Atomic Red Team doc generator
171 KiB
171 KiB
| 1 | Tactic | Technique # | Technique Name | Test # | Test Name | Test GUID | Executor Name |
|---|---|---|---|---|---|---|---|
| 2 | defense-evasion | T1218.011 | Rundll32 | 1 | Rundll32 execute JavaScript Remote Payload With GetObject | 57ba4ce9-ee7a-4f27-9928-3c70c489b59d | command_prompt |
| 3 | defense-evasion | T1218.011 | Rundll32 | 2 | Rundll32 execute VBscript command | 638730e7-7aed-43dc-bf8c-8117f805f5bb | command_prompt |
| 4 | defense-evasion | T1218.011 | Rundll32 | 3 | Rundll32 advpack.dll Execution | d91cae26-7fc1-457b-a854-34c8aad48c89 | command_prompt |
| 5 | defense-evasion | T1218.011 | Rundll32 | 4 | Rundll32 ieadvpack.dll Execution | 5e46a58e-cbf6-45ef-a289-ed7754603df9 | command_prompt |
| 6 | defense-evasion | T1218.011 | Rundll32 | 5 | Rundll32 syssetup.dll Execution | 41fa324a-3946-401e-bbdd-d7991c628125 | command_prompt |
| 7 | defense-evasion | T1218.011 | Rundll32 | 6 | Rundll32 setupapi.dll Execution | 71d771cd-d6b3-4f34-bc76-a63d47a10b19 | command_prompt |
| 8 | defense-evasion | T1218.011 | Rundll32 | 7 | Execution of HTA and VBS Files using Rundll32 and URL.dll | 22cfde89-befe-4e15-9753-47306b37a6e3 | command_prompt |
| 9 | defense-evasion | T1218.011 | Rundll32 | 8 | Launches an executable using Rundll32 and pcwutl.dll | 9f5d081a-ee5a-42f9-a04e-b7bdc487e676 | command_prompt |
| 10 | defense-evasion | T1218.011 | Rundll32 | 9 | Execution of non-dll using rundll32.exe | ae3a8605-b26e-457c-b6b3-2702fd335bac | powershell |
| 11 | defense-evasion | T1218.011 | Rundll32 | 10 | Rundll32 with Ordinal Value | 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0 | command_prompt |
| 12 | defense-evasion | T1218.011 | Rundll32 | 11 | Rundll32 with Control_RunDLL | e4c04b6f-c492-4782-82c7-3bf75eb8077e | command_prompt |
| 13 | defense-evasion | T1218.011 | Rundll32 | 12 | Rundll32 with desk.cpl | 83a95136-a496-423c-81d3-1c6750133917 | command_prompt |
| 14 | defense-evasion | T1556.003 | Pluggable Authentication Modules | 1 | Malicious PAM rule | 4b9dde80-ae22-44b1-a82a-644bf009eb9c | sh |
| 15 | defense-evasion | T1556.003 | Pluggable Authentication Modules | 2 | Malicious PAM module | 65208808-3125-4a2e-8389-a0a00e9ab326 | sh |
| 16 | defense-evasion | T1222.002 | Linux and Mac File and Directory Permissions Modification | 1 | chmod - Change file or folder mode (numeric mode) | 34ca1464-de9d-40c6-8c77-690adf36a135 | bash |
| 17 | defense-evasion | T1222.002 | Linux and Mac File and Directory Permissions Modification | 2 | chmod - Change file or folder mode (symbolic mode) | fc9d6695-d022-4a80-91b1-381f5c35aff3 | bash |
| 18 | defense-evasion | T1222.002 | Linux and Mac File and Directory Permissions Modification | 3 | chmod - Change file or folder mode (numeric mode) recursively | ea79f937-4a4d-4348-ace6-9916aec453a4 | bash |
| 19 | defense-evasion | T1222.002 | Linux and Mac File and Directory Permissions Modification | 4 | chmod - Change file or folder mode (symbolic mode) recursively | 0451125c-b5f6-488f-993b-5a32b09f7d8f | bash |
| 20 | defense-evasion | T1222.002 | Linux and Mac File and Directory Permissions Modification | 5 | chown - Change file or folder ownership and group | d169e71b-85f9-44ec-8343-27093ff3dfc0 | bash |
| 21 | defense-evasion | T1222.002 | Linux and Mac File and Directory Permissions Modification | 6 | chown - Change file or folder ownership and group recursively | b78598be-ff39-448f-a463-adbf2a5b7848 | bash |
| 22 | defense-evasion | T1222.002 | Linux and Mac File and Directory Permissions Modification | 7 | chown - Change file or folder mode ownership only | 967ba79d-f184-4e0e-8d09-6362b3162e99 | bash |
| 23 | defense-evasion | T1222.002 | Linux and Mac File and Directory Permissions Modification | 8 | chown - Change file or folder ownership recursively | 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 | bash |
| 24 | defense-evasion | T1222.002 | Linux and Mac File and Directory Permissions Modification | 9 | chattr - Remove immutable file attribute | e7469fe2-ad41-4382-8965-99b94dd3c13f | sh |
| 25 | defense-evasion | T1222.002 | Linux and Mac File and Directory Permissions Modification | 10 | Chmod through c script | 973631cf-6680-4ffa-a053-045e1b6b67ab | sh |
| 26 | defense-evasion | T1222.002 | Linux and Mac File and Directory Permissions Modification | 11 | Chown through c script | 18592ba1-5f88-4e3c-abc8-ab1c6042e389 | sh |
| 27 | defense-evasion | T1216.001 | PubPrn | 1 | PubPrn.vbs Signed Script Bypass | 9dd29a1f-1e16-4862-be83-913b10a88f6c | command_prompt |
| 28 | defense-evasion | T1006 | Direct Volume Access | 1 | Read volume boot sector via DOS device path (PowerShell) | 88f6327e-51ec-4bbf-b2e8-3fea534eab8b | powershell |
| 29 | defense-evasion | T1014 | Rootkit | 1 | Loadable Kernel Module based Rootkit | dfb50072-e45a-4c75-a17e-a484809c8553 | sh |
| 30 | defense-evasion | T1014 | Rootkit | 2 | Loadable Kernel Module based Rootkit | 75483ef8-f10f-444a-bf02-62eb0e48db6f | sh |
| 31 | defense-evasion | T1548.002 | Bypass User Account Control | 1 | Bypass UAC using Event Viewer (cmd) | 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 | command_prompt |
| 32 | defense-evasion | T1548.002 | Bypass User Account Control | 2 | Bypass UAC using Event Viewer (PowerShell) | a6ce9acf-842a-4af6-8f79-539be7608e2b | powershell |
| 33 | defense-evasion | T1548.002 | Bypass User Account Control | 3 | Bypass UAC using Fodhelper | 58f641ea-12e3-499a-b684-44dee46bd182 | command_prompt |
| 34 | defense-evasion | T1548.002 | Bypass User Account Control | 4 | Bypass UAC using Fodhelper - PowerShell | 3f627297-6c38-4e7d-a278-fc2563eaaeaa | powershell |
| 35 | defense-evasion | T1548.002 | Bypass User Account Control | 5 | Bypass UAC using ComputerDefaults (PowerShell) | 3c51abf2-44bf-42d8-9111-dc96ff66750f | powershell |
| 36 | defense-evasion | T1548.002 | Bypass User Account Control | 6 | Bypass UAC by Mocking Trusted Directories | f7a35090-6f7f-4f64-bb47-d657bf5b10c1 | command_prompt |
| 37 | defense-evasion | T1548.002 | Bypass User Account Control | 7 | Bypass UAC using sdclt DelegateExecute | 3be891eb-4608-4173-87e8-78b494c029b7 | powershell |
| 38 | defense-evasion | T1548.002 | Bypass User Account Control | 8 | Disable UAC using reg.exe | 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 | command_prompt |
| 39 | defense-evasion | T1548.002 | Bypass User Account Control | 9 | Bypass UAC using SilentCleanup task | 28104f8a-4ff1-4582-bcf6-699dce156608 | command_prompt |
| 40 | defense-evasion | T1548.002 | Bypass User Account Control | 10 | UACME Bypass Method 23 | 8ceab7a2-563a-47d2-b5ba-0995211128d7 | command_prompt |
| 41 | defense-evasion | T1548.002 | Bypass User Account Control | 11 | UACME Bypass Method 31 | b0f76240-9f33-4d34-90e8-3a7d501beb15 | command_prompt |
| 42 | defense-evasion | T1548.002 | Bypass User Account Control | 12 | UACME Bypass Method 33 | e514bb03-f71c-4b22-9092-9f961ec6fb03 | command_prompt |
| 43 | defense-evasion | T1548.002 | Bypass User Account Control | 13 | UACME Bypass Method 34 | 695b2dac-423e-448e-b6ef-5b88e93011d6 | command_prompt |
| 44 | defense-evasion | T1548.002 | Bypass User Account Control | 14 | UACME Bypass Method 39 | 56163687-081f-47da-bb9c-7b231c5585cf | command_prompt |
| 45 | defense-evasion | T1548.002 | Bypass User Account Control | 15 | UACME Bypass Method 56 | 235ec031-cd2d-465d-a7ae-68bab281e80e | command_prompt |
| 46 | defense-evasion | T1548.002 | Bypass User Account Control | 16 | UACME Bypass Method 59 | dfb1b667-4bb8-4a63-a85e-29936ea75f29 | command_prompt |
| 47 | defense-evasion | T1548.002 | Bypass User Account Control | 17 | UACME Bypass Method 61 | 7825b576-744c-4555-856d-caf3460dc236 | command_prompt |
| 48 | defense-evasion | T1548.002 | Bypass User Account Control | 18 | WinPwn - UAC Magic | 964d8bf8-37bc-4fd3-ba36-ad13761ebbcc | powershell |
| 49 | defense-evasion | T1548.002 | Bypass User Account Control | 19 | WinPwn - UAC Bypass ccmstp technique | f3c145f9-3c8d-422c-bd99-296a17a8f567 | powershell |
| 50 | defense-evasion | T1548.002 | Bypass User Account Control | 20 | WinPwn - UAC Bypass DiskCleanup technique | 1ed67900-66cd-4b09-b546-2a0ef4431a0c | powershell |
| 51 | defense-evasion | T1548.002 | Bypass User Account Control | 21 | WinPwn - UAC Bypass DccwBypassUAC technique | 2b61977b-ae2d-4ae4-89cb-5c36c89586be | powershell |
| 52 | defense-evasion | T1548.003 | Sudo and Sudo Caching | 1 | Sudo usage | 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e | sh |
| 53 | defense-evasion | T1548.003 | Sudo and Sudo Caching | 2 | Unlimited sudo cache timeout | a7b17659-dd5e-46f7-b7d1-e6792c91d0bc | sh |
| 54 | defense-evasion | T1548.003 | Sudo and Sudo Caching | 3 | Disable tty_tickets for sudo caching | 91a60b03-fb75-4d24-a42e-2eb8956e8de1 | sh |
| 55 | defense-evasion | T1574.011 | Services Registry Permissions Weakness | 1 | Service Registry Permissions Weakness | f7536d63-7fd4-466f-89da-7e48d550752a | powershell |
| 56 | defense-evasion | T1574.011 | Services Registry Permissions Weakness | 2 | Service ImagePath Change with reg.exe | f38e9eea-e1d7-4ba6-b716-584791963827 | command_prompt |
| 57 | defense-evasion | T1036.005 | Match Legitimate Name or Location | 1 | Execute a process from a directory masquerading as the current parent directory. | 812c3ab8-94b0-4698-a9bf-9420af23ce24 | sh |
| 58 | defense-evasion | T1036.005 | Match Legitimate Name or Location | 2 | Masquerade as a built-in system executable | 35eb8d16-9820-4423-a2a1-90c4f5edd9ca | powershell |
| 59 | defense-evasion | T1564 | Hide Artifacts | 1 | Extract binary files via VBA | 6afe288a-8a8b-4d33-a629-8d03ba9dad3a | powershell |
| 60 | defense-evasion | T1564 | Hide Artifacts | 2 | Create a Hidden User Called "$" | 2ec63cc2-4975-41a6-bf09-dffdfb610778 | command_prompt |
| 61 | defense-evasion | T1564 | Hide Artifacts | 3 | Create an "Administrator " user (with a space on the end) | 5bb20389-39a5-4e99-9264-aeb92a55a85c | powershell |
| 62 | defense-evasion | T1484.002 | Domain Trust Modification | 1 | Add Federation to Azure AD | 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7 | powershell |
| 63 | defense-evasion | T1497.001 | System Checks | 1 | Detect Virtualization Environment (Linux) | dfbd1a21-540d-4574-9731-e852bd6fe840 | sh |
| 64 | defense-evasion | T1497.001 | System Checks | 2 | Detect Virtualization Environment (Windows) | 502a7dc4-9d6f-4d28-abf2-f0e84692562d | powershell |
| 65 | defense-evasion | T1497.001 | System Checks | 3 | Detect Virtualization Environment (MacOS) | a960185f-aef6-4547-8350-d1ce16680d09 | sh |
| 66 | defense-evasion | T1497.001 | System Checks | 4 | Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) | 4a41089a-48e0-47aa-82cb-5b81a463bc78 | powershell |
| 67 | defense-evasion | T1070.002 | Clear Linux or Mac System Logs | 1 | rm -rf | 989cc1b1-3642-4260-a809-54f9dd559683 | sh |
| 68 | defense-evasion | T1070.002 | Clear Linux or Mac System Logs | 2 | Overwrite Linux Mail Spool | 1602ff76-ed7f-4c94-b550-2f727b4782d4 | bash |
| 69 | defense-evasion | T1070.002 | Clear Linux or Mac System Logs | 3 | Overwrite Linux Log | d304b2dc-90b4-4465-a650-16ddd503f7b5 | bash |
| 70 | defense-evasion | T1218.004 | InstallUtil | 1 | CheckIfInstallable method call | ffd9c807-d402-47d2-879d-f915cf2a3a94 | powershell |
| 71 | defense-evasion | T1218.004 | InstallUtil | 2 | InstallHelper method call | d43a5bde-ae28-4c55-a850-3f4c80573503 | powershell |
| 72 | defense-evasion | T1218.004 | InstallUtil | 3 | InstallUtil class constructor method call | 9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93 | powershell |
| 73 | defense-evasion | T1218.004 | InstallUtil | 4 | InstallUtil Install method call | 9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b | powershell |
| 74 | defense-evasion | T1218.004 | InstallUtil | 5 | InstallUtil Uninstall method call - /U variant | 34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b | powershell |
| 75 | defense-evasion | T1218.004 | InstallUtil | 6 | InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant | 06d9deba-f732-48a8-af8e-bdd6e4d98c1d | powershell |
| 76 | defense-evasion | T1218.004 | InstallUtil | 7 | InstallUtil HelpText method call | 5a683850-1145-4326-a0e5-e91ced3c6022 | powershell |
| 77 | defense-evasion | T1218.004 | InstallUtil | 8 | InstallUtil evasive invocation | 559e6d06-bb42-4307-bff7-3b95a8254bad | powershell |
| 78 | defense-evasion | T1574.001 | DLL Search Order Hijacking | 1 | DLL Search Order Hijacking - amsi.dll | 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 | command_prompt |
| 79 | defense-evasion | T1553.001 | Gatekeeper Bypass | 1 | Gatekeeper Bypass | fb3d46c6-9480-4803-8d7d-ce676e1f1a9b | sh |
| 80 | defense-evasion | T1222.001 | Windows File and Directory Permissions Modification | 1 | Take ownership using takeown utility | 98d34bb4-6e75-42ad-9c41-1dae7dc6a001 | command_prompt |
| 81 | defense-evasion | T1222.001 | Windows File and Directory Permissions Modification | 2 | cacls - Grant permission to specified user or group recursively | a8206bcc-f282-40a9-a389-05d9c0263485 | command_prompt |
| 82 | defense-evasion | T1222.001 | Windows File and Directory Permissions Modification | 3 | attrib - Remove read-only attribute | bec1e95c-83aa-492e-ab77-60c71bbd21b0 | command_prompt |
| 83 | defense-evasion | T1222.001 | Windows File and Directory Permissions Modification | 4 | attrib - hide file | 32b979da-7b68-42c9-9a99-0e39900fc36c | command_prompt |
| 84 | defense-evasion | T1222.001 | Windows File and Directory Permissions Modification | 5 | Grant Full Access to folder for Everyone - Ryuk Ransomware Style | ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 | command_prompt |
| 85 | defense-evasion | T1218.007 | Msiexec | 1 | Msiexec.exe - Execute Local MSI file with embedded JScript | a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04 | command_prompt |
| 86 | defense-evasion | T1218.007 | Msiexec | 2 | Msiexec.exe - Execute Local MSI file with embedded VBScript | 8d73c7b0-c2b1-4ac1-881a-4aa644f76064 | command_prompt |
| 87 | defense-evasion | T1218.007 | Msiexec | 3 | Msiexec.exe - Execute Local MSI file with an embedded DLL | 628fa796-76c5-44c3-93aa-b9d8214fd568 | command_prompt |
| 88 | defense-evasion | T1218.007 | Msiexec | 4 | Msiexec.exe - Execute Local MSI file with an embedded EXE | ed3fa08a-ca18-4009-973e-03d13014d0e8 | command_prompt |
| 89 | defense-evasion | T1218.007 | Msiexec | 5 | WMI Win32_Product Class - Execute Local MSI file with embedded JScript | 882082f0-27c6-4eec-a43c-9aa80bccdb30 | powershell |
| 90 | defense-evasion | T1218.007 | Msiexec | 6 | WMI Win32_Product Class - Execute Local MSI file with embedded VBScript | cf470d9a-58e7-43e5-b0d2-805dffc05576 | powershell |
| 91 | defense-evasion | T1218.007 | Msiexec | 7 | WMI Win32_Product Class - Execute Local MSI file with an embedded DLL | 32eb3861-30da-4993-897a-42737152f5f8 | powershell |
| 92 | defense-evasion | T1218.007 | Msiexec | 8 | WMI Win32_Product Class - Execute Local MSI file with an embedded EXE | 55080eb0-49ae-4f55-a440-4167b7974f79 | powershell |
| 93 | defense-evasion | T1218.007 | Msiexec | 9 | Msiexec.exe - Execute the DllRegisterServer function of a DLL | 0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d | command_prompt |
| 94 | defense-evasion | T1218.007 | Msiexec | 10 | Msiexec.exe - Execute the DllUnregisterServer function of a DLL | ab09ec85-4955-4f9c-b8e0-6851baf4d47f | command_prompt |
| 95 | defense-evasion | T1218.007 | Msiexec | 11 | Msiexec.exe - Execute Remote MSI file | 44a4bedf-ffe3-452e-bee4-6925ab125662 | command_prompt |
| 96 | defense-evasion | T1556.002 | Password Filter DLL | 1 | Install and Register Password Filter DLL | a7961770-beb5-4134-9674-83d7e1fa865c | powershell |
| 97 | defense-evasion | T1070.003 | Clear Command History | 1 | Clear Bash history (rm) | a934276e-2be5-4a36-93fd-98adbb5bd4fc | sh |
| 98 | defense-evasion | T1070.003 | Clear Command History | 2 | Clear Bash history (echo) | cbf506a5-dd78-43e5-be7e-a46b7c7a0a11 | sh |
| 99 | defense-evasion | T1070.003 | Clear Command History | 3 | Clear Bash history (cat dev/null) | b1251c35-dcd3-4ea1-86da-36d27b54f31f | sh |
| 100 | defense-evasion | T1070.003 | Clear Command History | 4 | Clear Bash history (ln dev/null) | 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 | sh |
| 101 | defense-evasion | T1070.003 | Clear Command History | 5 | Clear Bash history (truncate) | 47966a1d-df4f-4078-af65-db6d9aa20739 | sh |
| 102 | defense-evasion | T1070.003 | Clear Command History | 6 | Clear history of a bunch of shells | 7e6721df-5f08-4370-9255-f06d8a77af4c | sh |
| 103 | defense-evasion | T1070.003 | Clear Command History | 7 | Clear and Disable Bash History Logging | 784e4011-bd1a-4ecd-a63a-8feb278512e6 | sh |
| 104 | defense-evasion | T1070.003 | Clear Command History | 8 | Use Space Before Command to Avoid Logging to History | 53b03a54-4529-4992-852d-a00b4b7215a6 | sh |
| 105 | defense-evasion | T1070.003 | Clear Command History | 9 | Disable Bash History Logging with SSH -T | 5f8abd62-f615-43c5-b6be-f780f25790a1 | sh |
| 106 | defense-evasion | T1070.003 | Clear Command History | 10 | Prevent Powershell History Logging | 2f898b81-3e97-4abb-bc3f-a95138988370 | powershell |
| 107 | defense-evasion | T1070.003 | Clear Command History | 11 | Clear Powershell History by Deleting History File | da75ae8d-26d6-4483-b0fe-700e4df4f037 | powershell |
| 108 | defense-evasion | T1202 | Indirect Command Execution | 1 | Indirect Command Execution - pcalua.exe | cecfea7a-5f03-4cdd-8bc8-6f7c22862440 | command_prompt |
| 109 | defense-evasion | T1202 | Indirect Command Execution | 2 | Indirect Command Execution - forfiles.exe | 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc | command_prompt |
| 110 | defense-evasion | T1202 | Indirect Command Execution | 3 | Indirect Command Execution - conhost.exe | cf3391e0-b482-4b02-87fc-ca8362269b29 | command_prompt |
| 111 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 1 | Deobfuscate/Decode Files Or Information | dc6fe391-69e6-4506-bd06-ea5eeb4082f8 | command_prompt |
| 112 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 2 | Certutil Rename and Decode | 71abc534-3c05-4d0c-80f7-cbe93cb2aa94 | command_prompt |
| 113 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 3 | Base64 decoding with Python | 356dc0e8-684f-4428-bb94-9313998ad608 | sh |
| 114 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 4 | Base64 decoding with Perl | 6604d964-b9f6-4d4b-8ce8-499829a14d0a | sh |
| 115 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 5 | Base64 decoding with shell utilities | b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e | sh |
| 116 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 6 | Hex decoding with shell utilities | 005943f9-8dd5-4349-8b46-0313c0a9f973 | sh |
| 117 | defense-evasion | T1036 | Masquerading | 1 | System File Copied to Unusual Location | 51005ac7-52e2-45e0-bdab-d17c6d4916cd | powershell |
| 118 | defense-evasion | T1036 | Masquerading | 2 | Malware Masquerading and Execution from Zip File | 4449c89b-ec82-43a4-89c1-91e2f1abeecc | powershell |
| 119 | defense-evasion | T1055 | Process Injection | 1 | Shellcode execution via VBA | 1c91e740-1729-4329-b779-feba6e71d048 | powershell |
| 120 | defense-evasion | T1055 | Process Injection | 2 | Remote Process Injection in LSASS via mimikatz | 3203ad24-168e-4bec-be36-f79b13ef8a83 | command_prompt |
| 121 | defense-evasion | T1218 | System Binary Proxy Execution | 1 | mavinject - Inject DLL into running process | c426dacf-575d-4937-8611-a148a86a5e61 | command_prompt |
| 122 | defense-evasion | T1218 | System Binary Proxy Execution | 2 | SyncAppvPublishingServer - Execute arbitrary PowerShell code | d590097e-d402-44e2-ad72-2c6aa1ce78b1 | command_prompt |
| 123 | defense-evasion | T1218 | System Binary Proxy Execution | 3 | Register-CimProvider - Execute evil dll | ad2c17ed-f626-4061-b21e-b9804a6f3655 | command_prompt |
| 124 | defense-evasion | T1218 | System Binary Proxy Execution | 4 | InfDefaultInstall.exe .inf Execution | 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef | command_prompt |
| 125 | defense-evasion | T1218 | System Binary Proxy Execution | 5 | ProtocolHandler.exe Downloaded a Suspicious File | db020456-125b-4c8b-a4a7-487df8afb5a2 | command_prompt |
| 126 | defense-evasion | T1218 | System Binary Proxy Execution | 6 | Microsoft.Workflow.Compiler.exe Payload Execution | 7cbb0f26-a4c1-4f77-b180-a009aa05637e | powershell |
| 127 | defense-evasion | T1218 | System Binary Proxy Execution | 7 | Renamed Microsoft.Workflow.Compiler.exe Payload Executions | 4cc40fd7-87b8-4b16-b2d7-57534b86b911 | powershell |
| 128 | defense-evasion | T1218 | System Binary Proxy Execution | 8 | Invoke-ATHRemoteFXvGPUDisablementCommand base test | 9ebe7901-7edf-45c0-b5c7-8366300919db | powershell |
| 129 | defense-evasion | T1218 | System Binary Proxy Execution | 9 | DiskShadow Command Execution | 0e1483ba-8f0c-425d-b8c6-42736e058eaa | powershell |
| 130 | defense-evasion | T1218 | System Binary Proxy Execution | 10 | Load Arbitrary DLL via Wuauclt (Windows Update Client) | 49fbd548-49e9-4bb7-94a6-3769613912b8 | command_prompt |
| 131 | defense-evasion | T1218 | System Binary Proxy Execution | 11 | Lolbin Gpscript logon option | 5bcda9cd-8e85-48fa-861d-b5a85d91d48c | command_prompt |
| 132 | defense-evasion | T1218 | System Binary Proxy Execution | 12 | Lolbin Gpscript startup option | f8da74bb-21b8-4af9-8d84-f2c8e4a220e3 | command_prompt |
| 133 | defense-evasion | T1218 | System Binary Proxy Execution | 13 | Lolbas ie4uinit.exe use as proxy | 13c0804e-615e-43ad-b223-2dfbacd0b0b3 | command_prompt |
| 134 | defense-evasion | T1070.006 | Timestomp | 1 | Set a file's access timestamp | 5f9113d5-ed75-47ed-ba23-ea3573d05810 | sh |
| 135 | defense-evasion | T1070.006 | Timestomp | 2 | Set a file's modification timestamp | 20ef1523-8758-4898-b5a2-d026cc3d2c52 | sh |
| 136 | defense-evasion | T1070.006 | Timestomp | 3 | Set a file's creation timestamp | 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b | sh |
| 137 | defense-evasion | T1070.006 | Timestomp | 4 | Modify file timestamps using reference file | 631ea661-d661-44b0-abdb-7a7f3fc08e50 | sh |
| 138 | defense-evasion | T1070.006 | Timestomp | 5 | Windows - Modify file creation timestamp with PowerShell | b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c | powershell |
| 139 | defense-evasion | T1070.006 | Timestomp | 6 | Windows - Modify file last modified timestamp with PowerShell | f8f6634d-93e1-4238-8510-f8a90a20dcf2 | powershell |
| 140 | defense-evasion | T1070.006 | Timestomp | 7 | Windows - Modify file last access timestamp with PowerShell | da627f63-b9bd-4431-b6f8-c5b44d061a62 | powershell |
| 141 | defense-evasion | T1070.006 | Timestomp | 8 | Windows - Timestomp a File | d7512c33-3a75-4806-9893-69abc3ccdd43 | powershell |
| 142 | defense-evasion | T1620 | Reflective Code Loading | 1 | WinPwn - Reflectively load Mimik@tz into memory | 56b9589c-9170-4682-8c3d-33b86ecb5119 | powershell |
| 143 | defense-evasion | T1218.003 | CMSTP | 1 | CMSTP Executing Remote Scriptlet | 34e63321-9683-496b-bbc1-7566bc55e624 | command_prompt |
| 144 | defense-evasion | T1218.003 | CMSTP | 2 | CMSTP Executing UAC Bypass | 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0 | command_prompt |
| 145 | defense-evasion | T1562.002 | Disable Windows Event Logging | 1 | Disable Windows IIS HTTP Logging | 69435dcf-c66f-4ec0-a8b1-82beb76b34db | powershell |
| 146 | defense-evasion | T1562.002 | Disable Windows Event Logging | 2 | Kill Event Log Service Threads | 41ac52ba-5d5e-40c0-b267-573ed90489bd | powershell |
| 147 | defense-evasion | T1562.002 | Disable Windows Event Logging | 3 | Impair Windows Audit Log Policy | 5102a3a7-e2d7-4129-9e45-f483f2e0eea8 | command_prompt |
| 148 | defense-evasion | T1562.002 | Disable Windows Event Logging | 4 | Clear Windows Audit Policy Config | 913c0e4e-4b37-4b78-ad0b-90e7b25010f6 | command_prompt |
| 149 | defense-evasion | T1562.002 | Disable Windows Event Logging | 5 | Disable Event Logging with wevtutil | b26a3340-dad7-4360-9176-706269c74103 | command_prompt |
| 150 | defense-evasion | T1562.002 | Disable Windows Event Logging | 6 | Makes Eventlog blind with Phant0m | 3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741 | command_prompt |
| 151 | defense-evasion | T1218.002 | Control Panel | 1 | Control Panel Items | 037e9d8a-9e46-4255-8b33-2ae3b545ca6f | command_prompt |
| 152 | defense-evasion | T1562.004 | Disable or Modify System Firewall | 1 | Disable Microsoft Defender Firewall | 88d05800-a5e4-407e-9b53-ece4174f197f | command_prompt |
| 153 | defense-evasion | T1562.004 | Disable or Modify System Firewall | 2 | Disable Microsoft Defender Firewall via Registry | afedc8c4-038c-4d82-b3e5-623a95f8a612 | command_prompt |
| 154 | defense-evasion | T1562.004 | Disable or Modify System Firewall | 3 | Allow SMB and RDP on Microsoft Defender Firewall | d9841bf8-f161-4c73-81e9-fd773a5ff8c1 | command_prompt |
| 155 | defense-evasion | T1562.004 | Disable or Modify System Firewall | 4 | Opening ports for proxy - HARDRAIN | 15e57006-79dd-46df-9bf9-31bc24fb5a80 | command_prompt |
| 156 | defense-evasion | T1562.004 | Disable or Modify System Firewall | 5 | Open a local port through Windows Firewall to any profile | 9636dd6e-7599-40d2-8eee-ac16434f35ed | powershell |
| 157 | defense-evasion | T1562.004 | Disable or Modify System Firewall | 6 | Allow Executable Through Firewall Located in Non-Standard Location | 6f5822d2-d38d-4f48-9bfc-916607ff6b8c | powershell |
| 158 | defense-evasion | T1562.004 | Disable or Modify System Firewall | 7 | Stop/Start UFW firewall | fe135572-edcd-49a2-afe6-1d39521c5a9a | sh |
| 159 | defense-evasion | T1562.004 | Disable or Modify System Firewall | 8 | Stop/Start UFW firewall systemctl | 9fd99609-1854-4f3c-b47b-97d9a5972bd1 | sh |
| 160 | defense-evasion | T1562.004 | Disable or Modify System Firewall | 9 | Turn off UFW logging | 8a95b832-2c2a-494d-9cb0-dc9dd97c8bad | sh |
| 161 | defense-evasion | T1562.004 | Disable or Modify System Firewall | 10 | Add and delete UFW firewall rules | b2563a4e-c4b8-429c-8d47-d5bcb227ba7a | sh |
| 162 | defense-evasion | T1562.004 | Disable or Modify System Firewall | 11 | Edit UFW firewall user.rules file | beaf815a-c883-4194-97e9-fdbbb2bbdd7c | sh |
| 163 | defense-evasion | T1562.004 | Disable or Modify System Firewall | 12 | Edit UFW firewall ufw.conf file | c1d8c4eb-88da-4927-ae97-c7c25893803b | sh |
| 164 | defense-evasion | T1562.004 | Disable or Modify System Firewall | 13 | Edit UFW firewall sysctl.conf file | c4ae0701-88d3-4cd8-8bce-4801ed9f97e4 | sh |
| 165 | defense-evasion | T1562.004 | Disable or Modify System Firewall | 14 | Edit UFW firewall main configuration file | 7b697ece-8270-46b5-bbc7-6b9e27081831 | sh |
| 166 | defense-evasion | T1562.004 | Disable or Modify System Firewall | 15 | Tail the UFW firewall log file | 419cca0c-fa52-4572-b0d7-bc7c6f388a27 | sh |
| 167 | defense-evasion | T1207 | Rogue Domain Controller | 1 | DCShadow (Active Directory) | 0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6 | powershell |
| 168 | defense-evasion | T1112 | Modify Registry | 1 | Modify Registry of Current User Profile - cmd | 1324796b-d0f6-455a-b4ae-21ffee6aa6b9 | command_prompt |
| 169 | defense-evasion | T1112 | Modify Registry | 2 | Modify Registry of Local Machine - cmd | 282f929a-6bc5-42b8-bd93-960c3ba35afe | command_prompt |
| 170 | defense-evasion | T1112 | Modify Registry | 3 | Modify registry to store logon credentials | c0413fb5-33e2-40b7-9b6f-60b29f4a7a18 | command_prompt |
| 171 | defense-evasion | T1112 | Modify Registry | 4 | Add domain to Trusted sites Zone | cf447677-5a4e-4937-a82c-e47d254afd57 | powershell |
| 172 | defense-evasion | T1112 | Modify Registry | 5 | Javascript in registry | 15f44ea9-4571-4837-be9e-802431a7bfae | powershell |
| 173 | defense-evasion | T1112 | Modify Registry | 6 | Change Powershell Execution Policy to Bypass | f3a6cceb-06c9-48e5-8df8-8867a6814245 | powershell |
| 174 | defense-evasion | T1112 | Modify Registry | 7 | BlackByte Ransomware Registry Changes - CMD | 4f4e2f9f-6209-4fcf-9b15-3b7455706f5b | command_prompt |
| 175 | defense-evasion | T1112 | Modify Registry | 8 | BlackByte Ransomware Registry Changes - Powershell | 0b79c06f-c788-44a2-8630-d69051f1123d | powershell |
| 176 | defense-evasion | T1112 | Modify Registry | 9 | Disable Windows Registry Tool | ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8 | command_prompt |
| 177 | defense-evasion | T1112 | Modify Registry | 10 | Disable Windows CMD application | d2561a6d-72bd-408c-b150-13efe1801c2a | powershell |
| 178 | defense-evasion | T1112 | Modify Registry | 11 | Disable Windows Task Manager application | af254e70-dd0e-4de6-9afe-a994d9ea8b62 | command_prompt |
| 179 | defense-evasion | T1112 | Modify Registry | 12 | Disable Windows Notification Center | c0d6d67f-1f63-42cc-95c0-5fd6b20082ad | command_prompt |
| 180 | defense-evasion | T1112 | Modify Registry | 13 | Disable Windows Shutdown Button | 6e0d1131-2d7e-4905-8ca5-d6172f05d03d | command_prompt |
| 181 | defense-evasion | T1112 | Modify Registry | 14 | Disable Windows LogOff Button | e246578a-c24d-46a7-9237-0213ff86fb0c | command_prompt |
| 182 | defense-evasion | T1112 | Modify Registry | 15 | Disable Windows Change Password Feature | d4a6da40-618f-454d-9a9e-26af552aaeb0 | command_prompt |
| 183 | defense-evasion | T1112 | Modify Registry | 16 | Disable Windows Lock Workstation Feature | 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56 | command_prompt |
| 184 | defense-evasion | T1112 | Modify Registry | 17 | Activate Windows NoDesktop Group Policy Feature | 93386d41-525c-4a1b-8235-134a628dee17 | command_prompt |
| 185 | defense-evasion | T1112 | Modify Registry | 18 | Activate Windows NoRun Group Policy Feature | d49ff3cc-8168-4123-b5b3-f057d9abbd55 | command_prompt |
| 186 | defense-evasion | T1112 | Modify Registry | 19 | Activate Windows NoFind Group Policy Feature | ffbb407e-7f1d-4c95-b22e-548169db1fbd | command_prompt |
| 187 | defense-evasion | T1112 | Modify Registry | 20 | Activate Windows NoControlPanel Group Policy Feature | a450e469-ba54-4de1-9deb-9023a6111690 | command_prompt |
| 188 | defense-evasion | T1112 | Modify Registry | 21 | Activate Windows NoFileMenu Group Policy Feature | 5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4 | command_prompt |
| 189 | defense-evasion | T1112 | Modify Registry | 22 | Activate Windows NoClose Group Policy Feature | 12f50e15-dbc6-478b-a801-a746e8ba1723 | command_prompt |
| 190 | defense-evasion | T1112 | Modify Registry | 23 | Activate Windows NoSetTaskbar Group Policy Feature | d29b7faf-7355-4036-9ed3-719bd17951ed | command_prompt |
| 191 | defense-evasion | T1112 | Modify Registry | 24 | Activate Windows NoTrayContextMenu Group Policy Feature | 4d72d4b1-fa7b-4374-b423-0fe326da49d2 | command_prompt |
| 192 | defense-evasion | T1112 | Modify Registry | 25 | Activate Windows NoPropertiesMyDocuments Group Policy Feature | 20fc9daa-bd48-4325-9aff-81b967a84b1d | command_prompt |
| 193 | defense-evasion | T1112 | Modify Registry | 26 | Hide Windows Clock Group Policy Feature | 8023db1e-ad06-4966-934b-b6a0ae52689e | command_prompt |
| 194 | defense-evasion | T1112 | Modify Registry | 27 | Windows HideSCAHealth Group Policy Feature | a4637291-40b1-4a96-8c82-b28f1d73e54e | command_prompt |
| 195 | defense-evasion | T1112 | Modify Registry | 28 | Windows HideSCANetwork Group Policy Feature | 3e757ce7-eca0-411a-9583-1c33b8508d52 | command_prompt |
| 196 | defense-evasion | T1112 | Modify Registry | 29 | Windows HideSCAPower Group Policy Feature | 8d85a5d8-702f-436f-bc78-fcd9119496fc | command_prompt |
| 197 | defense-evasion | T1112 | Modify Registry | 30 | Windows HideSCAVolume Group Policy Feature | 7f037590-b4c6-4f13-b3cc-e424c5ab8ade | command_prompt |
| 198 | defense-evasion | T1112 | Modify Registry | 31 | Windows Modify Show Compress Color And Info Tip Registry | 795d3248-0394-4d4d-8e86-4e8df2a2693f | command_prompt |
| 199 | defense-evasion | T1112 | Modify Registry | 32 | Windows Powershell Logging Disabled | 95b25212-91a7-42ff-9613-124aca6845a8 | command_prompt |
| 200 | defense-evasion | T1112 | Modify Registry | 33 | Windows Add Registry Value to Load Service in Safe Mode without Network | 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5 | command_prompt |
| 201 | defense-evasion | T1112 | Modify Registry | 34 | Windows Add Registry Value to Load Service in Safe Mode with Network | c173c948-65e5-499c-afbe-433722ed5bd4 | command_prompt |
| 202 | defense-evasion | T1112 | Modify Registry | 35 | Disable Windows Toast Notifications | 003f466a-6010-4b15-803a-cbb478a314d7 | command_prompt |
| 203 | defense-evasion | T1112 | Modify Registry | 36 | Disable Windows Security Center Notifications | 45914594-8df6-4ea9-b3cc-7eb9321a807e | command_prompt |
| 204 | defense-evasion | T1112 | Modify Registry | 37 | Suppress Win Defender Notifications | c30dada3-7777-4590-b970-dc890b8cf113 | command_prompt |
| 205 | defense-evasion | T1112 | Modify Registry | 38 | Allow RDP Remote Assistance Feature | 86677d0e-0b5e-4a2b-b302-454175f9aa9e | command_prompt |
| 206 | defense-evasion | T1112 | Modify Registry | 39 | NetWire RAT Registry Key Creation | 65704cd4-6e36-4b90-b6c1-dc29a82c8e56 | command_prompt |
| 207 | defense-evasion | T1112 | Modify Registry | 40 | Ursnif Malware Registry Key Creation | c375558d-7c25-45e9-bd64-7b23a97c1db0 | command_prompt |
| 208 | defense-evasion | T1112 | Modify Registry | 41 | Terminal Server Client Connection History Cleared | 3448824b-3c35-4a9e-a8f5-f887f68bea21 | command_prompt |
| 209 | defense-evasion | T1112 | Modify Registry | 42 | Disable Windows Error Reporting Settings | d2c9e41e-cd86-473d-980d-b6403562e3e1 | command_prompt |
| 210 | defense-evasion | T1112 | Modify Registry | 43 | DisallowRun Execution Of Certain Application | 71db768a-5a9c-4047-b5e7-59e01f188e84 | command_prompt |
| 211 | defense-evasion | T1574.008 | Path Interception by Search Order Hijacking | 1 | powerShell Persistence via hijacking default modules - Get-Variable.exe | 1561de08-0b4b-498e-8261-e922f3494aae | powershell |
| 212 | defense-evasion | T1027.001 | Binary Padding | 1 | Pad Binary to Change Hash - Linux/macOS dd | ffe2346c-abd5-4b45-a713-bf5f1ebd573a | sh |
| 213 | defense-evasion | T1078.001 | Default Accounts | 1 | Enable Guest account with RDP capability and admin privileges | 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 | command_prompt |
| 214 | defense-evasion | T1078.001 | Default Accounts | 2 | Activate Guest Account | aa6cb8c4-b582-4f8e-b677-37733914abda | command_prompt |
| 215 | defense-evasion | T1574.006 | Dynamic Linker Hijacking | 1 | Shared Library Injection via /etc/ld.so.preload | 39cb0e67-dd0d-4b74-a74b-c072db7ae991 | bash |
| 216 | defense-evasion | T1574.006 | Dynamic Linker Hijacking | 2 | Shared Library Injection via LD_PRELOAD | bc219ff7-789f-4d51-9142-ecae3397deae | bash |
| 217 | defense-evasion | T1574.006 | Dynamic Linker Hijacking | 3 | Dylib Injection via DYLD_INSERT_LIBRARIES | 4d66029d-7355-43fd-93a4-b63ba92ea1be | bash |
| 218 | defense-evasion | T1070.001 | Clear Windows Event Logs | 1 | Clear Logs | e6abb60e-26b8-41da-8aae-0c35174b0967 | command_prompt |
| 219 | defense-evasion | T1070.001 | Clear Windows Event Logs | 2 | Delete System Logs Using Clear-EventLog | b13e9306-3351-4b4b-a6e8-477358b0b498 | powershell |
| 220 | defense-evasion | T1070.001 | Clear Windows Event Logs | 3 | Clear Event Logs via VBA | 1b682d84-f075-4f93-9a89-8a8de19ffd6e | powershell |
| 221 | defense-evasion | T1134.002 | Create Process with Token | 1 | Access Token Manipulation | dbf4f5a9-b8e0-46a3-9841-9ad71247239e | powershell |
| 222 | defense-evasion | T1134.002 | Create Process with Token | 2 | WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique | ccf4ac39-ec93-42be-9035-90e2f26bcd92 | powershell |
| 223 | defense-evasion | T1548.001 | Setuid and Setgid | 1 | Make and modify binary from C source | 896dfe97-ae43-4101-8e96-9a7996555d80 | sh |
| 224 | defense-evasion | T1548.001 | Setuid and Setgid | 2 | Set a SetUID flag on file | 759055b3-3885-4582-a8ec-c00c9d64dd79 | sh |
| 225 | defense-evasion | T1548.001 | Setuid and Setgid | 3 | Set a SetGID flag on file | db55f666-7cba-46c6-9fe6-205a05c3242c | sh |
| 226 | defense-evasion | T1548.001 | Setuid and Setgid | 4 | Make and modify capabilities of a binary | db53959c-207d-4000-9e7a-cd8eb417e072 | sh |
| 227 | defense-evasion | T1548.001 | Setuid and Setgid | 5 | Provide the SetUID capability to a file | 1ac3272f-9bcf-443a-9888-4b1d3de785c1 | sh |
| 228 | defense-evasion | T1218.008 | Odbcconf | 1 | Odbcconf.exe - Execute Arbitrary DLL | 2430498b-06c0-4b92-a448-8ad263c388e2 | command_prompt |
| 229 | defense-evasion | T1218.008 | Odbcconf | 2 | Odbcconf.exe - Load Response File | 331ce274-f9c9-440b-9f8c-a1006e1fce0b | command_prompt |
| 230 | defense-evasion | T1562.006 | Indicator Blocking | 1 | Auditing Configuration Changes on Linux Host | 212cfbcf-4770-4980-bc21-303e37abd0e3 | bash |
| 231 | defense-evasion | T1562.006 | Indicator Blocking | 2 | Logging Configuration Changes on Linux Host | 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c | bash |
| 232 | defense-evasion | T1562.006 | Indicator Blocking | 3 | Disable Powershell ETW Provider - Windows | 6f118276-121d-4c09-bb58-a8fb4a72ee84 | powershell |
| 233 | defense-evasion | T1562.006 | Indicator Blocking | 4 | Disable .NET Event Tracing for Windows Via Registry (cmd) | 8a4c33be-a0d3-434a-bee6-315405edbd5b | command_prompt |
| 234 | defense-evasion | T1562.006 | Indicator Blocking | 5 | Disable .NET Event Tracing for Windows Via Registry (powershell) | 19c07a45-452d-4620-90ed-4c34fffbe758 | powershell |
| 235 | defense-evasion | T1070 | Indicator Removal on Host | 1 | Indicator Removal using FSUtil | b4115c7a-0e92-47f0-a61e-17e7218b2435 | command_prompt |
| 236 | defense-evasion | T1550.003 | Pass the Ticket | 1 | Mimikatz Kerberos Ticket Attack | dbf38128-7ba7-4776-bedf-cc2eed432098 | command_prompt |
| 237 | defense-evasion | T1550.003 | Pass the Ticket | 2 | Rubeus Kerberos Pass The Ticket | a2fc4ec5-12c6-4fb4-b661-961f23f359cb | powershell |
| 238 | defense-evasion | T1036.004 | Masquerade Task or Service | 1 | Creating W32Time similar named service using schtasks | f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9 | command_prompt |
| 239 | defense-evasion | T1036.004 | Masquerade Task or Service | 2 | Creating W32Time similar named service using sc | b721c6ef-472c-4263-a0d9-37f1f4ecff66 | command_prompt |
| 240 | defense-evasion | T1055.004 | Asynchronous Procedure Call | 1 | Process Injection via C# | 611b39b7-e243-4c81-87a4-7145a90358b1 | command_prompt |
| 241 | defense-evasion | T1647 | Plist File Modification | 1 | Plist Modification | 394a538e-09bb-4a4a-95d1-b93cf12682a8 | manual |
| 242 | defense-evasion | T1553.005 | Mark-of-the-Web Bypass | 1 | Mount ISO image | 002cca30-4778-4891-878a-aaffcfa502fa | powershell |
| 243 | defense-evasion | T1553.005 | Mark-of-the-Web Bypass | 2 | Mount an ISO image and run executable from the ISO | 42f22b00-0242-4afc-a61b-0da05041f9cc | powershell |
| 244 | defense-evasion | T1553.005 | Mark-of-the-Web Bypass | 3 | Remove the Zone.Identifier alternate data stream | 64b12afc-18b8-4d3f-9eab-7f6cae7c73f9 | powershell |
| 245 | defense-evasion | T1218.005 | Mshta | 1 | Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject | 1483fab9-4f52-4217-a9ce-daa9d7747cae | command_prompt |
| 246 | defense-evasion | T1218.005 | Mshta | 2 | Mshta executes VBScript to execute malicious command | 906865c3-e05f-4acc-85c4-fbc185455095 | command_prompt |
| 247 | defense-evasion | T1218.005 | Mshta | 3 | Mshta Executes Remote HTML Application (HTA) | c4b97eeb-5249-4455-a607-59f95485cb45 | powershell |
| 248 | defense-evasion | T1218.005 | Mshta | 4 | Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement | 007e5672-2088-4853-a562-7490ddc19447 | powershell |
| 249 | defense-evasion | T1218.005 | Mshta | 5 | Invoke HTML Application - Jscript Engine Simulating Double Click | 58a193ec-131b-404e-b1ca-b35cf0b18c33 | powershell |
| 250 | defense-evasion | T1218.005 | Mshta | 6 | Invoke HTML Application - Direct download from URI | 39ceed55-f653-48ac-bd19-aceceaf525db | powershell |
| 251 | defense-evasion | T1218.005 | Mshta | 7 | Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler | e7e3a525-7612-4d68-a5d3-c4649181b8af | powershell |
| 252 | defense-evasion | T1218.005 | Mshta | 8 | Invoke HTML Application - JScript Engine with Inline Protocol Handler | d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840 | powershell |
| 253 | defense-evasion | T1218.005 | Mshta | 9 | Invoke HTML Application - Simulate Lateral Movement over UNC Path | b8a8bdb2-7eae-490d-8251-d5e0295b2362 | powershell |
| 254 | defense-evasion | T1218.005 | Mshta | 10 | Mshta used to Execute PowerShell | 8707a805-2b76-4f32-b1c0-14e558205772 | command_prompt |
| 255 | defense-evasion | T1134.001 | Token Impersonation/Theft | 1 | Named pipe client impersonation | 90db9e27-8e7c-4c04-b602-a45927884966 | powershell |
| 256 | defense-evasion | T1134.001 | Token Impersonation/Theft | 2 | `SeDebugPrivilege` token duplication | 34f0a430-9d04-4d98-bcb5-1989f14719f0 | powershell |
| 257 | defense-evasion | T1564.002 | Hidden Users | 1 | Create Hidden User using UniqueID < 500 | 4238a7f0-a980-4fff-98a2-dfc0a363d507 | sh |
| 258 | defense-evasion | T1564.002 | Hidden Users | 2 | Create Hidden User using IsHidden option | de87ed7b-52c3-43fd-9554-730f695e7f31 | sh |
| 259 | defense-evasion | T1564.002 | Hidden Users | 3 | Create Hidden User in Registry | 173126b7-afe4-45eb-8680-fa9f6400431c | command_prompt |
| 260 | defense-evasion | T1562.003 | Impair Command History Logging | 1 | Disable history collection | 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 | sh |
| 261 | defense-evasion | T1562.003 | Impair Command History Logging | 2 | Mac HISTCONTROL | 468566d5-83e5-40c1-b338-511e1659628d | manual |
| 262 | defense-evasion | T1134.004 | Parent PID Spoofing | 1 | Parent PID Spoofing using PowerShell | 069258f4-2162-46e9-9a25-c9c6c56150d2 | powershell |
| 263 | defense-evasion | T1134.004 | Parent PID Spoofing | 2 | Parent PID Spoofing - Spawn from Current Process | 14920ebd-1d61-491a-85e0-fe98efe37f25 | powershell |
| 264 | defense-evasion | T1134.004 | Parent PID Spoofing | 3 | Parent PID Spoofing - Spawn from Specified Process | cbbff285-9051-444a-9d17-c07cd2d230eb | powershell |
| 265 | defense-evasion | T1134.004 | Parent PID Spoofing | 4 | Parent PID Spoofing - Spawn from svchost.exe | e9f2b777-3123-430b-805d-5cedc66ab591 | powershell |
| 266 | defense-evasion | T1134.004 | Parent PID Spoofing | 5 | Parent PID Spoofing - Spawn from New Process | 2988133e-561c-4e42-a15f-6281e6a9b2db | powershell |
| 267 | defense-evasion | T1218.001 | Compiled HTML File | 1 | Compiled HTML Help Local Payload | 5cb87818-0d7c-4469-b7ef-9224107aebe8 | command_prompt |
| 268 | defense-evasion | T1218.001 | Compiled HTML File | 2 | Compiled HTML Help Remote Payload | 0f8af516-9818-4172-922b-42986ef1e81d | command_prompt |
| 269 | defense-evasion | T1218.001 | Compiled HTML File | 3 | Invoke CHM with default Shortcut Command Execution | 29d6f0d7-be63-4482-8827-ea77126c1ef7 | powershell |
| 270 | defense-evasion | T1218.001 | Compiled HTML File | 4 | Invoke CHM with InfoTech Storage Protocol Handler | b4094750-5fc7-4e8e-af12-b4e36bf5e7f6 | powershell |
| 271 | defense-evasion | T1218.001 | Compiled HTML File | 5 | Invoke CHM Simulate Double click | 5decef42-92b8-4a93-9eb2-877ddcb9401a | powershell |
| 272 | defense-evasion | T1218.001 | Compiled HTML File | 6 | Invoke CHM with Script Engine and Help Topic | 4f83adda-f5ec-406d-b318-9773c9ca92e5 | powershell |
| 273 | defense-evasion | T1218.001 | Compiled HTML File | 7 | Invoke CHM Shortcut Command with ITS and Help Topic | 15756147-7470-4a83-87fb-bb5662526247 | powershell |
| 274 | defense-evasion | T1070.005 | Network Share Connection Removal | 1 | Add Network Share | 14c38f32-6509-46d8-ab43-d53e32d2b131 | command_prompt |
| 275 | defense-evasion | T1070.005 | Network Share Connection Removal | 2 | Remove Network Share | 09210ad5-1ef2-4077-9ad3-7351e13e9222 | command_prompt |
| 276 | defense-evasion | T1070.005 | Network Share Connection Removal | 3 | Remove Network Share PowerShell | 0512d214-9512-4d22-bde7-f37e058259b3 | powershell |
| 277 | defense-evasion | T1070.005 | Network Share Connection Removal | 4 | Disable Administrative Share Creation at Startup | 99c657aa-ebeb-4179-a665-69288fdd12b8 | command_prompt |
| 278 | defense-evasion | T1070.005 | Network Share Connection Removal | 5 | Remove Administrative Shares | 4299eff5-90f1-4446-b2f3-7f4f5cfd5d62 | command_prompt |
| 279 | defense-evasion | T1562.001 | Disable or Modify Tools | 1 | Disable syslog | 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8 | sh |
| 280 | defense-evasion | T1562.001 | Disable or Modify Tools | 2 | Disable Cb Response | ae8943f7-0f8d-44de-962d-fbc2e2f03eb8 | sh |
| 281 | defense-evasion | T1562.001 | Disable or Modify Tools | 3 | Disable SELinux | fc225f36-9279-4c39-b3f9-5141ab74f8d8 | sh |
| 282 | defense-evasion | T1562.001 | Disable or Modify Tools | 4 | Stop Crowdstrike Falcon on Linux | 828a1278-81cc-4802-96ab-188bf29ca77d | sh |
| 283 | defense-evasion | T1562.001 | Disable or Modify Tools | 5 | Disable Carbon Black Response | 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c | sh |
| 284 | defense-evasion | T1562.001 | Disable or Modify Tools | 6 | Disable LittleSnitch | 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3 | sh |
| 285 | defense-evasion | T1562.001 | Disable or Modify Tools | 7 | Disable OpenDNS Umbrella | 07f43b33-1e15-4e99-be70-bc094157c849 | sh |
| 286 | defense-evasion | T1562.001 | Disable or Modify Tools | 8 | Disable macOS Gatekeeper | 2a821573-fb3f-4e71-92c3-daac7432f053 | sh |
| 287 | defense-evasion | T1562.001 | Disable or Modify Tools | 9 | Stop and unload Crowdstrike Falcon on macOS | b3e7510c-2d4c-4249-a33f-591a2bc83eef | sh |
| 288 | defense-evasion | T1562.001 | Disable or Modify Tools | 10 | Unload Sysmon Filter Driver | 811b3e76-c41b-430c-ac0d-e2380bfaa164 | command_prompt |
| 289 | defense-evasion | T1562.001 | Disable or Modify Tools | 11 | Uninstall Sysmon | a316fb2e-5344-470d-91c1-23e15c374edc | command_prompt |
| 290 | defense-evasion | T1562.001 | Disable or Modify Tools | 12 | AMSI Bypass - AMSI InitFailed | 695eed40-e949-40e5-b306-b4031e4154bd | powershell |
| 291 | defense-evasion | T1562.001 | Disable or Modify Tools | 13 | AMSI Bypass - Remove AMSI Provider Reg Key | 13f09b91-c953-438e-845b-b585e51cac9b | powershell |
| 292 | defense-evasion | T1562.001 | Disable or Modify Tools | 14 | Disable Arbitrary Security Windows Service | a1230893-56ac-4c81-b644-2108e982f8f5 | command_prompt |
| 293 | defense-evasion | T1562.001 | Disable or Modify Tools | 15 | Tamper with Windows Defender ATP PowerShell | 6b8df440-51ec-4d53-bf83-899591c9b5d7 | powershell |
| 294 | defense-evasion | T1562.001 | Disable or Modify Tools | 16 | Tamper with Windows Defender Command Prompt | aa875ed4-8935-47e2-b2c5-6ec00ab220d2 | command_prompt |
| 295 | defense-evasion | T1562.001 | Disable or Modify Tools | 17 | Tamper with Windows Defender Registry | 1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45 | powershell |
| 296 | defense-evasion | T1562.001 | Disable or Modify Tools | 18 | Disable Microsoft Office Security Features | 6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7 | powershell |
| 297 | defense-evasion | T1562.001 | Disable or Modify Tools | 19 | Remove Windows Defender Definition Files | 3d47daaa-2f56-43e0-94cc-caf5d8d52a68 | command_prompt |
| 298 | defense-evasion | T1562.001 | Disable or Modify Tools | 20 | Stop and Remove Arbitrary Security Windows Service | ae753dda-0f15-4af6-a168-b9ba16143143 | powershell |
| 299 | defense-evasion | T1562.001 | Disable or Modify Tools | 21 | Uninstall Crowdstrike Falcon on Windows | b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297 | powershell |
| 300 | defense-evasion | T1562.001 | Disable or Modify Tools | 22 | Tamper with Windows Defender Evade Scanning -Folder | 0b19f4ee-de90-4059-88cb-63c800c683ed | powershell |
| 301 | defense-evasion | T1562.001 | Disable or Modify Tools | 23 | Tamper with Windows Defender Evade Scanning -Extension | 315f4be6-2240-4552-b3e1-d1047f5eecea | powershell |
| 302 | defense-evasion | T1562.001 | Disable or Modify Tools | 24 | Tamper with Windows Defender Evade Scanning -Process | a123ce6a-3916-45d6-ba9c-7d4081315c27 | powershell |
| 303 | defense-evasion | T1562.001 | Disable or Modify Tools | 25 | office-365-Disable-AntiPhishRule | b9bbae2c-2ba6-4cf3-b452-8e8f908696f3 | powershell |
| 304 | defense-evasion | T1562.001 | Disable or Modify Tools | 26 | Disable Windows Defender with DISM | 871438ac-7d6e-432a-b27d-3e7db69faf58 | command_prompt |
| 305 | defense-evasion | T1562.001 | Disable or Modify Tools | 27 | Disable Defender with Defender Control | 178136d8-2778-4d7a-81f3-d517053a4fd6 | powershell |
| 306 | defense-evasion | T1562.001 | Disable or Modify Tools | 28 | Disable Defender Using NirSoft AdvancedRun | 81ce22fd-9612-4154-918e-8a1f285d214d | powershell |
| 307 | defense-evasion | T1562.001 | Disable or Modify Tools | 29 | Kill antimalware protected processes using Backstab | 24a12b91-05a7-4deb-8d7f-035fa98591bc | powershell |
| 308 | defense-evasion | T1562.001 | Disable or Modify Tools | 30 | WinPwn - Kill the event log services for stealth | 7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66 | powershell |
| 309 | defense-evasion | T1562.001 | Disable or Modify Tools | 31 | Tamper with Windows Defender ATP using Aliases - PowerShell | c531aa6e-9c97-4b29-afee-9b7be6fc8a64 | powershell |
| 310 | defense-evasion | T1055.012 | Process Hollowing | 1 | Process Hollowing using PowerShell | 562427b4-39ef-4e8c-af88-463a78e70b9c | powershell |
| 311 | defense-evasion | T1055.012 | Process Hollowing | 2 | RunPE via VBA | 3ad4a037-1598-4136-837c-4027e4fa319b | powershell |
| 312 | defense-evasion | T1027 | Obfuscated Files or Information | 1 | Decode base64 Data into Script | f45df6be-2e1e-4136-a384-8f18ab3826fb | sh |
| 313 | defense-evasion | T1027 | Obfuscated Files or Information | 2 | Execute base64-encoded PowerShell | a50d5a97-2531-499e-a1de-5544c74432c6 | powershell |
| 314 | defense-evasion | T1027 | Obfuscated Files or Information | 3 | Execute base64-encoded PowerShell from Windows Registry | 450e7218-7915-4be4-8b9b-464a49eafcec | powershell |
| 315 | defense-evasion | T1027 | Obfuscated Files or Information | 4 | Execution from Compressed File | f8c8a909-5f29-49ac-9244-413936ce6d1f | command_prompt |
| 316 | defense-evasion | T1027 | Obfuscated Files or Information | 5 | DLP Evasion via Sensitive Data in VBA Macro over email | 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad | powershell |
| 317 | defense-evasion | T1027 | Obfuscated Files or Information | 6 | DLP Evasion via Sensitive Data in VBA Macro over HTTP | e2d85e66-cb66-4ed7-93b1-833fc56c9319 | powershell |
| 318 | defense-evasion | T1027 | Obfuscated Files or Information | 7 | Obfuscated Command in PowerShell | 8b3f4ed6-077b-4bdd-891c-2d237f19410f | powershell |
| 319 | defense-evasion | T1027 | Obfuscated Files or Information | 8 | Obfuscated Command Line using special Unicode characters | e68b945c-52d0-4dd9-a5e8-d173d70c448f | manual |
| 320 | defense-evasion | T1564.006 | Run Virtual Instance | 1 | Register Portable Virtualbox | c59f246a-34f8-4e4d-9276-c295ef9ba0dd | command_prompt |
| 321 | defense-evasion | T1564.006 | Run Virtual Instance | 2 | Create and start VirtualBox virtual machine | 88b81702-a1c0-49a9-95b2-2dd53d755767 | command_prompt |
| 322 | defense-evasion | T1564.006 | Run Virtual Instance | 3 | Create and start Hyper-V virtual machine | fb8d4d7e-f5a4-481c-8867-febf13f8b6d3 | powershell |
| 323 | defense-evasion | T1134.005 | SID-History Injection | 1 | Injection SID-History with mimikatz | 6bef32e5-9456-4072-8f14-35566fb85401 | command_prompt |
| 324 | defense-evasion | T1218.010 | Regsvr32 | 1 | Regsvr32 local COM scriptlet execution | 449aa403-6aba-47ce-8a37-247d21ef0306 | command_prompt |
| 325 | defense-evasion | T1218.010 | Regsvr32 | 2 | Regsvr32 remote COM scriptlet execution | c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36 | command_prompt |
| 326 | defense-evasion | T1218.010 | Regsvr32 | 3 | Regsvr32 local DLL execution | 08ffca73-9a3d-471a-aeb0-68b4aa3ab37b | command_prompt |
| 327 | defense-evasion | T1218.010 | Regsvr32 | 4 | Regsvr32 Registering Non DLL | 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421 | command_prompt |
| 328 | defense-evasion | T1218.010 | Regsvr32 | 5 | Regsvr32 Silent DLL Install Call DllRegisterServer | 9d71c492-ea2e-4c08-af16-c6994cdf029f | command_prompt |
| 329 | defense-evasion | T1036.003 | Rename System Utilities | 1 | Masquerading as Windows LSASS process | 5ba5a3d1-cf3c-4499-968a-a93155d1f717 | command_prompt |
| 330 | defense-evasion | T1036.003 | Rename System Utilities | 2 | Masquerading as Linux crond process. | a315bfff-7a98-403b-b442-2ea1b255e556 | sh |
| 331 | defense-evasion | T1036.003 | Rename System Utilities | 3 | Masquerading - cscript.exe running as notepad.exe | 3a2a578b-0a01-46e4-92e3-62e2859b42f0 | command_prompt |
| 332 | defense-evasion | T1036.003 | Rename System Utilities | 4 | Masquerading - wscript.exe running as svchost.exe | 24136435-c91a-4ede-9da1-8b284a1c1a23 | command_prompt |
| 333 | defense-evasion | T1036.003 | Rename System Utilities | 5 | Masquerading - powershell.exe running as taskhostw.exe | ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa | command_prompt |
| 334 | defense-evasion | T1036.003 | Rename System Utilities | 6 | Masquerading - non-windows exe running as windows exe | bc15c13f-d121-4b1f-8c7d-28d95854d086 | powershell |
| 335 | defense-evasion | T1036.003 | Rename System Utilities | 7 | Masquerading - windows exe running as different windows exe | c3d24a39-2bfe-4c6a-b064-90cd73896cb0 | powershell |
| 336 | defense-evasion | T1036.003 | Rename System Utilities | 8 | Malicious process Masquerading as LSM.exe | 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f | command_prompt |
| 337 | defense-evasion | T1036.003 | Rename System Utilities | 9 | File Extension Masquerading | c7fa0c3b-b57f-4cba-9118-863bf4e653fc | command_prompt |
| 338 | defense-evasion | T1574.009 | Path Interception by Unquoted Path | 1 | Execution of program.exe as service with unquoted service path | 2770dea7-c50f-457b-84c4-c40a47460d9f | command_prompt |
| 339 | defense-evasion | T1218.009 | Regsvcs/Regasm | 1 | Regasm Uninstall Method Call Test | 71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112 | command_prompt |
| 340 | defense-evasion | T1218.009 | Regsvcs/Regasm | 2 | Regsvcs Uninstall Method Call Test | fd3c1c6a-02d2-4b72-82d9-71c527abb126 | powershell |
| 341 | defense-evasion | T1553.004 | Install Root Certificate | 1 | Install root CA on CentOS/RHEL | 9c096ec4-fd42-419d-a762-d64cc950627e | sh |
| 342 | defense-evasion | T1553.004 | Install Root Certificate | 2 | Install root CA on Debian/Ubuntu | 53bcf8a0-1549-4b85-b919-010c56d724ff | sh |
| 343 | defense-evasion | T1553.004 | Install Root Certificate | 3 | Install root CA on macOS | cc4a0b8c-426f-40ff-9426-4e10e5bf4c49 | sh |
| 344 | defense-evasion | T1553.004 | Install Root Certificate | 4 | Install root CA on Windows | 76f49d86-5eb1-461a-a032-a480f86652f1 | powershell |
| 345 | defense-evasion | T1553.004 | Install Root Certificate | 5 | Install root CA on Windows with certutil | 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f | powershell |
| 346 | defense-evasion | T1553.004 | Install Root Certificate | 6 | Add Root Certificate to CurrentUser Certificate Store | ca20a3f1-42b5-4e21-ad3f-1049199ec2e0 | powershell |
| 347 | defense-evasion | T1027.004 | Compile After Delivery | 1 | Compile After Delivery using csc.exe | ffcdbd6a-b0e8-487d-927a-09127fe9a206 | command_prompt |
| 348 | defense-evasion | T1027.004 | Compile After Delivery | 2 | Dynamic C# Compile | 453614d8-3ba6-4147-acc0-7ec4b3e1faef | powershell |
| 349 | defense-evasion | T1027.004 | Compile After Delivery | 3 | C compile | d0377aa6-850a-42b2-95f0-de558d80be57 | bash |
| 350 | defense-evasion | T1027.004 | Compile After Delivery | 4 | CC compile | da97bb11-d6d0-4fc1-b445-e443d1346efe | bash |
| 351 | defense-evasion | T1027.004 | Compile After Delivery | 5 | Go compile | 78bd3fa7-773c-449e-a978-dc1f1500bc52 | bash |
| 352 | defense-evasion | T1197 | BITS Jobs | 1 | Bitsadmin Download (cmd) | 3c73d728-75fb-4180-a12f-6712864d7421 | command_prompt |
| 353 | defense-evasion | T1197 | BITS Jobs | 2 | Bitsadmin Download (PowerShell) | f63b8bc4-07e5-4112-acba-56f646f3f0bc | powershell |
| 354 | defense-evasion | T1197 | BITS Jobs | 3 | Persist, Download, & Execute | 62a06ec5-5754-47d2-bcfc-123d8314c6ae | command_prompt |
| 355 | defense-evasion | T1197 | BITS Jobs | 4 | Bits download using desktopimgdownldr.exe (cmd) | afb5e09e-e385-4dee-9a94-6ee60979d114 | command_prompt |
| 356 | defense-evasion | T1127.001 | MSBuild | 1 | MSBuild Bypass Using Inline Tasks (C#) | 58742c0f-cb01-44cd-a60b-fb26e8871c93 | command_prompt |
| 357 | defense-evasion | T1127.001 | MSBuild | 2 | MSBuild Bypass Using Inline Tasks (VB) | ab042179-c0c5-402f-9bc8-42741f5ce359 | command_prompt |
| 358 | defense-evasion | T1562.008 | Disable Cloud Logs | 1 | AWS CloudTrail Changes | 9c10dc6b-20bd-403a-8e67-50ef7d07ed4e | sh |
| 359 | defense-evasion | T1562.008 | Disable Cloud Logs | 2 | Azure - Eventhub Deletion | 5e09bed0-7d33-453b-9bf3-caea32bff719 | powershell |
| 360 | defense-evasion | T1562.008 | Disable Cloud Logs | 3 | Office 365 - Exchange Audit Log Disabled | 1ee572f3-056c-4632-a7fc-7e7c42b1543c | powershell |
| 361 | defense-evasion | T1562.008 | Disable Cloud Logs | 4 | Disable CloudTrail Logging Through Event Selectors via Stratus | a27418de-bdce-4ebd-b655-38f11142bf0c | sh |
| 362 | defense-evasion | T1562.008 | Disable Cloud Logs | 5 | AWS CloudWatch Log Group Deletes | 89422c87-b57b-4a04-a8ca-802bb9d06121 | sh |
| 363 | defense-evasion | T1562.008 | Disable Cloud Logs | 6 | AWS CloudWatch Log Stream Deletes | 33ca84bc-4259-4943-bd36-4655dc420932 | sh |
| 364 | defense-evasion | T1564.003 | Hidden Window | 1 | Hidden Window | f151ee37-9e2b-47e6-80e4-550b9f999b7a | powershell |
| 365 | defense-evasion | T1070.004 | File Deletion | 1 | Delete a single file - Linux/macOS | 562d737f-2fc6-4b09-8c2a-7f8ff0828480 | sh |
| 366 | defense-evasion | T1070.004 | File Deletion | 2 | Delete an entire folder - Linux/macOS | a415f17e-ce8d-4ce2-a8b4-83b674e7017e | sh |
| 367 | defense-evasion | T1070.004 | File Deletion | 3 | Overwrite and delete a file with shred | 039b4b10-2900-404b-b67f-4b6d49aa6499 | sh |
| 368 | defense-evasion | T1070.004 | File Deletion | 4 | Delete a single file - Windows cmd | 861ea0b4-708a-4d17-848d-186c9c7f17e3 | command_prompt |
| 369 | defense-evasion | T1070.004 | File Deletion | 5 | Delete an entire folder - Windows cmd | ded937c4-2add-42f7-9c2c-c742b7a98698 | command_prompt |
| 370 | defense-evasion | T1070.004 | File Deletion | 6 | Delete a single file - Windows PowerShell | 9dee89bd-9a98-4c4f-9e2d-4256690b0e72 | powershell |
| 371 | defense-evasion | T1070.004 | File Deletion | 7 | Delete an entire folder - Windows PowerShell | edd779e4-a509-4cba-8dfa-a112543dbfb1 | powershell |
| 372 | defense-evasion | T1070.004 | File Deletion | 8 | Delete Filesystem - Linux | f3aa95fe-4f10-4485-ad26-abf22a764c52 | bash |
| 373 | defense-evasion | T1070.004 | File Deletion | 9 | Delete Prefetch File | 36f96049-0ad7-4a5f-8418-460acaeb92fb | powershell |
| 374 | defense-evasion | T1070.004 | File Deletion | 10 | Delete TeamViewer Log Files | 69f50a5f-967c-4327-a5bb-e1a9a9983785 | powershell |
| 375 | defense-evasion | T1221 | Template Injection | 1 | WINWORD Remote Template Injection | 1489e08a-82c7-44ee-b769-51b72d03521d | command_prompt |
| 376 | defense-evasion | T1027.002 | Software Packing | 1 | Binary simply packed by UPX (linux) | 11c46cd8-e471-450e-acb8-52a1216ae6a4 | sh |
| 377 | defense-evasion | T1027.002 | Software Packing | 2 | Binary packed by UPX, with modified headers (linux) | f06197f8-ff46-48c2-a0c6-afc1b50665e1 | sh |
| 378 | defense-evasion | T1027.002 | Software Packing | 3 | Binary simply packed by UPX | b16ef901-00bb-4dda-b4fc-a04db5067e20 | sh |
| 379 | defense-evasion | T1027.002 | Software Packing | 4 | Binary packed by UPX, with modified headers | 4d46e16b-5765-4046-9f25-a600d3e65e4d | sh |
| 380 | defense-evasion | T1036.006 | Space after Filename | 1 | Space After Filename (Manual) | 89a7dd26-e510-4c9f-9b15-f3bae333360f | manual |
| 381 | defense-evasion | T1036.006 | Space after Filename | 2 | Space After Filename | b95ce2eb-a093-4cd8-938d-5258cef656ea | bash |
| 382 | defense-evasion | T1550.002 | Pass the Hash | 1 | Mimikatz Pass the Hash | ec23cef9-27d9-46e4-a68d-6f75f7b86908 | command_prompt |
| 383 | defense-evasion | T1550.002 | Pass the Hash | 2 | crackmapexec Pass the Hash | eb05b028-16c8-4ad8-adea-6f5b219da9a9 | command_prompt |
| 384 | defense-evasion | T1550.002 | Pass the Hash | 3 | Invoke-WMIExec Pass the Hash | f8757545-b00a-4e4e-8cfb-8cfb961ee713 | powershell |
| 385 | defense-evasion | T1574.002 | DLL Side-Loading | 1 | DLL Side-Loading using the Notepad++ GUP.exe binary | 65526037-7079-44a9-bda1-2cb624838040 | command_prompt |
| 386 | defense-evasion | T1220 | XSL Script Processing | 1 | MSXSL Bypass using local files | ca23bfb2-023f-49c5-8802-e66997de462d | command_prompt |
| 387 | defense-evasion | T1220 | XSL Script Processing | 2 | MSXSL Bypass using remote files | a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985 | command_prompt |
| 388 | defense-evasion | T1220 | XSL Script Processing | 3 | WMIC bypass using local XSL file | 1b237334-3e21-4a0c-8178-b8c996124988 | command_prompt |
| 389 | defense-evasion | T1220 | XSL Script Processing | 4 | WMIC bypass using remote XSL file | 7f5be499-33be-4129-a560-66021f379b9b | command_prompt |
| 390 | defense-evasion | T1564.001 | Hidden Files and Directories | 1 | Create a hidden file in a hidden directory | 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be | sh |
| 391 | defense-evasion | T1564.001 | Hidden Files and Directories | 2 | Mac Hidden file | cddb9098-3b47-4e01-9d3b-6f5f323288a9 | sh |
| 392 | defense-evasion | T1564.001 | Hidden Files and Directories | 3 | Create Windows System File with Attrib | f70974c8-c094-4574-b542-2c545af95a32 | command_prompt |
| 393 | defense-evasion | T1564.001 | Hidden Files and Directories | 4 | Create Windows Hidden File with Attrib | dadb792e-4358-4d8d-9207-b771faa0daa5 | command_prompt |
| 394 | defense-evasion | T1564.001 | Hidden Files and Directories | 5 | Hidden files | 3b7015f2-3144-4205-b799-b05580621379 | sh |
| 395 | defense-evasion | T1564.001 | Hidden Files and Directories | 6 | Hide a Directory | b115ecaf-3b24-4ed2-aefe-2fcb9db913d3 | sh |
| 396 | defense-evasion | T1564.001 | Hidden Files and Directories | 7 | Show all hidden files | 9a1ec7da-b892-449f-ad68-67066d04380c | sh |
| 397 | defense-evasion | T1564.001 | Hidden Files and Directories | 8 | Hide Files Through Registry | f650456b-bd49-4bc1-ae9d-271b5b9581e7 | command_prompt |
| 398 | defense-evasion | T1078.004 | Cloud Accounts | 1 | Creating GCP Service Account and Service Account Key | 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e | gcloud |
| 399 | defense-evasion | T1564.004 | NTFS File Attributes | 1 | Alternate Data Streams (ADS) | 8822c3b0-d9f9-4daf-a043-49f4602364f4 | command_prompt |
| 400 | defense-evasion | T1564.004 | NTFS File Attributes | 2 | Store file in Alternate Data Stream (ADS) | 2ab75061-f5d5-4c1a-b666-ba2a50df5b02 | powershell |
| 401 | defense-evasion | T1564.004 | NTFS File Attributes | 3 | Create ADS command prompt | 17e7637a-ddaf-4a82-8622-377e20de8fdb | command_prompt |
| 402 | defense-evasion | T1564.004 | NTFS File Attributes | 4 | Create ADS PowerShell | 0045ea16-ed3c-4d4c-a9ee-15e44d1560d1 | powershell |
| 403 | defense-evasion | T1055.001 | Dynamic-link Library Injection | 1 | Process Injection via mavinject.exe | 74496461-11a1-4982-b439-4d87a550d254 | powershell |
| 404 | defense-evasion | T1055.001 | Dynamic-link Library Injection | 2 | WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique | 8b56f787-73d9-4f1d-87e8-d07e89cbc7f5 | powershell |
| 405 | defense-evasion | T1216 | System Script Proxy Execution | 1 | SyncAppvPublishingServer Signed Script PowerShell Command Execution | 275d963d-3f36-476c-8bef-a2a3960ee6eb | command_prompt |
| 406 | defense-evasion | T1216 | System Script Proxy Execution | 2 | manage-bde.wsf Signed Script Command Execution | 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a | command_prompt |
| 407 | defense-evasion | T1078.003 | Local Accounts | 1 | Create local account with admin privileges | a524ce99-86de-4db6-b4f9-e08f35a47a15 | command_prompt |
| 408 | defense-evasion | T1078.003 | Local Accounts | 2 | Create local account with admin privileges - MacOS | f1275566-1c26-4b66-83e3-7f9f7f964daa | bash |
| 409 | defense-evasion | T1078.003 | Local Accounts | 3 | WinPwn - Loot local Credentials - powerhell kittie | 9e9fd066-453d-442f-88c1-ad7911d32912 | powershell |
| 410 | defense-evasion | T1078.003 | Local Accounts | 4 | WinPwn - Loot local Credentials - Safetykatz | e9fdb899-a980-4ba4-934b-486ad22e22f4 | powershell |
| 411 | defense-evasion | T1127 | Trusted Developer Utilities Proxy Execution | 1 | Lolbin Jsc.exe compile javascript to exe | 1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8 | command_prompt |
| 412 | defense-evasion | T1127 | Trusted Developer Utilities Proxy Execution | 2 | Lolbin Jsc.exe compile javascript to dll | 3fc9fea2-871d-414d-8ef6-02e85e322b80 | command_prompt |
| 413 | defense-evasion | T1574.012 | COR_PROFILER | 1 | User scope COR_PROFILER | 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a | powershell |
| 414 | defense-evasion | T1574.012 | COR_PROFILER | 2 | System Scope COR_PROFILER | f373b482-48c8-4ce4-85ed-d40c8b3f7310 | powershell |
| 415 | defense-evasion | T1574.012 | COR_PROFILER | 3 | Registry-free process scope COR_PROFILER | 79d57242-bbef-41db-b301-9d01d9f6e817 | powershell |
| 416 | privilege-escalation | T1053.005 | Scheduled Task | 1 | Scheduled Task Startup Script | fec27f65-db86-4c2d-b66c-61945aee87c2 | command_prompt |
| 417 | privilege-escalation | T1053.005 | Scheduled Task | 2 | Scheduled task Local | 42f53695-ad4a-4546-abb6-7d837f644a71 | command_prompt |
| 418 | privilege-escalation | T1053.005 | Scheduled Task | 3 | Scheduled task Remote | 2e5eac3e-327b-4a88-a0c0-c4057039a8dd | command_prompt |
| 419 | privilege-escalation | T1053.005 | Scheduled Task | 4 | Powershell Cmdlet Scheduled Task | af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd | powershell |
| 420 | privilege-escalation | T1053.005 | Scheduled Task | 5 | Task Scheduler via VBA | ecd3fa21-7792-41a2-8726-2c5c673414d3 | powershell |
| 421 | privilege-escalation | T1053.005 | Scheduled Task | 6 | WMI Invoke-CimMethod Scheduled Task | e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b | powershell |
| 422 | privilege-escalation | T1053.005 | Scheduled Task | 7 | Scheduled Task Executing Base64 Encoded Commands From Registry | e895677d-4f06-49ab-91b6-ae3742d0a2ba | command_prompt |
| 423 | privilege-escalation | T1053.005 | Scheduled Task | 8 | Import XML Schedule Task with Hidden Attribute | cd925593-fbb4-486d-8def-16cbdf944bf4 | powershell |
| 424 | privilege-escalation | T1546.013 | PowerShell Profile | 1 | Append malicious start-process cmdlet | 090e5aa5-32b6-473b-a49b-21e843a56896 | powershell |
| 425 | privilege-escalation | T1053.007 | Container Orchestration Job | 1 | ListCronjobs | ddfb0bc1-3c3f-47e9-a298-550ecfefacbd | bash |
| 426 | privilege-escalation | T1053.007 | Container Orchestration Job | 2 | CreateCronjob | f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 | bash |
| 427 | privilege-escalation | T1548.002 | Bypass User Account Control | 1 | Bypass UAC using Event Viewer (cmd) | 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 | command_prompt |
| 428 | privilege-escalation | T1548.002 | Bypass User Account Control | 2 | Bypass UAC using Event Viewer (PowerShell) | a6ce9acf-842a-4af6-8f79-539be7608e2b | powershell |
| 429 | privilege-escalation | T1548.002 | Bypass User Account Control | 3 | Bypass UAC using Fodhelper | 58f641ea-12e3-499a-b684-44dee46bd182 | command_prompt |
| 430 | privilege-escalation | T1548.002 | Bypass User Account Control | 4 | Bypass UAC using Fodhelper - PowerShell | 3f627297-6c38-4e7d-a278-fc2563eaaeaa | powershell |
| 431 | privilege-escalation | T1548.002 | Bypass User Account Control | 5 | Bypass UAC using ComputerDefaults (PowerShell) | 3c51abf2-44bf-42d8-9111-dc96ff66750f | powershell |
| 432 | privilege-escalation | T1548.002 | Bypass User Account Control | 6 | Bypass UAC by Mocking Trusted Directories | f7a35090-6f7f-4f64-bb47-d657bf5b10c1 | command_prompt |
| 433 | privilege-escalation | T1548.002 | Bypass User Account Control | 7 | Bypass UAC using sdclt DelegateExecute | 3be891eb-4608-4173-87e8-78b494c029b7 | powershell |
| 434 | privilege-escalation | T1548.002 | Bypass User Account Control | 8 | Disable UAC using reg.exe | 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 | command_prompt |
| 435 | privilege-escalation | T1548.002 | Bypass User Account Control | 9 | Bypass UAC using SilentCleanup task | 28104f8a-4ff1-4582-bcf6-699dce156608 | command_prompt |
| 436 | privilege-escalation | T1548.002 | Bypass User Account Control | 10 | UACME Bypass Method 23 | 8ceab7a2-563a-47d2-b5ba-0995211128d7 | command_prompt |
| 437 | privilege-escalation | T1548.002 | Bypass User Account Control | 11 | UACME Bypass Method 31 | b0f76240-9f33-4d34-90e8-3a7d501beb15 | command_prompt |
| 438 | privilege-escalation | T1548.002 | Bypass User Account Control | 12 | UACME Bypass Method 33 | e514bb03-f71c-4b22-9092-9f961ec6fb03 | command_prompt |
| 439 | privilege-escalation | T1548.002 | Bypass User Account Control | 13 | UACME Bypass Method 34 | 695b2dac-423e-448e-b6ef-5b88e93011d6 | command_prompt |
| 440 | privilege-escalation | T1548.002 | Bypass User Account Control | 14 | UACME Bypass Method 39 | 56163687-081f-47da-bb9c-7b231c5585cf | command_prompt |
| 441 | privilege-escalation | T1548.002 | Bypass User Account Control | 15 | UACME Bypass Method 56 | 235ec031-cd2d-465d-a7ae-68bab281e80e | command_prompt |
| 442 | privilege-escalation | T1548.002 | Bypass User Account Control | 16 | UACME Bypass Method 59 | dfb1b667-4bb8-4a63-a85e-29936ea75f29 | command_prompt |
| 443 | privilege-escalation | T1548.002 | Bypass User Account Control | 17 | UACME Bypass Method 61 | 7825b576-744c-4555-856d-caf3460dc236 | command_prompt |
| 444 | privilege-escalation | T1548.002 | Bypass User Account Control | 18 | WinPwn - UAC Magic | 964d8bf8-37bc-4fd3-ba36-ad13761ebbcc | powershell |
| 445 | privilege-escalation | T1548.002 | Bypass User Account Control | 19 | WinPwn - UAC Bypass ccmstp technique | f3c145f9-3c8d-422c-bd99-296a17a8f567 | powershell |
| 446 | privilege-escalation | T1548.002 | Bypass User Account Control | 20 | WinPwn - UAC Bypass DiskCleanup technique | 1ed67900-66cd-4b09-b546-2a0ef4431a0c | powershell |
| 447 | privilege-escalation | T1548.002 | Bypass User Account Control | 21 | WinPwn - UAC Bypass DccwBypassUAC technique | 2b61977b-ae2d-4ae4-89cb-5c36c89586be | powershell |
| 448 | privilege-escalation | T1548.003 | Sudo and Sudo Caching | 1 | Sudo usage | 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e | sh |
| 449 | privilege-escalation | T1548.003 | Sudo and Sudo Caching | 2 | Unlimited sudo cache timeout | a7b17659-dd5e-46f7-b7d1-e6792c91d0bc | sh |
| 450 | privilege-escalation | T1548.003 | Sudo and Sudo Caching | 3 | Disable tty_tickets for sudo caching | 91a60b03-fb75-4d24-a42e-2eb8956e8de1 | sh |
| 451 | privilege-escalation | T1574.011 | Services Registry Permissions Weakness | 1 | Service Registry Permissions Weakness | f7536d63-7fd4-466f-89da-7e48d550752a | powershell |
| 452 | privilege-escalation | T1574.011 | Services Registry Permissions Weakness | 2 | Service ImagePath Change with reg.exe | f38e9eea-e1d7-4ba6-b716-584791963827 | command_prompt |
| 453 | privilege-escalation | T1547 | Boot or Logon Autostart Execution | 1 | Add a driver | cb01b3da-b0e7-4e24-bf6d-de5223526785 | command_prompt |
| 454 | privilege-escalation | T1484.002 | Domain Trust Modification | 1 | Add Federation to Azure AD | 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7 | powershell |
| 455 | privilege-escalation | T1543.003 | Windows Service | 1 | Modify Fax service to run PowerShell | ed366cde-7d12-49df-a833-671904770b9f | command_prompt |
| 456 | privilege-escalation | T1543.003 | Windows Service | 2 | Service Installation CMD | 981e2942-e433-44e9-afc1-8c957a1496b6 | command_prompt |
| 457 | privilege-escalation | T1543.003 | Windows Service | 3 | Service Installation PowerShell | 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 | powershell |
| 458 | privilege-escalation | T1543.003 | Windows Service | 4 | TinyTurla backdoor service w64time | ef0581fd-528e-4662-87bc-4c2affb86940 | command_prompt |
| 459 | privilege-escalation | T1053.003 | Cron | 1 | Cron - Replace crontab with referenced file | 435057fb-74b1-410e-9403-d81baf194f75 | bash |
| 460 | privilege-escalation | T1053.003 | Cron | 2 | Cron - Add script to all cron subfolders | b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 | bash |
| 461 | privilege-escalation | T1053.003 | Cron | 3 | Cron - Add script to /var/spool/cron/crontabs/ folder | 2d943c18-e74a-44bf-936f-25ade6cccab4 | bash |
| 462 | privilege-escalation | T1574.001 | DLL Search Order Hijacking | 1 | DLL Search Order Hijacking - amsi.dll | 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 | command_prompt |
| 463 | privilege-escalation | T1546.011 | Application Shimming | 1 | Application Shim Installation | 9ab27e22-ee62-4211-962b-d36d9a0e6a18 | command_prompt |
| 464 | privilege-escalation | T1546.011 | Application Shimming | 2 | New shim database files created in the default shim database directory | aefd6866-d753-431f-a7a4-215ca7e3f13d | powershell |
| 465 | privilege-escalation | T1546.011 | Application Shimming | 3 | Registry key creation and/or modification events for SDB | 9b6a06f9-ab5e-4e8d-8289-1df4289db02f | powershell |
| 466 | privilege-escalation | T1547.010 | Port Monitors | 1 | Add Port Monitor persistence in Registry | d34ef297-f178-4462-871e-9ce618d44e50 | command_prompt |
| 467 | privilege-escalation | T1037.002 | Login Hook | 1 | Logon Scripts - Mac | f047c7de-a2d9-406e-a62b-12a09d9516f4 | manual |
| 468 | privilege-escalation | T1055 | Process Injection | 1 | Shellcode execution via VBA | 1c91e740-1729-4329-b779-feba6e71d048 | powershell |
| 469 | privilege-escalation | T1055 | Process Injection | 2 | Remote Process Injection in LSASS via mimikatz | 3203ad24-168e-4bec-be36-f79b13ef8a83 | command_prompt |
| 470 | privilege-escalation | T1611 | Escape to Host | 1 | Deploy container using nsenter container escape | 0b2f9520-a17a-4671-9dba-3bd034099fff | sh |
| 471 | privilege-escalation | T1611 | Escape to Host | 2 | Mount host filesystem to escape privileged Docker container | 6c499943-b098-4bc6-8d38-0956fc182984 | sh |
| 472 | privilege-escalation | T1547.009 | Shortcut Modification | 1 | Shortcut Modification | ce4fc678-364f-4282-af16-2fb4c78005ce | command_prompt |
| 473 | privilege-escalation | T1547.009 | Shortcut Modification | 2 | Create shortcut to cmd in startup folders | cfdc954d-4bb0-4027-875b-a1893ce406f2 | powershell |
| 474 | privilege-escalation | T1547.005 | Security Support Provider | 1 | Modify SSP configuration in registry | afdfd7e3-8a0b-409f-85f7-886fdf249c9e | powershell |
| 475 | privilege-escalation | T1543.004 | Launch Daemon | 1 | Launch Daemon | 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf | bash |
| 476 | privilege-escalation | T1574.008 | Path Interception by Search Order Hijacking | 1 | powerShell Persistence via hijacking default modules - Get-Variable.exe | 1561de08-0b4b-498e-8261-e922f3494aae | powershell |
| 477 | privilege-escalation | T1078.001 | Default Accounts | 1 | Enable Guest account with RDP capability and admin privileges | 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 | command_prompt |
| 478 | privilege-escalation | T1078.001 | Default Accounts | 2 | Activate Guest Account | aa6cb8c4-b582-4f8e-b677-37733914abda | command_prompt |
| 479 | privilege-escalation | T1547.003 | Time Providers | 1 | Create a new time provider | df1efab7-bc6d-4b88-8be9-91f55ae017aa | powershell |
| 480 | privilege-escalation | T1547.003 | Time Providers | 2 | Edit an existing time provider | 29e0afca-8d1d-471a-8d34-25512fc48315 | powershell |
| 481 | privilege-escalation | T1546.005 | Trap | 1 | Trap | a74b2e07-5952-4c03-8b56-56274b076b61 | sh |
| 482 | privilege-escalation | T1574.006 | Dynamic Linker Hijacking | 1 | Shared Library Injection via /etc/ld.so.preload | 39cb0e67-dd0d-4b74-a74b-c072db7ae991 | bash |
| 483 | privilege-escalation | T1574.006 | Dynamic Linker Hijacking | 2 | Shared Library Injection via LD_PRELOAD | bc219ff7-789f-4d51-9142-ecae3397deae | bash |
| 484 | privilege-escalation | T1574.006 | Dynamic Linker Hijacking | 3 | Dylib Injection via DYLD_INSERT_LIBRARIES | 4d66029d-7355-43fd-93a4-b63ba92ea1be | bash |
| 485 | privilege-escalation | T1134.002 | Create Process with Token | 1 | Access Token Manipulation | dbf4f5a9-b8e0-46a3-9841-9ad71247239e | powershell |
| 486 | privilege-escalation | T1134.002 | Create Process with Token | 2 | WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique | ccf4ac39-ec93-42be-9035-90e2f26bcd92 | powershell |
| 487 | privilege-escalation | T1548.001 | Setuid and Setgid | 1 | Make and modify binary from C source | 896dfe97-ae43-4101-8e96-9a7996555d80 | sh |
| 488 | privilege-escalation | T1548.001 | Setuid and Setgid | 2 | Set a SetUID flag on file | 759055b3-3885-4582-a8ec-c00c9d64dd79 | sh |
| 489 | privilege-escalation | T1548.001 | Setuid and Setgid | 3 | Set a SetGID flag on file | db55f666-7cba-46c6-9fe6-205a05c3242c | sh |
| 490 | privilege-escalation | T1548.001 | Setuid and Setgid | 4 | Make and modify capabilities of a binary | db53959c-207d-4000-9e7a-cd8eb417e072 | sh |
| 491 | privilege-escalation | T1548.001 | Setuid and Setgid | 5 | Provide the SetUID capability to a file | 1ac3272f-9bcf-443a-9888-4b1d3de785c1 | sh |
| 492 | privilege-escalation | T1547.004 | Winlogon Helper DLL | 1 | Winlogon Shell Key Persistence - PowerShell | bf9f9d65-ee4d-4c3e-a843-777d04f19c38 | powershell |
| 493 | privilege-escalation | T1547.004 | Winlogon Helper DLL | 2 | Winlogon Userinit Key Persistence - PowerShell | fb32c935-ee2e-454b-8fa3-1c46b42e8dfb | powershell |
| 494 | privilege-escalation | T1547.004 | Winlogon Helper DLL | 3 | Winlogon Notify Key Logon Persistence - PowerShell | d40da266-e073-4e5a-bb8b-2b385023e5f9 | powershell |
| 495 | privilege-escalation | T1546.012 | Image File Execution Options Injection | 1 | IFEO Add Debugger | fdda2626-5234-4c90-b163-60849a24c0b8 | command_prompt |
| 496 | privilege-escalation | T1546.012 | Image File Execution Options Injection | 2 | IFEO Global Flags | 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 | command_prompt |
| 497 | privilege-escalation | T1546.008 | Accessibility Features | 1 | Attaches Command Prompt as a Debugger to a List of Target Processes | 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 | powershell |
| 498 | privilege-escalation | T1546.008 | Accessibility Features | 2 | Replace binary of sticky keys | 934e90cf-29ca-48b3-863c-411737ad44e3 | command_prompt |
| 499 | privilege-escalation | T1055.004 | Asynchronous Procedure Call | 1 | Process Injection via C# | 611b39b7-e243-4c81-87a4-7145a90358b1 | command_prompt |
| 500 | privilege-escalation | T1546.009 | AppCert DLLs | 1 | Create registry persistence via AppCert DLL | a5ad6104-5bab-4c43-b295-b4c44c7c6b05 | powershell |
| 501 | privilege-escalation | T1134.001 | Token Impersonation/Theft | 1 | Named pipe client impersonation | 90db9e27-8e7c-4c04-b602-a45927884966 | powershell |
| 502 | privilege-escalation | T1134.001 | Token Impersonation/Theft | 2 | `SeDebugPrivilege` token duplication | 34f0a430-9d04-4d98-bcb5-1989f14719f0 | powershell |
| 503 | privilege-escalation | T1546.003 | Windows Management Instrumentation Event Subscription | 1 | Persistence via WMI Event Subscription - CommandLineEventConsumer | 3c64f177-28e2-49eb-a799-d767b24dd1e0 | powershell |
| 504 | privilege-escalation | T1546.003 | Windows Management Instrumentation Event Subscription | 2 | Persistence via WMI Event Subscription - ActiveScriptEventConsumer | fecd0dfd-fb55-45fa-a10b-6250272d0832 | powershell |
| 505 | privilege-escalation | T1546.003 | Windows Management Instrumentation Event Subscription | 3 | Windows MOFComp.exe Load MOF File | 29786d7e-8916-4de6-9c55-be7b093b2706 | powershell |
| 506 | privilege-escalation | T1134.004 | Parent PID Spoofing | 1 | Parent PID Spoofing using PowerShell | 069258f4-2162-46e9-9a25-c9c6c56150d2 | powershell |
| 507 | privilege-escalation | T1134.004 | Parent PID Spoofing | 2 | Parent PID Spoofing - Spawn from Current Process | 14920ebd-1d61-491a-85e0-fe98efe37f25 | powershell |
| 508 | privilege-escalation | T1134.004 | Parent PID Spoofing | 3 | Parent PID Spoofing - Spawn from Specified Process | cbbff285-9051-444a-9d17-c07cd2d230eb | powershell |
| 509 | privilege-escalation | T1134.004 | Parent PID Spoofing | 4 | Parent PID Spoofing - Spawn from svchost.exe | e9f2b777-3123-430b-805d-5cedc66ab591 | powershell |
| 510 | privilege-escalation | T1134.004 | Parent PID Spoofing | 5 | Parent PID Spoofing - Spawn from New Process | 2988133e-561c-4e42-a15f-6281e6a9b2db | powershell |
| 511 | privilege-escalation | T1546.001 | Change Default File Association | 1 | Change Default File Association | 10a08978-2045-4d62-8c42-1957bbbea102 | command_prompt |
| 512 | privilege-escalation | T1546.014 | Emond | 1 | Persistance with Event Monitor - emond | 23c9c127-322b-4c75-95ca-eff464906114 | sh |
| 513 | privilege-escalation | T1547.001 | Registry Run Keys / Startup Folder | 1 | Reg Key Run | e55be3fd-3521-4610-9d1a-e210e42dcf05 | command_prompt |
| 514 | privilege-escalation | T1547.001 | Registry Run Keys / Startup Folder | 2 | Reg Key RunOnce | 554cbd88-cde1-4b56-8168-0be552eed9eb | command_prompt |
| 515 | privilege-escalation | T1547.001 | Registry Run Keys / Startup Folder | 3 | PowerShell Registry RunOnce | eb44f842-0457-4ddc-9b92-c4caa144ac42 | powershell |
| 516 | privilege-escalation | T1547.001 | Registry Run Keys / Startup Folder | 4 | Suspicious vbs file run from startup Folder | 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 | powershell |
| 517 | privilege-escalation | T1547.001 | Registry Run Keys / Startup Folder | 5 | Suspicious jse file run from startup Folder | dade9447-791e-4c8f-b04b-3a35855dfa06 | powershell |
| 518 | privilege-escalation | T1547.001 | Registry Run Keys / Startup Folder | 6 | Suspicious bat file run from startup Folder | 5b6768e4-44d2-44f0-89da-a01d1430fd5e | powershell |
| 519 | privilege-escalation | T1547.001 | Registry Run Keys / Startup Folder | 7 | Add Executable Shortcut Link to User Startup Folder | 24e55612-85f6-4bd6-ae74-a73d02e3441d | powershell |
| 520 | privilege-escalation | T1547.001 | Registry Run Keys / Startup Folder | 8 | Add persistance via Recycle bin | bda6a3d6-7aa7-4e89-908b-306772e9662f | command_prompt |
| 521 | privilege-escalation | T1547.001 | Registry Run Keys / Startup Folder | 9 | SystemBC Malware-as-a-Service Registry | 9dc7767b-30c1-4cc4-b999-50cab5e27891 | powershell |
| 522 | privilege-escalation | T1547.006 | Kernel Modules and Extensions | 1 | Linux - Load Kernel Module via insmod | 687dcb93-9656-4853-9c36-9977315e9d23 | bash |
| 523 | privilege-escalation | T1053.006 | Systemd Timers | 1 | Create Systemd Service and Timer | f4983098-bb13-44fb-9b2c-46149961807b | bash |
| 524 | privilege-escalation | T1053.006 | Systemd Timers | 2 | Create a user level transient systemd service and timer | 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec | sh |
| 525 | privilege-escalation | T1053.006 | Systemd Timers | 3 | Create a system level transient systemd service and timer | d3eda496-1fc0-49e9-aff5-3bec5da9fa22 | sh |
| 526 | privilege-escalation | T1055.012 | Process Hollowing | 1 | Process Hollowing using PowerShell | 562427b4-39ef-4e8c-af88-463a78e70b9c | powershell |
| 527 | privilege-escalation | T1055.012 | Process Hollowing | 2 | RunPE via VBA | 3ad4a037-1598-4136-837c-4027e4fa319b | powershell |
| 528 | privilege-escalation | T1546.004 | Unix Shell Configuration Modification | 1 | Add command to .bash_profile | 94500ae1-7e31-47e3-886b-c328da46872f | sh |
| 529 | privilege-escalation | T1546.004 | Unix Shell Configuration Modification | 2 | Add command to .bashrc | 0a898315-4cfa-4007-bafe-33a4646d115f | sh |
| 530 | privilege-escalation | T1134.005 | SID-History Injection | 1 | Injection SID-History with mimikatz | 6bef32e5-9456-4072-8f14-35566fb85401 | command_prompt |
| 531 | privilege-escalation | T1547.002 | Authentication Package | 1 | Authentication Package | be2590e8-4ac3-47ac-b4b5-945820f2fbe9 | powershell |
| 532 | privilege-escalation | T1546.015 | Component Object Model Hijacking | 1 | COM Hijacking - InprocServer32 | 48117158-d7be-441b-bc6a-d9e36e47b52b | powershell |
| 533 | privilege-escalation | T1546.015 | Component Object Model Hijacking | 2 | Powershell Execute COM Object | 752191b1-7c71-445c-9dbe-21bb031b18eb | powershell |
| 534 | privilege-escalation | T1546.015 | Component Object Model Hijacking | 3 | COM Hijacking with RunDLL32 (Local Server Switch) | 123520cc-e998-471b-a920-bd28e3feafa0 | powershell |
| 535 | privilege-escalation | T1546.015 | Component Object Model Hijacking | 4 | COM hijacking via TreatAs | 33eacead-f117-4863-8eb0-5c6304fbfaa9 | powershell |
| 536 | privilege-escalation | T1574.009 | Path Interception by Unquoted Path | 1 | Execution of program.exe as service with unquoted service path | 2770dea7-c50f-457b-84c4-c40a47460d9f | command_prompt |
| 537 | privilege-escalation | T1037.005 | Startup Items | 1 | Add file to Local Library StartupItems | 134627c3-75db-410e-bff8-7a920075f198 | sh |
| 538 | privilege-escalation | T1546.010 | AppInit DLLs | 1 | Install AppInit Shim | a58d9386-3080-4242-ab5f-454c16503d18 | command_prompt |
| 539 | privilege-escalation | T1546.002 | Screensaver | 1 | Set Arbitrary Binary as Screensaver | 281201e7-de41-4dc9-b73d-f288938cbb64 | command_prompt |
| 540 | privilege-escalation | T1543.001 | Launch Agent | 1 | Launch Agent | a5983dee-bf6c-4eaf-951c-dbc1a7b90900 | bash |
| 541 | privilege-escalation | T1543.001 | Launch Agent | 2 | Event Monitor Daemon Persistence | 11979f23-9b9d-482a-9935-6fc9cd022c3e | bash |
| 542 | privilege-escalation | T1037.004 | RC Scripts | 1 | rc.common | 97a48daa-8bca-4bc0-b1a9-c1d163e762de | bash |
| 543 | privilege-escalation | T1037.004 | RC Scripts | 2 | rc.common | c33f3d80-5f04-419b-a13a-854d1cbdbf3a | bash |
| 544 | privilege-escalation | T1037.004 | RC Scripts | 3 | rc.local | 126f71af-e1c9-405c-94ef-26a47b16c102 | bash |
| 545 | privilege-escalation | T1543.002 | Systemd Service | 1 | Create Systemd Service | d9e4f24f-aa67-4c6e-bcbf-85622b697a7c | bash |
| 546 | privilege-escalation | T1543.002 | Systemd Service | 2 | Create Systemd Service file, Enable the service , Modify and Reload the service. | c35ac4a8-19de-43af-b9f8-755da7e89c89 | bash |
| 547 | privilege-escalation | T1547.007 | Re-opened Applications | 1 | Re-Opened Applications | 5fefd767-ef54-4ac6-84d3-751ab85e8aba | manual |
| 548 | privilege-escalation | T1547.007 | Re-opened Applications | 2 | Re-Opened Applications | 5f5b71da-e03f-42e7-ac98-d63f9e0465cb | sh |
| 549 | privilege-escalation | T1574.002 | DLL Side-Loading | 1 | DLL Side-Loading using the Notepad++ GUP.exe binary | 65526037-7079-44a9-bda1-2cb624838040 | command_prompt |
| 550 | privilege-escalation | T1037.001 | Logon Script (Windows) | 1 | Logon Scripts | d6042746-07d4-4c92-9ad8-e644c114a231 | command_prompt |
| 551 | privilege-escalation | T1078.004 | Cloud Accounts | 1 | Creating GCP Service Account and Service Account Key | 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e | gcloud |
| 552 | privilege-escalation | T1053.002 | At | 1 | At.exe Scheduled task | 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 | command_prompt |
| 553 | privilege-escalation | T1053.002 | At | 2 | At - Schedule a job | 7266d898-ac82-4ec0-97c7-436075d0d08e | sh |
| 554 | privilege-escalation | T1055.001 | Dynamic-link Library Injection | 1 | Process Injection via mavinject.exe | 74496461-11a1-4982-b439-4d87a550d254 | powershell |
| 555 | privilege-escalation | T1055.001 | Dynamic-link Library Injection | 2 | WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique | 8b56f787-73d9-4f1d-87e8-d07e89cbc7f5 | powershell |
| 556 | privilege-escalation | T1546.007 | Netsh Helper DLL | 1 | Netsh Helper DLL Registration | 3244697d-5a3a-4dfc-941c-550f69f91a4d | command_prompt |
| 557 | privilege-escalation | T1078.003 | Local Accounts | 1 | Create local account with admin privileges | a524ce99-86de-4db6-b4f9-e08f35a47a15 | command_prompt |
| 558 | privilege-escalation | T1078.003 | Local Accounts | 2 | Create local account with admin privileges - MacOS | f1275566-1c26-4b66-83e3-7f9f7f964daa | bash |
| 559 | privilege-escalation | T1078.003 | Local Accounts | 3 | WinPwn - Loot local Credentials - powerhell kittie | 9e9fd066-453d-442f-88c1-ad7911d32912 | powershell |
| 560 | privilege-escalation | T1078.003 | Local Accounts | 4 | WinPwn - Loot local Credentials - Safetykatz | e9fdb899-a980-4ba4-934b-486ad22e22f4 | powershell |
| 561 | privilege-escalation | T1574.012 | COR_PROFILER | 1 | User scope COR_PROFILER | 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a | powershell |
| 562 | privilege-escalation | T1574.012 | COR_PROFILER | 2 | System Scope COR_PROFILER | f373b482-48c8-4ce4-85ed-d40c8b3f7310 | powershell |
| 563 | privilege-escalation | T1574.012 | COR_PROFILER | 3 | Registry-free process scope COR_PROFILER | 79d57242-bbef-41db-b301-9d01d9f6e817 | powershell |
| 564 | execution | T1053.005 | Scheduled Task | 1 | Scheduled Task Startup Script | fec27f65-db86-4c2d-b66c-61945aee87c2 | command_prompt |
| 565 | execution | T1053.005 | Scheduled Task | 2 | Scheduled task Local | 42f53695-ad4a-4546-abb6-7d837f644a71 | command_prompt |
| 566 | execution | T1053.005 | Scheduled Task | 3 | Scheduled task Remote | 2e5eac3e-327b-4a88-a0c0-c4057039a8dd | command_prompt |
| 567 | execution | T1053.005 | Scheduled Task | 4 | Powershell Cmdlet Scheduled Task | af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd | powershell |
| 568 | execution | T1053.005 | Scheduled Task | 5 | Task Scheduler via VBA | ecd3fa21-7792-41a2-8726-2c5c673414d3 | powershell |
| 569 | execution | T1053.005 | Scheduled Task | 6 | WMI Invoke-CimMethod Scheduled Task | e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b | powershell |
| 570 | execution | T1053.005 | Scheduled Task | 7 | Scheduled Task Executing Base64 Encoded Commands From Registry | e895677d-4f06-49ab-91b6-ae3742d0a2ba | command_prompt |
| 571 | execution | T1053.005 | Scheduled Task | 8 | Import XML Schedule Task with Hidden Attribute | cd925593-fbb4-486d-8def-16cbdf944bf4 | powershell |
| 572 | execution | T1047 | Windows Management Instrumentation | 1 | WMI Reconnaissance Users | c107778c-dcf5-47c5-af2e-1d058a3df3ea | command_prompt |
| 573 | execution | T1047 | Windows Management Instrumentation | 2 | WMI Reconnaissance Processes | 5750aa16-0e59-4410-8b9a-8a47ca2788e2 | command_prompt |
| 574 | execution | T1047 | Windows Management Instrumentation | 3 | WMI Reconnaissance Software | 718aebaa-d0e0-471a-8241-c5afa69c7414 | command_prompt |
| 575 | execution | T1047 | Windows Management Instrumentation | 4 | WMI Reconnaissance List Remote Services | 0fd48ef7-d890-4e93-a533-f7dedd5191d3 | command_prompt |
| 576 | execution | T1047 | Windows Management Instrumentation | 5 | WMI Execute Local Process | b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3 | command_prompt |
| 577 | execution | T1047 | Windows Management Instrumentation | 6 | WMI Execute Remote Process | 9c8ef159-c666-472f-9874-90c8d60d136b | command_prompt |
| 578 | execution | T1047 | Windows Management Instrumentation | 7 | Create a Process using WMI Query and an Encoded Command | 7db7a7f9-9531-4840-9b30-46220135441c | command_prompt |
| 579 | execution | T1047 | Windows Management Instrumentation | 8 | Create a Process using obfuscated Win32_Process | 10447c83-fc38-462a-a936-5102363b1c43 | powershell |
| 580 | execution | T1047 | Windows Management Instrumentation | 9 | WMI Execute rundll32 | 00738d2a-4651-4d76-adf2-c43a41dfb243 | powershell |
| 581 | execution | T1047 | Windows Management Instrumentation | 10 | Application uninstall using WMIC | c510d25b-1667-467d-8331-a56d3e9bc4ff | command_prompt |
| 582 | execution | T1053.007 | Container Orchestration Job | 1 | ListCronjobs | ddfb0bc1-3c3f-47e9-a298-550ecfefacbd | bash |
| 583 | execution | T1053.007 | Container Orchestration Job | 2 | CreateCronjob | f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 | bash |
| 584 | execution | T1559.002 | Dynamic Data Exchange | 1 | Execute Commands | f592ba2a-e9e8-4d62-a459-ef63abd819fd | manual |
| 585 | execution | T1559.002 | Dynamic Data Exchange | 2 | Execute PowerShell script via Word DDE | 47c21fb6-085e-4b0d-b4d2-26d72c3830b3 | command_prompt |
| 586 | execution | T1559.002 | Dynamic Data Exchange | 3 | DDEAUTO | cf91174c-4e74-414e-bec0-8d60a104d181 | manual |
| 587 | execution | T1204.002 | Malicious File | 1 | OSTap Style Macro Execution | 8bebc690-18c7-4549-bc98-210f7019efff | powershell |
| 588 | execution | T1204.002 | Malicious File | 2 | OSTap Payload Download | 3f3af983-118a-4fa1-85d3-ba4daa739d80 | command_prompt |
| 589 | execution | T1204.002 | Malicious File | 3 | Maldoc choice flags command execution | 0330a5d2-a45a-4272-a9ee-e364411c4b18 | powershell |
| 590 | execution | T1204.002 | Malicious File | 4 | OSTAP JS version | add560ef-20d6-4011-a937-2c340f930911 | powershell |
| 591 | execution | T1204.002 | Malicious File | 5 | Office launching .bat file from AppData | 9215ea92-1ded-41b7-9cd6-79f9a78397aa | powershell |
| 592 | execution | T1204.002 | Malicious File | 6 | Excel 4 Macro | 4ea1fc97-8a46-4b4e-ba48-af43d2a98052 | powershell |
| 593 | execution | T1204.002 | Malicious File | 7 | Headless Chrome code execution via VBA | a19ee671-ed98-4e9d-b19c-d1954a51585a | powershell |
| 594 | execution | T1204.002 | Malicious File | 8 | Potentially Unwanted Applications (PUA) | 02f35d62-9fdc-4a97-b899-a5d9a876d295 | powershell |
| 595 | execution | T1204.002 | Malicious File | 9 | Office Generic Payload Download | 5202ee05-c420-4148-bf5e-fd7f7d24850c | powershell |
| 596 | execution | T1204.002 | Malicious File | 10 | LNK Payload Download | 581d7521-9c4b-420e-9695-2aec5241167f | powershell |
| 597 | execution | T1053.003 | Cron | 1 | Cron - Replace crontab with referenced file | 435057fb-74b1-410e-9403-d81baf194f75 | bash |
| 598 | execution | T1053.003 | Cron | 2 | Cron - Add script to all cron subfolders | b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 | bash |
| 599 | execution | T1053.003 | Cron | 3 | Cron - Add script to /var/spool/cron/crontabs/ folder | 2d943c18-e74a-44bf-936f-25ade6cccab4 | bash |
| 600 | execution | T1059.002 | AppleScript | 1 | AppleScript | 3600d97d-81b9-4171-ab96-e4386506e2c2 | sh |
| 601 | execution | T1106 | Native API | 1 | Execution through API - CreateProcess | 99be2089-c52d-4a4a-b5c3-261ee42c8b62 | command_prompt |
| 602 | execution | T1106 | Native API | 2 | WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique | ce4e76e6-de70-4392-9efe-b281fc2b4087 | powershell |
| 603 | execution | T1106 | Native API | 3 | WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique | 7ec5b74e-8289-4ff2-a162-b6f286a33abd | powershell |
| 604 | execution | T1106 | Native API | 4 | WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique | e1f93a06-1649-4f07-89a8-f57279a7d60e | powershell |
| 605 | execution | T1609 | Container Administration Command | 1 | ExecIntoContainer | d03bfcd3-ed87-49c8-8880-44bb772dea4b | bash |
| 606 | execution | T1569.001 | Launchctl | 1 | Launchctl | 6fb61988-724e-4755-a595-07743749d4e2 | bash |
| 607 | execution | T1072 | Software Deployment Tools | 1 | Radmin Viewer Utility | b4988cad-6ed2-434d-ace5-ea2670782129 | command_prompt |
| 608 | execution | T1059.001 | PowerShell | 1 | Mimikatz | f3132740-55bc-48c4-bcc0-758a459cd027 | command_prompt |
| 609 | execution | T1059.001 | PowerShell | 2 | Run BloodHound from local disk | a21bb23e-e677-4ee7-af90-6931b57b6350 | powershell |
| 610 | execution | T1059.001 | PowerShell | 3 | Run Bloodhound from Memory using Download Cradle | bf8c1441-4674-4dab-8e4e-39d93d08f9b7 | powershell |
| 611 | execution | T1059.001 | PowerShell | 4 | Obfuscation Tests | 4297c41a-8168-4138-972d-01f3ee92c804 | powershell |
| 612 | execution | T1059.001 | PowerShell | 5 | Mimikatz - Cradlecraft PsSendKeys | af1800cf-9f9d-4fd1-a709-14b1e6de020d | powershell |
| 613 | execution | T1059.001 | PowerShell | 6 | Invoke-AppPathBypass | 06a220b6-7e29-4bd8-9d07-5b4d86742372 | command_prompt |
| 614 | execution | T1059.001 | PowerShell | 7 | Powershell MsXml COM object - with prompt | 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da | command_prompt |
| 615 | execution | T1059.001 | PowerShell | 8 | Powershell XML requests | 4396927f-e503-427b-b023-31049b9b09a6 | command_prompt |
| 616 | execution | T1059.001 | PowerShell | 9 | Powershell invoke mshta.exe download | 8a2ad40b-12c7-4b25-8521-2737b0a415af | command_prompt |
| 617 | execution | T1059.001 | PowerShell | 10 | Powershell Invoke-DownloadCradle | cc50fa2a-a4be-42af-a88f-e347ba0bf4d7 | manual |
| 618 | execution | T1059.001 | PowerShell | 11 | PowerShell Fileless Script Execution | fa050f5e-bc75-4230-af73-b6fd7852cd73 | powershell |
| 619 | execution | T1059.001 | PowerShell | 12 | PowerShell Downgrade Attack | 9148e7c4-9356-420e-a416-e896e9c0f73e | powershell |
| 620 | execution | T1059.001 | PowerShell | 13 | NTFS Alternate Data Stream Access | 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680 | powershell |
| 621 | execution | T1059.001 | PowerShell | 14 | PowerShell Session Creation and Use | 7c1acec2-78fa-4305-a3e0-db2a54cddecd | powershell |
| 622 | execution | T1059.001 | PowerShell | 15 | ATHPowerShellCommandLineParameter -Command parameter variations | 686a9785-f99b-41d4-90df-66ed515f81d7 | powershell |
| 623 | execution | T1059.001 | PowerShell | 16 | ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments | 1c0a870f-dc74-49cf-9afc-eccc45e58790 | powershell |
| 624 | execution | T1059.001 | PowerShell | 17 | ATHPowerShellCommandLineParameter -EncodedCommand parameter variations | 86a43bad-12e3-4e85-b97c-4d5cf25b95c3 | powershell |
| 625 | execution | T1059.001 | PowerShell | 18 | ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments | 0d181431-ddf3-4826-8055-2dbf63ae848b | powershell |
| 626 | execution | T1059.001 | PowerShell | 19 | PowerShell Command Execution | a538de64-1c74-46ed-aa60-b995ed302598 | command_prompt |
| 627 | execution | T1059.001 | PowerShell | 20 | PowerShell Invoke Known Malicious Cmdlets | 49eb9404-5e0f-4031-a179-b40f7be385e3 | powershell |
| 628 | execution | T1059.001 | PowerShell | 21 | PowerUp Invoke-AllChecks | 1289f78d-22d2-4590-ac76-166737e1811b | powershell |
| 629 | execution | T1053.006 | Systemd Timers | 1 | Create Systemd Service and Timer | f4983098-bb13-44fb-9b2c-46149961807b | bash |
| 630 | execution | T1053.006 | Systemd Timers | 2 | Create a user level transient systemd service and timer | 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec | sh |
| 631 | execution | T1053.006 | Systemd Timers | 3 | Create a system level transient systemd service and timer | d3eda496-1fc0-49e9-aff5-3bec5da9fa22 | sh |
| 632 | execution | T1059.004 | Unix Shell | 1 | Create and Execute Bash Shell Script | 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 | sh |
| 633 | execution | T1059.004 | Unix Shell | 2 | Command-Line Interface | d0c88567-803d-4dca-99b4-7ce65e7b257c | sh |
| 634 | execution | T1059.004 | Unix Shell | 3 | Harvest SUID executable files | 46274fc6-08a7-4956-861b-24cbbaa0503c | sh |
| 635 | execution | T1059.004 | Unix Shell | 4 | LinEnum tool execution | a2b35a63-9df1-4806-9a4d-5fe0500845f2 | sh |
| 636 | execution | T1059.006 | Python | 1 | Execute shell script via python's command mode arguement | 3a95cdb2-c6ea-4761-b24e-02b71889b8bb | sh |
| 637 | execution | T1059.006 | Python | 2 | Execute Python via scripts (Linux) | 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 | sh |
| 638 | execution | T1059.006 | Python | 3 | Execute Python via Python executables (Linux) | 0b44d79b-570a-4b27-a31f-3bf2156e5eaa | sh |
| 639 | execution | T1059.006 | Python | 4 | Python pty module and spawn function used to spawn sh or bash | 161d694c-b543-4434-85c3-c3a433e33792 | bash |
| 640 | execution | T1059.003 | Windows Command Shell | 1 | Create and Execute Batch Script | 9e8894c0-50bd-4525-a96c-d4ac78ece388 | powershell |
| 641 | execution | T1059.003 | Windows Command Shell | 2 | Writes text to a file and displays it. | 127b4afe-2346-4192-815c-69042bec570e | command_prompt |
| 642 | execution | T1059.003 | Windows Command Shell | 3 | Suspicious Execution via Windows Command Shell | d0eb3597-a1b3-4d65-b33b-2cda8d397f20 | command_prompt |
| 643 | execution | T1059.003 | Windows Command Shell | 4 | Simulate BlackByte Ransomware Print Bombing | 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9 | powershell |
| 644 | execution | T1059.003 | Windows Command Shell | 5 | Command Prompt read contents from CMD file and execute | df81db1b-066c-4802-9bc8-b6d030c3ba8e | command_prompt |
| 645 | execution | T1059.005 | Visual Basic | 1 | Visual Basic script execution to gather local computer information | 1620de42-160a-4fe5-bbaf-d3fef0181ce9 | powershell |
| 646 | execution | T1059.005 | Visual Basic | 2 | Encoded VBS code execution | e8209d5f-e42d-45e6-9c2f-633ac4f1eefa | powershell |
| 647 | execution | T1059.005 | Visual Basic | 3 | Extract Memory via VBA | 8faff437-a114-4547-9a60-749652a03df6 | powershell |
| 648 | execution | T1569.002 | Service Execution | 1 | Execute a Command as a Service | 2382dee2-a75f-49aa-9378-f52df6ed3fb1 | command_prompt |
| 649 | execution | T1569.002 | Service Execution | 2 | Use PsExec to execute a command on a remote host | 873106b7-cfed-454b-8680-fa9f6400431c | command_prompt |
| 650 | execution | T1569.002 | Service Execution | 3 | psexec.py (Impacket) | edbcd8c9-3639-4844-afad-455c91e95a35 | bash |
| 651 | execution | T1569.002 | Service Execution | 4 | BlackCat pre-encryption cmds with Lateral Movement | 31eb7828-97d7-4067-9c1e-c6feb85edc4b | powershell |
| 652 | execution | T1053.002 | At | 1 | At.exe Scheduled task | 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 | command_prompt |
| 653 | execution | T1053.002 | At | 2 | At - Schedule a job | 7266d898-ac82-4ec0-97c7-436075d0d08e | sh |
| 654 | persistence | T1053.005 | Scheduled Task | 1 | Scheduled Task Startup Script | fec27f65-db86-4c2d-b66c-61945aee87c2 | command_prompt |
| 655 | persistence | T1053.005 | Scheduled Task | 2 | Scheduled task Local | 42f53695-ad4a-4546-abb6-7d837f644a71 | command_prompt |
| 656 | persistence | T1053.005 | Scheduled Task | 3 | Scheduled task Remote | 2e5eac3e-327b-4a88-a0c0-c4057039a8dd | command_prompt |
| 657 | persistence | T1053.005 | Scheduled Task | 4 | Powershell Cmdlet Scheduled Task | af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd | powershell |
| 658 | persistence | T1053.005 | Scheduled Task | 5 | Task Scheduler via VBA | ecd3fa21-7792-41a2-8726-2c5c673414d3 | powershell |
| 659 | persistence | T1053.005 | Scheduled Task | 6 | WMI Invoke-CimMethod Scheduled Task | e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b | powershell |
| 660 | persistence | T1053.005 | Scheduled Task | 7 | Scheduled Task Executing Base64 Encoded Commands From Registry | e895677d-4f06-49ab-91b6-ae3742d0a2ba | command_prompt |
| 661 | persistence | T1053.005 | Scheduled Task | 8 | Import XML Schedule Task with Hidden Attribute | cd925593-fbb4-486d-8def-16cbdf944bf4 | powershell |
| 662 | persistence | T1556.003 | Pluggable Authentication Modules | 1 | Malicious PAM rule | 4b9dde80-ae22-44b1-a82a-644bf009eb9c | sh |
| 663 | persistence | T1556.003 | Pluggable Authentication Modules | 2 | Malicious PAM module | 65208808-3125-4a2e-8389-a0a00e9ab326 | sh |
| 664 | persistence | T1546.013 | PowerShell Profile | 1 | Append malicious start-process cmdlet | 090e5aa5-32b6-473b-a49b-21e843a56896 | powershell |
| 665 | persistence | T1133 | External Remote Services | 1 | Running Chrome VPN Extensions via the Registry 2 vpn extension | 4c8db261-a58b-42a6-a866-0a294deedde4 | powershell |
| 666 | persistence | T1053.007 | Container Orchestration Job | 1 | ListCronjobs | ddfb0bc1-3c3f-47e9-a298-550ecfefacbd | bash |
| 667 | persistence | T1053.007 | Container Orchestration Job | 2 | CreateCronjob | f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 | bash |
| 668 | persistence | T1574.011 | Services Registry Permissions Weakness | 1 | Service Registry Permissions Weakness | f7536d63-7fd4-466f-89da-7e48d550752a | powershell |
| 669 | persistence | T1574.011 | Services Registry Permissions Weakness | 2 | Service ImagePath Change with reg.exe | f38e9eea-e1d7-4ba6-b716-584791963827 | command_prompt |
| 670 | persistence | T1547 | Boot or Logon Autostart Execution | 1 | Add a driver | cb01b3da-b0e7-4e24-bf6d-de5223526785 | command_prompt |
| 671 | persistence | T1543.003 | Windows Service | 1 | Modify Fax service to run PowerShell | ed366cde-7d12-49df-a833-671904770b9f | command_prompt |
| 672 | persistence | T1543.003 | Windows Service | 2 | Service Installation CMD | 981e2942-e433-44e9-afc1-8c957a1496b6 | command_prompt |
| 673 | persistence | T1543.003 | Windows Service | 3 | Service Installation PowerShell | 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 | powershell |
| 674 | persistence | T1543.003 | Windows Service | 4 | TinyTurla backdoor service w64time | ef0581fd-528e-4662-87bc-4c2affb86940 | command_prompt |
| 675 | persistence | T1053.003 | Cron | 1 | Cron - Replace crontab with referenced file | 435057fb-74b1-410e-9403-d81baf194f75 | bash |
| 676 | persistence | T1053.003 | Cron | 2 | Cron - Add script to all cron subfolders | b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 | bash |
| 677 | persistence | T1053.003 | Cron | 3 | Cron - Add script to /var/spool/cron/crontabs/ folder | 2d943c18-e74a-44bf-936f-25ade6cccab4 | bash |
| 678 | persistence | T1137 | Office Application Startup | 1 | Office Application Startup - Outlook as a C2 | bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c | command_prompt |
| 679 | persistence | T1574.001 | DLL Search Order Hijacking | 1 | DLL Search Order Hijacking - amsi.dll | 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 | command_prompt |
| 680 | persistence | T1137.006 | Add-ins | 1 | Code Executed Via Excel Add-in File (Xll) | 441b1a0f-a771-428a-8af0-e99e4698cda3 | powershell |
| 681 | persistence | T1505.002 | Transport Agent | 1 | Install MS Exchange Transport Agent Persistence | 43e92449-ff60-46e9-83a3-1a38089df94d | powershell |
| 682 | persistence | T1556.002 | Password Filter DLL | 1 | Install and Register Password Filter DLL | a7961770-beb5-4134-9674-83d7e1fa865c | powershell |
| 683 | persistence | T1176 | Browser Extensions | 1 | Chrome (Developer Mode) | 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 | manual |
| 684 | persistence | T1176 | Browser Extensions | 2 | Chrome (Chrome Web Store) | 4c83940d-8ca5-4bb2-8100-f46dc914bc3f | manual |
| 685 | persistence | T1176 | Browser Extensions | 3 | Firefox | cb790029-17e6-4c43-b96f-002ce5f10938 | manual |
| 686 | persistence | T1176 | Browser Extensions | 4 | Edge Chromium Addon - VPN | 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 | manual |
| 687 | persistence | T1546.011 | Application Shimming | 1 | Application Shim Installation | 9ab27e22-ee62-4211-962b-d36d9a0e6a18 | command_prompt |
| 688 | persistence | T1546.011 | Application Shimming | 2 | New shim database files created in the default shim database directory | aefd6866-d753-431f-a7a4-215ca7e3f13d | powershell |
| 689 | persistence | T1546.011 | Application Shimming | 3 | Registry key creation and/or modification events for SDB | 9b6a06f9-ab5e-4e8d-8289-1df4289db02f | powershell |
| 690 | persistence | T1547.010 | Port Monitors | 1 | Add Port Monitor persistence in Registry | d34ef297-f178-4462-871e-9ce618d44e50 | command_prompt |
| 691 | persistence | T1037.002 | Login Hook | 1 | Logon Scripts - Mac | f047c7de-a2d9-406e-a62b-12a09d9516f4 | manual |
| 692 | persistence | T1547.009 | Shortcut Modification | 1 | Shortcut Modification | ce4fc678-364f-4282-af16-2fb4c78005ce | command_prompt |
| 693 | persistence | T1547.009 | Shortcut Modification | 2 | Create shortcut to cmd in startup folders | cfdc954d-4bb0-4027-875b-a1893ce406f2 | powershell |
| 694 | persistence | T1547.005 | Security Support Provider | 1 | Modify SSP configuration in registry | afdfd7e3-8a0b-409f-85f7-886fdf249c9e | powershell |
| 695 | persistence | T1543.004 | Launch Daemon | 1 | Launch Daemon | 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf | bash |
| 696 | persistence | T1574.008 | Path Interception by Search Order Hijacking | 1 | powerShell Persistence via hijacking default modules - Get-Variable.exe | 1561de08-0b4b-498e-8261-e922f3494aae | powershell |
| 697 | persistence | T1505.003 | Web Shell | 1 | Web Shell Written to Disk | 0a2ce662-1efa-496f-a472-2fe7b080db16 | command_prompt |
| 698 | persistence | T1078.001 | Default Accounts | 1 | Enable Guest account with RDP capability and admin privileges | 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 | command_prompt |
| 699 | persistence | T1078.001 | Default Accounts | 2 | Activate Guest Account | aa6cb8c4-b582-4f8e-b677-37733914abda | command_prompt |
| 700 | persistence | T1547.003 | Time Providers | 1 | Create a new time provider | df1efab7-bc6d-4b88-8be9-91f55ae017aa | powershell |
| 701 | persistence | T1547.003 | Time Providers | 2 | Edit an existing time provider | 29e0afca-8d1d-471a-8d34-25512fc48315 | powershell |
| 702 | persistence | T1546.005 | Trap | 1 | Trap | a74b2e07-5952-4c03-8b56-56274b076b61 | sh |
| 703 | persistence | T1574.006 | Dynamic Linker Hijacking | 1 | Shared Library Injection via /etc/ld.so.preload | 39cb0e67-dd0d-4b74-a74b-c072db7ae991 | bash |
| 704 | persistence | T1574.006 | Dynamic Linker Hijacking | 2 | Shared Library Injection via LD_PRELOAD | bc219ff7-789f-4d51-9142-ecae3397deae | bash |
| 705 | persistence | T1574.006 | Dynamic Linker Hijacking | 3 | Dylib Injection via DYLD_INSERT_LIBRARIES | 4d66029d-7355-43fd-93a4-b63ba92ea1be | bash |
| 706 | persistence | T1136.001 | Local Account | 1 | Create a user account on a Linux system | 40d8eabd-e394-46f6-8785-b9bfa1d011d2 | bash |
| 707 | persistence | T1136.001 | Local Account | 2 | Create a user account on a MacOS system | 01993ba5-1da3-4e15-a719-b690d4f0f0b2 | bash |
| 708 | persistence | T1136.001 | Local Account | 3 | Create a new user in a command prompt | 6657864e-0323-4206-9344-ac9cd7265a4f | command_prompt |
| 709 | persistence | T1136.001 | Local Account | 4 | Create a new user in PowerShell | bc8be0ac-475c-4fbf-9b1d-9fffd77afbde | powershell |
| 710 | persistence | T1136.001 | Local Account | 5 | Create a new user in Linux with `root` UID and GID. | a1040a30-d28b-4eda-bd99-bb2861a4616c | bash |
| 711 | persistence | T1136.001 | Local Account | 6 | Create a new Windows admin user | fda74566-a604-4581-a4cc-fbbe21d66559 | command_prompt |
| 712 | persistence | T1547.004 | Winlogon Helper DLL | 1 | Winlogon Shell Key Persistence - PowerShell | bf9f9d65-ee4d-4c3e-a843-777d04f19c38 | powershell |
| 713 | persistence | T1547.004 | Winlogon Helper DLL | 2 | Winlogon Userinit Key Persistence - PowerShell | fb32c935-ee2e-454b-8fa3-1c46b42e8dfb | powershell |
| 714 | persistence | T1547.004 | Winlogon Helper DLL | 3 | Winlogon Notify Key Logon Persistence - PowerShell | d40da266-e073-4e5a-bb8b-2b385023e5f9 | powershell |
| 715 | persistence | T1098.004 | SSH Authorized Keys | 1 | Modify SSH Authorized Keys | 342cc723-127c-4d3a-8292-9c0c6b4ecadc | bash |
| 716 | persistence | T1546.012 | Image File Execution Options Injection | 1 | IFEO Add Debugger | fdda2626-5234-4c90-b163-60849a24c0b8 | command_prompt |
| 717 | persistence | T1546.012 | Image File Execution Options Injection | 2 | IFEO Global Flags | 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 | command_prompt |
| 718 | persistence | T1546.008 | Accessibility Features | 1 | Attaches Command Prompt as a Debugger to a List of Target Processes | 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 | powershell |
| 719 | persistence | T1546.008 | Accessibility Features | 2 | Replace binary of sticky keys | 934e90cf-29ca-48b3-863c-411737ad44e3 | command_prompt |
| 720 | persistence | T1136.002 | Domain Account | 1 | Create a new Windows domain admin user | fcec2963-9951-4173-9bfa-98d8b7834e62 | command_prompt |
| 721 | persistence | T1136.002 | Domain Account | 2 | Create a new account similar to ANONYMOUS LOGON | dc7726d2-8ccb-4cc6-af22-0d5afb53a548 | command_prompt |
| 722 | persistence | T1136.002 | Domain Account | 3 | Create a new Domain Account using PowerShell | 5a3497a4-1568-4663-b12a-d4a5ed70c7d7 | powershell |
| 723 | persistence | T1546.009 | AppCert DLLs | 1 | Create registry persistence via AppCert DLL | a5ad6104-5bab-4c43-b295-b4c44c7c6b05 | powershell |
| 724 | persistence | T1098.001 | Additional Cloud Credentials | 1 | Azure AD Application Hijacking - Service Principal | b8e747c3-bdf7-4d71-bce2-f1df2a057406 | powershell |
| 725 | persistence | T1098.001 | Additional Cloud Credentials | 2 | Azure AD Application Hijacking - App Registration | a12b5531-acab-4618-a470-0dafb294a87a | powershell |
| 726 | persistence | T1098.001 | Additional Cloud Credentials | 3 | AWS - Create Access Key and Secret Key | 8822c3b0-d9f9-4daf-a043-491160a31122 | sh |
| 727 | persistence | T1546.003 | Windows Management Instrumentation Event Subscription | 1 | Persistence via WMI Event Subscription - CommandLineEventConsumer | 3c64f177-28e2-49eb-a799-d767b24dd1e0 | powershell |
| 728 | persistence | T1546.003 | Windows Management Instrumentation Event Subscription | 2 | Persistence via WMI Event Subscription - ActiveScriptEventConsumer | fecd0dfd-fb55-45fa-a10b-6250272d0832 | powershell |
| 729 | persistence | T1546.003 | Windows Management Instrumentation Event Subscription | 3 | Windows MOFComp.exe Load MOF File | 29786d7e-8916-4de6-9c55-be7b093b2706 | powershell |
| 730 | persistence | T1546.001 | Change Default File Association | 1 | Change Default File Association | 10a08978-2045-4d62-8c42-1957bbbea102 | command_prompt |
| 731 | persistence | T1546.014 | Emond | 1 | Persistance with Event Monitor - emond | 23c9c127-322b-4c75-95ca-eff464906114 | sh |
| 732 | persistence | T1547.001 | Registry Run Keys / Startup Folder | 1 | Reg Key Run | e55be3fd-3521-4610-9d1a-e210e42dcf05 | command_prompt |
| 733 | persistence | T1547.001 | Registry Run Keys / Startup Folder | 2 | Reg Key RunOnce | 554cbd88-cde1-4b56-8168-0be552eed9eb | command_prompt |
| 734 | persistence | T1547.001 | Registry Run Keys / Startup Folder | 3 | PowerShell Registry RunOnce | eb44f842-0457-4ddc-9b92-c4caa144ac42 | powershell |
| 735 | persistence | T1547.001 | Registry Run Keys / Startup Folder | 4 | Suspicious vbs file run from startup Folder | 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 | powershell |
| 736 | persistence | T1547.001 | Registry Run Keys / Startup Folder | 5 | Suspicious jse file run from startup Folder | dade9447-791e-4c8f-b04b-3a35855dfa06 | powershell |
| 737 | persistence | T1547.001 | Registry Run Keys / Startup Folder | 6 | Suspicious bat file run from startup Folder | 5b6768e4-44d2-44f0-89da-a01d1430fd5e | powershell |
| 738 | persistence | T1547.001 | Registry Run Keys / Startup Folder | 7 | Add Executable Shortcut Link to User Startup Folder | 24e55612-85f6-4bd6-ae74-a73d02e3441d | powershell |
| 739 | persistence | T1547.001 | Registry Run Keys / Startup Folder | 8 | Add persistance via Recycle bin | bda6a3d6-7aa7-4e89-908b-306772e9662f | command_prompt |
| 740 | persistence | T1547.001 | Registry Run Keys / Startup Folder | 9 | SystemBC Malware-as-a-Service Registry | 9dc7767b-30c1-4cc4-b999-50cab5e27891 | powershell |
| 741 | persistence | T1136.003 | Cloud Account | 1 | AWS - Create a new IAM user | 8d1c2368-b503-40c9-9057-8e42f21c58ad | sh |
| 742 | persistence | T1098 | Account Manipulation | 1 | Admin Account Manipulate | 5598f7cb-cf43-455e-883a-f6008c5d46af | powershell |
| 743 | persistence | T1098 | Account Manipulation | 2 | Domain Account and Group Manipulate | a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 | powershell |
| 744 | persistence | T1098 | Account Manipulation | 3 | AWS - Create a group and add a user to that group | 8822c3b0-d9f9-4daf-a043-49f110a31122 | sh |
| 745 | persistence | T1098 | Account Manipulation | 4 | Azure - adding user to Azure AD role | 0e65ae27-5385-46b4-98ac-607a8ee82261 | powershell |
| 746 | persistence | T1098 | Account Manipulation | 5 | Azure - adding service principal to Azure AD role | 92c40b3f-c406-4d1f-8d2b-c039bf5009e4 | powershell |
| 747 | persistence | T1098 | Account Manipulation | 6 | Azure - adding user to Azure role in subscription | 1a94b3fc-b080-450a-b3d8-6d9b57b472ea | powershell |
| 748 | persistence | T1098 | Account Manipulation | 7 | Azure - adding service principal to Azure role in subscription | c8f4bc29-a151-48da-b3be-4680af56f404 | powershell |
| 749 | persistence | T1098 | Account Manipulation | 8 | AzureAD - adding permission to application | 94ea9cc3-81f9-4111-8dde-3fb54f36af4b | powershell |
| 750 | persistence | T1098 | Account Manipulation | 9 | Password Change on Directory Service Restore Mode (DSRM) Account | d5b886d9-d1c7-4b6e-a7b0-460041bf2823 | command_prompt |
| 751 | persistence | T1547.006 | Kernel Modules and Extensions | 1 | Linux - Load Kernel Module via insmod | 687dcb93-9656-4853-9c36-9977315e9d23 | bash |
| 752 | persistence | T1053.006 | Systemd Timers | 1 | Create Systemd Service and Timer | f4983098-bb13-44fb-9b2c-46149961807b | bash |
| 753 | persistence | T1053.006 | Systemd Timers | 2 | Create a user level transient systemd service and timer | 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec | sh |
| 754 | persistence | T1053.006 | Systemd Timers | 3 | Create a system level transient systemd service and timer | d3eda496-1fc0-49e9-aff5-3bec5da9fa22 | sh |
| 755 | persistence | T1546.004 | Unix Shell Configuration Modification | 1 | Add command to .bash_profile | 94500ae1-7e31-47e3-886b-c328da46872f | sh |
| 756 | persistence | T1546.004 | Unix Shell Configuration Modification | 2 | Add command to .bashrc | 0a898315-4cfa-4007-bafe-33a4646d115f | sh |
| 757 | persistence | T1547.002 | Authentication Package | 1 | Authentication Package | be2590e8-4ac3-47ac-b4b5-945820f2fbe9 | powershell |
| 758 | persistence | T1546.015 | Component Object Model Hijacking | 1 | COM Hijacking - InprocServer32 | 48117158-d7be-441b-bc6a-d9e36e47b52b | powershell |
| 759 | persistence | T1546.015 | Component Object Model Hijacking | 2 | Powershell Execute COM Object | 752191b1-7c71-445c-9dbe-21bb031b18eb | powershell |
| 760 | persistence | T1546.015 | Component Object Model Hijacking | 3 | COM Hijacking with RunDLL32 (Local Server Switch) | 123520cc-e998-471b-a920-bd28e3feafa0 | powershell |
| 761 | persistence | T1546.015 | Component Object Model Hijacking | 4 | COM hijacking via TreatAs | 33eacead-f117-4863-8eb0-5c6304fbfaa9 | powershell |
| 762 | persistence | T1137.004 | Outlook Home Page | 1 | Install Outlook Home Page Persistence | 7a91ad51-e6d2-4d43-9471-f26362f5738e | command_prompt |
| 763 | persistence | T1574.009 | Path Interception by Unquoted Path | 1 | Execution of program.exe as service with unquoted service path | 2770dea7-c50f-457b-84c4-c40a47460d9f | command_prompt |
| 764 | persistence | T1037.005 | Startup Items | 1 | Add file to Local Library StartupItems | 134627c3-75db-410e-bff8-7a920075f198 | sh |
| 765 | persistence | T1197 | BITS Jobs | 1 | Bitsadmin Download (cmd) | 3c73d728-75fb-4180-a12f-6712864d7421 | command_prompt |
| 766 | persistence | T1197 | BITS Jobs | 2 | Bitsadmin Download (PowerShell) | f63b8bc4-07e5-4112-acba-56f646f3f0bc | powershell |
| 767 | persistence | T1197 | BITS Jobs | 3 | Persist, Download, & Execute | 62a06ec5-5754-47d2-bcfc-123d8314c6ae | command_prompt |
| 768 | persistence | T1197 | BITS Jobs | 4 | Bits download using desktopimgdownldr.exe (cmd) | afb5e09e-e385-4dee-9a94-6ee60979d114 | command_prompt |
| 769 | persistence | T1546.010 | AppInit DLLs | 1 | Install AppInit Shim | a58d9386-3080-4242-ab5f-454c16503d18 | command_prompt |
| 770 | persistence | T1546.002 | Screensaver | 1 | Set Arbitrary Binary as Screensaver | 281201e7-de41-4dc9-b73d-f288938cbb64 | command_prompt |
| 771 | persistence | T1543.001 | Launch Agent | 1 | Launch Agent | a5983dee-bf6c-4eaf-951c-dbc1a7b90900 | bash |
| 772 | persistence | T1543.001 | Launch Agent | 2 | Event Monitor Daemon Persistence | 11979f23-9b9d-482a-9935-6fc9cd022c3e | bash |
| 773 | persistence | T1037.004 | RC Scripts | 1 | rc.common | 97a48daa-8bca-4bc0-b1a9-c1d163e762de | bash |
| 774 | persistence | T1037.004 | RC Scripts | 2 | rc.common | c33f3d80-5f04-419b-a13a-854d1cbdbf3a | bash |
| 775 | persistence | T1037.004 | RC Scripts | 3 | rc.local | 126f71af-e1c9-405c-94ef-26a47b16c102 | bash |
| 776 | persistence | T1543.002 | Systemd Service | 1 | Create Systemd Service | d9e4f24f-aa67-4c6e-bcbf-85622b697a7c | bash |
| 777 | persistence | T1543.002 | Systemd Service | 2 | Create Systemd Service file, Enable the service , Modify and Reload the service. | c35ac4a8-19de-43af-b9f8-755da7e89c89 | bash |
| 778 | persistence | T1547.007 | Re-opened Applications | 1 | Re-Opened Applications | 5fefd767-ef54-4ac6-84d3-751ab85e8aba | manual |
| 779 | persistence | T1547.007 | Re-opened Applications | 2 | Re-Opened Applications | 5f5b71da-e03f-42e7-ac98-d63f9e0465cb | sh |
| 780 | persistence | T1574.002 | DLL Side-Loading | 1 | DLL Side-Loading using the Notepad++ GUP.exe binary | 65526037-7079-44a9-bda1-2cb624838040 | command_prompt |
| 781 | persistence | T1037.001 | Logon Script (Windows) | 1 | Logon Scripts | d6042746-07d4-4c92-9ad8-e644c114a231 | command_prompt |
| 782 | persistence | T1137.002 | Office Test | 1 | Office Application Startup Test Persistence | c3e35b58-fe1c-480b-b540-7600fb612563 | command_prompt |
| 783 | persistence | T1078.004 | Cloud Accounts | 1 | Creating GCP Service Account and Service Account Key | 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e | gcloud |
| 784 | persistence | T1053.002 | At | 1 | At.exe Scheduled task | 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 | command_prompt |
| 785 | persistence | T1053.002 | At | 2 | At - Schedule a job | 7266d898-ac82-4ec0-97c7-436075d0d08e | sh |
| 786 | persistence | T1546.007 | Netsh Helper DLL | 1 | Netsh Helper DLL Registration | 3244697d-5a3a-4dfc-941c-550f69f91a4d | command_prompt |
| 787 | persistence | T1078.003 | Local Accounts | 1 | Create local account with admin privileges | a524ce99-86de-4db6-b4f9-e08f35a47a15 | command_prompt |
| 788 | persistence | T1078.003 | Local Accounts | 2 | Create local account with admin privileges - MacOS | f1275566-1c26-4b66-83e3-7f9f7f964daa | bash |
| 789 | persistence | T1078.003 | Local Accounts | 3 | WinPwn - Loot local Credentials - powerhell kittie | 9e9fd066-453d-442f-88c1-ad7911d32912 | powershell |
| 790 | persistence | T1078.003 | Local Accounts | 4 | WinPwn - Loot local Credentials - Safetykatz | e9fdb899-a980-4ba4-934b-486ad22e22f4 | powershell |
| 791 | persistence | T1574.012 | COR_PROFILER | 1 | User scope COR_PROFILER | 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a | powershell |
| 792 | persistence | T1574.012 | COR_PROFILER | 2 | System Scope COR_PROFILER | f373b482-48c8-4ce4-85ed-d40c8b3f7310 | powershell |
| 793 | persistence | T1574.012 | COR_PROFILER | 3 | Registry-free process scope COR_PROFILER | 79d57242-bbef-41db-b301-9d01d9f6e817 | powershell |
| 794 | collection | T1560.001 | Archive via Utility | 1 | Compress Data for Exfiltration With Rar | 02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0 | command_prompt |
| 795 | collection | T1560.001 | Archive via Utility | 2 | Compress Data and lock with password for Exfiltration with winrar | 8dd61a55-44c6-43cc-af0c-8bdda276860c | command_prompt |
| 796 | collection | T1560.001 | Archive via Utility | 3 | Compress Data and lock with password for Exfiltration with winzip | 01df0353-d531-408d-a0c5-3161bf822134 | command_prompt |
| 797 | collection | T1560.001 | Archive via Utility | 4 | Compress Data and lock with password for Exfiltration with 7zip | d1334303-59cb-4a03-8313-b3e24d02c198 | command_prompt |
| 798 | collection | T1560.001 | Archive via Utility | 5 | Data Compressed - nix - zip | c51cec55-28dd-4ad2-9461-1eacbc82c3a0 | sh |
| 799 | collection | T1560.001 | Archive via Utility | 6 | Data Compressed - nix - gzip Single File | cde3c2af-3485-49eb-9c1f-0ed60e9cc0af | sh |
| 800 | collection | T1560.001 | Archive via Utility | 7 | Data Compressed - nix - tar Folder or File | 7af2b51e-ad1c-498c-aca8-d3290c19535a | sh |
| 801 | collection | T1560.001 | Archive via Utility | 8 | Data Encrypted with zip and gpg symmetric | 0286eb44-e7ce-41a0-b109-3da516e05a5f | sh |
| 802 | collection | T1113 | Screen Capture | 1 | Screencapture | 0f47ceb1-720f-4275-96b8-21f0562217ac | bash |
| 803 | collection | T1113 | Screen Capture | 2 | Screencapture (silent) | deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 | bash |
| 804 | collection | T1113 | Screen Capture | 3 | X Windows Capture | 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac | bash |
| 805 | collection | T1113 | Screen Capture | 4 | Capture Linux Desktop using Import Tool | 9cd1cccb-91e4-4550-9139-e20a586fcea1 | bash |
| 806 | collection | T1113 | Screen Capture | 5 | Windows Screencapture | 3c898f62-626c-47d5-aad2-6de873d69153 | powershell |
| 807 | collection | T1113 | Screen Capture | 6 | Windows Screen Capture (CopyFromScreen) | e9313014-985a-48ef-80d9-cde604ffc187 | powershell |
| 808 | collection | T1056.001 | Keylogging | 1 | Input Capture | d9b633ca-8efb-45e6-b838-70f595c6ae26 | powershell |
| 809 | collection | T1056.001 | Keylogging | 2 | Living off the land Terminal Input Capture on Linux with pam.d | 9c6bdb34-a89f-4b90-acb1-5970614c711b | sh |
| 810 | collection | T1056.001 | Keylogging | 3 | Logging bash history to syslog | 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 | sh |
| 811 | collection | T1056.001 | Keylogging | 4 | Bash session based keylogger | 7f85a946-a0ea-48aa-b6ac-8ff539278258 | sh |
| 812 | collection | T1056.001 | Keylogging | 5 | SSHD PAM keylogger | 81d7d2ad-d644-4b6a-bea7-28ffe43becca | sh |
| 813 | collection | T1056.001 | Keylogging | 6 | Auditd keylogger | a668edb9-334e-48eb-8c2e-5413a40867af | sh |
| 814 | collection | T1056.001 | Keylogging | 7 | MacOS Swift Keylogger | aee3a097-4c5c-4fff-bbd3-0a705867ae29 | bash |
| 815 | collection | T1123 | Audio Capture | 1 | using device audio capture commandlet | 9c3ad250-b185-4444-b5a9-d69218a10c95 | powershell |
| 816 | collection | T1123 | Audio Capture | 2 | Registry artefact when application use microphone | 7a21cce2-6ada-4f7c-afd9-e1e9c481e44a | command_prompt |
| 817 | collection | T1074.001 | Local Data Staging | 1 | Stage data from Discovery.bat | 107706a5-6f9f-451a-adae-bab8c667829f | powershell |
| 818 | collection | T1074.001 | Local Data Staging | 2 | Stage data from Discovery.sh | 39ce0303-ae16-4b9e-bb5b-4f53e8262066 | bash |
| 819 | collection | T1074.001 | Local Data Staging | 3 | Zip a Folder with PowerShell for Staging in Temp | a57fbe4b-3440-452a-88a7-943531ac872a | powershell |
| 820 | collection | T1114.001 | Local Email Collection | 1 | Email Collection with PowerShell Get-Inbox | 3f1b5096-0139-4736-9b78-19bcb02bb1cb | powershell |
| 821 | collection | T1119 | Automated Collection | 1 | Automated Collection Command Prompt | cb379146-53f1-43e0-b884-7ce2c635ff5b | command_prompt |
| 822 | collection | T1119 | Automated Collection | 2 | Automated Collection PowerShell | 634bd9b9-dc83-4229-b19f-7f83ba9ad313 | powershell |
| 823 | collection | T1119 | Automated Collection | 3 | Recon information for export with PowerShell | c3f6d794-50dd-482f-b640-0384fbb7db26 | powershell |
| 824 | collection | T1119 | Automated Collection | 4 | Recon information for export with Command Prompt | aa1180e2-f329-4e1e-8625-2472ec0bfaf3 | command_prompt |
| 825 | collection | T1115 | Clipboard Data | 1 | Utilize Clipboard to store or execute commands from | 0cd14633-58d4-4422-9ede-daa2c9474ae7 | command_prompt |
| 826 | collection | T1115 | Clipboard Data | 2 | Execute Commands from Clipboard using PowerShell | d6dc21af-bec9-4152-be86-326b6babd416 | powershell |
| 827 | collection | T1115 | Clipboard Data | 3 | Execute commands from clipboard | 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff | bash |
| 828 | collection | T1115 | Clipboard Data | 4 | Collect Clipboard Data via VBA | 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52 | powershell |
| 829 | collection | T1530 | Data from Cloud Storage Object | 1 | Azure - Enumerate Azure Blobs with MicroBurst | 3dab4bcc-667f-4459-aea7-4162dd2d6590 | powershell |
| 830 | collection | T1530 | Data from Cloud Storage Object | 2 | Azure - Scan for Anonymous Access to Azure Storage (Powershell) | 146af1f1-b74e-4aa7-9895-505eb559b4b0 | powershell |
| 831 | collection | T1560.002 | Archive via Library | 1 | Compressing data using GZip in Python (Linux) | 391f5298-b12d-4636-8482-35d9c17d53a8 | bash |
| 832 | collection | T1560.002 | Archive via Library | 2 | Compressing data using bz2 in Python (Linux) | c75612b2-9de0-4d7c-879c-10d7b077072d | bash |
| 833 | collection | T1560.002 | Archive via Library | 3 | Compressing data using zipfile in Python (Linux) | 001a042b-859f-44d9-bf81-fd1c4e2200b0 | bash |
| 834 | collection | T1560.002 | Archive via Library | 4 | Compressing data using tarfile in Python (Linux) | e86f1b4b-fcc1-4a2a-ae10-b49da01458db | bash |
| 835 | collection | T1560 | Archive Collected Data | 1 | Compress Data for Exfiltration With PowerShell | 41410c60-614d-4b9d-b66e-b0192dd9c597 | powershell |
| 836 | collection | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | 1 | LLMNR Poisoning with Inveigh (PowerShell) | deecd55f-afe0-4a62-9fba-4d1ba2deb321 | powershell |
| 837 | collection | T1125 | Video Capture | 1 | Registry artefact when application use webcam | 6581e4a7-42e3-43c5-a0d2-5a0d62f9702a | command_prompt |
| 838 | collection | T1056.002 | GUI Input Capture | 1 | AppleScript - Prompt User for Password | 76628574-0bc1-4646-8fe2-8f4427b47d15 | bash |
| 839 | collection | T1056.002 | GUI Input Capture | 2 | PowerShell - Prompt User for Password | 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 | powershell |
| 840 | collection | T1039 | Data from Network Shared Drive | 1 | Copy a sensitive File over Administive share with copy | 6ed67921-1774-44ba-bac6-adb51ed60660 | command_prompt |
| 841 | collection | T1039 | Data from Network Shared Drive | 2 | Copy a sensitive File over Administive share with Powershell | 7762e120-5879-44ff-97f8-008b401b9a98 | powershell |
| 842 | collection | T1056.004 | Credential API Hooking | 1 | Hook PowerShell TLS Encrypt/Decrypt Messages | de1934ea-1fbf-425b-8795-65fb27dd7e33 | powershell |
| 843 | lateral-movement | T1091 | Replication Through Removable Media | 1 | USB Malware Spread Simulation | d44b7297-622c-4be8-ad88-ec40d7563c75 | powershell |
| 844 | lateral-movement | T1021.002 | SMB/Windows Admin Shares | 1 | Map admin share | 3386975b-367a-4fbb-9d77-4dcf3639ffd3 | command_prompt |
| 845 | lateral-movement | T1021.002 | SMB/Windows Admin Shares | 2 | Map Admin Share PowerShell | 514e9cd7-9207-4882-98b1-c8f791bae3c5 | powershell |
| 846 | lateral-movement | T1021.002 | SMB/Windows Admin Shares | 3 | Copy and Execute File with PsExec | 0eb03d41-79e4-4393-8e57-6344856be1cf | command_prompt |
| 847 | lateral-movement | T1021.002 | SMB/Windows Admin Shares | 4 | Execute command writing output to local Admin Share | d41aaab5-bdfe-431d-a3d5-c29e9136ff46 | command_prompt |
| 848 | lateral-movement | T1021.006 | Windows Remote Management | 1 | Enable Windows Remote Management | 9059e8de-3d7d-4954-a322-46161880b9cf | powershell |
| 849 | lateral-movement | T1021.006 | Windows Remote Management | 2 | Remote Code Execution with PS Credentials Using Invoke-Command | 5295bd61-bd7e-4744-9d52-85962a4cf2d6 | powershell |
| 850 | lateral-movement | T1021.006 | Windows Remote Management | 3 | WinRM Access with Evil-WinRM | efe86d95-44c4-4509-ae42-7bfd9d1f5b3d | powershell |
| 851 | lateral-movement | T1021.003 | Distributed Component Object Model | 1 | PowerShell Lateral Movement using MMC20 | 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673 | powershell |
| 852 | lateral-movement | T1550.003 | Pass the Ticket | 1 | Mimikatz Kerberos Ticket Attack | dbf38128-7ba7-4776-bedf-cc2eed432098 | command_prompt |
| 853 | lateral-movement | T1550.003 | Pass the Ticket | 2 | Rubeus Kerberos Pass The Ticket | a2fc4ec5-12c6-4fb4-b661-961f23f359cb | powershell |
| 854 | lateral-movement | T1072 | Software Deployment Tools | 1 | Radmin Viewer Utility | b4988cad-6ed2-434d-ace5-ea2670782129 | command_prompt |
| 855 | lateral-movement | T1563.002 | RDP Hijacking | 1 | RDP hijacking | a37ac520-b911-458e-8aed-c5f1576d9f46 | command_prompt |
| 856 | lateral-movement | T1550.002 | Pass the Hash | 1 | Mimikatz Pass the Hash | ec23cef9-27d9-46e4-a68d-6f75f7b86908 | command_prompt |
| 857 | lateral-movement | T1550.002 | Pass the Hash | 2 | crackmapexec Pass the Hash | eb05b028-16c8-4ad8-adea-6f5b219da9a9 | command_prompt |
| 858 | lateral-movement | T1550.002 | Pass the Hash | 3 | Invoke-WMIExec Pass the Hash | f8757545-b00a-4e4e-8cfb-8cfb961ee713 | powershell |
| 859 | lateral-movement | T1021.001 | Remote Desktop Protocol | 1 | RDP to DomainController | 355d4632-8cb9-449d-91ce-b566d0253d3e | powershell |
| 860 | lateral-movement | T1021.001 | Remote Desktop Protocol | 2 | RDP to Server | 7382a43e-f19c-46be-8f09-5c63af7d3e2b | powershell |
| 861 | lateral-movement | T1021.001 | Remote Desktop Protocol | 3 | Changing RDP Port to Non Standard Port via Powershell | 2f840dd4-8a2e-4f44-beb3-6b2399ea3771 | powershell |
| 862 | lateral-movement | T1021.001 | Remote Desktop Protocol | 4 | Changing RDP Port to Non Standard Port via Command_Prompt | 74ace21e-a31c-4f7d-b540-53e4eb6d1f73 | command_prompt |
| 863 | credential-access | T1556.003 | Pluggable Authentication Modules | 1 | Malicious PAM rule | 4b9dde80-ae22-44b1-a82a-644bf009eb9c | sh |
| 864 | credential-access | T1556.003 | Pluggable Authentication Modules | 2 | Malicious PAM module | 65208808-3125-4a2e-8389-a0a00e9ab326 | sh |
| 865 | credential-access | T1056.001 | Keylogging | 1 | Input Capture | d9b633ca-8efb-45e6-b838-70f595c6ae26 | powershell |
| 866 | credential-access | T1056.001 | Keylogging | 2 | Living off the land Terminal Input Capture on Linux with pam.d | 9c6bdb34-a89f-4b90-acb1-5970614c711b | sh |
| 867 | credential-access | T1056.001 | Keylogging | 3 | Logging bash history to syslog | 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 | sh |
| 868 | credential-access | T1056.001 | Keylogging | 4 | Bash session based keylogger | 7f85a946-a0ea-48aa-b6ac-8ff539278258 | sh |
| 869 | credential-access | T1056.001 | Keylogging | 5 | SSHD PAM keylogger | 81d7d2ad-d644-4b6a-bea7-28ffe43becca | sh |
| 870 | credential-access | T1056.001 | Keylogging | 6 | Auditd keylogger | a668edb9-334e-48eb-8c2e-5413a40867af | sh |
| 871 | credential-access | T1056.001 | Keylogging | 7 | MacOS Swift Keylogger | aee3a097-4c5c-4fff-bbd3-0a705867ae29 | bash |
| 872 | credential-access | T1110.001 | Password Guessing | 1 | Brute Force Credentials of single Active Directory domain users via SMB | 09480053-2f98-4854-be6e-71ae5f672224 | command_prompt |
| 873 | credential-access | T1110.001 | Password Guessing | 2 | Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) | c2969434-672b-4ec8-8df0-bbb91f40e250 | powershell |
| 874 | credential-access | T1110.001 | Password Guessing | 3 | Brute Force Credentials of single Azure AD user | 5a51ef57-299e-4d62-8e11-2d440df55e69 | powershell |
| 875 | credential-access | T1110.001 | Password Guessing | 4 | SUDO brute force Debian | 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a | sh |
| 876 | credential-access | T1110.001 | Password Guessing | 5 | SUDO brute force Redhat | b72958a7-53e3-4809-9ee1-58f6ecd99ade | sh |
| 877 | credential-access | T1003 | OS Credential Dumping | 1 | Gsecdump | 96345bfc-8ae7-4b6a-80b7-223200f24ef9 | command_prompt |
| 878 | credential-access | T1003 | OS Credential Dumping | 2 | Credential Dumping with NPPSpy | 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6 | powershell |
| 879 | credential-access | T1003 | OS Credential Dumping | 3 | Dump svchost.exe to gather RDP credentials | d400090a-d8ca-4be0-982e-c70598a23de9 | powershell |
| 880 | credential-access | T1539 | Steal Web Session Cookie | 1 | Steal Firefox Cookies (Windows) | 4b437357-f4e9-4c84-9fa6-9bcee6f826aa | powershell |
| 881 | credential-access | T1539 | Steal Web Session Cookie | 2 | Steal Chrome Cookies (Windows) | 26a6b840-4943-4965-8df5-ef1f9a282440 | powershell |
| 882 | credential-access | T1003.002 | Security Account Manager | 1 | Registry dump of SAM, creds, and secrets | 5c2571d0-1572-416d-9676-812e64ca9f44 | command_prompt |
| 883 | credential-access | T1003.002 | Security Account Manager | 2 | Registry parse with pypykatz | a96872b2-cbf3-46cf-8eb4-27e8c0e85263 | command_prompt |
| 884 | credential-access | T1003.002 | Security Account Manager | 3 | esentutl.exe SAM copy | a90c2f4d-6726-444e-99d2-a00cd7c20480 | command_prompt |
| 885 | credential-access | T1003.002 | Security Account Manager | 4 | PowerDump Hashes and Usernames from Registry | 804f28fc-68fc-40da-b5a2-e9d0bce5c193 | powershell |
| 886 | credential-access | T1003.002 | Security Account Manager | 5 | dump volume shadow copy hives with certutil | eeb9751a-d598-42d3-b11c-c122d9c3f6c7 | powershell |
| 887 | credential-access | T1003.002 | Security Account Manager | 6 | dump volume shadow copy hives with System.IO.File | 9d77fed7-05f8-476e-a81b-8ff0472c64d0 | powershell |
| 888 | credential-access | T1003.002 | Security Account Manager | 7 | WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes | 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb | powershell |
| 889 | credential-access | T1552.005 | Cloud Instance Metadata API | 1 | Azure - Search Azure AD User Attributes for Passwords | ae9b2e3e-efa1-4483-86e2-fae529ab9fb6 | powershell |
| 890 | credential-access | T1110.002 | Password Cracking | 1 | Password Cracking with Hashcat | 6d27df5d-69d4-4c91-bc33-5983ffe91692 | command_prompt |
| 891 | credential-access | T1555.001 | Keychain | 1 | Keychain | 1864fdec-ff86-4452-8c30-f12507582a93 | sh |
| 892 | credential-access | T1003.004 | LSA Secrets | 1 | Dumping LSA Secrets | 55295ab0-a703-433b-9ca4-ae13807de12f | command_prompt |
| 893 | credential-access | T1606.002 | SAML Tokens | 1 | Golden SAML | b16a03bc-1089-4dcc-ad98-30fe8f3a2b31 | powershell |
| 894 | credential-access | T1003.007 | Proc Filesystem | 1 | Dump individual process memory with sh (Local) | 7e91138a-8e74-456d-a007-973d67a0bb80 | sh |
| 895 | credential-access | T1003.007 | Proc Filesystem | 2 | Dump individual process memory with Python (Local) | 437b2003-a20d-4ed8-834c-4964f24eec63 | sh |
| 896 | credential-access | T1003.007 | Proc Filesystem | 3 | Capture Passwords with MimiPenguin | a27418de-bdce-4ebd-b655-38f04842bf0c | bash |
| 897 | credential-access | T1040 | Network Sniffing | 1 | Packet Capture Linux | 7fe741f7-b265-4951-a7c7-320889083b3e | bash |
| 898 | credential-access | T1040 | Network Sniffing | 2 | Packet Capture macOS | 9d04efee-eff5-4240-b8d2-07792b873608 | bash |
| 899 | credential-access | T1040 | Network Sniffing | 3 | Packet Capture Windows Command Prompt | a5b2f6a0-24b4-493e-9590-c699f75723ca | command_prompt |
| 900 | credential-access | T1040 | Network Sniffing | 4 | Windows Internal Packet Capture | b5656f67-d67f-4de8-8e62-b5581630f528 | command_prompt |
| 901 | credential-access | T1040 | Network Sniffing | 5 | Windows Internal pktmon capture | c67ba807-f48b-446e-b955-e4928cd1bf91 | command_prompt |
| 902 | credential-access | T1040 | Network Sniffing | 6 | Windows Internal pktmon set filter | 855fb8b4-b8ab-4785-ae77-09f5df7bff55 | command_prompt |
| 903 | credential-access | T1552.002 | Credentials in Registry | 1 | Enumeration for Credentials in Registry | b6ec082c-7384-46b3-a111-9a9b8b14e5e7 | command_prompt |
| 904 | credential-access | T1552.002 | Credentials in Registry | 2 | Enumeration for PuTTY Credentials in Registry | af197fd7-e868-448e-9bd5-05d1bcd9d9e5 | command_prompt |
| 905 | credential-access | T1556.002 | Password Filter DLL | 1 | Install and Register Password Filter DLL | a7961770-beb5-4134-9674-83d7e1fa865c | powershell |
| 906 | credential-access | T1558.004 | AS-REP Roasting | 1 | Rubeus asreproast | 615bd568-2859-41b5-9aed-61f6a88e48dd | powershell |
| 907 | credential-access | T1558.004 | AS-REP Roasting | 2 | Get-DomainUser with PowerView | d6139549-7b72-4e48-9ea1-324fc9bdf88a | powershell |
| 908 | credential-access | T1558.004 | AS-REP Roasting | 3 | WinPwn - PowerSharpPack - Kerberoasting Using Rubeus | 8c385f88-4d47-4c9a-814d-93d9deec8c71 | powershell |
| 909 | credential-access | T1555 | Credentials from Password Stores | 1 | Extract Windows Credential Manager via VBA | 234f9b7c-b53d-4f32-897b-b880a6c9ea7b | powershell |
| 910 | credential-access | T1555 | Credentials from Password Stores | 2 | Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] | c89becbe-1758-4e7d-a0f4-97d2188a23e3 | powershell |
| 911 | credential-access | T1555 | Credentials from Password Stores | 3 | Dump credentials from Windows Credential Manager With PowerShell [web Credentials] | 8fd5a296-6772-4766-9991-ff4e92af7240 | powershell |
| 912 | credential-access | T1555 | Credentials from Password Stores | 4 | Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] | 36753ded-e5c4-4eb5-bc3c-e8fba236878d | powershell |
| 913 | credential-access | T1555 | Credentials from Password Stores | 5 | Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] | bc071188-459f-44d5-901a-f8f2625b2d2e | powershell |
| 914 | credential-access | T1555 | Credentials from Password Stores | 6 | WinPwn - Loot local Credentials - lazagne | 079ee2e9-6f16-47ca-a635-14efcd994118 | powershell |
| 915 | credential-access | T1555 | Credentials from Password Stores | 7 | WinPwn - Loot local Credentials - Wifi Credentials | afe369c2-b42e-447f-98a3-fb1f4e2b8552 | powershell |
| 916 | credential-access | T1555 | Credentials from Password Stores | 8 | WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords | db965264-3117-4bad-b7b7-2523b7856b92 | powershell |
| 917 | credential-access | T1555.003 | Credentials from Web Browsers | 1 | Run Chrome-password Collector | 8c05b133-d438-47ca-a630-19cc464c4622 | powershell |
| 918 | credential-access | T1555.003 | Credentials from Web Browsers | 2 | Search macOS Safari Cookies | c1402f7b-67ca-43a8-b5f3-3143abedc01b | sh |
| 919 | credential-access | T1555.003 | Credentials from Web Browsers | 3 | LaZagne - Credentials from Browser | 9a2915b3-3954-4cce-8c76-00fbf4dbd014 | command_prompt |
| 920 | credential-access | T1555.003 | Credentials from Web Browsers | 4 | Simulating access to Chrome Login Data | 3d111226-d09a-4911-8715-fe11664f960d | powershell |
| 921 | credential-access | T1555.003 | Credentials from Web Browsers | 5 | Simulating access to Opera Login Data | 28498c17-57e4-495a-b0be-cc1e36de408b | powershell |
| 922 | credential-access | T1555.003 | Credentials from Web Browsers | 6 | Simulating access to Windows Firefox Login Data | eb8da98a-2e16-4551-b3dd-83de49baa14c | powershell |
| 923 | credential-access | T1555.003 | Credentials from Web Browsers | 7 | Simulating access to Windows Edge Login Data | a6a5ec26-a2d1-4109-9d35-58b867689329 | powershell |
| 924 | credential-access | T1555.003 | Credentials from Web Browsers | 8 | Decrypt Mozilla Passwords with Firepwd.py | dc9cd677-c70f-4df5-bd1c-f114af3c2381 | powershell |
| 925 | credential-access | T1555.003 | Credentials from Web Browsers | 9 | LaZagne.py - Dump Credentials from Firefox Browser | 87e88698-621b-4c45-8a89-4eaebdeaabb1 | sh |
| 926 | credential-access | T1555.003 | Credentials from Web Browsers | 10 | Stage Popular Credential Files for Exfiltration | f543635c-1705-42c3-b180-efd6dc6e7ee7 | powershell |
| 927 | credential-access | T1555.003 | Credentials from Web Browsers | 11 | WinPwn - BrowserPwn | 764ea176-fb71-494c-90ea-72e9d85dce76 | powershell |
| 928 | credential-access | T1555.003 | Credentials from Web Browsers | 12 | WinPwn - Loot local Credentials - mimi-kittenz | ec1d0b37-f659-4186-869f-31a554891611 | powershell |
| 929 | credential-access | T1555.003 | Credentials from Web Browsers | 13 | WinPwn - PowerSharpPack - Sharpweb for Browser Credentials | e5e3d639-6ea8-4408-9ecd-d5a286268ca0 | powershell |
| 930 | credential-access | T1555.003 | Credentials from Web Browsers | 14 | Simulating Access to Chrome Login Data - MacOS | 124e13e5-d8a1-4378-a6ee-a53cd0c7e369 | sh |
| 931 | credential-access | T1555.003 | Credentials from Web Browsers | 15 | WebBrowserPassView - Credentials from Browser | e359627f-2d90-4320-ba5e-b0f878155bbe | powershell |
| 932 | credential-access | T1552.004 | Private Keys | 1 | Private Keys | 520ce462-7ca7-441e-b5a5-f8347f632696 | command_prompt |
| 933 | credential-access | T1552.004 | Private Keys | 2 | Discover Private SSH Keys | 46959285-906d-40fa-9437-5a439accd878 | sh |
| 934 | credential-access | T1552.004 | Private Keys | 3 | Copy Private SSH Keys with CP | 7c247dc7-5128-4643-907b-73a76d9135c3 | sh |
| 935 | credential-access | T1552.004 | Private Keys | 4 | Copy Private SSH Keys with rsync | 864bb0b2-6bb5-489a-b43b-a77b3a16d68a | sh |
| 936 | credential-access | T1552.004 | Private Keys | 5 | Copy the users GnuPG directory with rsync | 2a5a0601-f5fb-4e2e-aa09-73282ae6afca | sh |
| 937 | credential-access | T1552.004 | Private Keys | 6 | ADFS token signing and encryption certificates theft - Local | 78e95057-d429-4e66-8f82-0f060c1ac96f | powershell |
| 938 | credential-access | T1552.004 | Private Keys | 7 | ADFS token signing and encryption certificates theft - Remote | cab413d8-9e4a-4b8d-9b84-c985bd73a442 | powershell |
| 939 | credential-access | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | 1 | LLMNR Poisoning with Inveigh (PowerShell) | deecd55f-afe0-4a62-9fba-4d1ba2deb321 | powershell |
| 940 | credential-access | T1003.001 | LSASS Memory | 1 | Dump LSASS.exe Memory using ProcDump | 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8 | command_prompt |
| 941 | credential-access | T1003.001 | LSASS Memory | 2 | Dump LSASS.exe Memory using comsvcs.dll | 2536dee2-12fb-459a-8c37-971844fa73be | powershell |
| 942 | credential-access | T1003.001 | LSASS Memory | 3 | Dump LSASS.exe Memory using direct system calls and API unhooking | 7ae7102c-a099-45c8-b985-4c7a2d05790d | command_prompt |
| 943 | credential-access | T1003.001 | LSASS Memory | 4 | Dump LSASS.exe Memory using NanoDump | dddd4aca-bbed-46f0-984d-e4c5971c51ea | command_prompt |
| 944 | credential-access | T1003.001 | LSASS Memory | 5 | Dump LSASS.exe Memory using Windows Task Manager | dea6c349-f1c6-44f3-87a1-1ed33a59a607 | manual |
| 945 | credential-access | T1003.001 | LSASS Memory | 6 | Offline Credential Theft With Mimikatz | 453acf13-1dbd-47d7-b28a-172ce9228023 | command_prompt |
| 946 | credential-access | T1003.001 | LSASS Memory | 7 | LSASS read with pypykatz | c37bc535-5c62-4195-9cc3-0517673171d8 | command_prompt |
| 947 | credential-access | T1003.001 | LSASS Memory | 8 | Dump LSASS.exe Memory using Out-Minidump.ps1 | 6502c8f0-b775-4dbd-9193-1298f56b6781 | powershell |
| 948 | credential-access | T1003.001 | LSASS Memory | 9 | Create Mini Dump of LSASS.exe using ProcDump | 7cede33f-0acd-44ef-9774-15511300b24b | command_prompt |
| 949 | credential-access | T1003.001 | LSASS Memory | 10 | Powershell Mimikatz | 66fb0bc1-3c3f-47e9-a298-550ecfefacbc | powershell |
| 950 | credential-access | T1003.001 | LSASS Memory | 11 | Dump LSASS with .Net 5 createdump.exe | 9d0072c8-7cca-45c4-bd14-f852cfa35cf0 | powershell |
| 951 | credential-access | T1003.001 | LSASS Memory | 12 | Dump LSASS.exe using imported Microsoft DLLs | 86fc3f40-237f-4701-b155-81c01c48d697 | powershell |
| 952 | credential-access | T1110.003 | Password Spraying | 1 | Password Spray all Domain Users | 90bc2e54-6c84-47a5-9439-0a2a92b4b175 | command_prompt |
| 953 | credential-access | T1110.003 | Password Spraying | 2 | Password Spray (DomainPasswordSpray) | 263ae743-515f-4786-ac7d-41ef3a0d4b2b | powershell |
| 954 | credential-access | T1110.003 | Password Spraying | 3 | Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) | f14d956a-5b6e-4a93-847f-0c415142f07d | powershell |
| 955 | credential-access | T1110.003 | Password Spraying | 4 | Password spray all Azure AD users with a single password | a8aa2d3e-1c52-4016-bc73-0f8854cfa80a | powershell |
| 956 | credential-access | T1110.003 | Password Spraying | 5 | WinPwn - DomainPasswordSpray Attacks | 5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82 | powershell |
| 957 | credential-access | T1110.003 | Password Spraying | 6 | Password Spray Invoke-DomainPasswordSpray Light | b15bc9a5-a4f3-4879-9304-ea0011ace63a | powershell |
| 958 | credential-access | T1110.003 | Password Spraying | 7 | Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365) | f3a10056-0160-4785-8744-d9bd7c12dc39 | powershell |
| 959 | credential-access | T1003.005 | Cached Domain Credentials | 1 | Cached Credential Dump via Cmdkey | 56506854-89d6-46a3-9804-b7fde90791f9 | command_prompt |
| 960 | credential-access | T1558.001 | Golden Ticket | 1 | Crafting Active Directory golden tickets with mimikatz | 9726592a-dabc-4d4d-81cd-44070008b3af | powershell |
| 961 | credential-access | T1558.001 | Golden Ticket | 2 | Crafting Active Directory golden tickets with Rubeus | e42d33cd-205c-4acf-ab59-a9f38f6bad9c | powershell |
| 962 | credential-access | T1552.003 | Bash History | 1 | Search Through Bash History | 3cfde62b-7c33-4b26-a61e-755d6131c8ce | sh |
| 963 | credential-access | T1552.001 | Credentials In Files | 1 | Extract Browser and System credentials with LaZagne | 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79 | bash |
| 964 | credential-access | T1552.001 | Credentials In Files | 2 | Extract passwords with grep | bd4cf0d1-7646-474e-8610-78ccf5a097c4 | sh |
| 965 | credential-access | T1552.001 | Credentials In Files | 3 | Extracting passwords with findstr | 0e56bf29-ff49-4ea5-9af4-3b81283fd513 | powershell |
| 966 | credential-access | T1552.001 | Credentials In Files | 4 | Access unattend.xml | 367d4004-5fc0-446d-823f-960c74ae52c3 | command_prompt |
| 967 | credential-access | T1552.001 | Credentials In Files | 5 | Find and Access Github Credentials | da4f751a-020b-40d7-b9ff-d433b7799803 | bash |
| 968 | credential-access | T1552.001 | Credentials In Files | 6 | WinPwn - sensitivefiles | 114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0 | powershell |
| 969 | credential-access | T1552.001 | Credentials In Files | 7 | WinPwn - Snaffler | fdd0c913-714b-4c13-b40f-1824d6c015f2 | powershell |
| 970 | credential-access | T1552.001 | Credentials In Files | 8 | WinPwn - powershellsensitive | 75f66e03-37d3-4704-9520-3210efbe33ce | powershell |
| 971 | credential-access | T1552.001 | Credentials In Files | 9 | WinPwn - passhunt | 00e3e3c7-6c3c-455e-bd4b-461c7f0e7797 | powershell |
| 972 | credential-access | T1552.001 | Credentials In Files | 10 | WinPwn - SessionGopher | c9dc9de3-f961-4284-bd2d-f959c9f9fda5 | powershell |
| 973 | credential-access | T1552.001 | Credentials In Files | 11 | WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials | aaa87b0e-5232-4649-ae5c-f1724a4b2798 | powershell |
| 974 | credential-access | T1552.006 | Group Policy Preferences | 1 | GPP Passwords (findstr) | 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f | command_prompt |
| 975 | credential-access | T1552.006 | Group Policy Preferences | 2 | GPP Passwords (Get-GPPPassword) | e9584f82-322c-474a-b831-940fd8b4455c | powershell |
| 976 | credential-access | T1056.002 | GUI Input Capture | 1 | AppleScript - Prompt User for Password | 76628574-0bc1-4646-8fe2-8f4427b47d15 | bash |
| 977 | credential-access | T1056.002 | GUI Input Capture | 2 | PowerShell - Prompt User for Password | 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 | powershell |
| 978 | credential-access | T1110.004 | Credential Stuffing | 1 | SSH Credential Stuffing From Linux | 4f08197a-2a8a-472d-9589-cd2895ef22ad | bash |
| 979 | credential-access | T1110.004 | Credential Stuffing | 2 | SSH Credential Stuffing From MacOS | d546a3d9-0be5-40c7-ad82-5a7d79e1b66b | bash |
| 980 | credential-access | T1187 | Forced Authentication | 1 | PetitPotam | 485ce873-2e65-4706-9c7e-ae3ab9e14213 | powershell |
| 981 | credential-access | T1187 | Forced Authentication | 2 | WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS | 7f06b25c-799e-40f1-89db-999c9cc84317 | powershell |
| 982 | credential-access | T1003.008 | /etc/passwd and /etc/shadow | 1 | Access /etc/shadow (Local) | 3723ab77-c546-403c-8fb4-bb577033b235 | bash |
| 983 | credential-access | T1003.008 | /etc/passwd and /etc/shadow | 2 | Access /etc/passwd (Local) | 60e860b6-8ae6-49db-ad07-5e73edd88f5d | sh |
| 984 | credential-access | T1003.008 | /etc/passwd and /etc/shadow | 3 | Access /etc/{shadow,passwd} with a standard bin that's not cat | df1a55ae-019d-4120-bc35-94f4bc5c4b0a | bash |
| 985 | credential-access | T1003.008 | /etc/passwd and /etc/shadow | 4 | Access /etc/{shadow,passwd} with shell builtins | f5aa6543-6cb2-4fae-b9c2-b96e14721713 | bash |
| 986 | credential-access | T1558.002 | Silver Ticket | 1 | Crafting Active Directory silver tickets with mimikatz | 385e59aa-113e-4711-84d9-f637aef01f2c | powershell |
| 987 | credential-access | T1555.004 | Windows Credential Manager | 1 | Access Saved Credentials via VaultCmd | 9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439 | command_prompt |
| 988 | credential-access | T1555.004 | Windows Credential Manager | 2 | WinPwn - Loot local Credentials - Invoke-WCMDump | fa714db1-63dd-479e-a58e-7b2b52ca5997 | powershell |
| 989 | credential-access | T1003.003 | NTDS | 1 | Create Volume Shadow Copy with vssadmin | dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f | command_prompt |
| 990 | credential-access | T1003.003 | NTDS | 2 | Copy NTDS.dit from Volume Shadow Copy | c6237146-9ea6-4711-85c9-c56d263a6b03 | command_prompt |
| 991 | credential-access | T1003.003 | NTDS | 3 | Dump Active Directory Database with NTDSUtil | 2364e33d-ceab-4641-8468-bfb1d7cc2723 | command_prompt |
| 992 | credential-access | T1003.003 | NTDS | 4 | Create Volume Shadow Copy with WMI | 224f7de0-8f0a-4a94-b5d8-989b036c86da | command_prompt |
| 993 | credential-access | T1003.003 | NTDS | 5 | Create Volume Shadow Copy remotely with WMI | d893459f-71f0-484d-9808-ec83b2b64226 | command_prompt |
| 994 | credential-access | T1003.003 | NTDS | 6 | Create Volume Shadow Copy remotely (WMI) with esentutl | 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865 | command_prompt |
| 995 | credential-access | T1003.003 | NTDS | 7 | Create Volume Shadow Copy with Powershell | 542bb97e-da53-436b-8e43-e0a7d31a6c24 | powershell |
| 996 | credential-access | T1003.003 | NTDS | 8 | Create Symlink to Volume Shadow Copy | 21748c28-2793-4284-9e07-d6d028b66702 | command_prompt |
| 997 | credential-access | T1558.003 | Kerberoasting | 1 | Request for service tickets | 3f987809-3681-43c8-bcd8-b3ff3a28533a | powershell |
| 998 | credential-access | T1558.003 | Kerberoasting | 2 | Rubeus kerberoast | 14625569-6def-4497-99ac-8e7817105b55 | powershell |
| 999 | credential-access | T1558.003 | Kerberoasting | 3 | Extract all accounts in use as SPN using setspn | e6f4affd-d826-4871-9a62-6c9004b8fe06 | command_prompt |
| 1000 | credential-access | T1558.003 | Kerberoasting | 4 | Request A Single Ticket via PowerShell | 988539bc-2ed7-4e62-aec6-7c5cf6680863 | powershell |
| 1001 | credential-access | T1558.003 | Kerberoasting | 5 | Request All Tickets via PowerShell | 902f4ed2-1aba-4133-90f2-cff6d299d6da | powershell |
| 1002 | credential-access | T1558.003 | Kerberoasting | 6 | WinPwn - Kerberoasting | 78d10e20-c874-45f2-a9df-6fea0120ec27 | powershell |
| 1003 | credential-access | T1558.003 | Kerberoasting | 7 | WinPwn - PowerSharpPack - Kerberoasting Using Rubeus | 29094950-2c96-4cbd-b5e4-f7c65079678f | powershell |
| 1004 | credential-access | T1003.006 | DCSync | 1 | DCSync (Active Directory) | 129efd28-8497-4c87-a1b0-73b9a870ca3e | command_prompt |
| 1005 | credential-access | T1003.006 | DCSync | 2 | Run DSInternals Get-ADReplAccount | a0bced08-3fc5-4d8b-93b7-e8344739376e | powershell |
| 1006 | credential-access | T1056.004 | Credential API Hooking | 1 | Hook PowerShell TLS Encrypt/Decrypt Messages | de1934ea-1fbf-425b-8795-65fb27dd7e33 | powershell |
| 1007 | credential-access | T1552.007 | Container API | 1 | ListSecrets | 43c3a49d-d15c-45e6-b303-f6e177e44a9a | bash |
| 1008 | credential-access | T1552.007 | Container API | 2 | Cat the contents of a Kubernetes service account token file | 788e0019-a483-45da-bcfe-96353d46820f | sh |
| 1009 | discovery | T1033 | System Owner/User Discovery | 1 | System Owner/User Discovery | 4c4959bf-addf-4b4a-be86-8d09cc1857aa | command_prompt |
| 1010 | discovery | T1033 | System Owner/User Discovery | 2 | System Owner/User Discovery | 2a9b677d-a230-44f4-ad86-782df1ef108c | sh |
| 1011 | discovery | T1033 | System Owner/User Discovery | 3 | Find computers where user has session - Stealth mode (PowerView) | 29857f27-a36f-4f7e-8084-4557cd6207ca | powershell |
| 1012 | discovery | T1033 | System Owner/User Discovery | 4 | User Discovery With Env Vars PowerShell Script | dcb6cdee-1fb0-4087-8bf8-88cfd136ba51 | powershell |
| 1013 | discovery | T1033 | System Owner/User Discovery | 5 | GetCurrent User with PowerShell Script | 1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b | powershell |
| 1014 | discovery | T1615 | Group Policy Discovery | 1 | Display group policy information via gpresult | 0976990f-53b1-4d3f-a185-6df5be429d3b | command_prompt |
| 1015 | discovery | T1615 | Group Policy Discovery | 2 | Get-DomainGPO to display group policy information via PowerView | 4e524c4e-0e02-49aa-8df5-93f3f7959b9f | powershell |
| 1016 | discovery | T1615 | Group Policy Discovery | 3 | WinPwn - GPOAudit | bc25c04b-841e-4965-855f-d1f645d7ab73 | powershell |
| 1017 | discovery | T1615 | Group Policy Discovery | 4 | WinPwn - GPORemoteAccessPolicy | 7230d01a-0a72-4bd5-9d7f-c6d472bc6a59 | powershell |
| 1018 | discovery | T1615 | Group Policy Discovery | 5 | MSFT Get-GPO Cmdlet | 52778a8f-a10b-41a4-9eae-52ddb74072bf | powershell |
| 1019 | discovery | T1087.002 | Domain Account | 1 | Enumerate all accounts (Domain) | 6fbc9e68-5ad7-444a-bd11-8bf3136c477e | command_prompt |
| 1020 | discovery | T1087.002 | Domain Account | 2 | Enumerate all accounts via PowerShell (Domain) | 8b8a6449-be98-4f42-afd2-dedddc7453b2 | powershell |
| 1021 | discovery | T1087.002 | Domain Account | 3 | Enumerate logged on users via CMD (Domain) | 161dcd85-d014-4f5e-900c-d3eaae82a0f7 | command_prompt |
| 1022 | discovery | T1087.002 | Domain Account | 4 | Automated AD Recon (ADRecon) | 95018438-454a-468c-a0fa-59c800149b59 | powershell |
| 1023 | discovery | T1087.002 | Domain Account | 5 | Adfind -Listing password policy | 736b4f53-f400-4c22-855d-1a6b5a551600 | command_prompt |
| 1024 | discovery | T1087.002 | Domain Account | 6 | Adfind - Enumerate Active Directory Admins | b95fd967-4e62-4109-b48d-265edfd28c3a | command_prompt |
| 1025 | discovery | T1087.002 | Domain Account | 7 | Adfind - Enumerate Active Directory User Objects | e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 | command_prompt |
| 1026 | discovery | T1087.002 | Domain Account | 8 | Adfind - Enumerate Active Directory Exchange AD Objects | 5e2938fb-f919-47b6-8b29-2f6a1f718e99 | command_prompt |
| 1027 | discovery | T1087.002 | Domain Account | 9 | Enumerate Default Domain Admin Details (Domain) | c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef | command_prompt |
| 1028 | discovery | T1087.002 | Domain Account | 10 | Enumerate Active Directory for Unconstrained Delegation | 46f8dbe9-22a5-4770-8513-66119c5be63b | powershell |
| 1029 | discovery | T1087.002 | Domain Account | 11 | Get-DomainUser with PowerView | 93662494-5ed7-4454-a04c-8c8372808ac2 | powershell |
| 1030 | discovery | T1087.002 | Domain Account | 12 | Enumerate Active Directory Users with ADSISearcher | 02e8be5a-3065-4e54-8cc8-a14d138834d3 | powershell |
| 1031 | discovery | T1087.002 | Domain Account | 13 | Enumerate Linked Policies In ADSISearcher Discovery | 7ab0205a-34e4-4a44-9b04-e1541d1a57be | powershell |
| 1032 | discovery | T1087.002 | Domain Account | 14 | Enumerate Root Domain linked policies Discovery | 00c652e2-0750-4ca6-82ff-0204684a6fe4 | powershell |
| 1033 | discovery | T1087.002 | Domain Account | 15 | WinPwn - generaldomaininfo | ce483c35-c74b-45a7-a670-631d1e69db3d | powershell |
| 1034 | discovery | T1087.001 | Local Account | 1 | Enumerate all accounts (Local) | f8aab3dd-5990-4bf8-b8ab-2226c951696f | sh |
| 1035 | discovery | T1087.001 | Local Account | 2 | View sudoers access | fed9be70-0186-4bde-9f8a-20945f9370c2 | sh |
| 1036 | discovery | T1087.001 | Local Account | 3 | View accounts with UID 0 | c955a599-3653-4fe5-b631-f11c00eb0397 | sh |
| 1037 | discovery | T1087.001 | Local Account | 4 | List opened files by user | 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb | sh |
| 1038 | discovery | T1087.001 | Local Account | 5 | Show if a user account has ever logged in remotely | 0f0b6a29-08c3-44ad-a30b-47fd996b2110 | sh |
| 1039 | discovery | T1087.001 | Local Account | 6 | Enumerate users and groups | e6f36545-dc1e-47f0-9f48-7f730f54a02e | sh |
| 1040 | discovery | T1087.001 | Local Account | 7 | Enumerate users and groups | 319e9f6c-7a9e-432e-8c62-9385c803b6f2 | sh |
| 1041 | discovery | T1087.001 | Local Account | 8 | Enumerate all accounts on Windows (Local) | 80887bec-5a9b-4efc-a81d-f83eb2eb32ab | command_prompt |
| 1042 | discovery | T1087.001 | Local Account | 9 | Enumerate all accounts via PowerShell (Local) | ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b | powershell |
| 1043 | discovery | T1087.001 | Local Account | 10 | Enumerate logged on users via CMD (Local) | a138085e-bfe5-46ba-a242-74a6fb884af3 | command_prompt |
| 1044 | discovery | T1497.001 | System Checks | 1 | Detect Virtualization Environment (Linux) | dfbd1a21-540d-4574-9731-e852bd6fe840 | sh |
| 1045 | discovery | T1497.001 | System Checks | 2 | Detect Virtualization Environment (Windows) | 502a7dc4-9d6f-4d28-abf2-f0e84692562d | powershell |
| 1046 | discovery | T1497.001 | System Checks | 3 | Detect Virtualization Environment (MacOS) | a960185f-aef6-4547-8350-d1ce16680d09 | sh |
| 1047 | discovery | T1497.001 | System Checks | 4 | Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) | 4a41089a-48e0-47aa-82cb-5b81a463bc78 | powershell |
| 1048 | discovery | T1069.002 | Domain Groups | 1 | Basic Permission Groups Discovery Windows (Domain) | dd66d77d-8998-48c0-8024-df263dc2ce5d | command_prompt |
| 1049 | discovery | T1069.002 | Domain Groups | 2 | Permission Groups Discovery PowerShell (Domain) | 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7 | powershell |
| 1050 | discovery | T1069.002 | Domain Groups | 3 | Elevated group enumeration using net group (Domain) | 0afb5163-8181-432e-9405-4322710c0c37 | command_prompt |
| 1051 | discovery | T1069.002 | Domain Groups | 4 | Find machines where user has local admin access (PowerView) | a2d71eee-a353-4232-9f86-54f4288dd8c1 | powershell |
| 1052 | discovery | T1069.002 | Domain Groups | 5 | Find local admins on all machines in domain (PowerView) | a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd | powershell |
| 1053 | discovery | T1069.002 | Domain Groups | 6 | Find Local Admins via Group Policy (PowerView) | 64fdb43b-5259-467a-b000-1b02c00e510a | powershell |
| 1054 | discovery | T1069.002 | Domain Groups | 7 | Enumerate Users Not Requiring Pre Auth (ASRepRoast) | 870ba71e-6858-4f6d-895c-bb6237f6121b | powershell |
| 1055 | discovery | T1069.002 | Domain Groups | 8 | Adfind - Query Active Directory Groups | 48ddc687-82af-40b7-8472-ff1e742e8274 | command_prompt |
| 1056 | discovery | T1069.002 | Domain Groups | 9 | Enumerate Active Directory Groups with Get-AdGroup | 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8 | powershell |
| 1057 | discovery | T1069.002 | Domain Groups | 10 | Enumerate Active Directory Groups with ADSISearcher | 9f4e344b-8434-41b3-85b1-d38f29d148d0 | powershell |
| 1058 | discovery | T1069.002 | Domain Groups | 11 | Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) | 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8 | powershell |
| 1059 | discovery | T1069.002 | Domain Groups | 12 | Get-DomainGroupMember with PowerView | 46352f40-f283-4fe5-b56d-d9a71750e145 | powershell |
| 1060 | discovery | T1069.002 | Domain Groups | 13 | Get-DomainGroup with PowerView | 5a8a181c-2c8e-478d-a943-549305a01230 | powershell |
| 1061 | discovery | T1007 | System Service Discovery | 1 | System Service Discovery | 89676ba1-b1f8-47ee-b940-2e1a113ebc71 | command_prompt |
| 1062 | discovery | T1007 | System Service Discovery | 2 | System Service Discovery - net.exe | 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3 | command_prompt |
| 1063 | discovery | T1007 | System Service Discovery | 3 | System Service Discovery - systemctl | f4b26bce-4c2c-46c0-bcc5-fce062d38bef | bash |
| 1064 | discovery | T1040 | Network Sniffing | 1 | Packet Capture Linux | 7fe741f7-b265-4951-a7c7-320889083b3e | bash |
| 1065 | discovery | T1040 | Network Sniffing | 2 | Packet Capture macOS | 9d04efee-eff5-4240-b8d2-07792b873608 | bash |
| 1066 | discovery | T1040 | Network Sniffing | 3 | Packet Capture Windows Command Prompt | a5b2f6a0-24b4-493e-9590-c699f75723ca | command_prompt |
| 1067 | discovery | T1040 | Network Sniffing | 4 | Windows Internal Packet Capture | b5656f67-d67f-4de8-8e62-b5581630f528 | command_prompt |
| 1068 | discovery | T1040 | Network Sniffing | 5 | Windows Internal pktmon capture | c67ba807-f48b-446e-b955-e4928cd1bf91 | command_prompt |
| 1069 | discovery | T1040 | Network Sniffing | 6 | Windows Internal pktmon set filter | 855fb8b4-b8ab-4785-ae77-09f5df7bff55 | command_prompt |
| 1070 | discovery | T1135 | Network Share Discovery | 1 | Network Share Discovery | f94b5ad9-911c-4eff-9718-fd21899db4f7 | sh |
| 1071 | discovery | T1135 | Network Share Discovery | 2 | Network Share Discovery - linux | 875805bc-9e86-4e87-be86-3a5527315cae | bash |
| 1072 | discovery | T1135 | Network Share Discovery | 3 | Network Share Discovery command prompt | 20f1097d-81c1-405c-8380-32174d493bbb | command_prompt |
| 1073 | discovery | T1135 | Network Share Discovery | 4 | Network Share Discovery PowerShell | 1b0814d1-bb24-402d-9615-1b20c50733fb | powershell |
| 1074 | discovery | T1135 | Network Share Discovery | 5 | View available share drives | ab39a04f-0c93-4540-9ff2-83f862c385ae | command_prompt |
| 1075 | discovery | T1135 | Network Share Discovery | 6 | Share Discovery with PowerView | b1636f0a-ba82-435c-b699-0d78794d8bfd | powershell |
| 1076 | discovery | T1135 | Network Share Discovery | 7 | PowerView ShareFinder | d07e4cc1-98ae-447e-9d31-36cb430d28c4 | powershell |
| 1077 | discovery | T1135 | Network Share Discovery | 8 | WinPwn - shareenumeration | 987901d1-5b87-4558-a6d9-cffcabc638b8 | powershell |
| 1078 | discovery | T1120 | Peripheral Device Discovery | 1 | Win32_PnPEntity Hardware Inventory | 2cb4dbf2-2dca-4597-8678-4d39d207a3a5 | powershell |
| 1079 | discovery | T1120 | Peripheral Device Discovery | 2 | WinPwn - printercheck | cb6e76ca-861e-4a7f-be08-564caa3e6f75 | powershell |
| 1080 | discovery | T1082 | System Information Discovery | 1 | System Information Discovery | 66703791-c902-4560-8770-42b8a91f7667 | command_prompt |
| 1081 | discovery | T1082 | System Information Discovery | 2 | System Information Discovery | edff98ec-0f73-4f63-9890-6b117092aff6 | sh |
| 1082 | discovery | T1082 | System Information Discovery | 3 | List OS Information | cccb070c-df86-4216-a5bc-9fb60c74e27c | sh |
| 1083 | discovery | T1082 | System Information Discovery | 4 | Linux VM Check via Hardware | 31dad7ad-2286-4c02-ae92-274418c85fec | bash |
| 1084 | discovery | T1082 | System Information Discovery | 5 | Linux VM Check via Kernel Modules | 8057d484-0fae-49a4-8302-4812c4f1e64e | bash |
| 1085 | discovery | T1082 | System Information Discovery | 6 | Hostname Discovery (Windows) | 85cfbf23-4a1e-4342-8792-007e004b975f | command_prompt |
| 1086 | discovery | T1082 | System Information Discovery | 7 | Hostname Discovery | 486e88ea-4f56-470f-9b57-3f4d73f39133 | bash |
| 1087 | discovery | T1082 | System Information Discovery | 8 | Windows MachineGUID Discovery | 224b4daf-db44-404e-b6b2-f4d1f0126ef8 | command_prompt |
| 1088 | discovery | T1082 | System Information Discovery | 9 | Griffon Recon | 69bd4abe-8759-49a6-8d21-0f15822d6370 | powershell |
| 1089 | discovery | T1082 | System Information Discovery | 10 | Environment variables discovery on windows | f400d1c0-1804-4ff8-b069-ef5ddd2adbf3 | command_prompt |
| 1090 | discovery | T1082 | System Information Discovery | 11 | Environment variables discovery on macos and linux | fcbdd43f-f4ad-42d5-98f3-0218097e2720 | sh |
| 1091 | discovery | T1082 | System Information Discovery | 12 | Show System Integrity Protection status (MacOS) | 327cc050-9e99-4c8e-99b5-1d15f2fb6b96 | sh |
| 1092 | discovery | T1082 | System Information Discovery | 13 | WinPwn - winPEAS | eea1d918-825e-47dd-acc2-814d6c58c0e1 | powershell |
| 1093 | discovery | T1082 | System Information Discovery | 14 | WinPwn - itm4nprivesc | 3d256a2f-5e57-4003-8eb6-64d91b1da7ce | powershell |
| 1094 | discovery | T1082 | System Information Discovery | 15 | WinPwn - Powersploits privesc checks | 345cb8e4-d2de-4011-a580-619cf5a9e2d7 | powershell |
| 1095 | discovery | T1082 | System Information Discovery | 16 | WinPwn - General privesc checks | 5b6f39a2-6ec7-4783-a5fd-2c54a55409ed | powershell |
| 1096 | discovery | T1082 | System Information Discovery | 17 | WinPwn - GeneralRecon | 7804659b-fdbf-4cf6-b06a-c03e758590e8 | powershell |
| 1097 | discovery | T1082 | System Information Discovery | 18 | WinPwn - Morerecon | 3278b2f6-f733-4875-9ef4-bfed34244f0a | powershell |
| 1098 | discovery | T1082 | System Information Discovery | 19 | WinPwn - RBCD-Check | dec6a0d8-bcaf-4c22-9d48-2aee59fb692b | powershell |
| 1099 | discovery | T1082 | System Information Discovery | 20 | WinPwn - PowerSharpPack - Watson searching for missing windows patches | 07b18a66-6304-47d2-bad0-ef421eb2e107 | powershell |
| 1100 | discovery | T1082 | System Information Discovery | 21 | WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors | efb79454-1101-4224-a4d0-30c9c8b29ffc | powershell |
| 1101 | discovery | T1082 | System Information Discovery | 22 | WinPwn - PowerSharpPack - Seatbelt | 5c16ceb4-ba3a-43d7-b848-a13c1f216d95 | powershell |
| 1102 | discovery | T1082 | System Information Discovery | 23 | Azure Security Scan with SkyArk | 26a18d3d-f8bc-486b-9a33-d6df5d78a594 | powershell |
| 1103 | discovery | T1010 | Application Window Discovery | 1 | List Process Main Windows - C# .NET | fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4 | command_prompt |
| 1104 | discovery | T1217 | Browser Bookmark Discovery | 1 | List Mozilla Firefox Bookmark Database Files on Linux | 3a41f169-a5ab-407f-9269-abafdb5da6c2 | sh |
| 1105 | discovery | T1217 | Browser Bookmark Discovery | 2 | List Mozilla Firefox Bookmark Database Files on macOS | 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b | sh |
| 1106 | discovery | T1217 | Browser Bookmark Discovery | 3 | List Google Chrome Bookmark JSON Files on macOS | b789d341-154b-4a42-a071-9111588be9bc | sh |
| 1107 | discovery | T1217 | Browser Bookmark Discovery | 4 | List Google Chrome / Opera Bookmarks on Windows with powershell | faab755e-4299-48ec-8202-fc7885eb6545 | powershell |
| 1108 | discovery | T1217 | Browser Bookmark Discovery | 5 | List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt | 76f71e2f-480e-4bed-b61e-398fe17499d5 | command_prompt |
| 1109 | discovery | T1217 | Browser Bookmark Discovery | 6 | List Mozilla Firefox bookmarks on Windows with command prompt | 4312cdbc-79fc-4a9c-becc-53d49c734bc5 | command_prompt |
| 1110 | discovery | T1217 | Browser Bookmark Discovery | 7 | List Internet Explorer Bookmarks using the command prompt | 727dbcdb-e495-4ab1-a6c4-80c7f77aef85 | command_prompt |
| 1111 | discovery | T1217 | Browser Bookmark Discovery | 8 | List Safari Bookmarks on MacOS | 5fc528dd-79de-47f5-8188-25572b7fafe0 | sh |
| 1112 | discovery | T1016 | System Network Configuration Discovery | 1 | System Network Configuration Discovery on Windows | 970ab6a1-0157-4f3f-9a73-ec4166754b23 | command_prompt |
| 1113 | discovery | T1016 | System Network Configuration Discovery | 2 | List Windows Firewall Rules | 038263cb-00f4-4b0a-98ae-0696c67e1752 | command_prompt |
| 1114 | discovery | T1016 | System Network Configuration Discovery | 3 | System Network Configuration Discovery | c141bbdb-7fca-4254-9fd6-f47e79447e17 | sh |
| 1115 | discovery | T1016 | System Network Configuration Discovery | 4 | System Network Configuration Discovery (TrickBot Style) | dafaf052-5508-402d-bf77-51e0700c02e2 | command_prompt |
| 1116 | discovery | T1016 | System Network Configuration Discovery | 5 | List Open Egress Ports | 4b467538-f102-491d-ace7-ed487b853bf5 | powershell |
| 1117 | discovery | T1016 | System Network Configuration Discovery | 6 | Adfind - Enumerate Active Directory Subnet Objects | 9bb45dd7-c466-4f93-83a1-be30e56033ee | command_prompt |
| 1118 | discovery | T1016 | System Network Configuration Discovery | 7 | Qakbot Recon | 121de5c6-5818-4868-b8a7-8fd07c455c1b | command_prompt |
| 1119 | discovery | T1016 | System Network Configuration Discovery | 8 | List macOS Firewall Rules | ff1d8c25-2aa4-4f18-a425-fede4a41ee88 | bash |
| 1120 | discovery | T1482 | Domain Trust Discovery | 1 | Windows - Discover domain trusts with dsquery | 4700a710-c821-4e17-a3ec-9e4c81d6845f | command_prompt |
| 1121 | discovery | T1482 | Domain Trust Discovery | 2 | Windows - Discover domain trusts with nltest | 2e22641d-0498-48d2-b9ff-c71e496ccdbe | command_prompt |
| 1122 | discovery | T1482 | Domain Trust Discovery | 3 | Powershell enumerate domains and forests | c58fbc62-8a62-489e-8f2d-3565d7d96f30 | powershell |
| 1123 | discovery | T1482 | Domain Trust Discovery | 4 | Adfind - Enumerate Active Directory OUs | d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec | command_prompt |
| 1124 | discovery | T1482 | Domain Trust Discovery | 5 | Adfind - Enumerate Active Directory Trusts | 15fe436d-e771-4ff3-b655-2dca9ba52834 | command_prompt |
| 1125 | discovery | T1482 | Domain Trust Discovery | 6 | Get-DomainTrust with PowerView | f974894c-5991-4b19-aaf5-7cc2fe298c5d | powershell |
| 1126 | discovery | T1482 | Domain Trust Discovery | 7 | Get-ForestTrust with PowerView | 58ed10e8-0738-4651-8408-3a3e9a526279 | powershell |
| 1127 | discovery | T1482 | Domain Trust Discovery | 8 | TruffleSnout - Listing AD Infrastructure | ea1b4f2d-5b82-4006-b64f-f2845608a3bf | command_prompt |
| 1128 | discovery | T1083 | File and Directory Discovery | 1 | File and Directory Discovery (cmd.exe) | 0e36303b-6762-4500-b003-127743b80ba6 | command_prompt |
| 1129 | discovery | T1083 | File and Directory Discovery | 2 | File and Directory Discovery (PowerShell) | 2158908e-b7ef-4c21-8a83-3ce4dd05a924 | powershell |
| 1130 | discovery | T1083 | File and Directory Discovery | 3 | Nix File and Directory Discovery | ffc8b249-372a-4b74-adcd-e4c0430842de | sh |
| 1131 | discovery | T1083 | File and Directory Discovery | 4 | Nix File and Directory Discovery 2 | 13c5e1ae-605b-46c4-a79f-db28c77ff24e | sh |
| 1132 | discovery | T1083 | File and Directory Discovery | 5 | Simulating MAZE Directory Enumeration | c6c34f61-1c3e-40fb-8a58-d017d88286d8 | powershell |
| 1133 | discovery | T1049 | System Network Connections Discovery | 1 | System Network Connections Discovery | 0940a971-809a-48f1-9c4d-b1d785e96ee5 | command_prompt |
| 1134 | discovery | T1049 | System Network Connections Discovery | 2 | System Network Connections Discovery with PowerShell | f069f0f1-baad-4831-aa2b-eddac4baac4a | powershell |
| 1135 | discovery | T1049 | System Network Connections Discovery | 3 | System Network Connections Discovery Linux & MacOS | 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 | sh |
| 1136 | discovery | T1049 | System Network Connections Discovery | 4 | System Discovery using SharpView | 96f974bb-a0da-4d87-a744-ff33e73367e9 | powershell |
| 1137 | discovery | T1057 | Process Discovery | 1 | Process Discovery - ps | 4ff64f0b-aaf2-4866-b39d-38d9791407cc | sh |
| 1138 | discovery | T1057 | Process Discovery | 2 | Process Discovery - tasklist | c5806a4f-62b8-4900-980b-c7ec004e9908 | command_prompt |
| 1139 | discovery | T1057 | Process Discovery | 3 | Process Discovery - Get-Process | 3b3809b6-a54b-4f5b-8aff-cb51f2e97b34 | powershell |
| 1140 | discovery | T1057 | Process Discovery | 4 | Process Discovery - get-wmiObject | b51239b4-0129-474f-a2b4-70f855b9f2c2 | powershell |
| 1141 | discovery | T1057 | Process Discovery | 5 | Process Discovery - wmic process | 640cbf6d-659b-498b-ba53-f6dd1a1cc02c | command_prompt |
| 1142 | discovery | T1069.001 | Local Groups | 1 | Permission Groups Discovery (Local) | 952931a4-af0b-4335-bbbe-73c8c5b327ae | sh |
| 1143 | discovery | T1069.001 | Local Groups | 2 | Basic Permission Groups Discovery Windows (Local) | 1f454dd6-e134-44df-bebb-67de70fb6cd8 | command_prompt |
| 1144 | discovery | T1069.001 | Local Groups | 3 | Permission Groups Discovery PowerShell (Local) | a580462d-2c19-4bc7-8b9a-57a41b7d3ba4 | powershell |
| 1145 | discovery | T1069.001 | Local Groups | 4 | SharpHound3 - LocalAdmin | e03ada14-0980-4107-aff1-7783b2b59bb1 | powershell |
| 1146 | discovery | T1069.001 | Local Groups | 5 | Wmic Group Discovery | 7413be50-be8e-430f-ad4d-07bf197884b2 | powershell |
| 1147 | discovery | T1069.001 | Local Groups | 6 | WMIObject Group Discovery | 69119e58-96db-4110-ad27-954e48f3bb13 | powershell |
| 1148 | discovery | T1201 | Password Policy Discovery | 1 | Examine password complexity policy - Ubuntu | 085fe567-ac84-47c7-ac4c-2688ce28265b | bash |
| 1149 | discovery | T1201 | Password Policy Discovery | 2 | Examine password complexity policy - CentOS/RHEL 7.x | 78a12e65-efff-4617-bc01-88f17d71315d | bash |
| 1150 | discovery | T1201 | Password Policy Discovery | 3 | Examine password complexity policy - CentOS/RHEL 6.x | 6ce12552-0adb-4f56-89ff-95ce268f6358 | bash |
| 1151 | discovery | T1201 | Password Policy Discovery | 4 | Examine password expiration policy - All Linux | 7c86c55c-70fa-4a05-83c9-3aa19b145d1a | bash |
| 1152 | discovery | T1201 | Password Policy Discovery | 5 | Examine local password policy - Windows | 4588d243-f24e-4549-b2e3-e627acc089f6 | command_prompt |
| 1153 | discovery | T1201 | Password Policy Discovery | 6 | Examine domain password policy - Windows | 46c2c362-2679-4ef5-aec9-0e958e135be4 | command_prompt |
| 1154 | discovery | T1201 | Password Policy Discovery | 7 | Examine password policy - macOS | 4b7fa042-9482-45e1-b348-4b756b2a0742 | bash |
| 1155 | discovery | T1201 | Password Policy Discovery | 8 | Get-DomainPolicy with PowerView | 3177f4da-3d4b-4592-8bdc-aa23d0b2e843 | powershell |
| 1156 | discovery | T1201 | Password Policy Discovery | 9 | Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy | b2698b33-984c-4a1c-93bb-e4ba72a0babb | powershell |
| 1157 | discovery | T1614.001 | System Language Discovery | 1 | Discover System Language by Registry Query | 631d4cf1-42c9-4209-8fe9-6bd4de9421be | command_prompt |
| 1158 | discovery | T1614.001 | System Language Discovery | 2 | Discover System Language with chcp | d91473ca-944e-477a-b484-0e80217cd789 | command_prompt |
| 1159 | discovery | T1012 | Query Registry | 1 | Query Registry | 8f7578c4-9863-4d83-875c-a565573bbdf0 | command_prompt |
| 1160 | discovery | T1518.001 | Security Software Discovery | 1 | Security Software Discovery | f92a380f-ced9-491f-b338-95a991418ce2 | command_prompt |
| 1161 | discovery | T1518.001 | Security Software Discovery | 2 | Security Software Discovery - powershell | 7f566051-f033-49fb-89de-b6bacab730f0 | powershell |
| 1162 | discovery | T1518.001 | Security Software Discovery | 3 | Security Software Discovery - ps (macOS) | ba62ce11-e820-485f-9c17-6f3c857cd840 | sh |
| 1163 | discovery | T1518.001 | Security Software Discovery | 4 | Security Software Discovery - ps (Linux) | 23b91cd2-c99c-4002-9e41-317c63e024a2 | sh |
| 1164 | discovery | T1518.001 | Security Software Discovery | 5 | Security Software Discovery - Sysmon Service | fe613cf3-8009-4446-9a0f-bc78a15b66c9 | command_prompt |
| 1165 | discovery | T1518.001 | Security Software Discovery | 6 | Security Software Discovery - AV Discovery via WMI | 1553252f-14ea-4d3b-8a08-d7a4211aa945 | command_prompt |
| 1166 | discovery | T1526 | Cloud Service Discovery | 1 | Azure - Dump Subscription Data with MicroBurst | 1e40bb1d-195e-401e-a86b-c192f55e005c | powershell |
| 1167 | discovery | T1018 | Remote System Discovery | 1 | Remote System Discovery - net | 85321a9c-897f-4a60-9f20-29788e50bccd | command_prompt |
| 1168 | discovery | T1018 | Remote System Discovery | 2 | Remote System Discovery - net group Domain Computers | f1bf6c8f-9016-4edf-aff9-80b65f5d711f | command_prompt |
| 1169 | discovery | T1018 | Remote System Discovery | 3 | Remote System Discovery - nltest | 52ab5108-3f6f-42fb-8ba3-73bc054f22c8 | command_prompt |
| 1170 | discovery | T1018 | Remote System Discovery | 4 | Remote System Discovery - ping sweep | 6db1f57f-d1d5-4223-8a66-55c9c65a9592 | command_prompt |
| 1171 | discovery | T1018 | Remote System Discovery | 5 | Remote System Discovery - arp | 2d5a61f5-0447-4be4-944a-1f8530ed6574 | command_prompt |
| 1172 | discovery | T1018 | Remote System Discovery | 6 | Remote System Discovery - arp nix | acb6b1ff-e2ad-4d64-806c-6c35fe73b951 | sh |
| 1173 | discovery | T1018 | Remote System Discovery | 7 | Remote System Discovery - sweep | 96db2632-8417-4dbb-b8bb-a8b92ba391de | sh |
| 1174 | discovery | T1018 | Remote System Discovery | 8 | Remote System Discovery - nslookup | baa01aaa-5e13-45ec-8a0d-e46c93c9760f | powershell |
| 1175 | discovery | T1018 | Remote System Discovery | 9 | Remote System Discovery - adidnsdump | 95e19466-469e-4316-86d2-1dc401b5a959 | command_prompt |
| 1176 | discovery | T1018 | Remote System Discovery | 10 | Adfind - Enumerate Active Directory Computer Objects | a889f5be-2d54-4050-bd05-884578748bb4 | command_prompt |
| 1177 | discovery | T1018 | Remote System Discovery | 11 | Adfind - Enumerate Active Directory Domain Controller Objects | 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e | command_prompt |
| 1178 | discovery | T1018 | Remote System Discovery | 12 | Remote System Discovery - ip neighbour | 158bd4dd-6359-40ab-b13c-285b9ef6fa25 | sh |
| 1179 | discovery | T1018 | Remote System Discovery | 13 | Remote System Discovery - ip route | 1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1 | sh |
| 1180 | discovery | T1018 | Remote System Discovery | 14 | Remote System Discovery - ip tcp_metrics | 6c2da894-0b57-43cb-87af-46ea3b501388 | sh |
| 1181 | discovery | T1018 | Remote System Discovery | 15 | Enumerate domain computers within Active Directory using DirectorySearcher | 962a6017-1c09-45a6-880b-adc9c57cb22e | powershell |
| 1182 | discovery | T1018 | Remote System Discovery | 16 | Enumerate Active Directory Computers with Get-AdComputer | 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf | powershell |
| 1183 | discovery | T1018 | Remote System Discovery | 17 | Enumerate Active Directory Computers with ADSISearcher | 64ede6ac-b57a-41c2-a7d1-32c6cd35397d | powershell |
| 1184 | discovery | T1018 | Remote System Discovery | 18 | Get-DomainController with PowerView | b9d2e8ca-5520-4737-8076-4f08913da2c4 | powershell |
| 1185 | discovery | T1018 | Remote System Discovery | 19 | Get-wmiobject to Enumerate Domain Controllers | e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad | powershell |
| 1186 | discovery | T1046 | Network Service Discovery | 1 | Port Scan | 68e907da-2539-48f6-9fc9-257a78c05540 | bash |
| 1187 | discovery | T1046 | Network Service Discovery | 2 | Port Scan Nmap | 515942b0-a09f-4163-a7bb-22fefb6f185f | sh |
| 1188 | discovery | T1046 | Network Service Discovery | 3 | Port Scan NMap for Windows | d696a3cb-d7a8-4976-8eb5-5af4abf2e3df | powershell |
| 1189 | discovery | T1046 | Network Service Discovery | 4 | Port Scan using python | 6ca45b04-9f15-4424-b9d3-84a217285a5c | powershell |
| 1190 | discovery | T1046 | Network Service Discovery | 5 | WinPwn - spoolvulnscan | 54574908-f1de-4356-9021-8053dd57439a | powershell |
| 1191 | discovery | T1046 | Network Service Discovery | 6 | WinPwn - MS17-10 | 97585b04-5be2-40e9-8c31-82157b8af2d6 | powershell |
| 1192 | discovery | T1046 | Network Service Discovery | 7 | WinPwn - bluekeep | 1cca5640-32a9-46e6-b8e0-fabbe2384a73 | powershell |
| 1193 | discovery | T1046 | Network Service Discovery | 8 | WinPwn - fruit | bb037826-cbe8-4a41-93ea-b94059d6bb98 | powershell |
| 1194 | discovery | T1518 | Software Discovery | 1 | Find and Display Internet Explorer Browser Version | 68981660-6670-47ee-a5fa-7e74806420a4 | command_prompt |
| 1195 | discovery | T1518 | Software Discovery | 2 | Applications Installed | c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b | powershell |
| 1196 | discovery | T1518 | Software Discovery | 3 | Find and Display Safari Browser Version | 103d6533-fd2a-4d08-976a-4a598565280f | sh |
| 1197 | discovery | T1518 | Software Discovery | 4 | WinPwn - Dotnetsearch | 7e79a1b6-519e-433c-ad55-3ff293667101 | powershell |
| 1198 | discovery | T1518 | Software Discovery | 5 | WinPwn - DotNet | 10ba02d0-ab76-4f80-940d-451633f24c5b | powershell |
| 1199 | discovery | T1518 | Software Discovery | 6 | WinPwn - powerSQL | 0bb64470-582a-4155-bde2-d6003a95ed34 | powershell |
| 1200 | discovery | T1124 | System Time Discovery | 1 | System Time Discovery | 20aba24b-e61f-4b26-b4ce-4784f763ca20 | command_prompt |
| 1201 | discovery | T1124 | System Time Discovery | 2 | System Time Discovery - PowerShell | 1d5711d6-655c-4a47-ae9c-6503c74fa877 | powershell |
| 1202 | discovery | T1124 | System Time Discovery | 3 | System Time Discovery in macOS | f449c933-0891-407f-821e-7916a21a1a6f | sh |
| 1203 | command-and-control | T1132.001 | Standard Encoding | 1 | Base64 Encoded data. | 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 | sh |
| 1204 | command-and-control | T1132.001 | Standard Encoding | 2 | XOR Encoded data. | c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08 | powershell |
| 1205 | command-and-control | T1071.004 | DNS | 1 | DNS Large Query Volume | 1700f5d6-5a44-487b-84de-bc66f507b0a6 | powershell |
| 1206 | command-and-control | T1071.004 | DNS | 2 | DNS Regular Beaconing | 3efc144e-1af8-46bb-8ca2-1376bb6db8b6 | powershell |
| 1207 | command-and-control | T1071.004 | DNS | 3 | DNS Long Domain Query | fef31710-223a-40ee-8462-a396d6b66978 | powershell |
| 1208 | command-and-control | T1071.004 | DNS | 4 | DNS C2 | e7bf9802-2e78-4db9-93b5-181b7bcd37d7 | powershell |
| 1209 | command-and-control | T1219 | Remote Access Software | 1 | TeamViewer Files Detected Test on Windows | 8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0 | powershell |
| 1210 | command-and-control | T1219 | Remote Access Software | 2 | AnyDesk Files Detected Test on Windows | 6b8b7391-5c0a-4f8c-baee-78d8ce0ce330 | powershell |
| 1211 | command-and-control | T1219 | Remote Access Software | 3 | LogMeIn Files Detected Test on Windows | d03683ec-aae0-42f9-9b4c-534780e0f8e1 | powershell |
| 1212 | command-and-control | T1219 | Remote Access Software | 4 | GoToAssist Files Detected Test on Windows | 1b72b3bd-72f8-4b63-a30b-84e91b9c3578 | powershell |
| 1213 | command-and-control | T1219 | Remote Access Software | 5 | ScreenConnect Application Download and Install on Windows | 4a18cc4e-416f-4966-9a9d-75731c4684c0 | powershell |
| 1214 | command-and-control | T1219 | Remote Access Software | 6 | Ammyy Admin Software Execution | 0ae9e327-3251-465a-a53b-485d4e3f58fa | powershell |
| 1215 | command-and-control | T1219 | Remote Access Software | 7 | RemotePC Software Execution | fbff3f1f-b0bf-448e-840f-7e1687affdce | powershell |
| 1216 | command-and-control | T1219 | Remote Access Software | 8 | NetSupport - RAT Execution | ecca999b-e0c8-40e8-8416-ad320b146a75 | powershell |
| 1217 | command-and-control | T1572 | Protocol Tunneling | 1 | DNS over HTTPS Large Query Volume | ae9ef4b0-d8c1-49d4-8758-06206f19af0a | powershell |
| 1218 | command-and-control | T1572 | Protocol Tunneling | 2 | DNS over HTTPS Regular Beaconing | 0c5f9705-c575-42a6-9609-cbbff4b2fc9b | powershell |
| 1219 | command-and-control | T1572 | Protocol Tunneling | 3 | DNS over HTTPS Long Domain Query | 748a73d5-cea4-4f34-84d8-839da5baa99c | powershell |
| 1220 | command-and-control | T1090.003 | Multi-hop Proxy | 1 | Psiphon | 14d55ca0-920e-4b44-8425-37eedd72b173 | powershell |
| 1221 | command-and-control | T1090.003 | Multi-hop Proxy | 2 | Tor Proxy Usage - Windows | 7b9d85e5-c4ce-4434-8060-d3de83595e69 | powershell |
| 1222 | command-and-control | T1090.003 | Multi-hop Proxy | 3 | Tor Proxy Usage - Debian/Ubuntu | 5ff9d047-6e9c-4357-b39b-5cf89d9b59c7 | sh |
| 1223 | command-and-control | T1090.003 | Multi-hop Proxy | 4 | Tor Proxy Usage - MacOS | 12631354-fdbc-4164-92be-402527e748da | sh |
| 1224 | command-and-control | T1571 | Non-Standard Port | 1 | Testing usage of uncommonly used port with PowerShell | 21fe622f-8e53-4b31-ba83-6d333c2583f4 | powershell |
| 1225 | command-and-control | T1571 | Non-Standard Port | 2 | Testing usage of uncommonly used port | 5db21e1d-dd9c-4a50-b885-b1e748912767 | sh |
| 1226 | command-and-control | T1573 | Encrypted Channel | 1 | OpenSSL C2 | 21caf58e-87ad-440c-a6b8-3ac259964003 | powershell |
| 1227 | command-and-control | T1095 | Non-Application Layer Protocol | 1 | ICMP C2 | 0268e63c-e244-42db-bef7-72a9e59fc1fc | powershell |
| 1228 | command-and-control | T1095 | Non-Application Layer Protocol | 2 | Netcat C2 | bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37 | powershell |
| 1229 | command-and-control | T1095 | Non-Application Layer Protocol | 3 | Powercat C2 | 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e | powershell |
| 1230 | command-and-control | T1071.001 | Web Protocols | 1 | Malicious User Agents - Powershell | 81c13829-f6c9-45b8-85a6-053366d55297 | powershell |
| 1231 | command-and-control | T1071.001 | Web Protocols | 2 | Malicious User Agents - CMD | dc3488b0-08c7-4fea-b585-905c83b48180 | command_prompt |
| 1232 | command-and-control | T1071.001 | Web Protocols | 3 | Malicious User Agents - Nix | 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 | sh |
| 1233 | command-and-control | T1105 | Ingress Tool Transfer | 1 | rsync remote file copy (push) | 0fc6e977-cb12-44f6-b263-2824ba917409 | bash |
| 1234 | command-and-control | T1105 | Ingress Tool Transfer | 2 | rsync remote file copy (pull) | 3180f7d5-52c0-4493-9ea0-e3431a84773f | bash |
| 1235 | command-and-control | T1105 | Ingress Tool Transfer | 3 | scp remote file copy (push) | 83a49600-222b-4866-80a0-37736ad29344 | bash |
| 1236 | command-and-control | T1105 | Ingress Tool Transfer | 4 | scp remote file copy (pull) | b9d22b9a-9778-4426-abf0-568ea64e9c33 | bash |
| 1237 | command-and-control | T1105 | Ingress Tool Transfer | 5 | sftp remote file copy (push) | f564c297-7978-4aa9-b37a-d90477feea4e | bash |
| 1238 | command-and-control | T1105 | Ingress Tool Transfer | 6 | sftp remote file copy (pull) | 0139dba1-f391-405e-a4f5-f3989f2c88ef | bash |
| 1239 | command-and-control | T1105 | Ingress Tool Transfer | 7 | certutil download (urlcache) | dd3b61dd-7bbc-48cd-ab51-49ad1a776df0 | command_prompt |
| 1240 | command-and-control | T1105 | Ingress Tool Transfer | 8 | certutil download (verifyctl) | ffd492e3-0455-4518-9fb1-46527c9f241b | powershell |
| 1241 | command-and-control | T1105 | Ingress Tool Transfer | 9 | Windows - BITSAdmin BITS Download | a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b | command_prompt |
| 1242 | command-and-control | T1105 | Ingress Tool Transfer | 10 | Windows - PowerShell Download | 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8 | powershell |
| 1243 | command-and-control | T1105 | Ingress Tool Transfer | 11 | OSTAP Worming Activity | 2ca61766-b456-4fcf-a35a-1233685e1cad | command_prompt |
| 1244 | command-and-control | T1105 | Ingress Tool Transfer | 12 | svchost writing a file to a UNC path | fa5a2759-41d7-4e13-a19c-e8f28a53566f | command_prompt |
| 1245 | command-and-control | T1105 | Ingress Tool Transfer | 13 | Download a File with Windows Defender MpCmdRun.exe | 815bef8b-bf91-4b67-be4c-abe4c2a94ccc | command_prompt |
| 1246 | command-and-control | T1105 | Ingress Tool Transfer | 14 | whois file download | c99a829f-0bb8-4187-b2c6-d47d1df74cab | sh |
| 1247 | command-and-control | T1105 | Ingress Tool Transfer | 15 | File Download via PowerShell | 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 | powershell |
| 1248 | command-and-control | T1105 | Ingress Tool Transfer | 16 | File download with finger.exe on Windows | 5f507e45-8411-4f99-84e7-e38530c45d01 | command_prompt |
| 1249 | command-and-control | T1105 | Ingress Tool Transfer | 17 | Download a file with IMEWDBLD.exe | 1a02df58-09af-4064-a765-0babe1a0d1e2 | powershell |
| 1250 | command-and-control | T1105 | Ingress Tool Transfer | 18 | Curl Download File | 2b080b99-0deb-4d51-af0f-833d37c4ca6a | command_prompt |
| 1251 | command-and-control | T1105 | Ingress Tool Transfer | 19 | Curl Upload File | 635c9a38-6cbf-47dc-8615-3810bc1167cf | command_prompt |
| 1252 | command-and-control | T1105 | Ingress Tool Transfer | 20 | Download a file with Microsoft Connection Manager Auto-Download | d239772b-88e2-4a2e-8473-897503401bcc | command_prompt |
| 1253 | command-and-control | T1105 | Ingress Tool Transfer | 21 | MAZE Propagation Script | 70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf | powershell |
| 1254 | command-and-control | T1105 | Ingress Tool Transfer | 22 | Printer Migration Command-Line Tool UNC share folder into a zip file | 49845fc1-7961-4590-a0f0-3dbcf065ae7e | command_prompt |
| 1255 | command-and-control | T1105 | Ingress Tool Transfer | 23 | Lolbas replace.exe use to copy file | 54782d65-12f0-47a5-b4c1-b70ee23de6df | command_prompt |
| 1256 | command-and-control | T1105 | Ingress Tool Transfer | 24 | Lolbas replace.exe use to copy UNC file | ed0335ac-0354-400c-8148-f6151d20035a | command_prompt |
| 1257 | command-and-control | T1105 | Ingress Tool Transfer | 25 | certreq download | 6fdaae87-c05b-42f8-842e-991a74e8376b | command_prompt |
| 1258 | command-and-control | T1105 | Ingress Tool Transfer | 26 | Download a file using wscript | 97116a3f-efac-4b26-8336-b9cb18c45188 | command_prompt |
| 1259 | command-and-control | T1090.001 | Internal Proxy | 1 | Connection Proxy | 0ac21132-4485-4212-a681-349e8a6637cd | sh |
| 1260 | command-and-control | T1090.001 | Internal Proxy | 2 | Connection Proxy for macOS UI | 648d68c1-8bcd-4486-9abe-71c6655b6a2c | sh |
| 1261 | command-and-control | T1090.001 | Internal Proxy | 3 | portproxy reg key | b8223ea9-4be2-44a6-b50a-9657a3d4e72a | powershell |
| 1262 | impact | T1489 | Service Stop | 1 | Windows - Stop service using Service Controller | 21dfb440-830d-4c86-a3e5-2a491d5a8d04 | command_prompt |
| 1263 | impact | T1489 | Service Stop | 2 | Windows - Stop service using net.exe | 41274289-ec9c-4213-bea4-e43c4aa57954 | command_prompt |
| 1264 | impact | T1489 | Service Stop | 3 | Windows - Stop service by killing process | f3191b84-c38b-400b-867e-3a217a27795f | command_prompt |
| 1265 | impact | T1491.001 | Internal Defacement | 1 | Replace Desktop Wallpaper | 30558d53-9d76-41c4-9267-a7bd5184bed3 | powershell |
| 1266 | impact | T1531 | Account Access Removal | 1 | Change User Password - Windows | 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2 | command_prompt |
| 1267 | impact | T1531 | Account Access Removal | 2 | Delete User - Windows | f21a1d7d-a62f-442a-8c3a-2440d43b19e5 | command_prompt |
| 1268 | impact | T1531 | Account Access Removal | 3 | Remove Account From Domain Admin Group | 43f71395-6c37-498e-ab17-897d814a0947 | powershell |
| 1269 | impact | T1486 | Data Encrypted for Impact | 1 | Encrypt files using gpg (Linux) | 7b8ce084-3922-4618-8d22-95f996173765 | bash |
| 1270 | impact | T1486 | Data Encrypted for Impact | 2 | Encrypt files using 7z (Linux) | 53e6735a-4727-44cc-b35b-237682a151ad | bash |
| 1271 | impact | T1486 | Data Encrypted for Impact | 3 | Encrypt files using ccrypt (Linux) | 08cbf59f-85da-4369-a5f4-049cffd7709f | bash |
| 1272 | impact | T1486 | Data Encrypted for Impact | 4 | Encrypt files using openssl (Linux) | 142752dc-ca71-443b-9359-cf6f497315f1 | bash |
| 1273 | impact | T1486 | Data Encrypted for Impact | 5 | PureLocker Ransom Note | 649349c7-9abf-493b-a7a2-b1aa4d141528 | command_prompt |
| 1274 | impact | T1496 | Resource Hijacking | 1 | macOS/Linux - Simulate CPU Load with Yes | 904a5a0e-fb02-490d-9f8d-0e256eb37549 | bash |
| 1275 | impact | T1485 | Data Destruction | 1 | Windows - Overwrite file with Sysinternals SDelete | 476419b5-aebf-4366-a131-ae3e8dae5fc2 | powershell |
| 1276 | impact | T1485 | Data Destruction | 2 | macOS/Linux - Overwrite file with DD | 38deee99-fd65-4031-bec8-bfa4f9f26146 | bash |
| 1277 | impact | T1485 | Data Destruction | 3 | Overwrite deleted data on C drive | 321fd25e-0007-417f-adec-33232252be19 | command_prompt |
| 1278 | impact | T1490 | Inhibit System Recovery | 1 | Windows - Delete Volume Shadow Copies | 43819286-91a9-4369-90ed-d31fb4da2c01 | command_prompt |
| 1279 | impact | T1490 | Inhibit System Recovery | 2 | Windows - Delete Volume Shadow Copies via WMI | 6a3ff8dd-f49c-4272-a658-11c2fe58bd88 | command_prompt |
| 1280 | impact | T1490 | Inhibit System Recovery | 3 | Windows - wbadmin Delete Windows Backup Catalog | 263ba6cb-ea2b-41c9-9d4e-b652dadd002c | command_prompt |
| 1281 | impact | T1490 | Inhibit System Recovery | 4 | Windows - Disable Windows Recovery Console Repair | cf21060a-80b3-4238-a595-22525de4ab81 | command_prompt |
| 1282 | impact | T1490 | Inhibit System Recovery | 5 | Windows - Delete Volume Shadow Copies via WMI with PowerShell | 39a295ca-7059-4a88-86f6-09556c1211e7 | powershell |
| 1283 | impact | T1490 | Inhibit System Recovery | 6 | Windows - Delete Backup Files | 6b1dbaf6-cc8a-4ea6-891f-6058569653bf | command_prompt |
| 1284 | impact | T1490 | Inhibit System Recovery | 7 | Windows - wbadmin Delete systemstatebackup | 584331dd-75bc-4c02-9e0b-17f5fd81c748 | command_prompt |
| 1285 | impact | T1490 | Inhibit System Recovery | 8 | Windows - Disable the SR scheduled task | 1c68c68d-83a4-4981-974e-8993055fa034 | command_prompt |
| 1286 | impact | T1490 | Inhibit System Recovery | 9 | Disable System Restore Through Registry | 66e647d1-8741-4e43-b7c1-334760c2047f | command_prompt |
| 1287 | impact | T1529 | System Shutdown/Reboot | 1 | Shutdown System - Windows | ad254fa8-45c0-403b-8c77-e00b3d3e7a64 | command_prompt |
| 1288 | impact | T1529 | System Shutdown/Reboot | 2 | Restart System - Windows | f4648f0d-bf78-483c-bafc-3ec99cd1c302 | command_prompt |
| 1289 | impact | T1529 | System Shutdown/Reboot | 3 | Restart System via `shutdown` - macOS/Linux | 6326dbc4-444b-4c04-88f4-27e94d0327cb | bash |
| 1290 | impact | T1529 | System Shutdown/Reboot | 4 | Shutdown System via `shutdown` - macOS/Linux | 4963a81e-a3ad-4f02-adda-812343b351de | bash |
| 1291 | impact | T1529 | System Shutdown/Reboot | 5 | Restart System via `reboot` - macOS/Linux | 47d0b042-a918-40ab-8cf9-150ffe919027 | bash |
| 1292 | impact | T1529 | System Shutdown/Reboot | 6 | Shutdown System via `halt` - Linux | 918f70ab-e1ef-49ff-bc57-b27021df84dd | bash |
| 1293 | impact | T1529 | System Shutdown/Reboot | 7 | Reboot System via `halt` - Linux | 78f92e14-f1e9-4446-b3e9-f1b921f2459e | bash |
| 1294 | impact | T1529 | System Shutdown/Reboot | 8 | Shutdown System via `poweroff` - Linux | 73a90cd2-48a2-4ac5-8594-2af35fa909fa | bash |
| 1295 | impact | T1529 | System Shutdown/Reboot | 9 | Reboot System via `poweroff` - Linux | 61303105-ff60-427b-999e-efb90b314e41 | bash |
| 1296 | impact | T1529 | System Shutdown/Reboot | 10 | Logoff System - Windows | 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4 | command_prompt |
| 1297 | initial-access | T1133 | External Remote Services | 1 | Running Chrome VPN Extensions via the Registry 2 vpn extension | 4c8db261-a58b-42a6-a866-0a294deedde4 | powershell |
| 1298 | initial-access | T1566.001 | Spearphishing Attachment | 1 | Download Macro-Enabled Phishing Attachment | 114ccff9-ae6d-4547-9ead-4cd69f687306 | powershell |
| 1299 | initial-access | T1566.001 | Spearphishing Attachment | 2 | Word spawned a command shell and used an IP address in the command line | cbb6799a-425c-4f83-9194-5447a909d67f | powershell |
| 1300 | initial-access | T1091 | Replication Through Removable Media | 1 | USB Malware Spread Simulation | d44b7297-622c-4be8-ad88-ec40d7563c75 | powershell |
| 1301 | initial-access | T1195 | Supply Chain Compromise | 1 | Octopus Scanner Malware Open Source Supply Chain | 82a9f001-94c5-495e-9ed5-f530dbded5e2 | command_prompt |
| 1302 | initial-access | T1078.001 | Default Accounts | 1 | Enable Guest account with RDP capability and admin privileges | 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 | command_prompt |
| 1303 | initial-access | T1078.001 | Default Accounts | 2 | Activate Guest Account | aa6cb8c4-b582-4f8e-b677-37733914abda | command_prompt |
| 1304 | initial-access | T1078.004 | Cloud Accounts | 1 | Creating GCP Service Account and Service Account Key | 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e | gcloud |
| 1305 | initial-access | T1078.003 | Local Accounts | 1 | Create local account with admin privileges | a524ce99-86de-4db6-b4f9-e08f35a47a15 | command_prompt |
| 1306 | initial-access | T1078.003 | Local Accounts | 2 | Create local account with admin privileges - MacOS | f1275566-1c26-4b66-83e3-7f9f7f964daa | bash |
| 1307 | initial-access | T1078.003 | Local Accounts | 3 | WinPwn - Loot local Credentials - powerhell kittie | 9e9fd066-453d-442f-88c1-ad7911d32912 | powershell |
| 1308 | initial-access | T1078.003 | Local Accounts | 4 | WinPwn - Loot local Credentials - Safetykatz | e9fdb899-a980-4ba4-934b-486ad22e22f4 | powershell |
| 1309 | exfiltration | T1567 | Exfiltration Over Web Service | 1 | Data Exfiltration with ConfigSecurityPolicy | 5568a8f4-a8b1-4c40-9399-4969b642f122 | powershell |
| 1310 | exfiltration | T1020 | Automated Exfiltration | 1 | IcedID Botnet HTTP PUT | 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0 | powershell |
| 1311 | exfiltration | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | 1 | Exfiltrate data HTTPS using curl windows | 1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0 | command_prompt |
| 1312 | exfiltration | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | 2 | Exfiltrate data HTTPS using curl linux | 4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01 | bash |
| 1313 | exfiltration | T1041 | Exfiltration Over C2 Channel | 1 | C2 Data Exfiltration | d1253f6e-c29b-49dc-b466-2147a6191932 | powershell |
| 1314 | exfiltration | T1048 | Exfiltration Over Alternative Protocol | 1 | Exfiltration Over Alternative Protocol - SSH | f6786cc8-beda-4915-a4d6-ac2f193bb988 | sh |
| 1315 | exfiltration | T1048 | Exfiltration Over Alternative Protocol | 2 | Exfiltration Over Alternative Protocol - SSH | 7c3cb337-35ae-4d06-bf03-3032ed2ec268 | sh |
| 1316 | exfiltration | T1048 | Exfiltration Over Alternative Protocol | 3 | DNSExfiltration (doh) | c943d285-ada3-45ca-b3aa-7cd6500c6a48 | powershell |
| 1317 | exfiltration | T1030 | Data Transfer Size Limits | 1 | Data Transfer Size Limits | ab936c51-10f4-46ce-9144-e02137b2016a | sh |
| 1318 | exfiltration | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | 1 | Exfiltration Over Alternative Protocol - HTTP | 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff | manual |
| 1319 | exfiltration | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | 2 | Exfiltration Over Alternative Protocol - ICMP | dd4b4421-2e25-4593-90ae-7021947ad12e | powershell |
| 1320 | exfiltration | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | 3 | Exfiltration Over Alternative Protocol - DNS | c403b5a4-b5fc-49f2-b181-d1c80d27db45 | manual |
| 1321 | exfiltration | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | 4 | Exfiltration Over Alternative Protocol - HTTP | 6aa58451-1121-4490-a8e9-1dada3f1c68c | powershell |
| 1322 | exfiltration | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | 5 | Exfiltration Over Alternative Protocol - SMTP | ec3a835e-adca-4c7c-88d2-853b69c11bb9 | powershell |
| 1323 | exfiltration | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | 6 | MAZE FTP Upload | 57799bc2-ad1e-4130-a793-fb0c385130ba | powershell |