| # | Tactic | Technique # | Test # | Test Name |
|---|---|---|---|---|
| 2 | persistence | T1156 | 1 | Add command to .bash_profile |
| 3 | persistence | T1156 | 2 | Add command to .bashrc |
| 4 | persistence | T1015 | 1 | Attaches Command Prompt as a Debugger to a List of Target Processes |
| 5 | persistence | T1098 | 1 | Admin Account Manipulate |
| 6 | persistence | T1103 | 1 | Install AppInit Shim |
| 7 | persistence | T1138 | 1 | Application Shim Installation |
| 8 | persistence | T1138 | 2 | New shim database files created in the default shim database directory |
| 9 | persistence | T1138 | 3 | Registry key creation and/or modification events for SDB |
| 10 | persistence | T1197 | 1 | Bitsadmin Download (cmd) |
| 11 | persistence | T1197 | 2 | Bitsadmin Download (PowerShell) |
| 12 | persistence | T1197 | 3 | Persist, Download, & Execute |
| 13 | persistence | T1176 | 1 | Chrome (Developer Mode) |
| 14 | persistence | T1176 | 2 | Chrome (Chrome Web Store) |
| 15 | persistence | T1176 | 3 | Firefox |
| 16 | persistence | T1042 | 1 | Change Default File Association |
| 17 | persistence | T1136 | 1 | Create a user account on a Linux system |
| 18 | persistence | T1136 | 2 | Create a user account on a MacOS system |
| 19 | persistence | T1136 | 3 | Create a new user in a command prompt |
| 20 | persistence | T1136 | 4 | Create a new user in PowerShell |
| 21 | persistence | T1136 | 5 | Create a new user in Linux with `root` UID and GID. |
| 22 | persistence | T1038 | 1 | DLL Search Order Hijacking - amsi.dll |
| 23 | persistence | T1519 | 1 | Persistence with Event Monitor - emond |
| 24 | persistence | T1044 | 1 | File System Permissions Weakness |
| 25 | persistence | T1158 | 1 | Create a hidden file in a hidden directory |
| 26 | persistence | T1158 | 2 | Mac Hidden file |
| 27 | persistence | T1158 | 3 | Create Windows System File with Attrib |
| 28 | persistence | T1158 | 4 | Create Windows Hidden File with Attrib |
| 29 | persistence | T1158 | 5 | Hidden files |
| 30 | persistence | T1158 | 6 | Hide a Directory |
| 31 | persistence | T1158 | 7 | Show all hidden files |
| 32 | persistence | T1158 | 8 | Create ADS command prompt |
| 33 | persistence | T1158 | 9 | Create ADS PowerShell |
| 34 | persistence | T1179 | 1 | Hook PowerShell TLS Encrypt/Decrypt Messages |
| 35 | persistence | T1062 | 1 | Installing Hyper-V Feature |
| 36 | persistence | T1183 | 1 | IFEO Add Debugger |
| 37 | persistence | T1183 | 2 | IFEO Global Flags |
| 38 | persistence | T1215 | 1 | Linux - Load Kernel Module via insmod |
| 39 | persistence | T1159 | 1 | Launch Agent |
| 40 | persistence | T1160 | 1 | Launch Daemon |
| 41 | persistence | T1152 | 1 | Launchctl |
| 42 | persistence | T1168 | 1 | Cron - Replace crontab with referenced file |
| 43 | persistence | T1168 | 2 | Cron - Add script to cron folder |
| 44 | persistence | T1168 | 3 | Event Monitor Daemon Persistence |
| 45 | persistence | T1037 | 1 | Logon Scripts |
| 46 | persistence | T1037 | 2 | Scheduled Task Startup Script |
| 47 | persistence | T1037 | 3 | Logon Scripts - Mac |
| 48 | persistence | T1037 | 4 | Suspicious vbs file run from startup Folder |
| 49 | persistence | T1037 | 5 | Suspicious jse file run from startup Folder |
| 50 | persistence | T1037 | 6 | Suspicious bat file run from startup Folder |
| 51 | persistence | T1031 | 1 | Modify Fax service to run PowerShell |
| 52 | persistence | T1128 | 1 | Netsh Helper DLL Registration |
| 53 | persistence | T1050 | 1 | Service Installation |
| 54 | persistence | T1050 | 2 | Service Installation PowerShell |
| 55 | persistence | T1137 | 1 | DDEAUTO |
| 56 | persistence | T1150 | 1 | Plist Modification |
| 57 | persistence | T1504 | 1 | Append malicious start-process cmdlet |
| 58 | persistence | T1163 | 1 | rc.common |
| 59 | persistence | T1164 | 1 | Re-Opened Applications |
| 60 | persistence | T1164 | 2 | Re-Opened Applications |
| 61 | persistence | T1060 | 1 | Reg Key Run |
| 62 | persistence | T1060 | 2 | Reg Key RunOnce |
| 63 | persistence | T1060 | 3 | PowerShell Registry RunOnce |
| 64 | persistence | T1053 | 1 | At.exe Scheduled task |
| 65 | persistence | T1053 | 2 | Scheduled task Local |
| 66 | persistence | T1053 | 3 | Scheduled task Remote |
| 67 | persistence | T1053 | 4 | Powershell Cmdlet Scheduled Task |
| 68 | persistence | T1180 | 1 | Set Arbitrary Binary as Screensaver |
| 69 | persistence | T1101 | 1 | Modify SSP configuration in registry |
| 70 | persistence | T1505 | 1 | Install MS Exchange Transport Agent Persistence |
| 71 | persistence | T1058 | 1 | Service Registry Permissions Weakness |
| 72 | persistence | T1166 | 1 | Make and modify binary from C source |
| 73 | persistence | T1166 | 2 | Set a SetUID flag on file |
| 74 | persistence | T1166 | 3 | Set a SetGID flag on file |
| 75 | persistence | T1023 | 1 | Shortcut Modification |
| 76 | persistence | T1023 | 2 | Create shortcut to cmd in startup folders |
| 77 | persistence | T1165 | 1 | add file to Local Library StartupItems |
| 78 | persistence | T1501 | 1 | Create Systemd Service |
| 79 | persistence | T1154 | 1 | Trap |
| 80 | persistence | T1100 | 1 | Web Shell Written to Disk |
| 81 | persistence | T1084 | 1 | Persistence via WMI Event Subscription |
| 82 | persistence | T1004 | 1 | Winlogon Shell Key Persistence - PowerShell |
| 83 | persistence | T1004 | 2 | Winlogon Userinit Key Persistence - PowerShell |
| 84 | persistence | T1004 | 3 | Winlogon Notify Key Logon Persistence - PowerShell |
| 85 | defense-evasion | T1197 | 1 | Bitsadmin Download (cmd) |
| 86 | defense-evasion | T1197 | 2 | Bitsadmin Download (PowerShell) |
| 87 | defense-evasion | T1197 | 3 | Persist, Download, & Execute |
| 88 | defense-evasion | T1009 | 1 | Pad Binary to Change Hash - Linux/macOS dd |
| 89 | defense-evasion | T1088 | 1 | Bypass UAC using Event Viewer (cmd) |
| 90 | defense-evasion | T1088 | 2 | Bypass UAC using Event Viewer (PowerShell) |
| 91 | defense-evasion | T1088 | 3 | Bypass UAC using Fodhelper |
| 92 | defense-evasion | T1088 | 4 | Bypass UAC using Fodhelper - PowerShell |
| 93 | defense-evasion | T1088 | 5 | Bypass UAC using ComputerDefaults (PowerShell) |
| 94 | defense-evasion | T1088 | 6 | Bypass UAC by Mocking Trusted Directories |
| 95 | defense-evasion | T1191 | 1 | CMSTP Executing Remote Scriptlet |
| 96 | defense-evasion | T1191 | 2 | CMSTP Executing UAC Bypass |
| 97 | defense-evasion | T1146 | 1 | Clear Bash history (rm) |
| 98 | defense-evasion | T1146 | 2 | Clear Bash history (echo) |
| 99 | defense-evasion | T1146 | 3 | Clear Bash history (cat dev/null) |
| 100 | defense-evasion | T1146 | 4 | Clear Bash history (ln dev/null) |
| 101 | defense-evasion | T1146 | 5 | Clear Bash history (truncate) |
| 102 | defense-evasion | T1146 | 6 | Clear history of a bunch of shells |
| 103 | defense-evasion | T1500 | 1 | Compile After Delivery using csc.exe |
| 104 | defense-evasion | T1223 | 1 | Compiled HTML Help Local Payload |
| 105 | defense-evasion | T1223 | 2 | Compiled HTML Help Remote Payload |
| 106 | defense-evasion | T1090 | 1 | Connection Proxy |
| 107 | defense-evasion | T1090 | 2 | portproxy reg key |
| 108 | defense-evasion | T1196 | 1 | Control Panel Items |
| 109 | defense-evasion | T1207 | 1 | DCShadow - Mimikatz |
| 110 | defense-evasion | T1038 | 1 | DLL Search Order Hijacking - amsi.dll |
| 111 | defense-evasion | T1073 | 1 | DLL Side-Loading using the Notepad++ GUP.exe binary |
| 112 | defense-evasion | T1140 | 1 | Deobfuscate/Decode Files Or Information |
| 113 | defense-evasion | T1140 | 2 | Certutil Rename and Decode |
| 114 | defense-evasion | T1089 | 1 | Disable iptables firewall |
| 115 | defense-evasion | T1089 | 2 | Disable syslog |
| 116 | defense-evasion | T1089 | 3 | Disable Cb Response |
| 117 | defense-evasion | T1089 | 4 | Disable SELinux |
| 118 | defense-evasion | T1089 | 5 | Disable Carbon Black Response |
| 119 | defense-evasion | T1089 | 6 | Disable LittleSnitch |
| 120 | defense-evasion | T1089 | 7 | Disable OpenDNS Umbrella |
| 121 | defense-evasion | T1089 | 8 | Unload Sysmon Filter Driver |
| 122 | defense-evasion | T1089 | 9 | Disable Windows IIS HTTP Logging |
| 123 | defense-evasion | T1089 | 10 | Uninstall Sysmon |
| 124 | defense-evasion | T1089 | 11 | AMSI Bypass - AMSI InitFailed |
| 125 | defense-evasion | T1089 | 12 | AMSI Bypass - Remove AMSI Provider Reg Key |
| 126 | defense-evasion | T1089 | 13 | Disable Arbitrary Security Windows Service |
| 127 | defense-evasion | T1089 | 14 | Disable PowerShell Script Block Logging |
| 128 | defense-evasion | T1089 | 15 | PowerShell Bypass of AntiMalware Scripting Interface |
| 129 | defense-evasion | T1089 | 16 | Tamper with Windows Defender ATP PowerShell |
| 130 | defense-evasion | T1089 | 17 | Tamper with Windows Defender Command Prompt |
| 131 | defense-evasion | T1089 | 18 | Tamper with Windows Defender Registry |
| 132 | defense-evasion | T1089 | 19 | Disable Microsoft Office Security Features |
| 133 | defense-evasion | T1089 | 20 | Remove Windows Defender Definition Files |
| 134 | defense-evasion | T1107 | 1 | Delete a single file - Linux/macOS |
| 135 | defense-evasion | T1107 | 2 | Delete an entire folder - Linux/macOS |
| 136 | defense-evasion | T1107 | 3 | Overwrite and delete a file with shred |
| 137 | defense-evasion | T1107 | 4 | Delete a single file - Windows cmd |
| 138 | defense-evasion | T1107 | 5 | Delete an entire folder - Windows cmd |
| 139 | defense-evasion | T1107 | 6 | Delete a single file - Windows PowerShell |
| 140 | defense-evasion | T1107 | 7 | Delete an entire folder - Windows PowerShell |
| 141 | defense-evasion | T1107 | 8 | Delete Filesystem - Linux |
| 142 | defense-evasion | T1107 | 9 | Delete-PrefetchFile |
| 143 | defense-evasion | T1107 | 10 | Delete TeamViewer Log Files |
| 144 | defense-evasion | T1222 | 1 | Take ownership using takeown utility |
| 145 | defense-evasion | T1222 | 2 | Take ownership recursively using takeown utility |
| 146 | defense-evasion | T1222 | 3 | cacls - Grant permission to specified user or group |
| 147 | defense-evasion | T1222 | 4 | cacls - Grant permission to specified user or group recursively |
| 148 | defense-evasion | T1222 | 5 | icacls - Grant permission to specified user or group |
| 149 | defense-evasion | T1222 | 6 | icacls - Grant permission to specified user or group recursively |
| 150 | defense-evasion | T1222 | 7 | attrib - Remove read-only attribute |
| 151 | defense-evasion | T1222 | 8 | chmod - Change file or folder mode (numeric mode) |
| 152 | defense-evasion | T1222 | 9 | chmod - Change file or folder mode (symbolic mode) |
| 153 | defense-evasion | T1222 | 10 | chmod - Change file or folder mode (numeric mode) recursively |
| 154 | defense-evasion | T1222 | 11 | chmod - Change file or folder mode (symbolic mode) recursively |
| 155 | defense-evasion | T1222 | 12 | chown - Change file or folder ownership and group |
| 156 | defense-evasion | T1222 | 13 | chown - Change file or folder ownership and group recursively |
| 157 | defense-evasion | T1222 | 14 | chown - Change file or folder mode ownership only |
| 158 | defense-evasion | T1222 | 15 | chown - Change file or folder ownership recursively |
| 159 | defense-evasion | T1222 | 16 | chattr - Remove immutable file attribute |
| 160 | defense-evasion | T1144 | 1 | Gatekeeper Bypass |
| 161 | defense-evasion | T1148 | 1 | Disable history collection |
| 162 | defense-evasion | T1148 | 2 | Mac HISTCONTROL |
| 163 | defense-evasion | T1158 | 1 | Create a hidden file in a hidden directory |
| 164 | defense-evasion | T1158 | 2 | Mac Hidden file |
| 165 | defense-evasion | T1158 | 3 | Create Windows System File with Attrib |
| 166 | defense-evasion | T1158 | 4 | Create Windows Hidden File with Attrib |
| 167 | defense-evasion | T1158 | 5 | Hidden files |
| 168 | defense-evasion | T1158 | 6 | Hide a Directory |
| 169 | defense-evasion | T1158 | 7 | Show all hidden files |
| 170 | defense-evasion | T1158 | 8 | Create ADS command prompt |
| 171 | defense-evasion | T1158 | 9 | Create ADS PowerShell |
| 172 | defense-evasion | T1147 | 1 | Hidden Users |
| 173 | defense-evasion | T1143 | 1 | Hidden Window |
| 174 | defense-evasion | T1183 | 1 | IFEO Add Debugger |
| 175 | defense-evasion | T1183 | 2 | IFEO Global Flags |
| 176 | defense-evasion | T1070 | 1 | Clear Logs |
| 177 | defense-evasion | T1070 | 2 | FSUtil |
| 178 | defense-evasion | T1070 | 3 | rm -rf |
| 179 | defense-evasion | T1070 | 4 | Overwrite Linux Mail Spool |
| 180 | defense-evasion | T1070 | 5 | Overwrite Linux Log |
| 181 | defense-evasion | T1070 | 6 | Delete System Logs Using PowerShell |
| 182 | defense-evasion | T1070 | 7 | Delete System Logs Using Clear-EventLogId |
| 183 | defense-evasion | T1202 | 1 | Indirect Command Execution - pcalua.exe |
| 184 | defense-evasion | T1202 | 2 | Indirect Command Execution - forfiles.exe |
| 185 | defense-evasion | T1130 | 1 | Install root CA on CentOS/RHEL |
| 186 | defense-evasion | T1118 | 1 | CheckIfInstallable method call |
| 187 | defense-evasion | T1118 | 2 | InstallHelper method call |
| 188 | defense-evasion | T1118 | 3 | InstallUtil class constructor method call |
| 189 | defense-evasion | T1118 | 4 | InstallUtil Install method call |
| 190 | defense-evasion | T1118 | 5 | InstallUtil Uninstall method call - /U variant |
| 191 | defense-evasion | T1118 | 6 | InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant |
| 192 | defense-evasion | T1118 | 7 | InstallUtil HelpText method call |
| 193 | defense-evasion | T1118 | 8 | InstallUtil evasive invocation |
| 194 | defense-evasion | T1152 | 1 | Launchctl |
| 195 | defense-evasion | T1036 | 1 | Masquerading as Windows LSASS process |
| 196 | defense-evasion | T1036 | 2 | Masquerading as Linux crond process. |
| 197 | defense-evasion | T1036 | 3 | Masquerading - cscript.exe running as notepad.exe |
| 198 | defense-evasion | T1036 | 4 | Masquerading - wscript.exe running as svchost.exe |
| 199 | defense-evasion | T1036 | 5 | Masquerading - powershell.exe running as taskhostw.exe |
| 200 | defense-evasion | T1036 | 6 | Masquerading - non-windows exe running as windows exe |
| 201 | defense-evasion | T1036 | 7 | Masquerading - windows exe running as different windows exe |
| 202 | defense-evasion | T1036 | 8 | Malicious process Masquerading as LSM.exe |
| 203 | defense-evasion | T1112 | 1 | Modify Registry of Current User Profile - cmd |
| 204 | defense-evasion | T1112 | 2 | Modify Registry of Local Machine - cmd |
| 205 | defense-evasion | T1112 | 3 | Modify registry to store logon credentials |
| 206 | defense-evasion | T1112 | 4 | Add domain to Trusted sites Zone |
| 207 | defense-evasion | T1112 | 5 | Javascript in registry |
| 208 | defense-evasion | T1170 | 1 | Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject |
| 209 | defense-evasion | T1170 | 2 | Mshta calls a local VBScript file to launch notepad.exe |
| 210 | defense-evasion | T1170 | 3 | Mshta executes VBScript to execute malicious command |
| 211 | defense-evasion | T1170 | 4 | Mshta Executes Remote HTML Application (HTA) |
| 212 | defense-evasion | T1096 | 1 | Alternate Data Streams (ADS) |
| 213 | defense-evasion | T1096 | 2 | Store file in Alternate Data Stream (ADS) |
| 214 | defense-evasion | T1126 | 1 | Add Network Share |
| 215 | defense-evasion | T1126 | 2 | Remove Network Share |
| 216 | defense-evasion | T1126 | 3 | Remove Network Share PowerShell |
| 217 | defense-evasion | T1027 | 1 | Decode base64 Data into Script |
| 218 | defense-evasion | T1027 | 2 | Execute base64-encoded PowerShell |
| 219 | defense-evasion | T1027 | 3 | Execute base64-encoded PowerShell from Windows Registry |
| 220 | defense-evasion | T1502 | 1 | Parent PID Spoofing using PowerShell |
| 221 | defense-evasion | T1150 | 1 | Plist Modification |
| 222 | defense-evasion | T1093 | 1 | Process Hollowing using PowerShell |
| 223 | defense-evasion | T1055 | 1 | Process Injection via mavinject.exe |
| 224 | defense-evasion | T1055 | 2 | Shared Library Injection via /etc/ld.so.preload |
| 225 | defense-evasion | T1055 | 3 | Shared Library Injection via LD_PRELOAD |
| 226 | defense-evasion | T1055 | 4 | Process Injection via C# |
| 227 | defense-evasion | T1055 | 5 | svchost writing a file to a UNC path |
| 228 | defense-evasion | T1121 | 1 | Regasm Uninstall Method Call Test |
| 229 | defense-evasion | T1121 | 2 | Regsvs Uninstall Method Call Test |
| 230 | defense-evasion | T1117 | 1 | Regsvr32 local COM scriptlet execution |
| 231 | defense-evasion | T1117 | 2 | Regsvr32 remote COM scriptlet execution |
| 232 | defense-evasion | T1117 | 3 | Regsvr32 local DLL execution |
| 233 | defense-evasion | T1014 | 1 | Loadable Kernel Module based Rootkit |
| 234 | defense-evasion | T1014 | 2 | Loadable Kernel Module based Rootkit |
| 235 | defense-evasion | T1014 | 3 | Windows Signed Driver Rootkit Test |
| 236 | defense-evasion | T1085 | 1 | Rundll32 execute JavaScript Remote Payload With GetObject |
| 237 | defense-evasion | T1085 | 2 | Rundll32 execute VBscript command |
| 238 | defense-evasion | T1085 | 3 | Rundll32 advpack.dll Execution |
| 239 | defense-evasion | T1085 | 4 | Rundll32 ieadvpack.dll Execution |
| 240 | defense-evasion | T1085 | 5 | Rundll32 syssetup.dll Execution |
| 241 | defense-evasion | T1085 | 6 | Rundll32 setupapi.dll Execution |
| 242 | defense-evasion | T1064 | 1 | Create and Execute Bash Shell Script |
| 243 | defense-evasion | T1064 | 2 | Create and Execute Batch Script |
| 244 | defense-evasion | T1218 | 1 | mavinject - Inject DLL into running process |
| 245 | defense-evasion | T1218 | 2 | SyncAppvPublishingServer - Execute arbitrary PowerShell code |
| 246 | defense-evasion | T1218 | 3 | Register-CimProvider - Execute evil dll |
| 247 | defense-evasion | T1218 | 4 | Msiexec.exe - Execute Local MSI file |
| 248 | defense-evasion | T1218 | 5 | Msiexec.exe - Execute Remote MSI file |
| 249 | defense-evasion | T1218 | 6 | Msiexec.exe - Execute Arbitrary DLL |
| 250 | defense-evasion | T1218 | 7 | Odbcconf.exe - Execute Arbitrary DLL |
| 251 | defense-evasion | T1218 | 8 | InfDefaultInstall.exe .inf Execution |
| 252 | defense-evasion | T1216 | 1 | PubPrn.vbs Signed Script Bypass |
| 253 | defense-evasion | T1216 | 2 | SyncAppvPublishingServer Signed Script PowerShell Command Execution |
| 254 | defense-evasion | T1216 | 3 | manage-bde.wsf Signed Script Command Execution |
| 255 | defense-evasion | T1151 | 1 | Space After Filename |
| 256 | defense-evasion | T1099 | 1 | Set a file's access timestamp |
| 257 | defense-evasion | T1099 | 2 | Set a file's modification timestamp |
| 258 | defense-evasion | T1099 | 3 | Set a file's creation timestamp |
| 259 | defense-evasion | T1099 | 4 | Modify file timestamps using reference file |
| 260 | defense-evasion | T1099 | 5 | Windows - Modify file creation timestamp with PowerShell |
| 261 | defense-evasion | T1099 | 6 | Windows - Modify file last modified timestamp with PowerShell |
| 262 | defense-evasion | T1099 | 7 | Windows - Modify file last access timestamp with PowerShell |
| 263 | defense-evasion | T1127 | 1 | MSBuild Bypass Using Inline Tasks |
| 264 | defense-evasion | T1102 | 1 | Reach out to C2 Pointer URLs via command_prompt |
| 265 | defense-evasion | T1102 | 2 | Reach out to C2 Pointer URLs via powershell |
| 266 | defense-evasion | T1220 | 1 | MSXSL Bypass using local files |
| 267 | defense-evasion | T1220 | 2 | MSXSL Bypass using remote files |
| 268 | defense-evasion | T1220 | 3 | WMIC bypass using local XSL file |
| 269 | defense-evasion | T1220 | 4 | WMIC bypass using remote XSL file |
| 270 | privilege-escalation | T1015 | 1 | Attaches Command Prompt as a Debugger to a List of Target Processes |
| 271 | privilege-escalation | T1103 | 1 | Install AppInit Shim |
| 272 | privilege-escalation | T1138 | 1 | Application Shim Installation |
| 273 | privilege-escalation | T1138 | 2 | New shim database files created in the default shim database directory |
| 274 | privilege-escalation | T1138 | 3 | Registry key creation and/or modification events for SDB |
| 275 | privilege-escalation | T1088 | 1 | Bypass UAC using Event Viewer (cmd) |
| 276 | privilege-escalation | T1088 | 2 | Bypass UAC using Event Viewer (PowerShell) |
| 277 | privilege-escalation | T1088 | 3 | Bypass UAC using Fodhelper |
| 278 | privilege-escalation | T1088 | 4 | Bypass UAC using Fodhelper - PowerShell |
| 279 | privilege-escalation | T1088 | 5 | Bypass UAC using ComputerDefaults (PowerShell) |
| 280 | privilege-escalation | T1088 | 6 | Bypass UAC by Mocking Trusted Directories |
| 281 | privilege-escalation | T1038 | 1 | DLL Search Order Hijacking - amsi.dll |
| 282 | privilege-escalation | T1519 | 1 | Persistence with Event Monitor - emond |
| 283 | privilege-escalation | T1044 | 1 | File System Permissions Weakness |
| 284 | privilege-escalation | T1179 | 1 | Hook PowerShell TLS Encrypt/Decrypt Messages |
| 285 | privilege-escalation | T1183 | 1 | IFEO Add Debugger |
| 286 | privilege-escalation | T1183 | 2 | IFEO Global Flags |
| 287 | privilege-escalation | T1160 | 1 | Launch Daemon |
| 288 | privilege-escalation | T1050 | 1 | Service Installation |
| 289 | privilege-escalation | T1050 | 2 | Service Installation PowerShell |
| 290 | privilege-escalation | T1502 | 1 | Parent PID Spoofing using PowerShell |
| 291 | privilege-escalation | T1150 | 1 | Plist Modification |
| 292 | privilege-escalation | T1504 | 1 | Append malicious start-process cmdlet |
| 293 | privilege-escalation | T1055 | 1 | Process Injection via mavinject.exe |
| 294 | privilege-escalation | T1055 | 2 | Shared Library Injection via /etc/ld.so.preload |
| 295 | privilege-escalation | T1055 | 3 | Shared Library Injection via LD_PRELOAD |
| 296 | privilege-escalation | T1055 | 4 | Process Injection via C# |
| 297 | privilege-escalation | T1055 | 5 | svchost writing a file to a UNC path |
| 298 | privilege-escalation | T1053 | 1 | At.exe Scheduled task |
| 299 | privilege-escalation | T1053 | 2 | Scheduled task Local |
| 300 | privilege-escalation | T1053 | 3 | Scheduled task Remote |
| 301 | privilege-escalation | T1053 | 4 | Powershell Cmdlet Scheduled Task |
| 302 | privilege-escalation | T1058 | 1 | Service Registry Permissions Weakness |
| 303 | privilege-escalation | T1166 | 1 | Make and modify binary from C source |
| 304 | privilege-escalation | T1166 | 2 | Set a SetUID flag on file |
| 305 | privilege-escalation | T1166 | 3 | Set a SetGID flag on file |
| 306 | privilege-escalation | T1165 | 1 | add file to Local Library StartupItems |
| 307 | privilege-escalation | T1169 | 1 | Sudo usage |
| 308 | privilege-escalation | T1206 | 1 | Unlimited sudo cache timeout |
| 309 | privilege-escalation | T1206 | 2 | Disable tty_tickets for sudo caching |
| 310 | privilege-escalation | T1100 | 1 | Web Shell Written to Disk |
| 311 | impact | T1531 | 1 | Change User Password - Windows |
| 312 | impact | T1531 | 2 | Delete User - Windows |
| 313 | impact | T1485 | 1 | Windows - Overwrite file with Sysinternals SDelete |
| 314 | impact | T1485 | 2 | macOS/Linux - Overwrite file with DD |
| 315 | impact | T1490 | 1 | Windows - Delete Volume Shadow Copies |
| 316 | impact | T1490 | 2 | Windows - Delete Volume Shadow Copies via WMI |
| 317 | impact | T1490 | 3 | Windows - Delete Windows Backup Catalog |
| 318 | impact | T1490 | 4 | Windows - Disable Windows Recovery Console Repair |
| 319 | impact | T1490 | 5 | Windows - Delete Volume Shadow Copies via WMI with PowerShell |
| 320 | impact | T1490 | 6 | Windows - Delete Backup Files |
| 321 | impact | T1496 | 1 | macOS/Linux - Simulate CPU Load with Yes |
| 322 | impact | T1489 | 1 | Windows - Stop service using Service Controller |
| 323 | impact | T1489 | 2 | Windows - Stop service using net.exe |
| 324 | impact | T1489 | 3 | Windows - Stop service by killing process |
| 325 | impact | T1529 | 1 | Shutdown System - Windows |
| 326 | impact | T1529 | 2 | Restart System - Windows |
| 327 | impact | T1529 | 3 | Restart System via `shutdown` - macOS/Linux |
| 328 | impact | T1529 | 4 | Shutdown System via `shutdown` - macOS/Linux |
| 329 | impact | T1529 | 5 | Restart System via `reboot` - macOS/Linux |
| 330 | impact | T1529 | 6 | Shutdown System via `halt` - Linux |
| 331 | impact | T1529 | 7 | Reboot System via `halt` - Linux |
| 332 | impact | T1529 | 8 | Shutdown System via `poweroff` - Linux |
| 333 | impact | T1529 | 9 | Reboot System via `poweroff` - Linux |
| 334 | discovery | T1087 | 1 | Enumerate all accounts |
| 335 | discovery | T1087 | 2 | View sudoers access |
| 336 | discovery | T1087 | 3 | View accounts with UID 0 |
| 337 | discovery | T1087 | 4 | List opened files by user |
| 338 | discovery | T1087 | 5 | Show if a user account has ever logged in remotely |
| 339 | discovery | T1087 | 6 | Enumerate users and groups |
| 340 | discovery | T1087 | 7 | Enumerate users and groups |
| 341 | discovery | T1087 | 8 | Enumerate all accounts |
| 342 | discovery | T1087 | 9 | Enumerate all accounts via PowerShell |
| 343 | discovery | T1087 | 10 | Enumerate logged on users |
| 344 | discovery | T1087 | 11 | Enumerate logged on users via PowerShell |
| 345 | discovery | T1010 | 1 | List Process Main Windows - C# .NET |
| 346 | discovery | T1217 | 1 | List Mozilla Firefox Bookmark Database Files on Linux |
| 347 | discovery | T1217 | 2 | List Mozilla Firefox Bookmark Database Files on macOS |
| 348 | discovery | T1217 | 3 | List Google Chrome Bookmark JSON Files on macOS |
| 349 | discovery | T1217 | 4 | List Google Chrome Bookmarks on Windows with powershell |
| 350 | discovery | T1217 | 5 | List Google Chrome Bookmarks on Windows with command prompt |
| 351 | discovery | T1482 | 1 | Windows - Discover domain trusts with dsquery |
| 352 | discovery | T1482 | 2 | Windows - Discover domain trusts with nltest |
| 353 | discovery | T1482 | 3 | Powershell enumerate domains and forests |
| 354 | discovery | T1083 | 1 | File and Directory Discovery (cmd.exe) |
| 355 | discovery | T1083 | 2 | File and Directory Discovery (PowerShell) |
| 356 | discovery | T1083 | 3 | Nix File and Directory Discovery |
| 357 | discovery | T1083 | 4 | Nix File and Directory Discovery 2 |
| 358 | discovery | T1046 | 1 | Port Scan |
| 359 | discovery | T1046 | 2 | Port Scan Nmap |
| 360 | discovery | T1135 | 1 | Network Share Discovery |
| 361 | discovery | T1135 | 2 | Network Share Discovery command prompt |
| 362 | discovery | T1135 | 3 | Network Share Discovery PowerShell |
| 363 | discovery | T1135 | 4 | View available share drives |
| 364 | discovery | T1040 | 1 | Packet Capture Linux |
| 365 | discovery | T1040 | 2 | Packet Capture macOS |
| 366 | discovery | T1040 | 3 | Packet Capture Windows Command Prompt |
| 367 | discovery | T1040 | 4 | Packet Capture PowerShell |
| 368 | discovery | T1201 | 1 | Examine password complexity policy - Ubuntu |
| 369 | discovery | T1201 | 2 | Examine password complexity policy - CentOS/RHEL 7.x |
| 370 | discovery | T1201 | 3 | Examine password complexity policy - CentOS/RHEL 6.x |
| 371 | discovery | T1201 | 4 | Examine password expiration policy - All Linux |
| 372 | discovery | T1201 | 5 | Examine local password policy - Windows |
| 373 | discovery | T1201 | 6 | Examine domain password policy - Windows |
| 374 | discovery | T1201 | 7 | Examine password policy - macOS |
| 375 | discovery | T1069 | 1 | Permission Groups Discovery |
| 376 | discovery | T1069 | 2 | Basic Permission Groups Discovery Windows |
| 377 | discovery | T1069 | 3 | Permission Groups Discovery PowerShell |
| 378 | discovery | T1069 | 4 | Elevated group enumeration using net group |
| 379 | discovery | T1057 | 1 | Process Discovery - ps |
| 380 | discovery | T1057 | 2 | Process Discovery - tasklist |
| 381 | discovery | T1012 | 1 | Query Registry |
| 382 | discovery | T1018 | 1 | Remote System Discovery - net |
| 383 | discovery | T1018 | 2 | Remote System Discovery - net group Domain Computers |
| 384 | discovery | T1018 | 3 | Remote System Discovery - nltest |
| 385 | discovery | T1018 | 4 | Remote System Discovery - ping sweep |
| 386 | discovery | T1018 | 5 | Remote System Discovery - arp |
| 387 | discovery | T1018 | 6 | Remote System Discovery - arp nix |
| 388 | discovery | T1018 | 7 | Remote System Discovery - sweep |
| 389 | discovery | T1018 | 8 | Remote System Discovery - nslookup |
| 390 | discovery | T1063 | 1 | Security Software Discovery |
| 391 | discovery | T1063 | 2 | Security Software Discovery - powershell |
| 392 | discovery | T1063 | 3 | Security Software Discovery - ps |
| 393 | discovery | T1063 | 4 | Security Software Discovery - Sysmon Service |
| 394 | discovery | T1063 | 5 | Security Software Discovery - AV Discovery via WMI |
| 395 | discovery | T1518 | 1 | Find and Display Internet Explorer Browser Version |
| 396 | discovery | T1518 | 2 | Applications Installed |
| 397 | discovery | T1082 | 1 | System Information Discovery |
| 398 | discovery | T1082 | 2 | System Information Discovery |
| 399 | discovery | T1082 | 3 | List OS Information |
| 400 | discovery | T1082 | 4 | Linux VM Check via Hardware |
| 401 | discovery | T1082 | 5 | Linux VM Check via Kernel Modules |
| 402 | discovery | T1082 | 6 | Hostname Discovery (Windows) |
| 403 | discovery | T1082 | 7 | Hostname Discovery |
| 404 | discovery | T1082 | 8 | Windows MachineGUID Discovery |
| 405 | discovery | T1016 | 1 | System Network Configuration Discovery |
| 406 | discovery | T1016 | 2 | List Windows Firewall Rules |
| 407 | discovery | T1016 | 3 | System Network Configuration Discovery |
| 408 | discovery | T1016 | 4 | System Network Configuration Discovery (TrickBot Style) |
| 409 | discovery | T1016 | 5 | List Open Egress Ports |
| 410 | discovery | T1049 | 1 | System Network Connections Discovery |
| 411 | discovery | T1049 | 2 | System Network Connections Discovery with PowerShell |
| 412 | discovery | T1049 | 3 | System Network Connections Discovery Linux & MacOS |
| 413 | discovery | T1033 | 1 | System Owner/User Discovery |
| 414 | discovery | T1033 | 2 | System Owner/User Discovery |
| 415 | discovery | T1007 | 1 | System Service Discovery |
| 416 | discovery | T1007 | 2 | System Service Discovery - net.exe |
| 417 | discovery | T1124 | 1 | System Time Discovery |
| 418 | discovery | T1124 | 2 | System Time Discovery - PowerShell |
| 419 | credential-access | T1098 | 1 | Admin Account Manipulate |
| 420 | credential-access | T1139 | 1 | Search Through Bash History |
| 421 | credential-access | T1110 | 1 | Brute Force Credentials |
| 422 | credential-access | T1003 | 1 | Powershell Mimikatz |
| 423 | credential-access | T1003 | 2 | Gsecdump |
| 424 | credential-access | T1003 | 3 | Windows Credential Editor |
| 425 | credential-access | T1003 | 4 | Registry dump of SAM, creds, and secrets |
| 426 | credential-access | T1003 | 5 | Dump LSASS.exe Memory using ProcDump |
| 427 | credential-access | T1003 | 6 | Dump LSASS.exe Memory using comsvcs.dll |
| 428 | credential-access | T1003 | 7 | Dump LSASS.exe Memory using direct system calls and API unhooking |
| 429 | credential-access | T1003 | 8 | Dump LSASS.exe Memory using Windows Task Manager |
| 430 | credential-access | T1003 | 9 | Offline Credential Theft With Mimikatz |
| 431 | credential-access | T1003 | 10 | Dump Active Directory Database with NTDSUtil |
| 432 | credential-access | T1003 | 11 | Create Volume Shadow Copy with NTDS.dit |
| 433 | credential-access | T1003 | 12 | Copy NTDS.dit from Volume Shadow Copy |
| 434 | credential-access | T1003 | 13 | GPP Passwords (findstr) |
| 435 | credential-access | T1003 | 14 | GPP Passwords (Get-GPPPassword) |
| 436 | credential-access | T1003 | 15 | LSASS read with pypykatz |
| 437 | credential-access | T1003 | 16 | Registry parse with pypykatz |
| 438 | credential-access | T1081 | 1 | Extract Browser and System credentials with LaZagne |
| 439 | credential-access | T1081 | 2 | Extract passwords with grep |
| 440 | credential-access | T1081 | 3 | Extracting passwords with findstr |
| 441 | credential-access | T1081 | 4 | Access unattend.xml |
| 442 | credential-access | T1214 | 1 | Enumeration for Credentials in Registry |
| 443 | credential-access | T1214 | 2 | Enumeration for PuTTY Credentials in Registry |
| 444 | credential-access | T1179 | 1 | Hook PowerShell TLS Encrypt/Decrypt Messages |
| 445 | credential-access | T1056 | 1 | Input Capture |
| 446 | credential-access | T1141 | 1 | AppleScript - Prompt User for Password |
| 447 | credential-access | T1141 | 2 | PowerShell - Prompt User for Password |
| 448 | credential-access | T1208 | 1 | Request for service tickets |
| 449 | credential-access | T1142 | 1 | Keychain |
| 450 | credential-access | T1040 | 1 | Packet Capture Linux |
| 451 | credential-access | T1040 | 2 | Packet Capture macOS |
| 452 | credential-access | T1040 | 3 | Packet Capture Windows Command Prompt |
| 453 | credential-access | T1040 | 4 | Packet Capture PowerShell |
| 454 | credential-access | T1174 | 1 | Install and Register Password Filter DLL |
| 455 | credential-access | T1145 | 1 | Private Keys |
| 456 | credential-access | T1145 | 2 | Discover Private SSH Keys |
| 457 | credential-access | T1145 | 3 | Copy Private SSH Keys with CP |
| 458 | credential-access | T1145 | 4 | Copy Private SSH Keys with rsync |
| 459 | execution | T1155 | 1 | AppleScript |
| 460 | execution | T1191 | 1 | CMSTP Executing Remote Scriptlet |
| 461 | execution | T1191 | 2 | CMSTP Executing UAC Bypass |
| 462 | execution | T1059 | 1 | Command-Line Interface |
| 463 | execution | T1223 | 1 | Compiled HTML Help Local Payload |
| 464 | execution | T1223 | 2 | Compiled HTML Help Remote Payload |
| 465 | execution | T1196 | 1 | Control Panel Items |
| 466 | execution | T1173 | 1 | Execute Commands |
| 467 | execution | T1173 | 2 | Execute PowerShell script via Word DDE |
| 468 | execution | T1118 | 1 | CheckIfInstallable method call |
| 469 | execution | T1118 | 2 | InstallHelper method call |
| 470 | execution | T1118 | 3 | InstallUtil class constructor method call |
| 471 | execution | T1118 | 4 | InstallUtil Install method call |
| 472 | execution | T1118 | 5 | InstallUtil Uninstall method call - /U variant |
| 473 | execution | T1118 | 6 | InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant |
| 474 | execution | T1118 | 7 | InstallUtil HelpText method call |
| 475 | execution | T1118 | 8 | InstallUtil evasive invocation |
| 476 | execution | T1152 | 1 | Launchctl |
| 477 | execution | T1168 | 1 | Cron - Replace crontab with referenced file |
| 478 | execution | T1168 | 2 | Cron - Add script to cron folder |
| 479 | execution | T1168 | 3 | Event Monitor Daemon Persistence |
| 480 | execution | T1170 | 1 | Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject |
| 481 | execution | T1170 | 2 | Mshta calls a local VBScript file to launch notepad.exe |
| 482 | execution | T1170 | 3 | Mshta executes VBScript to execute malicious command |
| 483 | execution | T1170 | 4 | Mshta Executes Remote HTML Application (HTA) |
| 484 | execution | T1086 | 1 | Mimikatz |
| 485 | execution | T1086 | 2 | BloodHound |
| 486 | execution | T1086 | 3 | Obfuscation Tests |
| 487 | execution | T1086 | 4 | Mimikatz - Cradlecraft PsSendKeys |
| 488 | execution | T1086 | 5 | Invoke-AppPathBypass |
| 489 | execution | T1086 | 6 | PowerShell Add User |
| 490 | execution | T1086 | 7 | Powershell MsXml COM object - no prompt |
| 491 | execution | T1086 | 8 | Powershell MsXml COM object - with prompt |
| 492 | execution | T1086 | 9 | Powershell XML requests |
| 493 | execution | T1086 | 10 | Powershell invoke mshta.exe download |
| 494 | execution | T1086 | 11 | Powershell Invoke-DownloadCradle |
| 495 | execution | T1086 | 12 | PowerShell Fileless Script Execution |
| 496 | execution | T1086 | 13 | PowerShell Downgrade Attack |
| 497 | execution | T1086 | 14 | NTFS Alternate Data Stream Access |
| 498 | execution | T1121 | 1 | Regasm Uninstall Method Call Test |
| 499 | execution | T1121 | 2 | Regsvs Uninstall Method Call Test |
| 500 | execution | T1117 | 1 | Regsvr32 local COM scriptlet execution |
| 501 | execution | T1117 | 2 | Regsvr32 remote COM scriptlet execution |
| 502 | execution | T1117 | 3 | Regsvr32 local DLL execution |
| 503 | execution | T1085 | 1 | Rundll32 execute JavaScript Remote Payload With GetObject |
| 504 | execution | T1085 | 2 | Rundll32 execute VBscript command |
| 505 | execution | T1085 | 3 | Rundll32 advpack.dll Execution |
| 506 | execution | T1085 | 4 | Rundll32 ieadvpack.dll Execution |
| 507 | execution | T1085 | 5 | Rundll32 syssetup.dll Execution |
| 508 | execution | T1085 | 6 | Rundll32 setupapi.dll Execution |
| 509 | execution | T1053 | 1 | At.exe Scheduled task |
| 510 | execution | T1053 | 2 | Scheduled task Local |
| 511 | execution | T1053 | 3 | Scheduled task Remote |
| 512 | execution | T1053 | 4 | Powershell Cmdlet Scheduled Task |
| 513 | execution | T1064 | 1 | Create and Execute Bash Shell Script |
| 514 | execution | T1064 | 2 | Create and Execute Batch Script |
| 515 | execution | T1035 | 1 | Execute a Command as a Service |
| 516 | execution | T1035 | 2 | Use PsExec to execute a command on a remote host |
| 517 | execution | T1218 | 1 | mavinject - Inject DLL into running process |
| 518 | execution | T1218 | 2 | SyncAppvPublishingServer - Execute arbitrary PowerShell code |
| 519 | execution | T1218 | 3 | Register-CimProvider - Execute evil dll |
| 520 | execution | T1218 | 4 | Msiexec.exe - Execute Local MSI file |
| 521 | execution | T1218 | 5 | Msiexec.exe - Execute Remote MSI file |
| 522 | execution | T1218 | 6 | Msiexec.exe - Execute Arbitrary DLL |
| 523 | execution | T1218 | 7 | Odbcconf.exe - Execute Arbitrary DLL |
| 524 | execution | T1218 | 8 | InfDefaultInstall.exe .inf Execution |
| 525 | execution | T1216 | 1 | PubPrn.vbs Signed Script Bypass |
| 526 | execution | T1216 | 2 | SyncAppvPublishingServer Signed Script PowerShell Command Execution |
| 527 | execution | T1216 | 3 | manage-bde.wsf Signed Script Command Execution |
| 528 | execution | T1153 | 1 | Execute Script using Source |
| 529 | execution | T1153 | 2 | Execute Script using Source Alias |
| 530 | execution | T1151 | 1 | Space After Filename |
| 531 | execution | T1154 | 1 | Trap |
| 532 | execution | T1127 | 1 | MSBuild Bypass Using Inline Tasks |
| 533 | execution | T1204 | 1 | OSTap Style Macro Execution |
| 534 | execution | T1204 | 2 | Maldoc choice flags command execution |
| 535 | execution | T1204 | 3 | OSTAP JS version |
| 536 | execution | T1047 | 1 | WMI Reconnaissance Users |
| 537 | execution | T1047 | 2 | WMI Reconnaissance Processes |
| 538 | execution | T1047 | 3 | WMI Reconnaissance Software |
| 539 | execution | T1047 | 4 | WMI Reconnaissance List Remote Services |
| 540 | execution | T1047 | 5 | WMI Execute Local Process |
| 541 | execution | T1047 | 6 | WMI Execute Remote Process |
| 542 | execution | T1028 | 1 | Enable Windows Remote Management |
| 543 | execution | T1028 | 2 | PowerShell Lateral Movement |
| 544 | execution | T1028 | 3 | WMIC Process Call Create |
| 545 | execution | T1028 | 4 | Psexec |
| 546 | execution | T1028 | 5 | Invoke-Command |
| 547 | execution | T1220 | 1 | MSXSL Bypass using local files |
| 548 | execution | T1220 | 2 | MSXSL Bypass using remote files |
| 549 | execution | T1220 | 3 | WMIC bypass using local XSL file |
| 550 | execution | T1220 | 4 | WMIC bypass using remote XSL file |
| 551 | lateral-movement | T1155 | 1 | AppleScript |
| 552 | lateral-movement | T1037 | 1 | Logon Scripts |
| 553 | lateral-movement | T1037 | 2 | Scheduled Task Startup Script |
| 554 | lateral-movement | T1037 | 3 | Logon Scripts - Mac |
| 555 | lateral-movement | T1037 | 4 | Suspicious vbs file run from startup Folder |
| 556 | lateral-movement | T1037 | 5 | Suspicious jse file run from startup Folder |
| 557 | lateral-movement | T1037 | 6 | Suspicious bat file run from startup Folder |
| 558 | lateral-movement | T1075 | 1 | Mimikatz Pass the Hash |
| 559 | lateral-movement | T1075 | 2 | crackmapexec Pass the Hash |
| 560 | lateral-movement | T1097 | 1 | Mimikatz Kerberos Ticket Attack |
| 561 | lateral-movement | T1076 | 1 | RDP |
| 562 | lateral-movement | T1076 | 2 | RDP to DomainController |
| 563 | lateral-movement | T1105 | 1 | rsync remote file copy (push) |
| 564 | lateral-movement | T1105 | 2 | rsync remote file copy (pull) |
| 565 | lateral-movement | T1105 | 3 | scp remote file copy (push) |
| 566 | lateral-movement | T1105 | 4 | scp remote file copy (pull) |
| 567 | lateral-movement | T1105 | 5 | sftp remote file copy (push) |
| 568 | lateral-movement | T1105 | 6 | sftp remote file copy (pull) |
| 569 | lateral-movement | T1105 | 7 | certutil download (urlcache) |
| 570 | lateral-movement | T1105 | 8 | certutil download (verifyctl) |
| 571 | lateral-movement | T1105 | 9 | Windows - BITSAdmin BITS Download |
| 572 | lateral-movement | T1105 | 10 | Windows - PowerShell Download |
| 573 | lateral-movement | T1105 | 11 | OSTAP Worming Activity |
| 574 | lateral-movement | T1077 | 1 | Map admin share |
| 575 | lateral-movement | T1077 | 2 | Map Admin Share PowerShell |
| 576 | lateral-movement | T1077 | 3 | Copy and Execute File with PsExec |
| 577 | lateral-movement | T1077 | 4 | Execute command writing output to local Admin Share |
| 578 | lateral-movement | T1028 | 1 | Enable Windows Remote Management |
| 579 | lateral-movement | T1028 | 2 | PowerShell Lateral Movement |
| 580 | lateral-movement | T1028 | 3 | WMIC Process Call Create |
| 581 | lateral-movement | T1028 | 4 | Psexec |
| 582 | lateral-movement | T1028 | 5 | Invoke-Command |
| 583 | collection | T1123 | 1 | using device audio capture commandlet |
| 584 | collection | T1119 | 1 | Automated Collection Command Prompt |
| 585 | collection | T1119 | 2 | Automated Collection PowerShell |
| 586 | collection | T1119 | 3 | Recon information for export with PowerShell |
| 587 | collection | T1119 | 4 | Recon information for export with Command Prompt |
| 588 | collection | T1115 | 1 | Utilize Clipboard to store or execute commands from |
| 589 | collection | T1115 | 2 | PowerShell |
| 590 | collection | T1074 | 1 | Stage data from Discovery.bat |
| 591 | collection | T1074 | 2 | Stage data from Discovery.sh |
| 592 | collection | T1074 | 3 | Zip a Folder with PowerShell for Staging in Temp |
| 593 | collection | T1005 | 1 | Search macOS Safari Cookies |
| 594 | collection | T1114 | 1 | T1114 Email Collection with PowerShell |
| 595 | collection | T1056 | 1 | Input Capture |
| 596 | collection | T1113 | 1 | Screencapture |
| 597 | collection | T1113 | 2 | Screencapture (silent) |
| 598 | collection | T1113 | 3 | X Windows Capture |
| 599 | collection | T1113 | 4 | Import |
| 600 | exfiltration | T1002 | 1 | Compress Data for Exfiltration With PowerShell |
| 601 | exfiltration | T1002 | 2 | Compress Data for Exfiltration With Rar |
| 602 | exfiltration | T1002 | 3 | Data Compressed - nix - zip |
| 603 | exfiltration | T1002 | 4 | Data Compressed - nix - gzip Single File |
| 604 | exfiltration | T1002 | 5 | Data Compressed - nix - tar Folder or File |
| 605 | exfiltration | T1022 | 1 | Data Encrypted with zip and gpg symmetric |
| 606 | exfiltration | T1022 | 2 | Compress Data and lock with password for Exfiltration with winrar |
| 607 | exfiltration | T1022 | 3 | Compress Data and lock with password for Exfiltration with winzip |
| 608 | exfiltration | T1022 | 4 | Compress Data and lock with password for Exfiltration with 7zip |
| 609 | exfiltration | T1030 | 1 | Data Transfer Size Limits |
| 610 | exfiltration | T1048 | 1 | Exfiltration Over Alternative Protocol - SSH |
| 611 | exfiltration | T1048 | 2 | Exfiltration Over Alternative Protocol - SSH |
| 612 | exfiltration | T1048 | 3 | Exfiltration Over Alternative Protocol - HTTP |
| 613 | exfiltration | T1048 | 4 | Exfiltration Over Alternative Protocol - ICMP |
| 614 | exfiltration | T1048 | 5 | Exfiltration Over Alternative Protocol - DNS |
| 615 | command-and-control | T1090 | 1 | Connection Proxy |
| 616 | command-and-control | T1090 | 2 | portproxy reg key |
| 617 | command-and-control | T1132 | 1 | Base64 Encoded data. |
| 618 | command-and-control | T1219 | 1 | TeamViewer Files Detected Test on Windows |
| 619 | command-and-control | T1105 | 1 | rsync remote file copy (push) |
| 620 | command-and-control | T1105 | 2 | rsync remote file copy (pull) |
| 621 | command-and-control | T1105 | 3 | scp remote file copy (push) |
| 622 | command-and-control | T1105 | 4 | scp remote file copy (pull) |
| 623 | command-and-control | T1105 | 5 | sftp remote file copy (push) |
| 624 | command-and-control | T1105 | 6 | sftp remote file copy (pull) |
| 625 | command-and-control | T1105 | 7 | certutil download (urlcache) |
| 626 | command-and-control | T1105 | 8 | certutil download (verifyctl) |
| 627 | command-and-control | T1105 | 9 | Windows - BITSAdmin BITS Download |
| 628 | command-and-control | T1105 | 10 | Windows - PowerShell Download |
| 629 | command-and-control | T1105 | 11 | OSTAP Worming Activity |
| 630 | command-and-control | T1071 | 1 | Malicious User Agents - Powershell |
| 631 | command-and-control | T1071 | 2 | Malicious User Agents - CMD |
| 632 | command-and-control | T1071 | 3 | Malicious User Agents - Nix |
| 633 | command-and-control | T1071 | 4 | DNS Large Query Volume |
| 634 | command-and-control | T1071 | 5 | DNS Regular Beaconing |
| 635 | command-and-control | T1071 | 6 | DNS Long Domain Query |
| 636 | command-and-control | T1071 | 7 | DNS C2 |
| 637 | command-and-control | T1071 | 8 | OSTap Payload Download |
| 638 | command-and-control | T1032 | 1 | OpenSSL C2 |
| 639 | command-and-control | T1095 | 1 | ICMP C2 |
| 640 | command-and-control | T1095 | 2 | Netcat C2 |
| 641 | command-and-control | T1095 | 3 | Powercat C2 |
| 642 | command-and-control | T1065 | 1 | Testing usage of uncommonly used port with PowerShell |
| 643 | command-and-control | T1065 | 2 | Testing usage of uncommonly used port |
| 644 | command-and-control | T1102 | 1 | Reach out to C2 Pointer URLs via command_prompt |
| 645 | command-and-control | T1102 | 2 | Reach out to C2 Pointer URLs via powershell |
| 646 | initial-access | T1193 | 1 | Download Phishing Attachment - VBScript |