84de-bc66f507b0a6 | powershell |
| 1456 | command-and-control | T1071.004 | Application Layer Protocol: DNS | 2 | DNS Regular Beaconing | 3efc144e-1af8-46bb-8ca2-1376bb6db8b6 | powershell |
| 1457 | command-and-control | T1071.004 | Application Layer Protocol: DNS | 3 | DNS Long Domain Query | fef31710-223a-40ee-8462-a396d6b66978 | powershell |
| 1458 | command-and-control | T1071.004 | Application Layer Protocol: DNS | 4 | DNS C2 | e7bf9802-2e78-4db9-93b5-181b7bcd37d7 | powershell |
| 1459 | command-and-control | T1071 | Application Layer Protocol | 1 | Telnet C2 | 3b0df731-030c-4768-b492-2a3216d90e53 | powershell |
| 1460 | command-and-control | T1219 | Remote Access Software | 1 | TeamViewer Files Detected Test on Windows | 8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0 | powershell |
| 1461 | command-and-control | T1219 | Remote Access Software | 2 | AnyDesk Files Detected Test on Windows | 6b8b7391-5c0a-4f8c-baee-78d8ce0ce330 | powershell |
| 1462 | command-and-control | T1219 | Remote Access Software | 3 | LogMeIn Files Detected Test on Windows | d03683ec-aae0-42f9-9b4c-534780e0f8e1 | powershell |
| 1463 | command-and-control | T1219 | Remote Access Software | 4 | GoToAssist Files Detected Test on Windows | 1b72b3bd-72f8-4b63-a30b-84e91b9c3578 | powershell |
| 1464 | command-and-control | T1219 | Remote Access Software | 5 | ScreenConnect Application Download and Install on Windows | 4a18cc4e-416f-4966-9a9d-75731c4684c0 | powershell |
| 1465 | command-and-control | T1219 | Remote Access Software | 6 | Ammyy Admin Software Execution | 0ae9e327-3251-465a-a53b-485d4e3f58fa | powershell |
| 1466 | command-and-control | T1219 | Remote Access Software | 7 | RemotePC Software Execution | fbff3f1f-b0bf-448e-840f-7e1687affdce | powershell |
| 1467 | command-and-control | T1219 | Remote Access Software | 8 | NetSupport - RAT Execution | ecca999b-e0c8-40e8-8416-ad320b146a75 | powershell |
| 1468 | command-and-control | T1219 | Remote Access Software | 9 | UltraViewer - RAT Execution | 19acf63b-55c4-4b6a-8552-00a8865105c8 | powershell |
| 1469 | command-and-control | T1219 | Remote Access Software | 10 | UltraVNC Execution | 42e51815-a6cc-4c75-b970-3f0ff54b610e | powershell |
| 1470 | command-and-control | T1219 | Remote Access Software | 11 | MSP360 Connect Execution | b1b8128b-c5d4-4de9-bf70-e60419274562 | powershell |
| 1471 | command-and-control | T1219 | Remote Access Software | 12 | RustDesk Files Detected Test on Windows | f1641ba9-919a-4323-b74f-33372333bf0e | powershell |
| 1472 | command-and-control | T1219 | Remote Access Software | 13 | Splashtop Execution | b025c580-029e-4023-888d-a42710d76934 | powershell |
| 1473 | command-and-control | T1219 | Remote Access Software | 14 | Splashtop Streamer Execution | 3e1858ee-3550-401c-86ec-5e70ed79295b | powershell |
| 1474 | command-and-control | T1219 | Remote Access Software | 15 | Microsoft App Quick Assist Execution | 1aea6d15-70f1-4b4e-8b02-397b5d5ffe75 | powershell |
| 1475 | command-and-control | T1572 | Protocol Tunneling | 1 | DNS over HTTPS Large Query Volume | ae9ef4b0-d8c1-49d4-8758-06206f19af0a | powershell |
| 1476 | command-and-control | T1572 | Protocol Tunneling | 2 | DNS over HTTPS Regular Beaconing | 0c5f9705-c575-42a6-9609-cbbff4b2fc9b | powershell |
| 1477 | command-and-control | T1572 | Protocol Tunneling | 3 | DNS over HTTPS Long Domain Query | 748a73d5-cea4-4f34-84d8-839da5baa99c | powershell |
| 1478 | command-and-control | T1572 | Protocol Tunneling | 4 | run ngrok | 4cdc9fc7-53fb-4894-9f0c-64836943ea60 | powershell |
| 1479 | command-and-control | T1572 | Protocol Tunneling | 5 | Microsoft Dev tunnels (Linux/macOS) | 9f94a112-1ce2-464d-a63b-83c1f465f801 | bash |
| 1480 | command-and-control | T1572 | Protocol Tunneling | 6 | VSCode tunnels (Linux/macOS) | b877943f-0377-44f4-8477-f79db7f07c4d | sh |
| 1481 | command-and-control | T1572 | Protocol Tunneling | 7 | Cloudflare tunnels (Linux/macOS) | 228c336a-2f79-4043-8aef-bfa453a611d5 | sh |
| 1482 | command-and-control | T1090.003 | Proxy: Multi-hop Proxy | 1 | Psiphon | 14d55ca0-920e-4b44-8425-37eedd72b173 | powershell |
| 1483 | command-and-control | T1090.003 | Proxy: Multi-hop Proxy | 2 | Tor Proxy Usage - Windows | 7b9d85e5-c4ce-4434-8060-d3de83595e69 | powershell |
| 1484 | command-and-control | T1090.003 | Proxy: Multi-hop Proxy | 3 | Tor Proxy Usage - Debian/Ubuntu/FreeBSD | 5ff9d047-6e9c-4357-b39b-5cf89d9b59c7 | sh |
| 1485 | command-and-control | T1090.003 | Proxy: Multi-hop Proxy | 4 | Tor Proxy Usage - MacOS | 12631354-fdbc-4164-92be-402527e748da | sh |
| 1486 | command-and-control | T1571 | Non-Standard Port | 1 | Testing usage of uncommonly used port with PowerShell | 21fe622f-8e53-4b31-ba83-6d333c2583f4 | powershell |
| 1487 | command-and-control | T1571 | Non-Standard Port | 2 | Testing usage of uncommonly used port | 5db21e1d-dd9c-4a50-b885-b1e748912767 | sh |
| 1488 | command-and-control | T1573 | Encrypted Channel | 1 | OpenSSL C2 | 21caf58e-87ad-440c-a6b8-3ac259964003 | powershell |
| 1489 | command-and-control | T1095 | Non-Application Layer Protocol | 1 | ICMP C2 | 0268e63c-e244-42db-bef7-72a9e59fc1fc | powershell |
| 1490 | command-and-control | T1095 | Non-Application Layer Protocol | 2 | Netcat C2 | bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37 | powershell |
| 1491 | command-and-control | T1095 | Non-Application Layer Protocol | 3 | Powercat C2 | 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e | powershell |
| 1492 | command-and-control | T1095 | Non-Application Layer Protocol | 4 | Linux ICMP Reverse Shell using icmp-cnc | 8e139e1f-1f3a-4be7-901d-afae9738c064 | manual |
| 1493 | command-and-control | T1071.001 | Application Layer Protocol: Web Protocols | 1 | Malicious User Agents - Powershell | 81c13829-f6c9-45b8-85a6-053366d55297 | powershell |
| 1494 | command-and-control | T1071.001 | Application Layer Protocol: Web Protocols | 2 | Malicious User Agents - CMD | dc3488b0-08c7-4fea-b585-905c83b48180 | command_prompt |
| 1495 | command-and-control | T1071.001 | Application Layer Protocol: Web Protocols | 3 | Malicious User Agents - Nix | 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 | sh |
| 1496 | command-and-control | T1105 | Ingress Tool Transfer | 1 | rsync remote file copy (push) | 0fc6e977-cb12-44f6-b263-2824ba917409 | sh |
| 1497 | command-and-control | T1105 | Ingress Tool Transfer | 2 | rsync remote file copy (pull) | 3180f7d5-52c0-4493-9ea0-e3431a84773f | sh |
| 1498 | command-and-control | T1105 | Ingress Tool Transfer | 3 | scp remote file copy (push) | 83a49600-222b-4866-80a0-37736ad29344 | sh |
| 1499 | command-and-control | T1105 | Ingress Tool Transfer | 4 | scp remote file copy (pull) | b9d22b9a-9778-4426-abf0-568ea64e9c33 | sh |
| 1500 | command-and-control | T1105 | Ingress Tool Transfer | 5 | sftp remote file copy (push) | f564c297-7978-4aa9-b37a-d90477feea4e | bash |
| 1501 | command-and-control | T1105 | Ingress Tool Transfer | 6 | sftp remote file copy (pull) | 0139dba1-f391-405e-a4f5-f3989f2c88ef | sh |
| 1502 | command-and-control | T1105 | Ingress Tool Transfer | 7 | certutil download (urlcache) | dd3b61dd-7bbc-48cd-ab51-49ad1a776df0 | command_prompt |
| 1503 | command-and-control | T1105 | Ingress Tool Transfer | 8 | certutil download (verifyctl) | ffd492e3-0455-4518-9fb1-46527c9f241b | powershell |
| 1504 | command-and-control | T1105 | Ingress Tool Transfer | 9 | Windows - BITSAdmin BITS Download | a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b | command_prompt |
| 1505 | command-and-control | T1105 | Ingress Tool Transfer | 10 | Windows - PowerShell Download | 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8 | powershell |
| 1506 | command-and-control | T1105 | Ingress Tool Transfer | 11 | OSTAP Worming Activity | 2ca61766-b456-4fcf-a35a-1233685e1cad | command_prompt |
| 1507 | command-and-control | T1105 | Ingress Tool Transfer | 12 | svchost writing a file to a UNC path | fa5a2759-41d7-4e13-a19c-e8f28a53566f | command_prompt |
| 1508 | command-and-control | T1105 | Ingress Tool Transfer | 13 | Download a File with Windows Defender MpCmdRun.exe | 815bef8b-bf91-4b67-be4c-abe4c2a94ccc | command_prompt |
| 1509 | command-and-control | T1105 | Ingress Tool Transfer | 14 | whois file download | c99a829f-0bb8-4187-b2c6-d47d1df74cab | sh |
| 1510 | command-and-control | T1105 | Ingress Tool Transfer | 15 | File Download via PowerShell | 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 | powershell |
| 1511 | command-and-control | T1105 | Ingress Tool Transfer | 16 | File download with finger.exe on Windows | 5f507e45-8411-4f99-84e7-e38530c45d01 | command_prompt |
| 1512 | command-and-control | T1105 | Ingress Tool Transfer | 17 | Download a file with IMEWDBLD.exe | 1a02df58-09af-4064-a765-0babe1a0d1e2 | powershell |
| 1513 | command-and-control | T1105 | Ingress Tool Transfer | 18 | Curl Download File | 2b080b99-0deb-4d51-af0f-833d37c4ca6a | command_prompt |
| 1514 | command-and-control | T1105 | Ingress Tool Transfer | 19 | Curl Upload File | 635c9a38-6cbf-47dc-8615-3810bc1167cf | command_prompt |
| 1515 | command-and-control | T1105 | Ingress Tool Transfer | 20 | Download a file with Microsoft Connection Manager Auto-Download | d239772b-88e2-4a2e-8473-897503401bcc | command_prompt |
| 1516 | command-and-control | T1105 | Ingress Tool Transfer | 21 | MAZE Propagation Script | 70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf | powershell |
| 1517 | command-and-control | T1105 | Ingress Tool Transfer | 22 | Printer Migration Command-Line Tool UNC share folder into a zip file | 49845fc1-7961-4590-a0f0-3dbcf065ae7e | command_prompt |
| 1518 | command-and-control | T1105 | Ingress Tool Transfer | 23 | Lolbas replace.exe use to copy file | 54782d65-12f0-47a5-b4c1-b70ee23de6df | command_prompt |
| 1519 | command-and-control | T1105 | Ingress Tool Transfer | 24 | Lolbas replace.exe use to copy UNC file | ed0335ac-0354-400c-8148-f6151d20035a | command_prompt |
| 1520 | command-and-control | T1105 | Ingress Tool Transfer | 25 | certreq download | 6fdaae87-c05b-42f8-842e-991a74e8376b | command_prompt |
| 1521 | command-and-control | T1105 | Ingress Tool Transfer | 26 | Download a file using wscript | 97116a3f-efac-4b26-8336-b9cb18c45188 | command_prompt |
| 1522 | command-and-control | T1105 | Ingress Tool Transfer | 27 | Linux Download File and Run | bdc373c5-e9cf-4563-8a7b-a9ba720a90f3 | sh |
| 1523 | command-and-control | T1105 | Ingress Tool Transfer | 28 | Nimgrab - Transfer Files | b1729c57-9384-4d1c-9b99-9b220afb384e | command_prompt |
| 1524 | command-and-control | T1105 | Ingress Tool Transfer | 29 | iwr or Invoke Web-Request download | c01cad7f-7a4c-49df-985e-b190dcf6a279 | command_prompt |
| 1525 | command-and-control | T1105 | Ingress Tool Transfer | 30 | Arbitrary file download using the Notepad++ GUP.exe binary | 66ee226e-64cb-4dae-80e3-5bf5763e4a51 | command_prompt |
| 1526 | command-and-control | T1105 | Ingress Tool Transfer | 31 | File download via nscurl | 5bcefe5f-3f30-4f1c-a61a-8d7db3f4450c | sh |
| 1527 | command-and-control | T1105 | Ingress Tool Transfer | 32 | File Download with Sqlcmd.exe | 6934c16e-0b3a-4e7f-ab8c-c414acd32181 | powershell |
| 1528 | command-and-control | T1105 | Ingress Tool Transfer | 33 | Remote File Copy using PSCP | c82b1e60-c549-406f-9b00-0a8ae31c9cfe | command_prompt |
| 1529 | command-and-control | T1105 | Ingress Tool Transfer | 34 | Windows push file using scp.exe | 2a4b0d29-e5dd-4b66-b729-07423ba1cd9d | powershell |
| 1530 | command-and-control | T1105 | Ingress Tool Transfer | 35 | Windows pull file using scp.exe | 401667dc-05a6-4da0-a2a7-acfe4819559c | powershell |
| 1531 | command-and-control | T1105 | Ingress Tool Transfer | 36 | Windows push file using sftp.exe | 205e676e-0401-4bae-83a5-94b8c5daeb22 | powershell |
| 1532 | command-and-control | T1105 | Ingress Tool Transfer | 37 | Windows pull file using sftp.exe | 3d25f1f2-55cb-4a41-a523-d17ad4cfba19 | powershell |
| 1533 | command-and-control | T1105 | Ingress Tool Transfer | 38 | Download a file with OneDrive Standalone Updater | 3dd6a6cf-9c78-462c-bd75-e9b54fc8925b | powershell |
| 1534 | command-and-control | T1105 | Ingress Tool Transfer | 39 | Curl Insecure Connection from a Pod | 7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3 | bash |
| 1535 | command-and-control | T1001.002 | Data Obfuscation via Steganography | 1 | Steganographic Tarball Embedding | c7921449-8b62-4c4d-8a83-d9281ac0190b | powershell |
| 1536 | command-and-control | T1001.002 | Data Obfuscation via Steganography | 2 | Embedded Script in Image Execution via Extract-Invoke-PSImage | 04bb8e3d-1670-46ab-a3f1-5cee64da29b6 | powershell |
| 1537 | command-and-control | T1001.002 | Data Obfuscation via Steganography | 3 | Execute Embedded Script in Image via Steganography | 4ff61684-ad91-405c-9fbc-048354ff1d07 | sh |
| 1538 | command-and-control | T1090.001 | Proxy: Internal Proxy | 1 | Connection Proxy | 0ac21132-4485-4212-a681-349e8a6637cd | sh |
| 1539 | command-and-control | T1090.001 | Proxy: Internal Proxy | 2 | Connection Proxy for macOS UI | 648d68c1-8bcd-4486-9abe-71c6655b6a2c | sh |
| 1540 | command-and-control | T1090.001 | Proxy: Internal Proxy | 3 | portproxy reg key | b8223ea9-4be2-44a6-b50a-9657a3d4e72a | powershell |
| 1541 | collection | T1560.001 | Archive Collected Data: Archive via Utility | 1 | Compress Data for Exfiltration With Rar | 02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0 | command_prompt |
| 1542 | collection | T1560.001 | Archive Collected Data: Archive via Utility | 2 | Compress Data and lock with password for Exfiltration with winrar | 8dd61a55-44c6-43cc-af0c-8bdda276860c | command_prompt |
| 1543 | collection | T1560.001 | Archive Collected Data: Archive via Utility | 3 | Compress Data and lock with password for Exfiltration with winzip | 01df0353-d531-408d-a0c5-3161bf822134 | command_prompt |
| 1544 | collection | T1560.001 | Archive Collected Data: Archive via Utility | 4 | Compress Data and lock with password for Exfiltration with 7zip | d1334303-59cb-4a03-8313-b3e24d02c198 | command_prompt |
| 1545 | collection | T1560.001 | Archive Collected Data: Archive via Utility | 5 | Data Compressed - nix - zip | c51cec55-28dd-4ad2-9461-1eacbc82c3a0 | bash |
| 1546 | collection | T1560.001 | Archive Collected Data: Archive via Utility | 6 | Data Compressed - nix - gzip Single File | cde3c2af-3485-49eb-9c1f-0ed60e9cc0af | sh |
| 1547 | collection | T1560.001 | Archive Collected Data: Archive via Utility | 7 | Data Compressed - nix - tar Folder or File | 7af2b51e-ad1c-498c-aca8-d3290c19535a | sh |
| 1548 | collection | T1560.001 | Archive Collected Data: Archive via Utility | 8 | Data Encrypted with zip and gpg symmetric | 0286eb44-e7ce-41a0-b109-3da516e05a5f | sh |
| 1549 | collection | T1560.001 | Archive Collected Data: Archive via Utility | 9 | Encrypts collected data with AES-256 and Base64 | a743e3a6-e8b2-4a30-abe7-ca85d201b5d3 | bash |
| 1550 | collection | T1560.001 | Archive Collected Data: Archive via Utility | 10 | ESXi - Remove Syslog remote IP | 36c62584-d360-41d6-886f-d194654be7c2 | powershell |
| 1551 | collection | T1560.001 | Archive Collected Data: Archive via Utility | 11 | Compress a File for Exfiltration using Makecab | 2a7bc405-9555-4f49-ace2-b2ae2941d629 | command_prompt |
| 1552 | collection | T1560.001 | Archive Collected Data: Archive via Utility | 12 | Copy and Compress AppData Folder | 05e8942e-f04f-460a-b560-f7781257feec | powershell |
| 1553 | collection | T1113 | Screen Capture | 1 | Screencapture | 0f47ceb1-720f-4275-96b8-21f0562217ac | bash |
| 1554 | collection | T1113 | Screen Capture | 2 | Screencapture (silent) | deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 | bash |
| 1555 | collection | T1113 | Screen Capture | 3 | X Windows Capture | 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac | bash |
| 1556 | collection | T1113 | Screen Capture | 4 | X Windows Capture (freebsd) | 562f3bc2-74e8-46c5-95c7-0e01f9ccc65c | sh |
| 1557 | collection | T1113 | Screen Capture | 5 | Capture Linux Desktop using Import Tool | 9cd1cccb-91e4-4550-9139-e20a586fcea1 | bash |
| 1558 | collection | T1113 | Screen Capture | 6 | Capture Linux Desktop using Import Tool (freebsd) | 18397d87-38aa-4443-a098-8a48a8ca5d8d | sh |
| 1559 | collection | T1113 | Screen Capture | 7 | Windows Screencapture | 3c898f62-626c-47d5-aad2-6de873d69153 | powershell |
| 1560 | collection | T1113 | Screen Capture | 8 | Windows Screen Capture (CopyFromScreen) | e9313014-985a-48ef-80d9-cde604ffc187 | powershell |
| 1561 | collection | T1113 | Screen Capture | 9 | Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted | 5a496325-0115-4274-8eb9-755b649ad0fb | powershell |
| 1562 | collection | T1056.001 | Input Capture: Keylogging | 1 | Input Capture | d9b633ca-8efb-45e6-b838-70f595c6ae26 | powershell |
| 1563 | collection | T1056.001 | Input Capture: Keylogging | 2 | Living off the land Terminal Input Capture on Linux with pam.d | 9c6bdb34-a89f-4b90-acb1-5970614c711b | sh |
| 1564 | collection | T1056.001 | Input Capture: Keylogging | 3 | Logging bash history to syslog | 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 | sh |
| 1565 | collection | T1056.001 | Input Capture: Keylogging | 4 | Logging sh history to syslog/messages | b04284dc-3bd9-4840-8d21-61b8d31c99f2 | sh |
| 1566 | collection | T1056.001 | Input Capture: Keylogging | 5 | Bash session based keylogger | 7f85a946-a0ea-48aa-b6ac-8ff539278258 | bash |
| 1567 | collection | T1056.001 | Input Capture: Keylogging | 6 | SSHD PAM keylogger | 81d7d2ad-d644-4b6a-bea7-28ffe43becca | sh |
| 1568 | collection | T1056.001 | Input Capture: Keylogging | 7 | Auditd keylogger | a668edb9-334e-48eb-8c2e-5413a40867af | sh |
| 1569 | collection | T1056.001 | Input Capture: Keylogging | 8 | MacOS Swift Keylogger | aee3a097-4c5c-4fff-bbd3-0a705867ae29 | bash |
| 1570 | collection | T1123 | Audio Capture | 1 | using device audio capture commandlet | 9c3ad250-b185-4444-b5a9-d69218a10c95 | powershell |
| 1571 | collection | T1123 | Audio Capture | 2 | Registry artefact when application use microphone | 7a21cce2-6ada-4f7c-afd9-e1e9c481e44a | command_prompt |
| 1572 | collection | T1123 | Audio Capture | 3 | using Quicktime Player | c7a0bb71-70ce-4a53-b115-881f241b795b | sh |
| 1573 | collection | T1025 | Data from Removable Media | 1 | Identify Documents on USB and Removable Media via PowerShell | 0b29f7e3-a050-44b7-bf05-9fb86af1ec2e | command_prompt |
| 1574 | collection | T1074.001 | Data Staged: Local Data Staging | 1 | Stage data from Discovery.bat | 107706a5-6f9f-451a-adae-bab8c667829f | powershell |
| 1575 | collection | T1074.001 | Data Staged: Local Data Staging | 2 | Stage data from Discovery.sh | 39ce0303-ae16-4b9e-bb5b-4f53e8262066 | sh |
| 1576 | collection | T1074.001 | Data Staged: Local Data Staging | 3 | Zip a Folder with PowerShell for Staging in Temp | a57fbe4b-3440-452a-88a7-943531ac872a | powershell |
| 1577 | collection | T1114.001 | Email Collection: Local Email Collection | 1 | Email Collection with PowerShell Get-Inbox | 3f1b5096-0139-4736-9b78-19bcb02bb1cb | powershell |
| 1578 | collection | T1119 | Automated Collection | 1 | Automated Collection Command Prompt | cb379146-53f1-43e0-b884-7ce2c635ff5b | command_prompt |
| 1579 | collection | T1119 | Automated Collection | 2 | Automated Collection PowerShell | 634bd9b9-dc83-4229-b19f-7f83ba9ad313 | powershell |
| 1580 | collection | T1119 | Automated Collection | 3 | Recon information for export with PowerShell | c3f6d794-50dd-482f-b640-0384fbb7db26 | powershell |
| 1581 | collection | T1119 | Automated Collection | 4 | Recon information for export with Command Prompt | aa1180e2-f329-4e1e-8625-2472ec0bfaf3 | command_prompt |
| 1582 | collection | T1115 | Clipboard Data | 1 | Utilize Clipboard to store or execute commands from | 0cd14633-58d4-4422-9ede-daa2c9474ae7 | command_prompt |
| 1583 | collection | T1115 | Clipboard Data | 2 | Execute Commands from Clipboard using PowerShell | d6dc21af-bec9-4152-be86-326b6babd416 | powershell |
| 1584 | collection | T1115 | Clipboard Data | 3 | Execute commands from clipboard | 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff | bash |
| 1585 | collection | T1115 | Clipboard Data | 4 | Collect Clipboard Data via VBA | 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52 | powershell |
| 1586 | collection | T1115 | Clipboard Data | 5 | Add or copy content to clipboard with xClip | ee363e53-b083-4230-aff3-f8d955f2d5bb | sh |
| 1587 | collection | T1530 | Data from Cloud Storage Object | 1 | AWS - Scan for Anonymous Access to S3 | 979356b9-b588-4e49-bba4-c35517c484f5 | sh |
| 1588 | collection | T1530 | Data from Cloud Storage Object | 2 | Azure - Dump Azure Storage Account Objects via Azure CLI | 67374845-b4c8-4204-adcc-9b217b65d4f1 | powershell |
| 1589 | collection | T1005 | Data from Local System | 1 | Search files of interest and save them to a single zip file (Windows) | d3d9af44-b8ad-4375-8b0a-4bff4b7e419c | powershell |
| 1590 | collection | T1005 | Data from Local System | 2 | Find and dump sqlite databases (Linux) | 00cbb875-7ae4-4cf1-b638-e543fd825300 | bash |
| 1591 | collection | T1005 | Data from Local System | 3 | Copy Apple Notes database files using AppleScript | cfb6d400-a269-4c06-a347-6d88d584d5f7 | sh |
| 1592 | collection | T1560.002 | Archive Collected Data: Archive via Library | 1 | Compressing data using GZip in Python (FreeBSD/Linux) | 391f5298-b12d-4636-8482-35d9c17d53a8 | sh |
| 1593 | collection | T1560.002 | Archive Collected Data: Archive via Library | 2 | Compressing data using bz2 in Python (FreeBSD/Linux) | c75612b2-9de0-4d7c-879c-10d7b077072d | sh |
| 1594 | collection | T1560.002 | Archive Collected Data: Archive via Library | 3 | Compressing data using zipfile in Python (FreeBSD/Linux) | 001a042b-859f-44d9-bf81-fd1c4e2200b0 | sh |
| 1595 | collection | T1560.002 | Archive Collected Data: Archive via Library | 4 | Compressing data using tarfile in Python (FreeBSD/Linux) | e86f1b4b-fcc1-4a2a-ae10-b49da01458db | sh |
| 1596 | collection | T1560 | Archive Collected Data | 1 | Compress Data for Exfiltration With PowerShell | 41410c60-614d-4b9d-b66e-b0192dd9c597 | powershell |
| 1597 | collection | T1557.001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | 1 | LLMNR Poisoning with Inveigh (PowerShell) | deecd55f-afe0-4a62-9fba-4d1ba2deb321 | powershell |
| 1598 | collection | T1125 | Video Capture | 1 | Registry artefact when application use webcam | 6581e4a7-42e3-43c5-a0d2-5a0d62f9702a | command_prompt |
| 1599 | collection | T1114.003 | Email Collection: Email Forwarding Rule | 1 | Office365 - Email Forwarding | 3234117e-151d-4254-9150-3d0bac41e38c | powershell |
| 1600 | collection | T1056.002 | Input Capture: GUI Input Capture | 1 | AppleScript - Prompt User for Password | 76628574-0bc1-4646-8fe2-8f4427b47d15 | bash |
| 1601 | collection | T1056.002 | Input Capture: GUI Input Capture | 2 | PowerShell - Prompt User for Password | 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 | powershell |
| 1602 | collection | T1056.002 | Input Capture: GUI Input Capture | 3 | AppleScript - Spoofing a credential prompt using osascript | b7037b89-947a-427a-ba29-e7e9f09bc045 | bash |
| 1603 | collection | T1039 | Data from Network Shared Drive | 1 | Copy a sensitive File over Administrative share with copy | 6ed67921-1774-44ba-bac6-adb51ed60660 | command_prompt |
| 1604 | collection | T1039 | Data from Network Shared Drive | 2 | Copy a sensitive File over Administrative share with Powershell | 7762e120-5879-44ff-97f8-008b401b9a98 | powershell |
| 1605 | collection | T1114.002 | Email Collection: Remote Email Collection | 1 | Office365 - Remote Mail Collected | 36657d95-d9d6-4fbf-8a31-f4085607bafd | powershell |
| 1606 | collection | T1056.004 | Input Capture: Credential API Hooking | 1 | Hook PowerShell TLS Encrypt/Decrypt Messages | de1934ea-1fbf-425b-8795-65fb27dd7e33 | powershell |
| 1607 | lateral-movement | T1021.005 | Remote Services:VNC | 1 | Enable Apple Remote Desktop Agent | 8a930abe-841c-4d4f-a877-72e9fe90b9ea | sh |
| 1608 | lateral-movement | T1021.004 | Remote Services: SSH | 1 | ESXi - Enable SSH via PowerCLI | 8f6c14d1-f13d-4616-b7fc-98cc69fe56ec | powershell |
| 1609 | lateral-movement | T1021.004 | Remote Services: SSH | 2 | ESXi - Enable SSH via VIM-CMD | 280812c8-4dae-43e9-a74e-1d08ab997c0e | command_prompt |
| 1610 | lateral-movement | T1091 | Replication Through Removable Media | 1 | USB Malware Spread Simulation | d44b7297-622c-4be8-ad88-ec40d7563c75 | powershell |
| 1611 | lateral-movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | 1 | Map admin share | 3386975b-367a-4fbb-9d77-4dcf3639ffd3 | command_prompt |
| 1612 | lateral-movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | 2 | Map Admin Share PowerShell | 514e9cd7-9207-4882-98b1-c8f791bae3c5 | powershell |
| 1613 | lateral-movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | 3 | Copy and Execute File with PsExec | 0eb03d41-79e4-4393-8e57-6344856be1cf | command_prompt |
| 1614 | lateral-movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | 4 | Execute command writing output to local Admin Share | d41aaab5-bdfe-431d-a3d5-c29e9136ff46 | command_prompt |
| 1615 | lateral-movement | T1021.006 | Remote Services: Windows Remote Management | 1 | Enable Windows Remote Management | 9059e8de-3d7d-4954-a322-46161880b9cf | powershell |
| 1616 | lateral-movement | T1021.006 | Remote Services: Windows Remote Management | 2 | Remote Code Execution with PS Credentials Using Invoke-Command | 5295bd61-bd7e-4744-9d52-85962a4cf2d6 | powershell |
| 1617 | lateral-movement | T1021.006 | Remote Services: Windows Remote Management | 3 | WinRM Access with Evil-WinRM | efe86d95-44c4-4509-ae42-7bfd9d1f5b3d | powershell |
| 1618 | lateral-movement | T1021.003 | Remote Services: Distributed Component Object Model | 1 | PowerShell Lateral Movement using MMC20 | 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673 | powershell |
| 1619 | lateral-movement | T1021.003 | Remote Services: Distributed Component Object Model | 2 | PowerShell Lateral Movement Using Excel Application Object | 505f24be-1c11-4694-b614-e01ae1cd2570 | powershell |
| 1620 | lateral-movement | T1550.003 | Use Alternate Authentication Material: Pass the Ticket | 1 | Mimikatz Kerberos Ticket Attack | dbf38128-7ba7-4776-bedf-cc2eed432098 | command_prompt |
| 1621 | lateral-movement | T1550.003 | Use Alternate Authentication Material: Pass the Ticket | 2 | Rubeus Kerberos Pass The Ticket | a2fc4ec5-12c6-4fb4-b661-961f23f359cb | powershell |
| 1622 | lateral-movement | T1072 | Software Deployment Tools | 1 | Radmin Viewer Utility | b4988cad-6ed2-434d-ace5-ea2670782129 | command_prompt |
| 1623 | lateral-movement | T1072 | Software Deployment Tools | 2 | PDQ Deploy RAT | e447b83b-a698-4feb-bed1-a7aaf45c3443 | command_prompt |
| 1624 | lateral-movement | T1072 | Software Deployment Tools | 3 | Deploy 7-Zip Using Chocolatey | 2169e8b0-2ee7-44cb-8a6e-d816a5db7d8a | powershell |
| 1625 | lateral-movement | T1570 | Lateral Tool Transfer | 1 | Exfiltration Over SMB over QUIC (New-SmbMapping) | d8d13303-159e-4f33-89f4-9f07812d016f | powershell |
| 1626 | lateral-movement | T1570 | Lateral Tool Transfer | 2 | Exfiltration Over SMB over QUIC (NET USE) | 183235ca-8e6c-422c-88c2-3aa28c4825d9 | powershell |
| 1627 | lateral-movement | T1563.002 | Remote Service Session Hijacking: RDP Hijacking | 1 | RDP hijacking | a37ac520-b911-458e-8aed-c5f1576d9f46 | command_prompt |
| 1628 | lateral-movement | T1550.002 | Use Alternate Authentication Material: Pass the Hash | 1 | Mimikatz Pass the Hash | ec23cef9-27d9-46e4-a68d-6f75f7b86908 | command_prompt |
| 1629 | lateral-movement | T1550.002 | Use Alternate Authentication Material: Pass the Hash | 2 | crackmapexec Pass the Hash | eb05b028-16c8-4ad8-adea-6f5b219da9a9 | command_prompt |
| 1630 | lateral-movement | T1550.002 | Use Alternate Authentication Material: Pass the Hash | 3 | Invoke-WMIExec Pass the Hash | f8757545-b00a-4e4e-8cfb-8cfb961ee713 | powershell |
| 1631 | lateral-movement | T1021.001 | Remote Services: Remote Desktop Protocol | 1 | RDP to DomainController | 355d4632-8cb9-449d-91ce-b566d0253d3e | powershell |
| 1632 | lateral-movement | T1021.001 | Remote Services: Remote Desktop Protocol | 2 | Changing RDP Port to Non Standard Port via Powershell | 2f840dd4-8a2e-4f44-beb3-6b2399ea3771 | powershell |
| 1633 | lateral-movement | T1021.001 | Remote Services: Remote Desktop Protocol | 3 | Changing RDP Port to Non Standard Port via Command_Prompt | 74ace21e-a31c-4f7d-b540-53e4eb6d1f73 | command_prompt |
| 1634 | lateral-movement | T1021.001 | Remote Services: Remote Desktop Protocol | 4 | Disable NLA for RDP via Command Prompt | 01d1c6c0-faf0-408e-b368-752a02285cb2 | command_prompt |
| 1635 | credential-access | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules | 1 | Malicious PAM rule | 4b9dde80-ae22-44b1-a82a-644bf009eb9c | sh |
| 1636 | credential-access | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules | 2 | Malicious PAM rule (freebsd) | b17eacac-282d-4ca8-a240-46602cf863e3 | sh |
| 1637 | credential-access | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules | 3 | Malicious PAM module | 65208808-3125-4a2e-8389-a0a00e9ab326 | sh |
| 1638 | credential-access | T1056.001 | Input Capture: Keylogging | 1 | Input Capture | d9b633ca-8efb-45e6-b838-70f595c6ae26 | powershell |
| 1639 | credential-access | T1056.001 | Input Capture: Keylogging | 2 | Living off the land Terminal Input Capture on Linux with pam.d | 9c6bdb34-a89f-4b90-acb1-5970614c711b | sh |
| 1640 | credential-access | T1056.001 | Input Capture: Keylogging | 3 | Logging bash history to syslog | 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 | sh |
| 1641 | credential-access | T1056.001 | Input Capture: Keylogging | 4 | Logging sh history to syslog/messages | b04284dc-3bd9-4840-8d21-61b8d31c99f2 | sh |
| 1642 | credential-access | T1056.001 | Input Capture: Keylogging | 5 | Bash session based keylogger | 7f85a946-a0ea-48aa-b6ac-8ff539278258 | bash |
| 1643 | credential-access | T1056.001 | Input Capture: Keylogging | 6 | SSHD PAM keylogger | 81d7d2ad-d644-4b6a-bea7-28ffe43becca | sh |
| 1644 | credential-access | T1056.001 | Input Capture: Keylogging | 7 | Auditd keylogger | a668edb9-334e-48eb-8c2e-5413a40867af | sh |
| 1645 | credential-access | T1056.001 | Input Capture: Keylogging | 8 | MacOS Swift Keylogger | aee3a097-4c5c-4fff-bbd3-0a705867ae29 | bash |
| 1646 | credential-access | T1110.001 | Brute Force: Password Guessing | 1 | Brute Force Credentials of single Active Directory domain users via SMB | 09480053-2f98-4854-be6e-71ae5f672224 | command_prompt |
| 1647 | credential-access | T1110.001 | Brute Force: Password Guessing | 2 | Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) | c2969434-672b-4ec8-8df0-bbb91f40e250 | powershell |
| 1648 | credential-access | T1110.001 | Brute Force: Password Guessing | 3 | Brute Force Credentials of single Azure AD user | 5a51ef57-299e-4d62-8e11-2d440df55e69 | powershell |
| 1649 | credential-access | T1110.001 | Brute Force: Password Guessing | 4 | Password Brute User using Kerbrute Tool | 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4 | powershell |
| 1650 | credential-access | T1110.001 | Brute Force: Password Guessing | 5 | SUDO Brute Force - Debian | ba1bf0b6-f32b-4db0-b7cc-d78cacc76700 | bash |
| 1651 | credential-access | T1110.001 | Brute Force: Password Guessing | 6 | SUDO Brute Force - Redhat | 4097bc00-5eeb-4d56-aaf9-287d60351d95 | bash |
| 1652 | credential-access | T1110.001 | Brute Force: Password Guessing | 7 | SUDO Brute Force - FreeBSD | abcde488-e083-4ee7-bc85-a5684edd7541 | bash |
| 1653 | credential-access | T1110.001 | Brute Force: Password Guessing | 8 | ESXi - Brute Force Until Account Lockout | ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5 | powershell |
| 1654 | credential-access | T1003 | OS Credential Dumping | 1 | Gsecdump | 96345bfc-8ae7-4b6a-80b7-223200f24ef9 | command_prompt |
| 1655 | credential-access | T1003 | OS Credential Dumping | 2 | Credential Dumping with NPPSpy | 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6 | powershell |
| 1656 | credential-access | T1003 | OS Credential Dumping | 3 | Dump svchost.exe to gather RDP credentials | d400090a-d8ca-4be0-982e-c70598a23de9 | powershell |
| 1657 | credential-access | T1003 | OS Credential Dumping | 4 | Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list) | 6c7a4fd3-5b0b-4b30-a93e-39411b25d889 | powershell |
| 1658 | credential-access | T1003 | OS Credential Dumping | 5 | Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config) | 42510244-5019-48fa-a0e5-66c3b76e6049 | powershell |
| 1659 | credential-access | T1003 | OS Credential Dumping | 6 | Dump Credential Manager using keymgr.dll and rundll32.exe | 84113186-ed3c-4d0d-8a3c-8980c86c1f4a | powershell |
| 1660 | credential-access | T1003 | OS Credential Dumping | 7 | Send NTLM Hash with RPC Test Connection | 0b207037-813c-4444-ac3f-b597cf280a67 | powershell |
| 1661 | credential-access | T1539 | Steal Web Session Cookie | 1 | Steal Firefox Cookies (Windows) | 4b437357-f4e9-4c84-9fa6-9bcee6f826aa | powershell |
| 1662 | credential-access | T1539 | Steal Web Session Cookie | 2 | Steal Chrome Cookies (Windows) | 26a6b840-4943-4965-8df5-ef1f9a282440 | powershell |
| 1663 | credential-access | T1539 | Steal Web Session Cookie | 3 | Steal Chrome Cookies via Remote Debugging (Mac) | e43cfdaf-3fb8-4a45-8de0-7eee8741d072 | bash |
| 1664 | credential-access | T1539 | Steal Web Session Cookie | 4 | Steal Chrome v127+ cookies via Remote Debugging (Windows) | b647f4ee-88de-40ac-9419-f17fac9489a7 | powershell |
| 1665 | credential-access | T1539 | Steal Web Session Cookie | 5 | Copy Safari BinaryCookies files using AppleScript | e57ba07b-3a33-40cd-a892-748273b9b49a | sh |
| 1666 | credential-access | T1003.002 | OS Credential Dumping: Security Account Manager | 1 | Registry dump of SAM, creds, and secrets | 5c2571d0-1572-416d-9676-812e64ca9f44 | command_prompt |
| 1667 | credential-access | T1003.002 | OS Credential Dumping: Security Account Manager | 2 | Registry parse with pypykatz | a96872b2-cbf3-46cf-8eb4-27e8c0e85263 | command_prompt |
| 1668 | credential-access | T1003.002 | OS Credential Dumping: Security Account Manager | 3 | esentutl.exe SAM copy | a90c2f4d-6726-444e-99d2-a00cd7c20480 | command_prompt |
| 1669 | credential-access | T1003.002 | OS Credential Dumping: Security Account Manager | 4 | PowerDump Hashes and Usernames from Registry | 804f28fc-68fc-40da-b5a2-e9d0bce5c193 | powershell |
| 1670 | credential-access | T1003.002 | OS Credential Dumping: Security Account Manager | 5 | dump volume shadow copy hives with certutil | eeb9751a-d598-42d3-b11c-c122d9c3f6c7 | command_prompt |
| 1671 | credential-access | T1003.002 | OS Credential Dumping: Security Account Manager | 6 | dump volume shadow copy hives with System.IO.File | 9d77fed7-05f8-476e-a81b-8ff0472c64d0 | powershell |
| 1672 | credential-access | T1003.002 | OS Credential Dumping: Security Account Manager | 7 | WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes | 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb | powershell |
| 1673 | credential-access | T1003.002 | OS Credential Dumping: Security Account Manager | 8 | Dumping of SAM, creds, and secrets(Reg Export) | 21df41be-cdd8-4695-a650-c3981113aa3c | command_prompt |
| 1674 | credential-access | T1552.005 | Unsecured Credentials: Cloud Instance Metadata API | 1 | Azure - Search Azure AD User Attributes for Passwords | ae9b2e3e-efa1-4483-86e2-fae529ab9fb6 | powershell |
| 1675 | credential-access | T1552.005 | Unsecured Credentials: Cloud Instance Metadata API | 2 | Azure - Dump Azure Instance Metadata from Virtual Machines | cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7 | powershell |
| 1676 | credential-access | T1110.002 | Brute Force: Password Cracking | 1 | Password Cracking with Hashcat | 6d27df5d-69d4-4c91-bc33-5983ffe91692 | command_prompt |
| 1677 | credential-access | T1555.001 | Credentials from Password Stores: Keychain | 1 | Keychain Dump | 88e1fa00-bf63-4e5b-a3e1-e2ea51c8cca6 | sh |
| 1678 | credential-access | T1555.001 | Credentials from Password Stores: Keychain | 2 | Export Certificate Item(s) | 1864fdec-ff86-4452-8c30-f12507582a93 | sh |
| 1679 | credential-access | T1555.001 | Credentials from Password Stores: Keychain | 3 | Import Certificate Item(s) into Keychain | e544bbcb-c4e0-4bd0-b614-b92131635f59 | sh |
| 1680 | credential-access | T1555.001 | Credentials from Password Stores: Keychain | 4 | Copy Keychain using cat utility | 5c32102a-c508-49d3-978f-288f8a9f6617 | sh |
| 1681 | credential-access | T1003.004 | OS Credential Dumping: LSA Secrets | 1 | Dumping LSA Secrets | 55295ab0-a703-433b-9ca4-ae13807de12f | command_prompt |
| 1682 | credential-access | T1003.004 | OS Credential Dumping: LSA Secrets | 2 | Dump Kerberos Tickets from LSA using dumper.ps1 | 2dfa3bff-9a27-46db-ab75-7faefdaca732 | powershell |
| 1683 | credential-access | T1606.002 | Forge Web Credentials: SAML token | 1 | Golden SAML | b16a03bc-1089-4dcc-ad98-30fe8f3a2b31 | powershell |
| 1684 | credential-access | T1003.007 | OS Credential Dumping: Proc Filesystem | 1 | Dump individual process memory with sh (Local) | 7e91138a-8e74-456d-a007-973d67a0bb80 | sh |
| 1685 | credential-access | T1003.007 | OS Credential Dumping: Proc Filesystem | 2 | Dump individual process memory with sh on FreeBSD (Local) | fa37b633-e097-4415-b2b8-c5bf4c86e423 | sh |
| 1686 | credential-access | T1003.007 | OS Credential Dumping: Proc Filesystem | 3 | Dump individual process memory with Python (Local) | 437b2003-a20d-4ed8-834c-4964f24eec63 | sh |
| 1687 | credential-access | T1003.007 | OS Credential Dumping: Proc Filesystem | 4 | Capture Passwords with MimiPenguin | a27418de-bdce-4ebd-b655-38f04842bf0c | bash |
| 1688 | credential-access | T1040 | Network Sniffing | 1 | Packet Capture Linux using tshark or tcpdump | 7fe741f7-b265-4951-a7c7-320889083b3e | bash |
| 1689 | credential-access | T1040 | Network Sniffing | 2 | Packet Capture FreeBSD using tshark or tcpdump | c93f2492-9ebe-44b5-8b45-36574cccfe67 | sh |
| 1690 | credential-access | T1040 | Network Sniffing | 3 | Packet Capture macOS using tcpdump or tshark | 9d04efee-eff5-4240-b8d2-07792b873608 | bash |
| 1691 | credential-access | T1040 | Network Sniffing | 4 | Packet Capture Windows Command Prompt | a5b2f6a0-24b4-493e-9590-c699f75723ca | command_prompt |
| 1692 | credential-access | T1040 | Network Sniffing | 5 | Windows Internal Packet Capture | b5656f67-d67f-4de8-8e62-b5581630f528 | command_prompt |
| 1693 | credential-access | T1040 | Network Sniffing | 6 | Windows Internal pktmon capture | c67ba807-f48b-446e-b955-e4928cd1bf91 | command_prompt |
| 1694 | credential-access | T1040 | Network Sniffing | 7 | Windows Internal pktmon set filter | 855fb8b4-b8ab-4785-ae77-09f5df7bff55 | command_prompt |
| 1695 | credential-access | T1040 | Network Sniffing | 8 | Packet Capture macOS using /dev/bpfN with sudo | e6fe5095-545d-4c8b-a0ae-e863914be3aa | bash |
| 1696 | credential-access | T1040 | Network Sniffing | 9 | Filtered Packet Capture macOS using /dev/bpfN with sudo | e2480aee-23f3-4f34-80ce-de221e27cd19 | bash |
| 1697 | credential-access | T1040 | Network Sniffing | 10 | Packet Capture FreeBSD using /dev/bpfN with sudo | e2028771-1bfb-48f5-b5e6-e50ee0942a14 | sh |
| 1698 | credential-access | T1040 | Network Sniffing | 11 | Filtered Packet Capture FreeBSD using /dev/bpfN with sudo | a3a0d4c9-c068-4563-a08d-583bd05b884c | sh |
| 1699 | credential-access | T1040 | Network Sniffing | 12 | Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo | 10c710c9-9104-4d5f-8829-5b65391e2a29 | bash |
| 1700 | credential-access | T1040 | Network Sniffing | 13 | Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo | 7a0895f0-84c1-4adf-8491-a21510b1d4c1 | bash |
| 1701 | credential-access | T1040 | Network Sniffing | 14 | Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo | 515575ab-d213-42b1-aa64-ef6a2dd4641b | bash |
| 1702 | credential-access | T1040 | Network Sniffing | 15 | Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo | b1cbdf8b-6078-48f5-a890-11ea19d7f8e9 | bash |
| 1703 | credential-access | T1040 | Network Sniffing | 16 | PowerShell Network Sniffing | 9c15a7de-de14-46c3-bc2a-6d94130986ae | powershell |
| 1704 | credential-access | T1552.002 | Unsecured Credentials: Credentials in Registry | 1 | Enumeration for Credentials in Registry | b6ec082c-7384-46b3-a111-9a9b8b14e5e7 | command_prompt |
| 1705 | credential-access | T1552.002 | Unsecured Credentials: Credentials in Registry | 2 | Enumeration for PuTTY Credentials in Registry | af197fd7-e868-448e-9bd5-05d1bcd9d9e5 | command_prompt |
| 1706 | credential-access | T1556.002 | Modify Authentication Process: Password Filter DLL | 1 | Install and Register Password Filter DLL | a7961770-beb5-4134-9674-83d7e1fa865c | powershell |
| 1707 | credential-access | T1556.002 | Modify Authentication Process: Password Filter DLL | 2 | Install Additional Authentication Packages | 91580da6-bc6e-431b-8b88-ac77180005f2 | powershell |
| 1708 | credential-access | T1558.004 | Steal or Forge Kerberos Tickets: AS-REP Roasting | 1 | Rubeus asreproast | 615bd568-2859-41b5-9aed-61f6a88e48dd | powershell |
| 1709 | credential-access | T1558.004 | Steal or Forge Kerberos Tickets: AS-REP Roasting | 2 | Get-DomainUser with PowerView | d6139549-7b72-4e48-9ea1-324fc9bdf88a | powershell |
| 1710 | credential-access | T1558.004 | Steal or Forge Kerberos Tickets: AS-REP Roasting | 3 | WinPwn - PowerSharpPack - Kerberoasting Using Rubeus | 8c385f88-4d47-4c9a-814d-93d9deec8c71 | powershell |
| 1711 | credential-access | T1555 | Credentials from Password Stores | 1 | Extract Windows Credential Manager via VBA | 234f9b7c-b53d-4f32-897b-b880a6c9ea7b | powershell |
| 1712 | credential-access | T1555 | Credentials from Password Stores | 2 | Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] | c89becbe-1758-4e7d-a0f4-97d2188a23e3 | powershell |
| 1713 | credential-access | T1555 | Credentials from Password Stores | 3 | Dump credentials from Windows Credential Manager With PowerShell [web Credentials] | 8fd5a296-6772-4766-9991-ff4e92af7240 | powershell |
| 1714 | credential-access | T1555 | Credentials from Password Stores | 4 | Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] | 36753ded-e5c4-4eb5-bc3c-e8fba236878d | powershell |
| 1715 | credential-access | T1555 | Credentials from Password Stores | 5 | Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] | bc071188-459f-44d5-901a-f8f2625b2d2e | powershell |
| 1716 | credential-access | T1555 | Credentials from Password Stores | 6 | WinPwn - Loot local Credentials - lazagne | 079ee2e9-6f16-47ca-a635-14efcd994118 | powershell |
| 1717 | credential-access | T1555 | Credentials from Password Stores | 7 | WinPwn - Loot local Credentials - Wifi Credentials | afe369c2-b42e-447f-98a3-fb1f4e2b8552 | powershell |
| 1718 | credential-access | T1555 | Credentials from Password Stores | 8 | WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords | db965264-3117-4bad-b7b7-2523b7856b92 | powershell |
| 1719 | credential-access | T1552 | Unsecured Credentials | 1 | AWS - Retrieve EC2 Password Data using stratus | a21118de-b11e-4ebd-b655-42f11142df0c | sh |
| 1720 | credential-access | T1552 | Unsecured Credentials | 2 | Search for Passwords in Powershell History | f9c3d0ab-479b-4019-945f-22ace2b1731a | powershell |
| 1721 | credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 1 | Run Chrome-password Collector | 8c05b133-d438-47ca-a630-19cc464c4622 | powershell |
| 1722 | credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 2 | Search macOS Safari Cookies | c1402f7b-67ca-43a8-b5f3-3143abedc01b | sh |
| 1723 | credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 3 | LaZagne - Credentials from Browser | 9a2915b3-3954-4cce-8c76-00fbf4dbd014 | command_prompt |
| 1724 | credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 4 | Simulating access to Chrome Login Data | 3d111226-d09a-4911-8715-fe11664f960d | powershell |
| 1725 | credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 5 | Simulating access to Opera Login Data | 28498c17-57e4-495a-b0be-cc1e36de408b | powershell |
| 1726 | credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 6 | Simulating access to Windows Firefox Login Data | eb8da98a-2e16-4551-b3dd-83de49baa14c | powershell |
| 1727 | credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 7 | Simulating access to Windows Edge Login Data | a6a5ec26-a2d1-4109-9d35-58b867689329 | powershell |
| 1728 | credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 8 | Decrypt Mozilla Passwords with Firepwd.py | dc9cd677-c70f-4df5-bd1c-f114af3c2381 | powershell |
| 1729 | credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 9 | LaZagne.py - Dump Credentials from Firefox Browser | 87e88698-621b-4c45-8a89-4eaebdeaabb1 | sh |
| 1730 | credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 10 | Stage Popular Credential Files for Exfiltration | f543635c-1705-42c3-b180-efd6dc6e7ee7 | powershell |
| 1731 | credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 11 | WinPwn - BrowserPwn | 764ea176-fb71-494c-90ea-72e9d85dce76 | powershell |
| 1732 | credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 12 | WinPwn - Loot local Credentials - mimi-kittenz | ec1d0b37-f659-4186-869f-31a554891611 | powershell |
| 1733 | credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 13 | WinPwn - PowerSharpPack - Sharpweb for Browser Credentials | e5e3d639-6ea8-4408-9ecd-d5a286268ca0 | powershell |
| 1734 | credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 14 | Simulating Access to Chrome Login Data - MacOS | 124e13e5-d8a1-4378-a6ee-a53cd0c7e369 | sh |
| 1735 | credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 15 | WebBrowserPassView - Credentials from Browser | e359627f-2d90-4320-ba5e-b0f878155bbe | powershell |
| 1736 | credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 16 | BrowserStealer (Chrome / Firefox / Microsoft Edge) | 6f2c5c87-a4d5-4898-9bd1-47a55ecaf1dd | powershell |
| 1737 | credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 17 | Dump Chrome Login Data with esentutl | 70422253-8198-4019-b617-6be401b49fce | command_prompt |
| 1738 | credential-access | T1552.004 | Unsecured Credentials: Private Keys | 1 | Private Keys | 520ce462-7ca7-441e-b5a5-f8347f632696 | command_prompt |
| 1739 | credential-access | T1552.004 | Unsecured Credentials: Private Keys | 2 | Discover Private SSH Keys | 46959285-906d-40fa-9437-5a439accd878 | sh |
| 1740 | credential-access | T1552.004 | Unsecured Credentials: Private Keys | 3 | Copy Private SSH Keys with CP | 7c247dc7-5128-4643-907b-73a76d9135c3 | sh |
| 1741 | credential-access | T1552.004 | Unsecured Credentials: Private Keys | 4 | Copy Private SSH Keys with CP (freebsd) | 12e4a260-a7fd-4ed8-bf18-1a28c1395775 | sh |
| 1742 | credential-access | T1552.004 | Unsecured Credentials: Private Keys | 5 | Copy Private SSH Keys with rsync | 864bb0b2-6bb5-489a-b43b-a77b3a16d68a | sh |
| 1743 | credential-access | T1552.004 | Unsecured Credentials: Private Keys | 6 | Copy Private SSH Keys with rsync (freebsd) | 922b1080-0b95-42b0-9585-b9a5ea0af044 | sh |
| 1744 | credential-access | T1552.004 | Unsecured Credentials: Private Keys | 7 | Copy the users GnuPG directory with rsync | 2a5a0601-f5fb-4e2e-aa09-73282ae6afca | sh |
| 1745 | credential-access | T1552.004 | Unsecured Credentials: Private Keys | 8 | Copy the users GnuPG directory with rsync (freebsd) | b05ac39b-515f-48e9-88e9-2f141b5bcad0 | sh |
| 1746 | credential-access | T1552.004 | Unsecured Credentials: Private Keys | 9 | ADFS token signing and encryption certificates theft - Local | 78e95057-d429-4e66-8f82-0f060c1ac96f | powershell |
| 1747 | credential-access | T1552.004 | Unsecured Credentials: Private Keys | 10 | ADFS token signing and encryption certificates theft - Remote | cab413d8-9e4a-4b8d-9b84-c985bd73a442 | powershell |
| 1748 | credential-access | T1552.004 | Unsecured Credentials: Private Keys | 11 | CertUtil ExportPFX | 336b25bf-4514-4684-8924-474974f28137 | powershell |
| 1749 | credential-access | T1552.004 | Unsecured Credentials: Private Keys | 12 | Export Root Certificate with Export-PFXCertificate | 7617f689-bbd8-44bc-adcd-6f8968897848 | powershell |
| 1750 | credential-access | T1552.004 | Unsecured Credentials: Private Keys | 13 | Export Root Certificate with Export-Certificate | 78b274f8-acb0-428b-b1f7-7b0d0e73330a | powershell |
| 1751 | credential-access | T1552.004 | Unsecured Credentials: Private Keys | 14 | Export Certificates with Mimikatz | 290df60e-4b5d-4a5e-b0c7-dc5348ea0c86 | command_prompt |
| 1752 | credential-access | T1557.001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | 1 | LLMNR Poisoning with Inveigh (PowerShell) | deecd55f-afe0-4a62-9fba-4d1ba2deb321 | powershell |
| 1753 | credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 1 | Dump LSASS.exe Memory using ProcDump | 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8 | command_prompt |
| 1754 | credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 2 | Dump LSASS.exe Memory using comsvcs.dll | 2536dee2-12fb-459a-8c37-971844fa73be | powershell |
| 1755 | credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 3 | Dump LSASS.exe Memory using direct system calls and API unhooking | 7ae7102c-a099-45c8-b985-4c7a2d05790d | command_prompt |
| 1756 | credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 4 | Dump LSASS.exe Memory using NanoDump | dddd4aca-bbed-46f0-984d-e4c5971c51ea | command_prompt |
| 1757 | credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 5 | Dump LSASS.exe Memory using Windows Task Manager | dea6c349-f1c6-44f3-87a1-1ed33a59a607 | manual |
| 1758 | credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 6 | Offline Credential Theft With Mimikatz | 453acf13-1dbd-47d7-b28a-172ce9228023 | command_prompt |
| 1759 | credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 7 | LSASS read with pypykatz | c37bc535-5c62-4195-9cc3-0517673171d8 | command_prompt |
| 1760 | credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 8 | Dump LSASS.exe Memory using Out-Minidump.ps1 | 6502c8f0-b775-4dbd-9193-1298f56b6781 | powershell |
| 1761 | credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 9 | Create Mini Dump of LSASS.exe using ProcDump | 7cede33f-0acd-44ef-9774-15511300b24b | command_prompt |
| 1762 | credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 10 | Powershell Mimikatz | 66fb0bc1-3c3f-47e9-a298-550ecfefacbc | powershell |
| 1763 | credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 11 | Dump LSASS with createdump.exe from .Net v5 | 9d0072c8-7cca-45c4-bd14-f852cfa35cf0 | powershell |
| 1764 | credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 12 | Dump LSASS.exe using imported Microsoft DLLs | 86fc3f40-237f-4701-b155-81c01c48d697 | powershell |
| 1765 | credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 13 | Dump LSASS.exe using lolbin rdrleakdiag.exe | 47a539d1-61b9-4364-bf49-a68bc2a95ef0 | powershell |
| 1766 | credential-access | T1003.001 | OS Credential Dumping: LSASS Memory | 14 | Dump LSASS.exe Memory through Silent Process Exit | eb5adf16-b601-4926-bca7-dad22adffb37 | command_prompt |
| 1767 | credential-access | T1110.003 | Brute Force: Password Spraying | 1 | Password Spray all Domain Users | 90bc2e54-6c84-47a5-9439-0a2a92b4b175 | command_prompt |
| 1768 | credential-access | T1110.003 | Brute Force: Password Spraying | 2 | Password Spray (DomainPasswordSpray) | 263ae743-515f-4786-ac7d-41ef3a0d4b2b | powershell |
| 1769 | credential-access | T1110.003 | Brute Force: Password Spraying | 3 | Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) | f14d956a-5b6e-4a93-847f-0c415142f07d | powershell |
| 1770 | credential-access | T1110.003 | Brute Force: Password Spraying | 4 | Password spray all Azure AD users with a single password | a8aa2d3e-1c52-4016-bc73-0f8854cfa80a | powershell |
| 1771 | credential-access | T1110.003 | Brute Force: Password Spraying | 5 | WinPwn - DomainPasswordSpray Attacks | 5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82 | powershell |
| 1772 | credential-access | T1110.003 | Brute Force: Password Spraying | 6 | Password Spray Invoke-DomainPasswordSpray Light | b15bc9a5-a4f3-4879-9304-ea0011ace63a | powershell |
| 1773 | credential-access | T1110.003 | Brute Force: Password Spraying | 7 | Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365) | f3a10056-0160-4785-8744-d9bd7c12dc39 | powershell |
| 1774 | credential-access | T1110.003 | Brute Force: Password Spraying | 8 | Password Spray using Kerbrute Tool | c6f25ec3-6475-47a9-b75d-09ac593c5ecb | powershell |
| 1775 | credential-access | T1110.003 | Brute Force: Password Spraying | 9 | AWS - Password Spray an AWS using GoAWSConsoleSpray | 9c10d16b-20b1-403a-8e67-50ef7117ed4e | sh |
| 1776 | credential-access | T1003.005 | OS Credential Dumping: Cached Domain Credentials | 1 | Cached Credential Dump via Cmdkey | 56506854-89d6-46a3-9804-b7fde90791f9 | command_prompt |
| 1777 | credential-access | T1558.001 | Steal or Forge Kerberos Tickets: Golden Ticket | 1 | Crafting Active Directory golden tickets with mimikatz | 9726592a-dabc-4d4d-81cd-44070008b3af | powershell |
| 1778 | credential-access | T1558.001 | Steal or Forge Kerberos Tickets: Golden Ticket | 2 | Crafting Active Directory golden tickets with Rubeus | e42d33cd-205c-4acf-ab59-a9f38f6bad9c | powershell |
| 1779 | credential-access | T1649 | Steal or Forge Authentication Certificates | 1 | Staging Local Certificates via Export-Certificate | eb121494-82d1-4148-9e2b-e624e03fbf3d | powershell |
| 1780 | credential-access | T1552.003 | Unsecured Credentials: Bash History | 1 | Search Through Bash History | 3cfde62b-7c33-4b26-a61e-755d6131c8ce | sh |
| 1781 | credential-access | T1552.003 | Unsecured Credentials: Bash History | 2 | Search Through sh History | d87d3b94-05b4-40f2-a80f-99864ffa6803 | sh |
| 1782 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 1 | Find AWS credentials | 37807632-d3da-442e-8c2e-00f44928ff8f | sh |
| 1783 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 2 | Extract Browser and System credentials with LaZagne | 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79 | bash |
| 1784 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 3 | Extract passwords with grep | bd4cf0d1-7646-474e-8610-78ccf5a097c4 | sh |
| 1785 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 4 | Extracting passwords with findstr | 0e56bf29-ff49-4ea5-9af4-3b81283fd513 | powershell |
| 1786 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 5 | Access unattend.xml | 367d4004-5fc0-446d-823f-960c74ae52c3 | command_prompt |
| 1787 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 6 | Find and Access Github Credentials | da4f751a-020b-40d7-b9ff-d433b7799803 | bash |
| 1788 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 7 | WinPwn - sensitivefiles | 114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0 | powershell |
| 1789 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 8 | WinPwn - Snaffler | fdd0c913-714b-4c13-b40f-1824d6c015f2 | powershell |
| 1790 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 9 | WinPwn - powershellsensitive | 75f66e03-37d3-4704-9520-3210efbe33ce | powershell |
| 1791 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 10 | WinPwn - passhunt | 00e3e3c7-6c3c-455e-bd4b-461c7f0e7797 | powershell |
| 1792 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 11 | WinPwn - SessionGopher | c9dc9de3-f961-4284-bd2d-f959c9f9fda5 | powershell |
| 1793 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 12 | WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials | aaa87b0e-5232-4649-ae5c-f1724a4b2798 | powershell |
| 1794 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 13 | List Credential Files via PowerShell | 0d4f2281-f720-4572-adc8-d5bb1618affe | powershell |
| 1795 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 14 | List Credential Files via Command Prompt | b0cdacf6-8949-4ffe-9274-a9643a788e55 | command_prompt |
| 1796 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 15 | Find Azure credentials | a8f6148d-478a-4f43-bc62-5efee9f931a4 | sh |
| 1797 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 16 | Find GCP credentials | aa12eb29-2dbb-414e-8b20-33d34af93543 | sh |
| 1798 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 17 | Find OCI credentials | 9d9c22c9-fa97-4008-a204-478cf68c40af | sh |
| 1799 | credential-access | T1528 | Steal Application Access Token | 1 | Azure - Functions code upload - Functions code injection via Blob upload | 9a5352e4-56e5-45c2-9b3f-41a46d3b3a43 | powershell |
| 1800 | credential-access | T1528 | Steal Application Access Token | 2 | Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token | 67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1 | powershell |
| 1801 | credential-access | T1552.006 | Unsecured Credentials: Group Policy Preferences | 1 | GPP Passwords (findstr) | 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f | command_prompt |
| 1802 | credential-access | T1552.006 | Unsecured Credentials: Group Policy Preferences | 2 | GPP Passwords (Get-GPPPassword) | e9584f82-322c-474a-b831-940fd8b4455c | powershell |
| 1803 | credential-access | T1056.002 | Input Capture: GUI Input Capture | 1 | AppleScript - Prompt User for Password | 76628574-0bc1-4646-8fe2-8f4427b47d15 | bash |
| 1804 | credential-access | T1056.002 | Input Capture: GUI Input Capture | 2 | PowerShell - Prompt User for Password | 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 | powershell |
| 1805 | credential-access | T1056.002 | Input Capture: GUI Input Capture | 3 | AppleScript - Spoofing a credential prompt using osascript | b7037b89-947a-427a-ba29-e7e9f09bc045 | bash |
| 1806 | credential-access | T1110.004 | Brute Force: Credential Stuffing | 1 | SSH Credential Stuffing From Linux | 4f08197a-2a8a-472d-9589-cd2895ef22ad | bash |
| 1807 | credential-access | T1110.004 | Brute Force: Credential Stuffing | 2 | SSH Credential Stuffing From MacOS | d546a3d9-0be5-40c7-ad82-5a7d79e1b66b | bash |
| 1808 | credential-access | T1110.004 | Brute Force: Credential Stuffing | 3 | SSH Credential Stuffing From FreeBSD | a790d50e-7ebf-48de-8daa-d9367e0911d4 | sh |
| 1809 | credential-access | T1110.004 | Brute Force: Credential Stuffing | 4 | Brute Force:Credential Stuffing using Kerbrute Tool | 4852c630-87a9-409b-bb5e-5dc12c9ebcde | powershell |
| 1810 | credential-access | T1187 | Forced Authentication | 1 | PetitPotam | 485ce873-2e65-4706-9c7e-ae3ab9e14213 | powershell |
| 1811 | credential-access | T1187 | Forced Authentication | 2 | WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS | 7f06b25c-799e-40f1-89db-999c9cc84317 | powershell |
| 1812 | credential-access | T1187 | Forced Authentication | 3 | Trigger an authenticated RPC call to a target server with no Sign flag set | 81cfdd7f-1f41-4cc5-9845-bb5149438e37 | powershell |
| 1813 | credential-access | T1555.006 | Credentials from Password Stores: Cloud Secrets Management Stores | 1 | Azure - Dump All Azure Key Vaults with Microburst | 1b83cddb-eaa7-45aa-98a5-85fb0a8807ea | powershell |
| 1814 | credential-access | T1003.008 | OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow | 1 | Access /etc/shadow (Local) | 3723ab77-c546-403c-8fb4-bb577033b235 | bash |
| 1815 | credential-access | T1003.008 | OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow | 2 | Access /etc/master.passwd (Local) | 5076874f-a8e6-4077-8ace-9e5ab54114a5 | sh |
| 1816 | credential-access | T1003.008 | OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow | 3 | Access /etc/passwd (Local) | 60e860b6-8ae6-49db-ad07-5e73edd88f5d | sh |
| 1817 | credential-access | T1003.008 | OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow | 4 | Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat | df1a55ae-019d-4120-bc35-94f4bc5c4b0a | sh |
| 1818 | credential-access | T1003.008 | OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow | 5 | Access /etc/{shadow,passwd,master.passwd} with shell builtins | f5aa6543-6cb2-4fae-b9c2-b96e14721713 | sh |
| 1819 | credential-access | T1558.002 | Steal or Forge Kerberos Tickets: Silver Ticket | 1 | Crafting Active Directory silver tickets with mimikatz | 385e59aa-113e-4711-84d9-f637aef01f2c | powershell |
| 1820 | credential-access | T1555.004 | Credentials from Password Stores: Windows Credential Manager | 1 | Access Saved Credentials via VaultCmd | 9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439 | command_prompt |
| 1821 | credential-access | T1555.004 | Credentials from Password Stores: Windows Credential Manager | 2 | WinPwn - Loot local Credentials - Invoke-WCMDump | fa714db1-63dd-479e-a58e-7b2b52ca5997 | powershell |
| 1822 | credential-access | T1003.003 | OS Credential Dumping: NTDS | 1 | Create Volume Shadow Copy with vssadmin | dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f | command_prompt |
| 1823 | credential-access | T1003.003 | OS Credential Dumping: NTDS | 2 | Copy NTDS.dit from Volume Shadow Copy | c6237146-9ea6-4711-85c9-c56d263a6b03 | command_prompt |
| 1824 | credential-access | T1003.003 | OS Credential Dumping: NTDS | 3 | Dump Active Directory Database with NTDSUtil | 2364e33d-ceab-4641-8468-bfb1d7cc2723 | command_prompt |
| 1825 | credential-access | T1003.003 | OS Credential Dumping: NTDS | 4 | Create Volume Shadow Copy with WMI | 224f7de0-8f0a-4a94-b5d8-989b036c86da | command_prompt |
| 1826 | credential-access | T1003.003 | OS Credential Dumping: NTDS | 5 | Create Volume Shadow Copy remotely with WMI | d893459f-71f0-484d-9808-ec83b2b64226 | command_prompt |
| 1827 | credential-access | T1003.003 | OS Credential Dumping: NTDS | 6 | Create Volume Shadow Copy remotely (WMI) with esentutl | 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865 | command_prompt |
| 1828 | credential-access | T1003.003 | OS Credential Dumping: NTDS | 7 | Create Volume Shadow Copy with Powershell | 542bb97e-da53-436b-8e43-e0a7d31a6c24 | powershell |
| 1829 | credential-access | T1003.003 | OS Credential Dumping: NTDS | 8 | Create Symlink to Volume Shadow Copy | 21748c28-2793-4284-9e07-d6d028b66702 | command_prompt |
| 1830 | credential-access | T1003.003 | OS Credential Dumping: NTDS | 9 | Create Volume Shadow Copy with diskshadow | b385996c-0e7d-4e27-95a4-aca046b119a7 | command_prompt |
| 1831 | credential-access | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | 1 | Request for service tickets | 3f987809-3681-43c8-bcd8-b3ff3a28533a | powershell |
| 1832 | credential-access | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | 2 | Rubeus kerberoast | 14625569-6def-4497-99ac-8e7817105b55 | powershell |
| 1833 | credential-access | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | 3 | Extract all accounts in use as SPN using setspn | e6f4affd-d826-4871-9a62-6c9004b8fe06 | command_prompt |
| 1834 | credential-access | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | 4 | Request A Single Ticket via PowerShell | 988539bc-2ed7-4e62-aec6-7c5cf6680863 | powershell |
| 1835 | credential-access | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | 5 | Request All Tickets via PowerShell | 902f4ed2-1aba-4133-90f2-cff6d299d6da | powershell |
| 1836 | credential-access | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | 6 | WinPwn - Kerberoasting | 78d10e20-c874-45f2-a9df-6fea0120ec27 | powershell |
| 1837 | credential-access | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | 7 | WinPwn - PowerSharpPack - Kerberoasting Using Rubeus | 29094950-2c96-4cbd-b5e4-f7c65079678f | powershell |
| 1838 | credential-access | T1003.006 | OS Credential Dumping: DCSync | 1 | DCSync (Active Directory) | 129efd28-8497-4c87-a1b0-73b9a870ca3e | command_prompt |
| 1839 | credential-access | T1003.006 | OS Credential Dumping: DCSync | 2 | Run DSInternals Get-ADReplAccount | a0bced08-3fc5-4d8b-93b7-e8344739376e | powershell |
| 1840 | credential-access | T1056.004 | Input Capture: Credential API Hooking | 1 | Hook PowerShell TLS Encrypt/Decrypt Messages | de1934ea-1fbf-425b-8795-65fb27dd7e33 | powershell |
| 1841 | credential-access | T1552.007 | Kubernetes List Secrets | 1 | List All Secrets | 31e794c4-48fd-4a76-aca4-6587c155bc11 | bash |
| 1842 | credential-access | T1552.007 | Kubernetes List Secrets | 2 | ListSecrets | 43c3a49d-d15c-45e6-b303-f6e177e44a9a | bash |
| 1843 | credential-access | T1552.007 | Kubernetes List Secrets | 3 | Cat the contents of a Kubernetes service account token file | 788e0019-a483-45da-bcfe-96353d46820f | sh |
| 1844 | discovery | T1033 | System Owner/User Discovery | 1 | System Owner/User Discovery | 4c4959bf-addf-4b4a-be86-8d09cc1857aa | command_prompt |
| 1845 | discovery | T1033 | System Owner/User Discovery | 2 | System Owner/User Discovery | 2a9b677d-a230-44f4-ad86-782df1ef108c | sh |
| 1846 | discovery | T1033 | System Owner/User Discovery | 3 | Find computers where user has session - Stealth mode (PowerView) | 29857f27-a36f-4f7e-8084-4557cd6207ca | powershell |
| 1847 | discovery | T1033 | System Owner/User Discovery | 4 | User Discovery With Env Vars PowerShell Script | dcb6cdee-1fb0-4087-8bf8-88cfd136ba51 | powershell |
| 1848 | discovery | T1033 | System Owner/User Discovery | 5 | GetCurrent User with PowerShell Script | 1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b | powershell |
| 1849 | discovery | T1033 | System Owner/User Discovery | 6 | System Discovery - SocGholish whoami | 3d257a03-eb80-41c5-b744-bb37ac7f65c7 | powershell |
| 1850 | discovery | T1033 | System Owner/User Discovery | 7 | System Owner/User Discovery Using Command Prompt | ba38e193-37a6-4c41-b214-61b33277fe36 | command_prompt |
| 1851 | discovery | T1613 | Container and Resource Discovery | 1 | Docker Container and Resource Discovery | ea2255df-d781-493b-9693-ac328f9afc3f | sh |
| 1852 | discovery | T1613 | Container and Resource Discovery | 2 | Podman Container and Resource Discovery | fc631702-3f03-4f2b-8d8a-6b3d055580a1 | sh |
| 1853 | discovery | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | 1 | Check internet connection using ping Windows | e184b6bd-fb28-48aa-9a59-13012e33d7dc | command_prompt |
| 1854 | discovery | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | 2 | Check internet connection using ping freebsd, linux or macos | be8f4019-d8b6-434c-a814-53123cdcc11e | bash |
| 1855 | discovery | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | 3 | Check internet connection using Test-NetConnection in PowerShell (ICMP-Ping) | f8160cde-4e16-4c8b-8450-6042d5363eb0 | powershell |
| 1856 | discovery | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | 4 | Check internet connection using Test-NetConnection in PowerShell (TCP-HTTP) | 7c35779d-42ec-42ab-a283-6255b28e9d68 | powershell |
| 1857 | discovery | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | 5 | Check internet connection using Test-NetConnection in PowerShell (TCP-SMB) | d9c32b3b-7916-45ad-aca5-6c902da80319 | powershell |
| 1858 | discovery | T1615 | Group Policy Discovery | 1 | Display group policy information via gpresult | 0976990f-53b1-4d3f-a185-6df5be429d3b | command_prompt |
| 1859 | discovery | T1615 | Group Policy Discovery | 2 | Get-DomainGPO to display group policy information via PowerView | 4e524c4e-0e02-49aa-8df5-93f3f7959b9f | powershell |
| 1860 | discovery | T1615 | Group Policy Discovery | 3 | WinPwn - GPOAudit | bc25c04b-841e-4965-855f-d1f645d7ab73 | powershell |
| 1861 | discovery | T1615 | Group Policy Discovery | 4 | WinPwn - GPORemoteAccessPolicy | 7230d01a-0a72-4bd5-9d7f-c6d472bc6a59 | powershell |
| 1862 | discovery | T1615 | Group Policy Discovery | 5 | MSFT Get-GPO Cmdlet | 52778a8f-a10b-41a4-9eae-52ddb74072bf | powershell |
| 1863 | discovery | T1652 | Device Driver Discovery | 1 | Device Driver Discovery | 235b30a2-e5b1-441f-9705-be6231c88ddd | powershell |
| 1864 | discovery | T1087.002 | Account Discovery: Domain Account | 1 | Enumerate all accounts (Domain) | 6fbc9e68-5ad7-444a-bd11-8bf3136c477e | command_prompt |
| 1865 | discovery | T1087.002 | Account Discovery: Domain Account | 2 | Enumerate all accounts via PowerShell (Domain) | 8b8a6449-be98-4f42-afd2-dedddc7453b2 | powershell |
| 1866 | discovery | T1087.002 | Account Discovery: Domain Account | 3 | Enumerate logged on users via CMD (Domain) | 161dcd85-d014-4f5e-900c-d3eaae82a0f7 | command_prompt |
| 1867 | discovery | T1087.002 | Account Discovery: Domain Account | 4 | Automated AD Recon (ADRecon) | 95018438-454a-468c-a0fa-59c800149b59 | powershell |
| 1868 | discovery | T1087.002 | Account Discovery: Domain Account | 5 | Adfind -Listing password policy | 736b4f53-f400-4c22-855d-1a6b5a551600 | command_prompt |
| 1869 | discovery | T1087.002 | Account Discovery: Domain Account | 6 | Adfind - Enumerate Active Directory Admins | b95fd967-4e62-4109-b48d-265edfd28c3a | command_prompt |
| 1870 | discovery | T1087.002 | Account Discovery: Domain Account | 7 | Adfind - Enumerate Active Directory User Objects | e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 | command_prompt |
| 1871 | discovery | T1087.002 | Account Discovery: Domain Account | 8 | Adfind - Enumerate Active Directory Exchange AD Objects | 5e2938fb-f919-47b6-8b29-2f6a1f718e99 | command_prompt |
| 1872 | discovery | T1087.002 | Account Discovery: Domain Account | 9 | Enumerate Default Domain Admin Details (Domain) | c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef | command_prompt |
| 1873 | discovery | T1087.002 | Account Discovery: Domain Account | 10 | Enumerate Active Directory for Unconstrained Delegation | 46f8dbe9-22a5-4770-8513-66119c5be63b | powershell |
| 1874 | discovery | T1087.002 | Account Discovery: Domain Account | 11 | Get-DomainUser with PowerView | 93662494-5ed7-4454-a04c-8c8372808ac2 | powershell |
| 1875 | discovery | T1087.002 | Account Discovery: Domain Account | 12 | Enumerate Active Directory Users with ADSISearcher | 02e8be5a-3065-4e54-8cc8-a14d138834d3 | powershell |
| 1876 | discovery | T1087.002 | Account Discovery: Domain Account | 13 | Enumerate Linked Policies In ADSISearcher Discovery | 7ab0205a-34e4-4a44-9b04-e1541d1a57be | powershell |
| 1877 | discovery | T1087.002 | Account Discovery: Domain Account | 14 | Enumerate Root Domain linked policies Discovery | 00c652e2-0750-4ca6-82ff-0204684a6fe4 | powershell |
| 1878 | discovery | T1087.002 | Account Discovery: Domain Account | 15 | WinPwn - generaldomaininfo | ce483c35-c74b-45a7-a670-631d1e69db3d | powershell |
| 1879 | discovery | T1087.002 | Account Discovery: Domain Account | 16 | Kerbrute - userenum | f450461c-18d1-4452-9f0d-2c42c3f08624 | powershell |
| 1880 | discovery | T1087.002 | Account Discovery: Domain Account | 17 | Wevtutil - Discover NTLM Users Remote | b8a563d4-a836-4993-a74e-0a19b8481bfe | powershell |
| 1881 | discovery | T1087.002 | Account Discovery: Domain Account | 18 | Suspicious LAPS Attributes Query with Get-ADComputer all properties | 394012d9-2164-4d4f-b9e5-acf30ba933fe | powershell |
| 1882 | discovery | T1087.002 | Account Discovery: Domain Account | 19 | Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property | 6e85bdf9-7bc4-4259-ac0f-f0cb39964443 | powershell |
| 1883 | discovery | T1087.002 | Account Discovery: Domain Account | 20 | Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope | ffbcfd62-15d6-4989-a21a-80bfc8e58bb5 | powershell |
| 1884 | discovery | T1087.002 | Account Discovery: Domain Account | 21 | Suspicious LAPS Attributes Query with adfind all properties | abf00f6c-9983-4d9a-afbc-6b1c6c6448e1 | powershell |
| 1885 | discovery | T1087.002 | Account Discovery: Domain Account | 22 | Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd | 51a98f96-0269-4e09-a10f-e307779a8b05 | powershell |
| 1886 | discovery | T1087.002 | Account Discovery: Domain Account | 23 | Active Directory Domain Search | 096b6d2a-b63f-4100-8fa0-525da4cd25ca | sh |
| 1887 | discovery | T1087.002 | Account Discovery: Domain Account | 24 | Account Enumeration with LDAPDomainDump | a54d497e-8dbe-4558-9895-44944baa395f | sh |
| 1888 | discovery | T1087.001 | Account Discovery: Local Account | 1 | Enumerate all accounts (Local) | f8aab3dd-5990-4bf8-b8ab-2226c951696f | sh |
| 1889 | discovery | T1087.001 | Account Discovery: Local Account | 2 | View sudoers access | fed9be70-0186-4bde-9f8a-20945f9370c2 | sh |
| 1890 | discovery | T1087.001 | Account Discovery: Local Account | 3 | View accounts with UID 0 | c955a599-3653-4fe5-b631-f11c00eb0397 | sh |
| 1891 | discovery | T1087.001 | Account Discovery: Local Account | 4 | List opened files by user | 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb | sh |
| 1892 | discovery | T1087.001 | Account Discovery: Local Account | 5 | Show if a user account has ever logged in remotely | 0f0b6a29-08c3-44ad-a30b-47fd996b2110 | sh |
| 1893 | discovery | T1087.001 | Account Discovery: Local Account | 6 | Enumerate users and groups | e6f36545-dc1e-47f0-9f48-7f730f54a02e | sh |
| 1894 | discovery | T1087.001 | Account Discovery: Local Account | 7 | Enumerate users and groups | 319e9f6c-7a9e-432e-8c62-9385c803b6f2 | sh |
| 1895 | discovery | T1087.001 | Account Discovery: Local Account | 8 | Enumerate all accounts on Windows (Local) | 80887bec-5a9b-4efc-a81d-f83eb2eb32ab | command_prompt |
| 1896 | discovery | T1087.001 | Account Discovery: Local Account | 9 | Enumerate all accounts via PowerShell (Local) | ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b | powershell |
| 1897 | discovery | T1087.001 | Account Discovery: Local Account | 10 | Enumerate logged on users via CMD (Local) | a138085e-bfe5-46ba-a242-74a6fb884af3 | command_prompt |
| 1898 | discovery | T1087.001 | Account Discovery: Local Account | 11 | ESXi - Local Account Discovery via ESXCLI | 9762ac6e-aa60-4449-a2f0-cbbd0e1fd22c | command_prompt |
| 1899 | discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 1 | Detect Virtualization Environment (Linux) | dfbd1a21-540d-4574-9731-e852bd6fe840 | sh |
| 1900 | discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 2 | Detect Virtualization Environment (FreeBSD) | e129d73b-3e03-4ae9-bf1e-67fc8921e0fd | sh |
| 1901 | discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 3 | Detect Virtualization Environment (Windows) | 502a7dc4-9d6f-4d28-abf2-f0e84692562d | powershell |
| 1902 | discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 4 | Detect Virtualization Environment via ioreg | a960185f-aef6-4547-8350-d1ce16680d09 | sh |
| 1903 | discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 5 | Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) | 4a41089a-48e0-47aa-82cb-5b81a463bc78 | powershell |
| 1904 | discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 6 | Detect Virtualization Environment using sysctl (hw.model) | 6beae646-eb4c-4730-95be-691a4094408c | sh |
| 1905 | discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 7 | Check if System Integrity Protection is enabled | 2b73cd9b-b2fb-4357-b9d7-c73c41d9e945 | sh |
| 1906 | discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 8 | Detect Virtualization Environment using system_profiler | e04d2e89-de15-4d90-92f9-a335c7337f0f | sh |
| 1907 | discovery | T1069.002 | Permission Groups Discovery: Domain Groups | 1 | Basic Permission Groups Discovery Windows (Domain) | dd66d77d-8998-48c0-8024-df263dc2ce5d | command_prompt |
| 1908 | discovery | T1069.002 | Permission Groups Discovery: Domain Groups | 2 | Permission Groups Discovery PowerShell (Domain) | 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7 | powershell |
| 1909 | discovery | T1069.002 | Permission Groups Discovery: Domain Groups | 3 | Elevated group enumeration using net group (Domain) | 0afb5163-8181-432e-9405-4322710c0c37 | command_prompt |
| 1910 | discovery | T1069.002 | Permission Groups Discovery: Domain Groups | 4 | Find machines where user has local admin access (PowerView) | a2d71eee-a353-4232-9f86-54f4288dd8c1 | powershell |
| 1911 | discovery | T1069.002 | Permission Groups Discovery: Domain Groups | 5 | Find local admins on all machines in domain (PowerView) | a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd | powershell |
| 1912 | discovery | T1069.002 | Permission Groups Discovery: Domain Groups | 6 | Find Local Admins via Group Policy (PowerView) | 64fdb43b-5259-467a-b000-1b02c00e510a | powershell |
| 1913 | discovery | T1069.002 | Permission Groups Discovery: Domain Groups | 7 | Enumerate Users Not Requiring Pre Auth (ASRepRoast) | 870ba71e-6858-4f6d-895c-bb6237f6121b | powershell |
| 1914 | discovery | T1069.002 | Permission Groups Discovery: Domain Groups | 8 | Adfind - Query Active Directory Groups | 48ddc687-82af-40b7-8472-ff1e742e8274 | command_prompt |
| 1915 | discovery | T1069.002 | Permission Groups Discovery: Domain Groups | 9 | Enumerate Active Directory Groups with Get-AdGroup | 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8 | powershell |
| 1916 | discovery | T1069.002 | Permission Groups Discovery: Domain Groups | 10 | Enumerate Active Directory Groups with ADSISearcher | 9f4e344b-8434-41b3-85b1-d38f29d148d0 | powershell |
| 1917 | discovery | T1069.002 | Permission Groups Discovery: Domain Groups | 11 | Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) | 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8 | powershell |
| 1918 | discovery | T1069.002 | Permission Groups Discovery: Domain Groups | 12 | Get-DomainGroupMember with PowerView | 46352f40-f283-4fe5-b56d-d9a71750e145 | powershell |
| 1919 | discovery | T1069.002 | Permission Groups Discovery: Domain Groups | 13 | Get-DomainGroup with PowerView | 5a8a181c-2c8e-478d-a943-549305a01230 | powershell |
| 1920 | discovery | T1069.002 | Permission Groups Discovery: Domain Groups | 14 | Active Directory Enumeration with LDIFDE | 22cf8cb9-adb1-4e8c-80ca-7c723dfc8784 | command_prompt |
| 1921 | discovery | T1069.002 | Permission Groups Discovery: Domain Groups | 15 | Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS | d58d749c-4450-4975-a9e9-8b1d562755c2 | sh |
| 1922 | discovery | T1007 | System Service Discovery | 1 | System Service Discovery | 89676ba1-b1f8-47ee-b940-2e1a113ebc71 | command_prompt |
| 1923 | discovery | T1007 | System Service Discovery | 2 | System Service Discovery - net.exe | 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3 | command_prompt |
| 1924 | discovery | T1007 | System Service Discovery | 3 | System Service Discovery - systemctl/service | f4b26bce-4c2c-46c0-bcc5-fce062d38bef | bash |
| 1925 | discovery | T1007 | System Service Discovery | 4 | Get-Service Execution | 51f17016-d8fa-4360-888a-df4bf92c4a04 | command_prompt |
| 1926 | discovery | T1040 | Network Sniffing | 1 | Packet Capture Linux using tshark or tcpdump | 7fe741f7-b265-4951-a7c7-320889083b3e | bash |
| 1927 | discovery | T1040 | Network Sniffing | 2 | Packet Capture FreeBSD using tshark or tcpdump | c93f2492-9ebe-44b5-8b45-36574cccfe67 | sh |
| 1928 | discovery | T1040 | Network Sniffing | 3 | Packet Capture macOS using tcpdump or tshark | 9d04efee-eff5-4240-b8d2-07792b873608 | bash |
| 1929 | discovery | T1040 | Network Sniffing | 4 | Packet Capture Windows Command Prompt | a5b2f6a0-24b4-493e-9590-c699f75723ca | command_prompt |
| 1930 | discovery | T1040 | Network Sniffing | 5 | Windows Internal Packet Capture | b5656f67-d67f-4de8-8e62-b5581630f528 | command_prompt |
| 1931 | discovery | T1040 | Network Sniffing | 6 | Windows Internal pktmon capture | c67ba807-f48b-446e-b955-e4928cd1bf91 | command_prompt |
| 1932 | discovery | T1040 | Network Sniffing | 7 | Windows Internal pktmon set filter | 855fb8b4-b8ab-4785-ae77-09f5df7bff55 | command_prompt |
| 1933 | discovery | T1040 | Network Sniffing | 8 | Packet Capture macOS using /dev/bpfN with sudo | e6fe5095-545d-4c8b-a0ae-e863914be3aa | bash |
| 1934 | discovery | T1040 | Network Sniffing | 9 | Filtered Packet Capture macOS using /dev/bpfN with sudo | e2480aee-23f3-4f34-80ce-de221e27cd19 | bash |
| 1935 | discovery | T1040 | Network Sniffing | 10 | Packet Capture FreeBSD using /dev/bpfN with sudo | e2028771-1bfb-48f5-b5e6-e50ee0942a14 | sh |
| 1936 | discovery | T1040 | Network Sniffing | 11 | Filtered Packet Capture FreeBSD using /dev/bpfN with sudo | a3a0d4c9-c068-4563-a08d-583bd05b884c | sh |
| 1937 | discovery | T1040 | Network Sniffing | 12 | Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo | 10c710c9-9104-4d5f-8829-5b65391e2a29 | bash |
| 1938 | discovery | T1040 | Network Sniffing | 13 | Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo | 7a0895f0-84c1-4adf-8491-a21510b1d4c1 | bash |
| 1939 | discovery | T1040 | Network Sniffing | 14 | Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo | 515575ab-d213-42b1-aa64-ef6a2dd4641b | bash |
| 1940 | discovery | T1040 | Network Sniffing | 15 | Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo | b1cbdf8b-6078-48f5-a890-11ea19d7f8e9 | bash |
| 1941 | discovery | T1040 | Network Sniffing | 16 | PowerShell Network Sniffing | 9c15a7de-de14-46c3-bc2a-6d94130986ae | powershell |
| 1942 | discovery | T1135 | Network Share Discovery | 1 | Network Share Discovery | f94b5ad9-911c-4eff-9718-fd21899db4f7 | sh |
| 1943 | discovery | T1135 | Network Share Discovery | 2 | Network Share Discovery - linux | 875805bc-9e86-4e87-be86-3a5527315cae | bash |
| 1944 | discovery | T1135 | Network Share Discovery | 3 | Network Share Discovery - FreeBSD | 77e468a6-3e5c-45a1-9948-c4b5603747cb | sh |
| 1945 | discovery | T1135 | Network Share Discovery | 4 | Network Share Discovery command prompt | 20f1097d-81c1-405c-8380-32174d493bbb | command_prompt |
| 1946 | discovery | T1135 | Network Share Discovery | 5 | Network Share Discovery PowerShell | 1b0814d1-bb24-402d-9615-1b20c50733fb | powershell |
| 1947 | discovery | T1135 | Network Share Discovery | 6 | View available share drives | ab39a04f-0c93-4540-9ff2-83f862c385ae | command_prompt |
| 1948 | discovery | T1135 | Network Share Discovery | 7 | Share Discovery with PowerView | b1636f0a-ba82-435c-b699-0d78794d8bfd | powershell |
| 1949 | discovery | T1135 | Network Share Discovery | 8 | PowerView ShareFinder | d07e4cc1-98ae-447e-9d31-36cb430d28c4 | powershell |
| 1950 | discovery | T1135 | Network Share Discovery | 9 | WinPwn - shareenumeration | 987901d1-5b87-4558-a6d9-cffcabc638b8 | powershell |
| 1951 | discovery | T1135 | Network Share Discovery | 10 | Network Share Discovery via dir command | 13daa2cf-195a-43df-a8bd-7dd5ffb607b5 | command_prompt |
| 1952 | discovery | T1135 | Network Share Discovery | 11 | Enumerate All Network Shares with SharpShares | d1fa2a69-b0a2-4e8a-9112-529b00c19a41 | powershell |
| 1953 | discovery | T1135 | Network Share Discovery | 12 | Enumerate All Network Shares with Snaffler | b19d74b7-5e72-450a-8499-82e49e379d1a | powershell |
| 1954 | discovery | T1120 | Peripheral Device Discovery | 1 | Win32_PnPEntity Hardware Inventory | 2cb4dbf2-2dca-4597-8678-4d39d207a3a5 | powershell |
| 1955 | discovery | T1120 | Peripheral Device Discovery | 2 | WinPwn - printercheck | cb6e76ca-861e-4a7f-be08-564caa3e6f75 | powershell |
| 1956 | discovery | T1120 | Peripheral Device Discovery | 3 | Peripheral Device Discovery via fsutil | 424e18fd-48b8-4201-8d3a-bf591523a686 | command_prompt |
| 1957 | discovery | T1120 | Peripheral Device Discovery | 4 | Get Printer Device List via PowerShell Command | 5c876daf-db1e-41cf-988d-139a7443ccd4 | powershell |
| 1958 | discovery | T1082 | System Information Discovery | 1 | System Information Discovery | 66703791-c902-4560-8770-42b8a91f7667 | command_prompt |
| 1959 | discovery | T1082 | System Information Discovery | 2 | System Information Discovery | edff98ec-0f73-4f63-9890-6b117092aff6 | sh |
| 1960 | discovery | T1082 | System Information Discovery | 3 | List OS Information | cccb070c-df86-4216-a5bc-9fb60c74e27c | sh |
| 1961 | discovery | T1082 | System Information Discovery | 4 | Linux VM Check via Hardware | 31dad7ad-2286-4c02-ae92-274418c85fec | bash |
| 1962 | discovery | T1082 | System Information Discovery | 5 | Linux VM Check via Kernel Modules | 8057d484-0fae-49a4-8302-4812c4f1e64e | bash |
| 1963 | discovery | T1082 | System Information Discovery | 6 | FreeBSD VM Check via Kernel Modules | eefe6a49-d88b-41d8-8fc2-b46822da90d3 | sh |
| 1964 | discovery | T1082 | System Information Discovery | 7 | Hostname Discovery (Windows) | 85cfbf23-4a1e-4342-8792-007e004b975f | command_prompt |
| 1965 | discovery | T1082 | System Information Discovery | 8 | Hostname Discovery | 486e88ea-4f56-470f-9b57-3f4d73f39133 | sh |
| 1966 | discovery | T1082 | System Information Discovery | 9 | Windows MachineGUID Discovery | 224b4daf-db44-404e-b6b2-f4d1f0126ef8 | command_prompt |
| 1967 | discovery | T1082 | System Information Discovery | 10 | Griffon Recon | 69bd4abe-8759-49a6-8d21-0f15822d6370 | powershell |
| 1968 | discovery | T1082 | System Information Discovery | 11 | Environment variables discovery on windows | f400d1c0-1804-4ff8-b069-ef5ddd2adbf3 | command_prompt |
| 1969 | discovery | T1082 | System Information Discovery | 12 | Environment variables discovery on freebsd, macos and linux | fcbdd43f-f4ad-42d5-98f3-0218097e2720 | sh |
| 1970 | discovery | T1082 | System Information Discovery | 13 | Show System Integrity Protection status (MacOS) | 327cc050-9e99-4c8e-99b5-1d15f2fb6b96 | sh |
| 1971 | discovery | T1082 | System Information Discovery | 14 | WinPwn - winPEAS | eea1d918-825e-47dd-acc2-814d6c58c0e1 | powershell |
| 1972 | discovery | T1082 | System Information Discovery | 15 | WinPwn - itm4nprivesc | 3d256a2f-5e57-4003-8eb6-64d91b1da7ce | powershell |
| 1973 | discovery | T1082 | System Information Discovery | 16 | WinPwn - Powersploits privesc checks | 345cb8e4-d2de-4011-a580-619cf5a9e2d7 | powershell |
| 1974 | discovery | T1082 | System Information Discovery | 17 | WinPwn - General privesc checks | 5b6f39a2-6ec7-4783-a5fd-2c54a55409ed | powershell |
| 1975 | discovery | T1082 | System Information Discovery | 18 | WinPwn - GeneralRecon | 7804659b-fdbf-4cf6-b06a-c03e758590e8 | powershell |
| 1976 | discovery | T1082 | System Information Discovery | 19 | WinPwn - Morerecon | 3278b2f6-f733-4875-9ef4-bfed34244f0a | powershell |
| 1977 | discovery | T1082 | System Information Discovery | 20 | WinPwn - RBCD-Check | dec6a0d8-bcaf-4c22-9d48-2aee59fb692b | powershell |
| 1978 | discovery | T1082 | System Information Discovery | 21 | WinPwn - PowerSharpPack - Watson searching for missing windows patches | 07b18a66-6304-47d2-bad0-ef421eb2e107 | powershell |
| 1979 | discovery | T1082 | System Information Discovery | 22 | WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors | efb79454-1101-4224-a4d0-30c9c8b29ffc | powershell |
| 1980 | discovery | T1082 | System Information Discovery | 23 | WinPwn - PowerSharpPack - Seatbelt | 5c16ceb4-ba3a-43d7-b848-a13c1f216d95 | powershell |
| 1981 | discovery | T1082 | System Information Discovery | 24 | Azure Security Scan with SkyArk | 26a18d3d-f8bc-486b-9a33-d6df5d78a594 | powershell |
| 1982 | discovery | T1082 | System Information Discovery | 25 | Linux List Kernel Modules | 034fe21c-3186-49dd-8d5d-128b35f181c7 | sh |
| 1983 | discovery | T1082 | System Information Discovery | 26 | FreeBSD List Kernel Modules | 4947897f-643a-4b75-b3f5-bed6885749f6 | sh |
| 1984 | discovery | T1082 | System Information Discovery | 27 | System Information Discovery with WMIC | 8851b73a-3624-4bf7-8704-aa312411565c | command_prompt |
| 1985 | discovery | T1082 | System Information Discovery | 28 | System Information Discovery | 4060ee98-01ae-4c8e-8aad-af8300519cc7 | command_prompt |
| 1986 | discovery | T1082 | System Information Discovery | 29 | Check computer location | 96be6002-9200-47db-94cb-c3e27de1cb36 | command_prompt |
| 1987 | discovery | T1082 | System Information Discovery | 30 | BIOS Information Discovery through Registry | f2f91612-d904-49d7-87c2-6c165d23bead | command_prompt |
| 1988 | discovery | T1082 | System Information Discovery | 31 | ESXi - VM Discovery using ESXCLI | 2040405c-eea6-4c1c-aef3-c2acc430fac9 | command_prompt |
| 1989 | discovery | T1082 | System Information Discovery | 32 | ESXi - Darkside system information discovery | f89812e5-67d1-4f49-86fa-cbc6609ea86a | command_prompt |
| 1990 | discovery | T1082 | System Information Discovery | 33 | sysctl to gather macOS hardware info | c8d40da9-31bd-47da-a497-11ea55d1ef6c | sh |
| 1991 | discovery | T1082 | System Information Discovery | 34 | operating system discovery | 70e13ef4-5a74-47e4-9d16-760b41b0e2db | powershell |
| 1992 | discovery | T1082 | System Information Discovery | 35 | Check OS version via "ver" command | f6ecb109-df24-4303-8d85-1987dbae6160 | command_prompt |
| 1993 | discovery | T1082 | System Information Discovery | 36 | Display volume shadow copies with "vssadmin" | 7161b085-816a-491f-bab4-d68e974b7995 | command_prompt |
| 1994 | discovery | T1082 | System Information Discovery | 37 | Identify System Locale and Regional Settings with PowerShell | ce479c1a-e8fa-42b2-812a-96b0f2f4d28a | command_prompt |
| 1995 | discovery | T1082 | System Information Discovery | 38 | Enumerate Available Drives via gdr | c187c9bc-4511-40b3-aa10-487b2c70b6a5 | command_prompt |
| 1996 | discovery | T1082 | System Information Discovery | 39 | Discover OS Product Name via Registry | be3b5fe3-a575-4fb8-83f6-ad4a68dd5ce7 | command_prompt |
| 1997 | discovery | T1082 | System Information Discovery | 40 | Discover OS Build Number via Registry | acfcd709-0013-4f1e-b9ee-bc1e7bafaaec | command_prompt |
| 1998 | discovery | T1016.002 | System Network Configuration Discovery: Wi-Fi Discovery | 1 | Enumerate Stored Wi-Fi Profiles And Passwords via netsh | 53cf1903-0fa7-4177-ab14-f358ae809eec | command_prompt |
| 1999 | discovery | T1010 | Application Window Discovery | 1 | List Process Main Windows - C# .NET | fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4 | command_prompt |
| 2000 | discovery | T1497.003 | Time Based Evasion | 1 | Delay execution with ping | 8b87dd03-8204-478c-bac3-3959f6528de3 | sh |
| 2001 | discovery | T1580 | Cloud Infrastructure Discovery | 1 | AWS - EC2 Enumeration from Cloud Instance | 99ee161b-dcb1-4276-8ecb-7cfdcb207820 | sh |
| 2002 | discovery | T1580 | Cloud Infrastructure Discovery | 2 | AWS - EC2 Security Group Enumeration | 99b38f24-5acc-4aa3-85e5-b7f97a5d37ac | command_prompt |
| 2003 | discovery | T1217 | Browser Bookmark Discovery | 1 | List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux | 3a41f169-a5ab-407f-9269-abafdb5da6c2 | sh |
| 2004 | discovery | T1217 | Browser Bookmark Discovery | 2 | List Mozilla Firefox Bookmark Database Files on macOS | 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b | sh |
| 2005 | discovery | T1217 | Browser Bookmark Discovery | 3 | List Google Chrome Bookmark JSON Files on macOS | b789d341-154b-4a42-a071-9111588be9bc | sh |
| 2006 | discovery | T1217 | Browser Bookmark Discovery | 4 | List Google Chromium Bookmark JSON Files on FreeBSD | 88ca025b-3040-44eb-9168-bd8af22b82fa | sh |
| 2007 | discovery | T1217 | Browser Bookmark Discovery | 5 | List Google Chrome / Opera Bookmarks on Windows with powershell | faab755e-4299-48ec-8202-fc7885eb6545 | powershell |
| 2008 | discovery | T1217 | Browser Bookmark Discovery | 6 | List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt | 76f71e2f-480e-4bed-b61e-398fe17499d5 | command_prompt |
| 2009 | discovery | T1217 | Browser Bookmark Discovery | 7 | List Mozilla Firefox bookmarks on Windows with command prompt | 4312cdbc-79fc-4a9c-becc-53d49c734bc5 | command_prompt |
| 2010 | discovery | T1217 | Browser Bookmark Discovery | 8 | List Internet Explorer Bookmarks using the command prompt | 727dbcdb-e495-4ab1-a6c4-80c7f77aef85 | command_prompt |
| 2011 | discovery | T1217 | Browser Bookmark Discovery | 9 | List Safari Bookmarks on MacOS | 5fc528dd-79de-47f5-8188-25572b7fafe0 | sh |
| 2012 | discovery | T1217 | Browser Bookmark Discovery | 10 | Extract Edge Browsing History | 74094120-e1f5-47c9-b162-a418a0f624d5 | powershell |
| 2013 | discovery | T1217 | Browser Bookmark Discovery | 11 | Extract chrome Browsing History | cfe6315c-4945-40f7-b5a4-48f7af2262af | powershell |
| 2014 | discovery | T1016 | System Network Configuration Discovery | 1 | System Network Configuration Discovery on Windows | 970ab6a1-0157-4f3f-9a73-ec4166754b23 | command_prompt |
| 2015 | discovery | T1016 | System Network Configuration Discovery | 2 | List Windows Firewall Rules | 038263cb-00f4-4b0a-98ae-0696c67e1752 | command_prompt |
| 2016 | discovery | T1016 | System Network Configuration Discovery | 3 | System Network Configuration Discovery | c141bbdb-7fca-4254-9fd6-f47e79447e17 | sh |
| 2017 | discovery | T1016 | System Network Configuration Discovery | 4 | System Network Configuration Discovery (TrickBot Style) | dafaf052-5508-402d-bf77-51e0700c02e2 | command_prompt |
| 2018 | discovery | T1016 | System Network Configuration Discovery | 5 | List Open Egress Ports | 4b467538-f102-491d-ace7-ed487b853bf5 | powershell |
| 2019 | discovery | T1016 | System Network Configuration Discovery | 6 | Adfind - Enumerate Active Directory Subnet Objects | 9bb45dd7-c466-4f93-83a1-be30e56033ee | command_prompt |
| 2020 | discovery | T1016 | System Network Configuration Discovery | 7 | Qakbot Recon | 121de5c6-5818-4868-b8a7-8fd07c455c1b | command_prompt |
| 2021 | discovery | T1016 | System Network Configuration Discovery | 8 | List macOS Firewall Rules | ff1d8c25-2aa4-4f18-a425-fede4a41ee88 | bash |
| 2022 | discovery | T1016 | System Network Configuration Discovery | 9 | DNS Server Discovery Using nslookup | 34557863-344a-468f-808b-a1bfb89b4fa9 | command_prompt |
| 2023 | discovery | T1482 | Domain Trust Discovery | 1 | Windows - Discover domain trusts with dsquery | 4700a710-c821-4e17-a3ec-9e4c81d6845f | command_prompt |
| 2024 | discovery | T1482 | Domain Trust Discovery | 2 | Windows - Discover domain trusts with nltest | 2e22641d-0498-48d2-b9ff-c71e496ccdbe | command_prompt |
| 2025 | discovery | T1482 | Domain Trust Discovery | 3 | Powershell enumerate domains and forests | c58fbc62-8a62-489e-8f2d-3565d7d96f30 | powershell |
| 2026 | discovery | T1482 | Domain Trust Discovery | 4 | Adfind - Enumerate Active Directory OUs | d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec | command_prompt |
| 2027 | discovery | T1482 | Domain Trust Discovery | 5 | Adfind - Enumerate Active Directory Trusts | 15fe436d-e771-4ff3-b655-2dca9ba52834 | command_prompt |
| 2028 | discovery | T1482 | Domain Trust Discovery | 6 | Get-DomainTrust with PowerView | f974894c-5991-4b19-aaf5-7cc2fe298c5d | powershell |
| 2029 | discovery | T1482 | Domain Trust Discovery | 7 | Get-ForestTrust with PowerView | 58ed10e8-0738-4651-8408-3a3e9a526279 | powershell |
| 2030 | discovery | T1482 | Domain Trust Discovery | 8 | TruffleSnout - Listing AD Infrastructure | ea1b4f2d-5b82-4006-b64f-f2845608a3bf | command_prompt |
| 2031 | discovery | T1083 | File and Directory Discovery | 1 | File and Directory Discovery (cmd.exe) | 0e36303b-6762-4500-b003-127743b80ba6 | command_prompt |
| 2032 | discovery | T1083 | File and Directory Discovery | 2 | File and Directory Discovery (PowerShell) | 2158908e-b7ef-4c21-8a83-3ce4dd05a924 | powershell |
| 2033 | discovery | T1083 | File and Directory Discovery | 3 | Nix File and Directory Discovery | ffc8b249-372a-4b74-adcd-e4c0430842de | sh |
| 2034 | discovery | T1083 | File and Directory Discovery | 4 | Nix File and Directory Discovery 2 | 13c5e1ae-605b-46c4-a79f-db28c77ff24e | sh |
| 2035 | discovery | T1083 | File and Directory Discovery | 5 | Simulating MAZE Directory Enumeration | c6c34f61-1c3e-40fb-8a58-d017d88286d8 | powershell |
| 2036 | discovery | T1083 | File and Directory Discovery | 6 | Launch DirLister Executable | c5bec457-43c9-4a18-9a24-fe151d8971b7 | powershell |
| 2037 | discovery | T1083 | File and Directory Discovery | 7 | ESXi - Enumerate VMDKs available on an ESXi Host | 4a233a40-caf7-4cf1-890a-c6331bbc72cf | command_prompt |
| 2038 | discovery | T1083 | File and Directory Discovery | 8 | Identifying Network Shares - Linux | 361fe49d-0c19-46ec-a483-ccb92d38e88e | sh |
| 2039 | discovery | T1083 | File and Directory Discovery | 9 | Recursive Enumerate Files And Directories By Powershell | 95a21323-770d-434c-80cd-6f6fbf7af432 | powershell |
| 2040 | discovery | T1049 | System Network Connections Discovery | 1 | System Network Connections Discovery | 0940a971-809a-48f1-9c4d-b1d785e96ee5 | command_prompt |
| 2041 | discovery | T1049 | System Network Connections Discovery | 2 | System Network Connections Discovery with PowerShell | f069f0f1-baad-4831-aa2b-eddac4baac4a | powershell |
| 2042 | discovery | T1049 | System Network Connections Discovery | 3 | System Network Connections Discovery FreeBSD, Linux & MacOS | 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 | sh |
| 2043 | discovery | T1049 | System Network Connections Discovery | 4 | System Discovery using SharpView | 96f974bb-a0da-4d87-a744-ff33e73367e9 | powershell |
| 2044 | discovery | T1619 | Cloud Storage Object Discovery | 1 | AWS S3 Enumeration | 3c7094f8-71ec-4917-aeb8-a633d7ec4ef5 | sh |
| 2045 | discovery | T1619 | Cloud Storage Object Discovery | 2 | Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI | 070322a4-2c60-4c50-8ffb-c450a34fe7bf | powershell |
| 2046 | discovery | T1619 | Cloud Storage Object Discovery | 3 | Azure - Scan for Anonymous Access to Azure Storage (Powershell) | 146af1f1-b74e-4aa7-9895-505eb559b4b0 | powershell |
| 2047 | discovery | T1619 | Cloud Storage Object Discovery | 4 | Azure - Enumerate Azure Blobs with MicroBurst | 3dab4bcc-667f-4459-aea7-4162dd2d6590 | powershell |
| 2048 | discovery | T1654 | Log Enumeration | 1 | Get-EventLog To Enumerate Windows Security Log | a9030b20-dd4b-4405-875e-3462c6078fdc | powershell |
| 2049 | discovery | T1654 | Log Enumeration | 2 | Enumerate Windows Security Log via WevtUtil | fef0ace1-3550-4bf1-a075-9fea55a778dd | command_prompt |
| 2050 | discovery | T1057 | Process Discovery | 1 | Process Discovery - ps | 4ff64f0b-aaf2-4866-b39d-38d9791407cc | sh |
| 2051 | discovery | T1057 | Process Discovery | 2 | Process Discovery - tasklist | c5806a4f-62b8-4900-980b-c7ec004e9908 | command_prompt |
| 2052 | discovery | T1057 | Process Discovery | 3 | Process Discovery - Get-Process | 3b3809b6-a54b-4f5b-8aff-cb51f2e97b34 | powershell |
| 2053 | discovery | T1057 | Process Discovery | 4 | Process Discovery - get-wmiObject | b51239b4-0129-474f-a2b4-70f855b9f2c2 | powershell |
| 2054 | discovery | T1057 | Process Discovery | 5 | Process Discovery - wmic process | 640cbf6d-659b-498b-ba53-f6dd1a1cc02c | command_prompt |
| 2055 | discovery | T1057 | Process Discovery | 6 | Discover Specific Process - tasklist | 11ba69ee-902e-4a0f-b3b6-418aed7d7ddb | command_prompt |
| 2056 | discovery | T1057 | Process Discovery | 7 | Process Discovery - Process Hacker | 966f4c16-1925-4d9b-8ce0-01334ee0867d | powershell |
| 2057 | discovery | T1057 | Process Discovery | 8 | Process Discovery - PC Hunter | b4ca838d-d013-4461-bf2c-f7132617b409 | powershell |
| 2058 | discovery | T1057 | Process Discovery | 9 | Launch Taskmgr from cmd to View running processes | 4fd35378-39aa-481e-b7c4-e3bf49375c67 | command_prompt |
| 2059 | discovery | T1069.001 | Permission Groups Discovery: Local Groups | 1 | Permission Groups Discovery (Local) | 952931a4-af0b-4335-bbbe-73c8c5b327ae | sh |
| 2060 | discovery | T1069.001 | Permission Groups Discovery: Local Groups | 2 | Basic Permission Groups Discovery Windows (Local) | 1f454dd6-e134-44df-bebb-67de70fb6cd8 | command_prompt |
| 2061 | discovery | T1069.001 | Permission Groups Discovery: Local Groups | 3 | Permission Groups Discovery PowerShell (Local) | a580462d-2c19-4bc7-8b9a-57a41b7d3ba4 | powershell |
| 2062 | discovery | T1069.001 | Permission Groups Discovery: Local Groups | 4 | SharpHound3 - LocalAdmin | e03ada14-0980-4107-aff1-7783b2b59bb1 | powershell |
| 2063 | discovery | T1069.001 | Permission Groups Discovery: Local Groups | 5 | Wmic Group Discovery | 7413be50-be8e-430f-ad4d-07bf197884b2 | command_prompt |
| 2064 | discovery | T1069.001 | Permission Groups Discovery: Local Groups | 6 | WMIObject Group Discovery | 69119e58-96db-4110-ad27-954e48f3bb13 | powershell |
| 2065 | discovery | T1069.001 | Permission Groups Discovery: Local Groups | 7 | Permission Groups Discovery for Containers- Local Groups | 007d7aa4-8c4d-4f55-ba6a-7c965d51219c | sh |
| 2066 | discovery | T1201 | Password Policy Discovery | 1 | Examine password complexity policy - Ubuntu | 085fe567-ac84-47c7-ac4c-2688ce28265b | bash |
| 2067 | discovery | T1201 | Password Policy Discovery | 2 | Examine password complexity policy - FreeBSD | a7893624-a3d7-4aed-9676-80498f31820f | sh |
| 2068 | discovery | T1201 | Password Policy Discovery | 3 | Examine password complexity policy - CentOS/RHEL 7.x | 78a12e65-efff-4617-bc01-88f17d71315d | bash |
| 2069 | discovery | T1201 | Password Policy Discovery | 4 | Examine password complexity policy - CentOS/RHEL 6.x | 6ce12552-0adb-4f56-89ff-95ce268f6358 | bash |
| 2070 | discovery | T1201 | Password Policy Discovery | 5 | Examine password expiration policy - All Linux | 7c86c55c-70fa-4a05-83c9-3aa19b145d1a | bash |
| 2071 | discovery | T1201 | Password Policy Discovery | 6 | Examine local password policy - Windows | 4588d243-f24e-4549-b2e3-e627acc089f6 | command_prompt |
| 2072 | discovery | T1201 | Password Policy Discovery | 7 | Examine domain password policy - Windows | 46c2c362-2679-4ef5-aec9-0e958e135be4 | command_prompt |
| 2073 | discovery | T1201 | Password Policy Discovery | 8 | Examine password policy - macOS | 4b7fa042-9482-45e1-b348-4b756b2a0742 | bash |
| 2074 | discovery | T1201 | Password Policy Discovery | 9 | Get-DomainPolicy with PowerView | 3177f4da-3d4b-4592-8bdc-aa23d0b2e843 | powershell |
| 2075 | discovery | T1201 | Password Policy Discovery | 10 | Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy | b2698b33-984c-4a1c-93bb-e4ba72a0babb | powershell |
| 2076 | discovery | T1201 | Password Policy Discovery | 11 | Use of SecEdit.exe to export the local security policy (including the password policy) | 510cc97f-56ac-4cd3-a198-d3218c23d889 | command_prompt |
| 2077 | discovery | T1201 | Password Policy Discovery | 12 | Examine AWS Password Policy | 15330820-d405-450b-bd08-16b5be5be9f4 | sh |
| 2078 | discovery | T1614.001 | System Location Discovery: System Language Discovery | 1 | Discover System Language by Registry Query | 631d4cf1-42c9-4209-8fe9-6bd4de9421be | command_prompt |
| 2079 | discovery | T1614.001 | System Location Discovery: System Language Discovery | 2 | Discover System Language with chcp | d91473ca-944e-477a-b484-0e80217cd789 | command_prompt |
| 2080 | discovery | T1614.001 | System Location Discovery: System Language Discovery | 3 | Discover System Language with locale | 837d609b-845e-4519-90ce-edc3b4b0e138 | sh |
| 2081 | discovery | T1614.001 | System Location Discovery: System Language Discovery | 4 | Discover System Language with localectl | 07ce871a-b3c3-44a3-97fa-a20118fdc7c9 | sh |
| 2082 | discovery | T1614.001 | System Location Discovery: System Language Discovery | 5 | Discover System Language by locale file | 5d7057c9-2c8a-4026-91dd-13b5584daa69 | sh |
| 2083 | discovery | T1614.001 | System Location Discovery: System Language Discovery | 6 | Discover System Language by Environment Variable Query | cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a | sh |
| 2084 | discovery | T1614.001 | System Location Discovery: System Language Discovery | 7 | Discover System Language with dism.exe | 69f625ba-938f-4900-bdff-82ada3df5d9c | command_prompt |
| 2085 | discovery | T1614.001 | System Location Discovery: System Language Discovery | 8 | Discover System Language by Windows API Query | e39b99e9-ce7f-4b24-9c88-0fbad069e6c6 | command_prompt |
| 2086 | discovery | T1614.001 | System Location Discovery: System Language Discovery | 9 | Discover System Language with WMIC | 4758003d-db14-4959-9c0f-9e87558ac69e | command_prompt |
| 2087 | discovery | T1614.001 | System Location Discovery: System Language Discovery | 10 | Discover System Language with Powershell | 1f23bfe8-36d4-49ce-903a-19a1e8c6631b | powershell |
| 2088 | discovery | T1012 | Query Registry | 1 | Query Registry | 8f7578c4-9863-4d83-875c-a565573bbdf0 | command_prompt |
| 2089 | discovery | T1012 | Query Registry | 2 | Query Registry with Powershell cmdlets | 0434d081-bb32-42ce-bcbb-3548e4f2628f | powershell |
| 2090 | discovery | T1012 | Query Registry | 3 | Enumerate COM Objects in Registry with Powershell | 0d80d088-a84c-4353-af1a-fc8b439f1564 | powershell |
| 2091 | discovery | T1012 | Query Registry | 4 | Reg query for AlwaysInstallElevated status | 6fb4c4c5-f949-4fd2-8af5-ddbc61595223 | command_prompt |
| 2092 | discovery | T1012 | Query Registry | 5 | Check Software Inventory Logging (SIL) status via Registry | 5c784969-1d43-4ac7-8c3d-ed6d025ed10d | command_prompt |
| 2093 | discovery | T1012 | Query Registry | 6 | Inspect SystemStartOptions Value in Registry | 96257079-cdc1-4aba-8705-3146e94b6dce | command_prompt |
| 2094 | discovery | T1614 | System Location Discovery | 1 | Get geolocation info through IP-Lookup services using curl Windows | fe53e878-10a3-477b-963e-4367348f5af5 | command_prompt |
| 2095 | discovery | T1614 | System Location Discovery | 2 | Get geolocation info through IP-Lookup services using curl freebsd, linux or macos | 552b4db3-8850-412c-abce-ab5cc8a86604 | bash |
| 2096 | discovery | T1518.001 | Software Discovery: Security Software Discovery | 1 | Security Software Discovery | f92a380f-ced9-491f-b338-95a991418ce2 | command_prompt |
| 2097 | discovery | T1518.001 | Software Discovery: Security Software Discovery | 2 | Security Software Discovery - powershell | 7f566051-f033-49fb-89de-b6bacab730f0 | powershell |
| 2098 | discovery | T1518.001 | Software Discovery: Security Software Discovery | 3 | Security Software Discovery - ps (macOS) | ba62ce11-e820-485f-9c17-6f3c857cd840 | sh |
| 2099 | discovery | T1518.001 | Software Discovery: Security Software Discovery | 4 | Security Software Discovery - ps (Linux) | 23b91cd2-c99c-4002-9e41-317c63e024a2 | sh |
| 2100 | discovery | T1518.001 | Software Discovery: Security Software Discovery | 5 | Security Software Discovery - pgrep (FreeBSD) | fa96c21c-5fd6-4428-aa28-51a2fbecdbdc | sh |
| 2101 | discovery | T1518.001 | Software Discovery: Security Software Discovery | 6 | Security Software Discovery - Sysmon Service | fe613cf3-8009-4446-9a0f-bc78a15b66c9 | command_prompt |
| 2102 | discovery | T1518.001 | Software Discovery: Security Software Discovery | 7 | Security Software Discovery - AV Discovery via WMI | 1553252f-14ea-4d3b-8a08-d7a4211aa945 | command_prompt |
| 2103 | discovery | T1518.001 | Software Discovery: Security Software Discovery | 8 | Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets | 015cd268-996e-4c32-8347-94c80c6286ee | command_prompt |
| 2104 | discovery | T1518.001 | Software Discovery: Security Software Discovery | 9 | Security Software Discovery - Windows Defender Enumeration | d3415a0e-66ef-429b-acf4-a768876954f6 | powershell |
| 2105 | discovery | T1518.001 | Software Discovery: Security Software Discovery | 10 | Security Software Discovery - Windows Firewall Enumeration | 9dca5a1d-f78c-4a8d-accb-d6de67cfed6b | powershell |
| 2106 | discovery | T1518.001 | Software Discovery: Security Software Discovery | 11 | Get Windows Defender exclusion settings using WMIC | e31564c8-4c60-40cd-a8f4-9261307e8336 | command_prompt |
| 2107 | discovery | T1526 | Cloud Service Discovery | 1 | Azure - Dump Subscription Data with MicroBurst | 1e40bb1d-195e-401e-a86b-c192f55e005c | powershell |
| 2108 | discovery | T1526 | Cloud Service Discovery | 2 | AWS - Enumerate common cloud services | aa8b9bcc-46fa-4a59-9237-73c7b93a980c | powershell |
| 2109 | discovery | T1526 | Cloud Service Discovery | 3 | Azure - Enumerate common cloud services | 58f57c8f-db14-4e62-a4d3-5aaf556755d7 | powershell |
| 2110 | discovery | T1018 | Remote System Discovery | 1 | Remote System Discovery - net | 85321a9c-897f-4a60-9f20-29788e50bccd | command_prompt |
| 2111 | discovery | T1018 | Remote System Discovery | 2 | Remote System Discovery - net group Domain Computers | f1bf6c8f-9016-4edf-aff9-80b65f5d711f | command_prompt |
| 2112 | discovery | T1018 | Remote System Discovery | 3 | Remote System Discovery - nltest | 52ab5108-3f6f-42fb-8ba3-73bc054f22c8 | command_prompt |
| 2113 | discovery | T1018 | Remote System Discovery | 4 | Remote System Discovery - ping sweep | 6db1f57f-d1d5-4223-8a66-55c9c65a9592 | command_prompt |
| 2114 | discovery | T1018 | Remote System Discovery | 5 | Remote System Discovery - arp | 2d5a61f5-0447-4be4-944a-1f8530ed6574 | command_prompt |
| 2115 | discovery | T1018 | Remote System Discovery | 6 | Remote System Discovery - arp nix | acb6b1ff-e2ad-4d64-806c-6c35fe73b951 | sh |
| 2116 | discovery | T1018 | Remote System Discovery | 7 | Remote System Discovery - sweep | 96db2632-8417-4dbb-b8bb-a8b92ba391de | sh |
| 2117 | discovery | T1018 | Remote System Discovery | 8 | Remote System Discovery - nslookup | baa01aaa-5e13-45ec-8a0d-e46c93c9760f | powershell |
| 2118 | discovery | T1018 | Remote System Discovery | 9 | Remote System Discovery - adidnsdump | 95e19466-469e-4316-86d2-1dc401b5a959 | command_prompt |
| 2119 | discovery | T1018 | Remote System Discovery | 10 | Adfind - Enumerate Active Directory Computer Objects | a889f5be-2d54-4050-bd05-884578748bb4 | command_prompt |
| 2120 | discovery | T1018 | Remote System Discovery | 11 | Adfind - Enumerate Active Directory Domain Controller Objects | 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e | command_prompt |
| 2121 | discovery | T1018 | Remote System Discovery | 12 | Remote System Discovery - ip neighbour | 158bd4dd-6359-40ab-b13c-285b9ef6fa25 | sh |
| 2122 | discovery | T1018 | Remote System Discovery | 13 | Remote System Discovery - ip route | 1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1 | sh |
| 2123 | discovery | T1018 | Remote System Discovery | 14 | Remote System Discovery - netstat | d2791d72-b67f-4615-814f-ec824a91f514 | sh |
| 2124 | discovery | T1018 | Remote System Discovery | 15 | Remote System Discovery - ip tcp_metrics | 6c2da894-0b57-43cb-87af-46ea3b501388 | sh |
| 2125 | discovery | T1018 | Remote System Discovery | 16 | Enumerate domain computers within Active Directory using DirectorySearcher | 962a6017-1c09-45a6-880b-adc9c57cb22e | powershell |
| 2126 | discovery | T1018 | Remote System Discovery | 17 | Enumerate Active Directory Computers with Get-AdComputer | 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf | powershell |
| 2127 | discovery | T1018 | Remote System Discovery | 18 | Enumerate Active Directory Computers with ADSISearcher | 64ede6ac-b57a-41c2-a7d1-32c6cd35397d | powershell |
| 2128 | discovery | T1018 | Remote System Discovery | 19 | Get-DomainController with PowerView | b9d2e8ca-5520-4737-8076-4f08913da2c4 | powershell |
| 2129 | discovery | T1018 | Remote System Discovery | 20 | Get-WmiObject to Enumerate Domain Controllers | e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad | powershell |
| 2130 | discovery | T1018 | Remote System Discovery | 21 | Remote System Discovery - net group Domain Controller | 5843529a-5056-4bc1-9c13-a311e2af4ca0 | command_prompt |
| 2131 | discovery | T1018 | Remote System Discovery | 22 | Enumerate Remote Hosts with Netscan | b8147c9a-84db-4ec1-8eee-4e0da75f0de5 | powershell |
| 2132 | discovery | T1046 | Network Service Discovery | 1 | Port Scan | 68e907da-2539-48f6-9fc9-257a78c05540 | bash |
| 2133 | discovery | T1046 | Network Service Discovery | 2 | Port Scan Nmap | 515942b0-a09f-4163-a7bb-22fefb6f185f | sh |
| 2134 | discovery | T1046 | Network Service Discovery | 3 | Port Scan NMap for Windows | d696a3cb-d7a8-4976-8eb5-5af4abf2e3df | powershell |
| 2135 | discovery | T1046 | Network Service Discovery | 4 | Port Scan using python | 6ca45b04-9f15-4424-b9d3-84a217285a5c | powershell |
| 2136 | discovery | T1046 | Network Service Discovery | 5 | WinPwn - spoolvulnscan | 54574908-f1de-4356-9021-8053dd57439a | powershell |
| 2137 | discovery | T1046 | Network Service Discovery | 6 | WinPwn - MS17-10 | 97585b04-5be2-40e9-8c31-82157b8af2d6 | powershell |
| 2138 | discovery | T1046 | Network Service Discovery | 7 | WinPwn - bluekeep | 1cca5640-32a9-46e6-b8e0-fabbe2384a73 | powershell |
| 2139 | discovery | T1046 | Network Service Discovery | 8 | WinPwn - fruit | bb037826-cbe8-4a41-93ea-b94059d6bb98 | powershell |
| 2140 | discovery | T1046 | Network Service Discovery | 9 | Network Service Discovery for Containers | 06eaafdb-8982-426e-8a31-d572da633caa | sh |
| 2141 | discovery | T1046 | Network Service Discovery | 10 | Port-Scanning /24 Subnet with PowerShell | 05df2a79-dba6-4088-a804-9ca0802ca8e4 | powershell |
| 2142 | discovery | T1046 | Network Service Discovery | 11 | Remote Desktop Services Discovery via PowerShell | 9e55750e-4cbf-4013-9627-e9a045b541bf | powershell |
| 2143 | discovery | T1046 | Network Service Discovery | 12 | Port Scan using nmap (Port range) | 0d5a2b03-3a26-45e4-96ae-89485b4d1f97 | sh |
| 2144 | discovery | T1518 | Software Discovery | 1 | Find and Display Internet Explorer Browser Version | 68981660-6670-47ee-a5fa-7e74806420a4 | command_prompt |
| 2145 | discovery | T1518 | Software Discovery | 2 | Applications Installed | c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b | powershell |
| 2146 | discovery | T1518 | Software Discovery | 3 | Find and Display Safari Browser Version | 103d6533-fd2a-4d08-976a-4a598565280f | sh |
| 2147 | discovery | T1518 | Software Discovery | 4 | WinPwn - Dotnetsearch | 7e79a1b6-519e-433c-ad55-3ff293667101 | powershell |
| 2148 | discovery | T1518 | Software Discovery | 5 | WinPwn - DotNet | 10ba02d0-ab76-4f80-940d-451633f24c5b | powershell |
| 2149 | discovery | T1518 | Software Discovery | 6 | WinPwn - powerSQL | 0bb64470-582a-4155-bde2-d6003a95ed34 | powershell |
| 2150 | discovery | T1622 | Debugger Evasion | 1 | Detect a Debugger Presence in the Machine | 58bd8c8d-3a1a-4467-a69c-439c75469b07 | powershell |
| 2151 | discovery | T1124 | System Time Discovery | 1 | System Time Discovery | 20aba24b-e61f-4b26-b4ce-4784f763ca20 | command_prompt |
| 2152 | discovery | T1124 | System Time Discovery | 2 | System Time Discovery - PowerShell | 1d5711d6-655c-4a47-ae9c-6503c74fa877 | powershell |
| 2153 | discovery | T1124 | System Time Discovery | 3 | System Time Discovery in FreeBSD/macOS | f449c933-0891-407f-821e-7916a21a1a6f | sh |
| 2154 | discovery | T1124 | System Time Discovery | 4 | System Time Discovery W32tm as a Delay | d5d5a6b0-0f92-42d8-985d-47aafa2dd4db | command_prompt |
| 2155 | discovery | T1124 | System Time Discovery | 5 | System Time with Windows time Command | 53ead5db-7098-4111-bb3f-563be390e72e | command_prompt |
| 2156 | discovery | T1124 | System Time Discovery | 6 | Discover System Time Zone via Registry | 25c5d1f1-a24b-494a-a6c5-5f50a1ae7f47 | command_prompt |
| 2157 | reconnaissance | T1592.001 | Gather Victim Host Information: Hardware | 1 | Enumerate PlugNPlay Camera | d430bf85-b656-40e7-b238-42db01df0183 | powershell |
| 2158 | reconnaissance | T1595.003 | Active Scanning: Wordlist Scanning | 1 | Web Server Wordlist Scan | 89a83c3e-0b39-4c80-99f5-c2aa084098bd | powershell |
| 2159 | impact | T1489 | Service Stop | 1 | Windows - Stop service using Service Controller | 21dfb440-830d-4c86-a3e5-2a491d5a8d04 | command_prompt |
| 2160 | impact | T1489 | Service Stop | 2 | Windows - Stop service using net.exe | 41274289-ec9c-4213-bea4-e43c4aa57954 | command_prompt |
| 2161 | impact | T1489 | Service Stop | 3 | Windows - Stop service by killing process | f3191b84-c38b-400b-867e-3a217a27795f | command_prompt |
| 2162 | impact | T1489 | Service Stop | 4 | Linux - Stop service using systemctl | 42e3a5bd-1e45-427f-aa08-2a65fa29a820 | sh |
| 2163 | impact | T1489 | Service Stop | 5 | Linux - Stop service by killing process using killall | e5d95be6-02ee-4ff1-aebe-cf86013b6189 | sh |
| 2164 | impact | T1489 | Service Stop | 6 | Linux - Stop service by killing process using kill | 332f4c76-7e96-41a6-8cc2-7361c49db8be | sh |
| 2165 | impact | T1489 | Service Stop | 7 | Linux - Stop service by killing process using pkill | 08b4718f-a8bf-4bb5-a552-294fc5178fea | sh |
| 2166 | impact | T1489 | Service Stop | 8 | Abuse of linux magic system request key for Send a SIGTERM to all processes | 6e76f56f-2373-4a6c-a63f-98b7b72761f1 | bash |
| 2167 | impact | T1491.001 | Defacement: Internal Defacement | 1 | Replace Desktop Wallpaper | 30558d53-9d76-41c4-9267-a7bd5184bed3 | powershell |
| 2168 | impact | T1491.001 | Defacement: Internal Defacement | 2 | Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message | ffcbfaab-c9ff-470b-928c-f086b326089b | powershell |
| 2169 | impact | T1491.001 | Defacement: Internal Defacement | 3 | ESXi - Change Welcome Message on Direct Console User Interface (DCUI) | 30905f21-34f3-4504-8b4c-f7a5e314b810 | command_prompt |
| 2170 | impact | T1491.001 | Defacement: Internal Defacement | 4 | Windows - Display a simulated ransom note via Notepad (non-destructive) | 0eeb68ce-e64c-4420-8d53-ad5bdc6f86d5 | powershell |
| 2171 | impact | T1531 | Account Access Removal | 1 | Change User Password - Windows | 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2 | command_prompt |
| 2172 | impact | T1531 | Account Access Removal | 2 | Delete User - Windows | f21a1d7d-a62f-442a-8c3a-2440d43b19e5 | command_prompt |
| 2173 | impact | T1531 | Account Access Removal | 3 | Remove Account From Domain Admin Group | 43f71395-6c37-498e-ab17-897d814a0947 | powershell |
| 2174 | impact | T1531 | Account Access Removal | 4 | Change User Password via passwd | 3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6 | sh |
| 2175 | impact | T1531 | Account Access Removal | 5 | Delete User via dscl utility | 4d938c43-2fe8-4d70-a5b3-5bf239aa7846 | sh |
| 2176 | impact | T1531 | Account Access Removal | 6 | Delete User via sysadminctl utility | d3812c4e-30ee-466a-a0aa-07e355b561d6 | sh |
| 2177 | impact | T1531 | Account Access Removal | 7 | Azure AD - Delete user via Azure AD PowerShell | 4f577511-dc1c-4045-bcb8-75d2457f01f4 | powershell |
| 2178 | impact | T1531 | Account Access Removal | 8 | Azure AD - Delete user via Azure CLI | c955c1c7-3145-4a22-af2d-63eea0d967f0 | powershell |
| 2179 | impact | T1486 | Data Encrypted for Impact | 1 | Encrypt files using gpg (FreeBSD/Linux) | 7b8ce084-3922-4618-8d22-95f996173765 | sh |
| 2180 | impact | T1486 | Data Encrypted for Impact | 2 | Encrypt files using 7z (FreeBSD/Linux) | 53e6735a-4727-44cc-b35b-237682a151ad | sh |
| 2181 | impact | T1486 | Data Encrypted for Impact | 3 | Encrypt files using ccrypt (FreeBSD/Linux) | 08cbf59f-85da-4369-a5f4-049cffd7709f | sh |
| 2182 | impact | T1486 | Data Encrypted for Impact | 4 | Encrypt files using openssl (FreeBSD/Linux) | 142752dc-ca71-443b-9359-cf6f497315f1 | sh |
| 2183 | impact | T1486 | Data Encrypted for Impact | 5 | PureLocker Ransom Note | 649349c7-9abf-493b-a7a2-b1aa4d141528 | command_prompt |
| 2184 | impact | T1486 | Data Encrypted for Impact | 6 | Encrypt files using 7z utility - macOS | 645f0f5a-ef09-48d8-b9bc-f0e24c642d72 | sh |
| 2185 | impact | T1486 | Data Encrypted for Impact | 7 | Encrypt files using openssl utility - macOS | 1a01f6b8-b1e8-418e-bbe3-78a6f822759e | sh |
| 2186 | impact | T1486 | Data Encrypted for Impact | 8 | Data Encrypted with GPG4Win | 4541e2c2-33c8-44b1-be79-9161440f1718 | powershell |
| 2187 | impact | T1486 | Data Encrypted for Impact | 9 | Data Encrypt Using DiskCryptor | 44b68e11-9da2-4d45-a0d9-893dabd60f30 | command_prompt |
| 2188 | impact | T1486 | Data Encrypted for Impact | 10 | Akira Ransomware drop Files with .akira Extension and Ransomnote | ab3f793f-2dcc-4da5-9c71-34988307263f | powershell |
| 2189 | impact | T1496 | Resource Hijacking | 1 | FreeBSD/macOS/Linux - Simulate CPU Load with Yes | 904a5a0e-fb02-490d-9f8d-0e256eb37549 | sh |
| 2190 | impact | T1485 | Data Destruction | 1 | Windows - Overwrite file with SysInternals SDelete | 476419b5-aebf-4366-a131-ae3e8dae5fc2 | powershell |
| 2191 | impact | T1485 | Data Destruction | 2 | FreeBSD/macOS/Linux - Overwrite file with DD | 38deee99-fd65-4031-bec8-bfa4f9f26146 | sh |
| 2192 | impact | T1485 | Data Destruction | 3 | Overwrite deleted data on C drive | 321fd25e-0007-417f-adec-33232252be19 | command_prompt |
| 2193 | impact | T1485 | Data Destruction | 4 | GCP - Delete Bucket | 4ac71389-40f4-448a-b73f-754346b3f928 | sh |
| 2194 | impact | T1485 | Data Destruction | 5 | ESXi - Delete VM Snapshots | 1207ddff-f25b-41b3-aa0e-7c26d2b546d1 | command_prompt |
| 2195 | impact | T1490 | Inhibit System Recovery | 1 | Windows - Delete Volume Shadow Copies | 43819286-91a9-4369-90ed-d31fb4da2c01 | command_prompt |
| 2196 | impact | T1490 | Inhibit System Recovery | 2 | Windows - Delete Volume Shadow Copies via WMI | 6a3ff8dd-f49c-4272-a658-11c2fe58bd88 | command_prompt |
| 2197 | impact | T1490 | Inhibit System Recovery | 3 | Windows - wbadmin Delete Windows Backup Catalog | 263ba6cb-ea2b-41c9-9d4e-b652dadd002c | command_prompt |
| 2198 | impact | T1490 | Inhibit System Recovery | 4 | Windows - Disable Windows Recovery Console Repair | cf21060a-80b3-4238-a595-22525de4ab81 | command_prompt |
| 2199 | impact | T1490 | Inhibit System Recovery | 5 | Windows - Delete Volume Shadow Copies via WMI with PowerShell | 39a295ca-7059-4a88-86f6-09556c1211e7 | powershell |
| 2200 | impact | T1490 | Inhibit System Recovery | 6 | Windows - Delete Backup Files | 6b1dbaf6-cc8a-4ea6-891f-6058569653bf | command_prompt |
| 2201 | impact | T1490 | Inhibit System Recovery | 7 | Windows - wbadmin Delete systemstatebackup | 584331dd-75bc-4c02-9e0b-17f5fd81c748 | command_prompt |
| 2202 | impact | T1490 | Inhibit System Recovery | 8 | Windows - Disable the SR scheduled task | 1c68c68d-83a4-4981-974e-8993055fa034 | command_prompt |
| 2203 | impact | T1490 | Inhibit System Recovery | 9 | Disable System Restore Through Registry | 66e647d1-8741-4e43-b7c1-334760c2047f | command_prompt |
| 2204 | impact | T1490 | Inhibit System Recovery | 10 | Windows - vssadmin Resize Shadowstorage Volume | da558b07-69ae-41b9-b9d4-4d98154a7049 | powershell |
| 2205 | impact | T1490 | Inhibit System Recovery | 11 | Modify VSS Service Permissions | a4420f93-5386-4290-b780-f4f66abc7070 | command_prompt |
| 2206 | impact | T1490 | Inhibit System Recovery | 12 | Disable Time Machine | ed952f70-91d4-445a-b7ff-30966bfb1aff | sh |
| 2207 | impact | T1529 | System Shutdown/Reboot | 1 | Shutdown System - Windows | ad254fa8-45c0-403b-8c77-e00b3d3e7a64 | command_prompt |
| 2208 | impact | T1529 | System Shutdown/Reboot | 2 | Restart System - Windows | f4648f0d-bf78-483c-bafc-3ec99cd1c302 | command_prompt |
| 2209 | impact | T1529 | System Shutdown/Reboot | 3 | Restart System via `shutdown` - FreeBSD/macOS/Linux | 6326dbc4-444b-4c04-88f4-27e94d0327cb | sh |
| 2210 | impact | T1529 | System Shutdown/Reboot | 4 | Shutdown System via `shutdown` - FreeBSD/macOS/Linux | 4963a81e-a3ad-4f02-adda-812343b351de | sh |
| 2211 | impact | T1529 | System Shutdown/Reboot | 5 | Restart System via `reboot` - FreeBSD/macOS/Linux | 47d0b042-a918-40ab-8cf9-150ffe919027 | sh |
| 2212 | impact | T1529 | System Shutdown/Reboot | 6 | Shutdown System via `halt` - FreeBSD/Linux | 918f70ab-e1ef-49ff-bc57-b27021df84dd | sh |
| 2213 | impact | T1529 | System Shutdown/Reboot | 7 | Reboot System via `halt` - FreeBSD | 7b1cee42-320f-4890-b056-d65c8b884ba5 | sh |
| 2214 | impact | T1529 | System Shutdown/Reboot | 8 | Reboot System via `halt` - Linux | 78f92e14-f1e9-4446-b3e9-f1b921f2459e | bash |
| 2215 | impact | T1529 | System Shutdown/Reboot | 9 | Shutdown System via `poweroff` - FreeBSD/Linux | 73a90cd2-48a2-4ac5-8594-2af35fa909fa | sh |
| 2216 | impact | T1529 | System Shutdown/Reboot | 10 | Reboot System via `poweroff` - FreeBSD | 5a282e50-86ff-438d-8cef-8ae01c9e62e1 | sh |
| 2217 | impact | T1529 | System Shutdown/Reboot | 11 | Reboot System via `poweroff` - Linux | 61303105-ff60-427b-999e-efb90b314e41 | bash |
| 2218 | impact | T1529 | System Shutdown/Reboot | 12 | Logoff System - Windows | 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4 | command_prompt |
| 2219 | impact | T1529 | System Shutdown/Reboot | 13 | ESXi - Terminates VMs using pkill | 987c9b4d-a637-42db-b1cb-e9e242c3991b | command_prompt |
| 2220 | impact | T1529 | System Shutdown/Reboot | 14 | ESXi - Avoslocker enumerates VMs and forcefully kills VMs | 189f7d6e-9442-4160-9bc3-5e4104d93ece | command_prompt |
| 2221 | impact | T1529 | System Shutdown/Reboot | 15 | ESXi - vim-cmd Used to Power Off VMs | 622cc1a0-45e7-428c-aed7-c96dd605fbe6 | command_prompt |
| 2222 | impact | T1529 | System Shutdown/Reboot | 16 | Abuse of Linux Magic System Request Key for Reboot | d2a1f4bc-a064-4223-8281-a086dce5423c | bash |
| 2223 | initial-access | T1133 | External Remote Services | 1 | Running Chrome VPN Extensions via the Registry 2 vpn extension | 4c8db261-a58b-42a6-a866-0a294deedde4 | powershell |
| 2224 | initial-access | T1566.002 | Phishing: Spearphishing Link | 1 | Paste and run technique | bc177ef9-6a12-4ebc-a2ec-d41e19c2791d | powershell |
| 2225 | initial-access | T1566.001 | Phishing: Spearphishing Attachment | 1 | Download Macro-Enabled Phishing Attachment | 114ccff9-ae6d-4547-9ead-4cd69f687306 | powershell |
| 2226 | initial-access | T1566.001 | Phishing: Spearphishing Attachment | 2 | Word spawned a command shell and used an IP address in the command line | cbb6799a-425c-4f83-9194-5447a909d67f | powershell |
| 2227 | initial-access | T1091 | Replication Through Removable Media | 1 | USB Malware Spread Simulation | d44b7297-622c-4be8-ad88-ec40d7563c75 | powershell |
| 2228 | initial-access | T1195 | Supply Chain Compromise | 1 | Octopus Scanner Malware Open Source Supply Chain | 82a9f001-94c5-495e-9ed5-f530dbded5e2 | command_prompt |
| 2229 | initial-access | T1078.001 | Valid Accounts: Default Accounts | 1 | Enable Guest account with RDP capability and admin privileges | 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 | command_prompt |
| 2230 | initial-access | T1078.001 | Valid Accounts: Default Accounts | 2 | Activate Guest Account | aa6cb8c4-b582-4f8e-b677-37733914abda | command_prompt |
| 2231 | initial-access | T1078.001 | Valid Accounts: Default Accounts | 3 | Enable Guest Account on macOS | 0315bdff-4178-47e9-81e4-f31a6d23f7e4 | sh |
| 2232 | initial-access | T1195.002 | Compromise Software Supply Chain | 1 | Simulate npm package installation on a Linux system | a9604672-cd46-493b-b58f-fd4124c22dd3 | bash |
| 2233 | initial-access | T1078.004 | Valid Accounts: Cloud Accounts | 1 | Creating GCP Service Account and Service Account Key | 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e | sh |
| 2234 | initial-access | T1078.004 | Valid Accounts: Cloud Accounts | 2 | Azure Persistence Automation Runbook Created or Modified | 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac | powershell |
| 2235 | initial-access | T1078.004 | Valid Accounts: Cloud Accounts | 3 | GCP - Create Custom IAM Role | 3a159042-69e6-4398-9a69-3308a4841c85 | sh |
| 2236 | initial-access | T1078.003 | Valid Accounts: Local Accounts | 1 | Create local account with admin privileges | a524ce99-86de-4db6-b4f9-e08f35a47a15 | command_prompt |
| 2237 | initial-access | T1078.003 | Valid Accounts: Local Accounts | 2 | Create local account with admin privileges - MacOS | f1275566-1c26-4b66-83e3-7f9f7f964daa | bash |
| 2238 | initial-access | T1078.003 | Valid Accounts: Local Accounts | 3 | Create local account with admin privileges using sysadminctl utility - MacOS | 191db57d-091a-47d5-99f3-97fde53de505 | bash |
| 2239 | initial-access | T1078.003 | Valid Accounts: Local Accounts | 4 | Enable root account using dsenableroot utility - MacOS | 20b40ea9-0e17-4155-b8e6-244911a678ac | bash |
| 2240 | initial-access | T1078.003 | Valid Accounts: Local Accounts | 5 | Add a new/existing user to the admin group using dseditgroup utility - macOS | 433842ba-e796-4fd5-a14f-95d3a1970875 | bash |
| 2241 | initial-access | T1078.003 | Valid Accounts: Local Accounts | 6 | WinPwn - Loot local Credentials - powerhell kittie | 9e9fd066-453d-442f-88c1-ad7911d32912 | powershell |
| 2242 | initial-access | T1078.003 | Valid Accounts: Local Accounts | 7 | WinPwn - Loot local Credentials - Safetykatz | e9fdb899-a980-4ba4-934b-486ad22e22f4 | powershell |
| 2243 | initial-access | T1078.003 | Valid Accounts: Local Accounts | 8 | Create local account (Linux) | 02a91c34-8a5b-4bed-87af-501103eb5357 | bash |
| 2244 | initial-access | T1078.003 | Valid Accounts: Local Accounts | 9 | Reactivate a locked/expired account (Linux) | d2b95631-62d7-45a3-aaef-0972cea97931 | bash |
| 2245 | initial-access | T1078.003 | Valid Accounts: Local Accounts | 10 | Reactivate a locked/expired account (FreeBSD) | 09e3380a-fae5-4255-8b19-9950be0252cf | sh |
| 2246 | initial-access | T1078.003 | Valid Accounts: Local Accounts | 11 | Login as nobody (Linux) | 3d2cd093-ee05-41bd-a802-59ee5c301b85 | bash |
| 2247 | initial-access | T1078.003 | Valid Accounts: Local Accounts | 12 | Login as nobody (freebsd) | 16f6374f-7600-459a-9b16-6a88fd96d310 | sh |
| 2248 | initial-access | T1078.003 | Valid Accounts: Local Accounts | 13 | Use PsExec to elevate to NT Authority\SYSTEM account | 6904235f-0f55-4039-8aed-41c300ff7733 | command_prompt |
| 2249 | exfiltration | T1020 | Automated Exfiltration | 1 | IcedID Botnet HTTP PUT | 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0 | powershell |
| 2250 | exfiltration | T1020 | Automated Exfiltration | 2 | Exfiltration via Encrypted FTP | 5b380e96-b0ef-4072-8a8e-f194cb9eb9ac | powershell |
| 2251 | exfiltration | T1048.002 | Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | 1 | Exfiltrate data HTTPS using curl windows | 1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0 | command_prompt |
| 2252 | exfiltration | T1048.002 | Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | 2 | Exfiltrate data HTTPS using curl freebsd,linux or macos | 4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01 | bash |
| 2253 | exfiltration | T1048.002 | Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | 3 | Exfiltrate data in a file over HTTPS using wget | 7ccdfcfa-6707-46bc-b812-007ab6ff951c | sh |
| 2254 | exfiltration | T1048.002 | Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | 4 | Exfiltrate data as text over HTTPS using wget | 8bec51da-7a6d-4346-b941-51eca448c4b0 | sh |
| 2255 | exfiltration | T1041 | Exfiltration Over C2 Channel | 1 | C2 Data Exfiltration | d1253f6e-c29b-49dc-b466-2147a6191932 | powershell |
| 2256 | exfiltration | T1041 | Exfiltration Over C2 Channel | 2 | Text Based Data Exfiltration using DNS subdomains | c9207f3e-213d-4cc7-ad2a-7697a7237df9 | powershell |
| 2257 | exfiltration | T1048 | Exfiltration Over Alternative Protocol | 1 | Exfiltration Over Alternative Protocol - SSH | f6786cc8-beda-4915-a4d6-ac2f193bb988 | sh |
| 2258 | exfiltration | T1048 | Exfiltration Over Alternative Protocol | 2 | Exfiltration Over Alternative Protocol - SSH | 7c3cb337-35ae-4d06-bf03-3032ed2ec268 | sh |
| 2259 | exfiltration | T1048 | Exfiltration Over Alternative Protocol | 3 | DNSExfiltration (doh) | c943d285-ada3-45ca-b3aa-7cd6500c6a48 | powershell |
| 2260 | exfiltration | T1048 | Exfiltration Over Alternative Protocol | 4 | Exfiltrate Data using DNS Queries via dig | a27916da-05f2-4316-a3ee-feec67a437be | bash |
| 2261 | exfiltration | T1567.003 | Exfiltration Over Web Service: Exfiltration to Text Storage Sites | 1 | Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows) | c2e8ab6e-431e-460a-a2aa-3bc6a32022e3 | powershell |
| 2262 | exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | 1 | Exfiltrate data with rclone to cloud Storage - Mega (Windows) | 8529ee44-279a-4a19-80bf-b846a40dda58 | powershell |
| 2263 | exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | 2 | Exfiltrate data with rclone to cloud Storage - AWS S3 | a4b74723-5cee-4300-91c3-5e34166909b4 | powershell |
| 2264 | exfiltration | T1030 | Data Transfer Size Limits | 1 | Data Transfer Size Limits | ab936c51-10f4-46ce-9144-e02137b2016a | sh |
| 2265 | exfiltration | T1030 | Data Transfer Size Limits | 2 | Network-Based Data Transfer in Small Chunks | f0287b58-f4bc-40f6-87eb-692e126e7f8f | powershell |
| 2266 | exfiltration | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | 1 | Exfiltration Over Alternative Protocol - HTTP | 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff | manual |
| 2267 | exfiltration | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | 2 | Exfiltration Over Alternative Protocol - ICMP | dd4b4421-2e25-4593-90ae-7021947ad12e | powershell |
| 2268 | exfiltration | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | 3 | Exfiltration Over Alternative Protocol - DNS | c403b5a4-b5fc-49f2-b181-d1c80d27db45 | manual |
| 2269 | exfiltration | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | 4 | Exfiltration Over Alternative Protocol - HTTP | 6aa58451-1121-4490-a8e9-1dada3f1c68c | powershell |
| 2270 | exfiltration | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | 5 | Exfiltration Over Alternative Protocol - SMTP | ec3a835e-adca-4c7c-88d2-853b69c11bb9 | powershell |
| 2271 | exfiltration | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | 6 | MAZE FTP Upload | 57799bc2-ad1e-4130-a793-fb0c385130ba | powershell |
| 2272 | exfiltration | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | 7 | Exfiltration Over Alternative Protocol - FTP - Rclone | b854eb97-bf9b-45ab-a1b5-b94e4880c56b | powershell |
| 2273 | exfiltration | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | 8 | Python3 http.server | 3ea1f938-f80a-4305-9aa8-431bc4867313 | sh |