atomic-red-team/atomics/Indexes/Indexes-CSV/windows-index.csv at 7d311f19f1394de014e2e504a5052128e63351b1

Files

T

Atomic Red Team doc generator 029110b694 Generated docs from job=generate-docs branch=master [ci skip]

2024-03-01 19:23:30 +00:00

191 KiB

Raw Blame History

1	Tactic	Technique #	Technique Name	Test #	Test Name	Test GUID	Executor Name
2	defense-evasion	T1055.011	Process Injection: Extra Window Memory Injection	1	Process Injection via Extra Window Memory (EWM) x64 executable	93ca40d2-336c-446d-bcef-87f14d438018	powershell
3	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	1	Rundll32 execute JavaScript Remote Payload With GetObject	57ba4ce9-ee7a-4f27-9928-3c70c489b59d	command_prompt
4	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	2	Rundll32 execute VBscript command	638730e7-7aed-43dc-bf8c-8117f805f5bb	command_prompt
5	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	3	Rundll32 execute VBscript command using Ordinal number	32d1cf1b-cbc2-4c09-8d05-07ec5c83a821	command_prompt
6	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	4	Rundll32 advpack.dll Execution	d91cae26-7fc1-457b-a854-34c8aad48c89	command_prompt
7	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	5	Rundll32 ieadvpack.dll Execution	5e46a58e-cbf6-45ef-a289-ed7754603df9	command_prompt
8	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	6	Rundll32 syssetup.dll Execution	41fa324a-3946-401e-bbdd-d7991c628125	command_prompt
9	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	7	Rundll32 setupapi.dll Execution	71d771cd-d6b3-4f34-bc76-a63d47a10b19	command_prompt
10	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	8	Execution of HTA and VBS Files using Rundll32 and URL.dll	22cfde89-befe-4e15-9753-47306b37a6e3	command_prompt
11	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	9	Launches an executable using Rundll32 and pcwutl.dll	9f5d081a-ee5a-42f9-a04e-b7bdc487e676	command_prompt
12	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	10	Execution of non-dll using rundll32.exe	ae3a8605-b26e-457c-b6b3-2702fd335bac	powershell
13	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	11	Rundll32 with Ordinal Value	9fd5a74b-ba89-482a-8a3e-a5feaa3697b0	command_prompt
14	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	12	Rundll32 with Control_RunDLL	e4c04b6f-c492-4782-82c7-3bf75eb8077e	command_prompt
15	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	13	Rundll32 with desk.cpl	83a95136-a496-423c-81d3-1c6750133917	command_prompt
16	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	14	Running DLL with .init extension and function	2d5029f0-ae20-446f-8811-e7511b58e8b6	command_prompt
17	defense-evasion	T1216.001	Signed Script Proxy Execution: Pubprn	1	PubPrn.vbs Signed Script Bypass	9dd29a1f-1e16-4862-be83-913b10a88f6c	command_prompt
18	defense-evasion	T1006	Direct Volume Access	1	Read volume boot sector via DOS device path (PowerShell)	88f6327e-51ec-4bbf-b2e8-3fea534eab8b	powershell
19	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	1	Bypass UAC using Event Viewer (cmd)	5073adf8-9a50-4bd9-b298-a9bd2ead8af9	command_prompt
20	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	2	Bypass UAC using Event Viewer (PowerShell)	a6ce9acf-842a-4af6-8f79-539be7608e2b	powershell
21	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	3	Bypass UAC using Fodhelper	58f641ea-12e3-499a-b684-44dee46bd182	command_prompt
22	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	4	Bypass UAC using Fodhelper - PowerShell	3f627297-6c38-4e7d-a278-fc2563eaaeaa	powershell
23	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	5	Bypass UAC using ComputerDefaults (PowerShell)	3c51abf2-44bf-42d8-9111-dc96ff66750f	powershell
24	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	6	Bypass UAC by Mocking Trusted Directories	f7a35090-6f7f-4f64-bb47-d657bf5b10c1	command_prompt
25	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	7	Bypass UAC using sdclt DelegateExecute	3be891eb-4608-4173-87e8-78b494c029b7	powershell
26	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	8	Disable UAC using reg.exe	9e8af564-53ec-407e-aaa8-3cb20c3af7f9	command_prompt
27	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	9	Bypass UAC using SilentCleanup task	28104f8a-4ff1-4582-bcf6-699dce156608	command_prompt
28	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	10	UACME Bypass Method 23	8ceab7a2-563a-47d2-b5ba-0995211128d7	command_prompt
29	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	11	UACME Bypass Method 31	b0f76240-9f33-4d34-90e8-3a7d501beb15	command_prompt
30	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	12	UACME Bypass Method 33	e514bb03-f71c-4b22-9092-9f961ec6fb03	command_prompt
31	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	13	UACME Bypass Method 34	695b2dac-423e-448e-b6ef-5b88e93011d6	command_prompt
32	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	14	UACME Bypass Method 39	56163687-081f-47da-bb9c-7b231c5585cf	command_prompt
33	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	15	UACME Bypass Method 56	235ec031-cd2d-465d-a7ae-68bab281e80e	command_prompt
34	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	16	UACME Bypass Method 59	dfb1b667-4bb8-4a63-a85e-29936ea75f29	command_prompt
35	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	17	UACME Bypass Method 61	7825b576-744c-4555-856d-caf3460dc236	command_prompt
36	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	18	WinPwn - UAC Magic	964d8bf8-37bc-4fd3-ba36-ad13761ebbcc	powershell
37	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	19	WinPwn - UAC Bypass ccmstp technique	f3c145f9-3c8d-422c-bd99-296a17a8f567	powershell
38	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	20	WinPwn - UAC Bypass DiskCleanup technique	1ed67900-66cd-4b09-b546-2a0ef4431a0c	powershell
39	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	21	WinPwn - UAC Bypass DccwBypassUAC technique	2b61977b-ae2d-4ae4-89cb-5c36c89586be	powershell
40	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	22	Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key	251c5936-569f-42f4-9ac2-87a173b9e9b8	powershell
41	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	23	UAC Bypass with WSReset Registry Modification	3b96673f-9c92-40f1-8a3e-ca060846f8d9	powershell
42	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	24	Disable UAC - Switch to the secure desktop when prompting for elevation via registry key	85f3a526-4cfa-4fe7-98c1-dea99be025c7	powershell
43	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	25	Disable UAC notification via registry keys	160a7c77-b00e-4111-9e45-7c2a44eda3fd	command_prompt
44	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	26	Disable ConsentPromptBehaviorAdmin via registry keys	a768aaa2-2442-475c-8990-69cf33af0f4e	command_prompt
45	defense-evasion	T1542.001	Pre-OS Boot: System Firmware	1	UEFI Persistence via Wpbbin.exe File Creation	b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1	powershell
46	defense-evasion	T1574.011	Hijack Execution Flow: Services Registry Permissions Weakness	1	Service Registry Permissions Weakness	f7536d63-7fd4-466f-89da-7e48d550752a	powershell
47	defense-evasion	T1574.011	Hijack Execution Flow: Services Registry Permissions Weakness	2	Service ImagePath Change with reg.exe	f38e9eea-e1d7-4ba6-b716-584791963827	command_prompt
48	defense-evasion	T1036.005	Masquerading: Match Legitimate Name or Location	2	Masquerade as a built-in system executable	35eb8d16-9820-4423-a2a1-90c4f5edd9ca	powershell
49	defense-evasion	T1564	Hide Artifacts	1	Extract binary files via VBA	6afe288a-8a8b-4d33-a629-8d03ba9dad3a	powershell
50	defense-evasion	T1564	Hide Artifacts	2	Create a Hidden User Called "$"	2ec63cc2-4975-41a6-bf09-dffdfb610778	command_prompt
51	defense-evasion	T1564	Hide Artifacts	3	Create an "Administrator " user (with a space on the end)	5bb20389-39a5-4e99-9264-aeb92a55a85c	powershell
52	defense-evasion	T1564	Hide Artifacts	4	Create and Hide a Service with sc.exe	333c7de0-6fbe-42aa-ac2b-c7e40b18246a	command_prompt
53	defense-evasion	T1564	Hide Artifacts	5	Command Execution with NirCmd	2748ab4a-1e0b-4cf2-a2b0-8ef765bec7be	powershell
54	defense-evasion	T1562.009	Impair Defenses: Safe Boot Mode	1	Safe Mode Boot	2a78362e-b79a-4482-8e24-be397bce4d85	command_prompt
55	defense-evasion	T1497.001	Virtualization/Sandbox Evasion: System Checks	3	Detect Virtualization Environment (Windows)	502a7dc4-9d6f-4d28-abf2-f0e84692562d	powershell
56	defense-evasion	T1497.001	Virtualization/Sandbox Evasion: System Checks	5	Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)	4a41089a-48e0-47aa-82cb-5b81a463bc78	powershell
57	defense-evasion	T1218.004	Signed Binary Proxy Execution: InstallUtil	1	CheckIfInstallable method call	ffd9c807-d402-47d2-879d-f915cf2a3a94	powershell
58	defense-evasion	T1218.004	Signed Binary Proxy Execution: InstallUtil	2	InstallHelper method call	d43a5bde-ae28-4c55-a850-3f4c80573503	powershell
59	defense-evasion	T1218.004	Signed Binary Proxy Execution: InstallUtil	3	InstallUtil class constructor method call	9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93	powershell
60	defense-evasion	T1218.004	Signed Binary Proxy Execution: InstallUtil	4	InstallUtil Install method call	9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b	powershell
61	defense-evasion	T1218.004	Signed Binary Proxy Execution: InstallUtil	5	InstallUtil Uninstall method call - /U variant	34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b	powershell
62	defense-evasion	T1218.004	Signed Binary Proxy Execution: InstallUtil	6	InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant	06d9deba-f732-48a8-af8e-bdd6e4d98c1d	powershell
63	defense-evasion	T1218.004	Signed Binary Proxy Execution: InstallUtil	7	InstallUtil HelpText method call	5a683850-1145-4326-a0e5-e91ced3c6022	powershell
64	defense-evasion	T1218.004	Signed Binary Proxy Execution: InstallUtil	8	InstallUtil evasive invocation	559e6d06-bb42-4307-bff7-3b95a8254bad	powershell
65	defense-evasion	T1574.001	Hijack Execution Flow: DLL Search Order Hijacking	1	DLL Search Order Hijacking - amsi.dll	8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3	command_prompt
66	defense-evasion	T1222.001	File and Directory Permissions Modification: Windows File and Directory Permissions Modification	1	Take ownership using takeown utility	98d34bb4-6e75-42ad-9c41-1dae7dc6a001	command_prompt
67	defense-evasion	T1222.001	File and Directory Permissions Modification: Windows File and Directory Permissions Modification	2	cacls - Grant permission to specified user or group recursively	a8206bcc-f282-40a9-a389-05d9c0263485	command_prompt
68	defense-evasion	T1222.001	File and Directory Permissions Modification: Windows File and Directory Permissions Modification	3	attrib - Remove read-only attribute	bec1e95c-83aa-492e-ab77-60c71bbd21b0	command_prompt
69	defense-evasion	T1222.001	File and Directory Permissions Modification: Windows File and Directory Permissions Modification	4	attrib - hide file	32b979da-7b68-42c9-9a99-0e39900fc36c	command_prompt
70	defense-evasion	T1222.001	File and Directory Permissions Modification: Windows File and Directory Permissions Modification	5	Grant Full Access to folder for Everyone - Ryuk Ransomware Style	ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6	command_prompt
71	defense-evasion	T1218.007	Signed Binary Proxy Execution: Msiexec	1	Msiexec.exe - Execute Local MSI file with embedded JScript	a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04	command_prompt
72	defense-evasion	T1218.007	Signed Binary Proxy Execution: Msiexec	2	Msiexec.exe - Execute Local MSI file with embedded VBScript	8d73c7b0-c2b1-4ac1-881a-4aa644f76064	command_prompt
73	defense-evasion	T1218.007	Signed Binary Proxy Execution: Msiexec	3	Msiexec.exe - Execute Local MSI file with an embedded DLL	628fa796-76c5-44c3-93aa-b9d8214fd568	command_prompt
74	defense-evasion	T1218.007	Signed Binary Proxy Execution: Msiexec	4	Msiexec.exe - Execute Local MSI file with an embedded EXE	ed3fa08a-ca18-4009-973e-03d13014d0e8	command_prompt
75	defense-evasion	T1218.007	Signed Binary Proxy Execution: Msiexec	5	WMI Win32_Product Class - Execute Local MSI file with embedded JScript	882082f0-27c6-4eec-a43c-9aa80bccdb30	powershell
76	defense-evasion	T1218.007	Signed Binary Proxy Execution: Msiexec	6	WMI Win32_Product Class - Execute Local MSI file with embedded VBScript	cf470d9a-58e7-43e5-b0d2-805dffc05576	powershell
77	defense-evasion	T1218.007	Signed Binary Proxy Execution: Msiexec	7	WMI Win32_Product Class - Execute Local MSI file with an embedded DLL	32eb3861-30da-4993-897a-42737152f5f8	powershell
78	defense-evasion	T1218.007	Signed Binary Proxy Execution: Msiexec	8	WMI Win32_Product Class - Execute Local MSI file with an embedded EXE	55080eb0-49ae-4f55-a440-4167b7974f79	powershell
79	defense-evasion	T1218.007	Signed Binary Proxy Execution: Msiexec	9	Msiexec.exe - Execute the DllRegisterServer function of a DLL	0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d	command_prompt
80	defense-evasion	T1218.007	Signed Binary Proxy Execution: Msiexec	10	Msiexec.exe - Execute the DllUnregisterServer function of a DLL	ab09ec85-4955-4f9c-b8e0-6851baf4d47f	command_prompt
81	defense-evasion	T1218.007	Signed Binary Proxy Execution: Msiexec	11	Msiexec.exe - Execute Remote MSI file	44a4bedf-ffe3-452e-bee4-6925ab125662	command_prompt
82	defense-evasion	T1556.002	Modify Authentication Process: Password Filter DLL	1	Install and Register Password Filter DLL	a7961770-beb5-4134-9674-83d7e1fa865c	powershell
83	defense-evasion	T1070.003	Indicator Removal on Host: Clear Command History	10	Prevent Powershell History Logging	2f898b81-3e97-4abb-bc3f-a95138988370	powershell
84	defense-evasion	T1070.003	Indicator Removal on Host: Clear Command History	11	Clear Powershell History by Deleting History File	da75ae8d-26d6-4483-b0fe-700e4df4f037	powershell
85	defense-evasion	T1070.003	Indicator Removal on Host: Clear Command History	12	Set Custom AddToHistoryHandler to Avoid History File Logging	1d0d9aa6-6111-4f89-927b-53e8afae7f94	powershell
86	defense-evasion	T1202	Indirect Command Execution	1	Indirect Command Execution - pcalua.exe	cecfea7a-5f03-4cdd-8bc8-6f7c22862440	command_prompt
87	defense-evasion	T1202	Indirect Command Execution	2	Indirect Command Execution - forfiles.exe	8b34a448-40d9-4fc3-a8c8-4bb286faf7dc	command_prompt
88	defense-evasion	T1202	Indirect Command Execution	3	Indirect Command Execution - conhost.exe	cf3391e0-b482-4b02-87fc-ca8362269b29	command_prompt
89	defense-evasion	T1140	Deobfuscate/Decode Files or Information	1	Deobfuscate/Decode Files Or Information	dc6fe391-69e6-4506-bd06-ea5eeb4082f8	command_prompt
90	defense-evasion	T1140	Deobfuscate/Decode Files or Information	2	Certutil Rename and Decode	71abc534-3c05-4d0c-80f7-cbe93cb2aa94	command_prompt
91	defense-evasion	T1562	Impair Defenses	1	Windows Disable LSA Protection	40075d5f-3a70-4c66-9125-f72bee87247d	command_prompt
92	defense-evasion	T1055.003	Thread Execution Hijacking	1	Thread Execution Hijacking	578025d5-faa9-4f6d-8390-aae527d503e1	powershell
93	defense-evasion	T1036	Masquerading	1	System File Copied to Unusual Location	51005ac7-52e2-45e0-bdab-d17c6d4916cd	powershell
94	defense-evasion	T1036	Masquerading	2	Malware Masquerading and Execution from Zip File	4449c89b-ec82-43a4-89c1-91e2f1abeecc	powershell
95	defense-evasion	T1070.008	Email Collection: Mailbox Manipulation	1	Copy and Delete Mailbox Data on Windows	d29f01ea-ac72-4efc-8a15-bea64b77fabf	powershell
96	defense-evasion	T1070.008	Email Collection: Mailbox Manipulation	4	Copy and Modify Mailbox Data on Windows	edddff85-fee0-499d-9501-7d4d2892e79b	powershell
97	defense-evasion	T1055	Process Injection	1	Shellcode execution via VBA	1c91e740-1729-4329-b779-feba6e71d048	powershell
98	defense-evasion	T1055	Process Injection	2	Remote Process Injection in LSASS via mimikatz	3203ad24-168e-4bec-be36-f79b13ef8a83	command_prompt
99	defense-evasion	T1055	Process Injection	3	Section View Injection	c6952f41-6cf0-450a-b352-2ca8dae7c178	powershell
100	defense-evasion	T1055	Process Injection	4	Dirty Vanity process Injection	49543237-25db-497b-90df-d0a0a6e8fe2c	powershell
101	defense-evasion	T1055	Process Injection	5	Read-Write-Execute process Injection	0128e48e-8c1a-433a-a11a-a5387384f1e1	powershell
102	defense-evasion	T1055	Process Injection	6	Process Injection with Go using UuidFromStringA WinAPI	2315ce15-38b6-46ac-a3eb-5e21abef2545	powershell
103	defense-evasion	T1055	Process Injection	7	Process Injection with Go using EtwpCreateEtwThread WinAPI	7362ecef-6461-402e-8716-7410e1566400	powershell
104	defense-evasion	T1055	Process Injection	8	Remote Process Injection with Go using RtlCreateUserThread WinAPI	a0c1725f-abcd-40d6-baac-020f3cf94ecd	powershell
105	defense-evasion	T1055	Process Injection	9	Remote Process Injection with Go using CreateRemoteThread WinAPI	69534efc-d5f5-4550-89e6-12c6457b9edd	powershell
106	defense-evasion	T1055	Process Injection	10	Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)	2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39	powershell
107	defense-evasion	T1055	Process Injection	11	Process Injection with Go using CreateThread WinAPI	2871ed59-3837-4a52-9107-99500ebc87cb	powershell
108	defense-evasion	T1055	Process Injection	12	Process Injection with Go using CreateThread WinAPI (Natively)	2a3c7035-d14f-467a-af94-933e49fe6786	powershell
109	defense-evasion	T1055	Process Injection	13	UUID custom process Injection	0128e48e-8c1a-433a-a11a-a5304734f1e1	powershell
110	defense-evasion	T1218	Signed Binary Proxy Execution	1	mavinject - Inject DLL into running process	c426dacf-575d-4937-8611-a148a86a5e61	command_prompt
111	defense-evasion	T1218	Signed Binary Proxy Execution	2	Register-CimProvider - Execute evil dll	ad2c17ed-f626-4061-b21e-b9804a6f3655	command_prompt
112	defense-evasion	T1218	Signed Binary Proxy Execution	3	InfDefaultInstall.exe .inf Execution	54ad7d5a-a1b5-472c-b6c4-f8090fb2daef	command_prompt
113	defense-evasion	T1218	Signed Binary Proxy Execution	4	ProtocolHandler.exe Downloaded a Suspicious File	db020456-125b-4c8b-a4a7-487df8afb5a2	command_prompt
114	defense-evasion	T1218	Signed Binary Proxy Execution	5	Microsoft.Workflow.Compiler.exe Payload Execution	7cbb0f26-a4c1-4f77-b180-a009aa05637e	powershell
115	defense-evasion	T1218	Signed Binary Proxy Execution	6	Renamed Microsoft.Workflow.Compiler.exe Payload Executions	4cc40fd7-87b8-4b16-b2d7-57534b86b911	powershell
116	defense-evasion	T1218	Signed Binary Proxy Execution	7	Invoke-ATHRemoteFXvGPUDisablementCommand base test	9ebe7901-7edf-45c0-b5c7-8366300919db	powershell
117	defense-evasion	T1218	Signed Binary Proxy Execution	8	DiskShadow Command Execution	0e1483ba-8f0c-425d-b8c6-42736e058eaa	powershell
118	defense-evasion	T1218	Signed Binary Proxy Execution	9	Load Arbitrary DLL via Wuauclt (Windows Update Client)	49fbd548-49e9-4bb7-94a6-3769613912b8	command_prompt
119	defense-evasion	T1218	Signed Binary Proxy Execution	10	Lolbin Gpscript logon option	5bcda9cd-8e85-48fa-861d-b5a85d91d48c	command_prompt
120	defense-evasion	T1218	Signed Binary Proxy Execution	11	Lolbin Gpscript startup option	f8da74bb-21b8-4af9-8d84-f2c8e4a220e3	command_prompt
121	defense-evasion	T1218	Signed Binary Proxy Execution	12	Lolbas ie4uinit.exe use as proxy	13c0804e-615e-43ad-b223-2dfbacd0b0b3	command_prompt
122	defense-evasion	T1218	Signed Binary Proxy Execution	13	LOLBAS CustomShellHost to Spawn Process	b1eeb683-90bb-4365-bbc2-2689015782fe	powershell
123	defense-evasion	T1218	Signed Binary Proxy Execution	14	Provlaunch.exe Executes Arbitrary Command via Registry Key	ab76e34f-28bf-441f-a39c-8db4835b89cc	command_prompt
124	defense-evasion	T1218	Signed Binary Proxy Execution	15	LOLBAS Msedge to Spawn Process	e5eedaed-ad42-4c1e-8783-19529738a349	powershell
125	defense-evasion	T1070.006	Indicator Removal on Host: Timestomp	5	Windows - Modify file creation timestamp with PowerShell	b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c	powershell
126	defense-evasion	T1070.006	Indicator Removal on Host: Timestomp	6	Windows - Modify file last modified timestamp with PowerShell	f8f6634d-93e1-4238-8510-f8a90a20dcf2	powershell
127	defense-evasion	T1070.006	Indicator Removal on Host: Timestomp	7	Windows - Modify file last access timestamp with PowerShell	da627f63-b9bd-4431-b6f8-c5b44d061a62	powershell
128	defense-evasion	T1070.006	Indicator Removal on Host: Timestomp	8	Windows - Timestomp a File	d7512c33-3a75-4806-9893-69abc3ccdd43	powershell
129	defense-evasion	T1620	Reflective Code Loading	1	WinPwn - Reflectively load Mimik@tz into memory	56b9589c-9170-4682-8c3d-33b86ecb5119	powershell
130	defense-evasion	T1218.003	Signed Binary Proxy Execution: CMSTP	1	CMSTP Executing Remote Scriptlet	34e63321-9683-496b-bbc1-7566bc55e624	command_prompt
131	defense-evasion	T1218.003	Signed Binary Proxy Execution: CMSTP	2	CMSTP Executing UAC Bypass	748cb4f6-2fb3-4e97-b7ad-b22635a09ab0	command_prompt
132	defense-evasion	T1562.002	Impair Defenses: Disable Windows Event Logging	1	Disable Windows IIS HTTP Logging	69435dcf-c66f-4ec0-a8b1-82beb76b34db	powershell
133	defense-evasion	T1562.002	Impair Defenses: Disable Windows Event Logging	2	Disable Windows IIS HTTP Logging via PowerShell	a957fb0f-1e85-49b2-a211-413366784b1e	powershell
134	defense-evasion	T1562.002	Impair Defenses: Disable Windows Event Logging	3	Kill Event Log Service Threads	41ac52ba-5d5e-40c0-b267-573ed90489bd	powershell
135	defense-evasion	T1562.002	Impair Defenses: Disable Windows Event Logging	4	Impair Windows Audit Log Policy	5102a3a7-e2d7-4129-9e45-f483f2e0eea8	command_prompt
136	defense-evasion	T1562.002	Impair Defenses: Disable Windows Event Logging	5	Clear Windows Audit Policy Config	913c0e4e-4b37-4b78-ad0b-90e7b25010f6	command_prompt
137	defense-evasion	T1562.002	Impair Defenses: Disable Windows Event Logging	6	Disable Event Logging with wevtutil	b26a3340-dad7-4360-9176-706269c74103	command_prompt
138	defense-evasion	T1562.002	Impair Defenses: Disable Windows Event Logging	7	Makes Eventlog blind with Phant0m	3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741	command_prompt
139	defense-evasion	T1218.002	Signed Binary Proxy Execution: Control Panel	1	Control Panel Items	037e9d8a-9e46-4255-8b33-2ae3b545ca6f	command_prompt
140	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	1	Disable Microsoft Defender Firewall	88d05800-a5e4-407e-9b53-ece4174f197f	command_prompt
141	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	2	Disable Microsoft Defender Firewall via Registry	afedc8c4-038c-4d82-b3e5-623a95f8a612	command_prompt
142	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	3	Allow SMB and RDP on Microsoft Defender Firewall	d9841bf8-f161-4c73-81e9-fd773a5ff8c1	command_prompt
143	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	4	Opening ports for proxy - HARDRAIN	15e57006-79dd-46df-9bf9-31bc24fb5a80	command_prompt
144	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	5	Open a local port through Windows Firewall to any profile	9636dd6e-7599-40d2-8eee-ac16434f35ed	powershell
145	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	6	Allow Executable Through Firewall Located in Non-Standard Location	6f5822d2-d38d-4f48-9bfc-916607ff6b8c	powershell
146	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	20	LockBit Black - Unusual Windows firewall registry modification -cmd	a4651931-ebbb-4cde-9363-ddf3d66214cb	command_prompt
147	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	21	LockBit Black - Unusual Windows firewall registry modification -Powershell	80b453d1-eec5-4144-bf08-613a6c3ffe12	powershell
148	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	22	Blackbit - Disable Windows Firewall using netsh firewall	91f348e6-3760-4997-a93b-2ceee7f254ee	command_prompt
149	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	23	ESXi - Disable Firewall via Esxcli	bac8a340-be64-4491-a0cc-0985cb227f5a	command_prompt
150	defense-evasion	T1553.003	Subvert Trust Controls: SIP and Trust Provider Hijacking	1	SIP (Subject Interface Package) Hijacking via Custom DLL	e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675	command_prompt
151	defense-evasion	T1207	Rogue Domain Controller	1	DCShadow (Active Directory)	0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6	powershell
152	defense-evasion	T1112	Modify Registry	1	Modify Registry of Current User Profile - cmd	1324796b-d0f6-455a-b4ae-21ffee6aa6b9	command_prompt
153	defense-evasion	T1112	Modify Registry	2	Modify Registry of Local Machine - cmd	282f929a-6bc5-42b8-bd93-960c3ba35afe	command_prompt
154	defense-evasion	T1112	Modify Registry	3	Modify registry to store logon credentials	c0413fb5-33e2-40b7-9b6f-60b29f4a7a18	command_prompt
155	defense-evasion	T1112	Modify Registry	4	Use Powershell to Modify registry to store logon credentials	68254a85-aa42-4312-a695-38b7276307f8	powershell
156	defense-evasion	T1112	Modify Registry	5	Add domain to Trusted sites Zone	cf447677-5a4e-4937-a82c-e47d254afd57	powershell
157	defense-evasion	T1112	Modify Registry	6	Javascript in registry	15f44ea9-4571-4837-be9e-802431a7bfae	powershell
158	defense-evasion	T1112	Modify Registry	7	Change Powershell Execution Policy to Bypass	f3a6cceb-06c9-48e5-8df8-8867a6814245	powershell
159	defense-evasion	T1112	Modify Registry	8	BlackByte Ransomware Registry Changes - CMD	4f4e2f9f-6209-4fcf-9b15-3b7455706f5b	command_prompt
160	defense-evasion	T1112	Modify Registry	9	BlackByte Ransomware Registry Changes - Powershell	0b79c06f-c788-44a2-8630-d69051f1123d	powershell
161	defense-evasion	T1112	Modify Registry	10	Disable Windows Registry Tool	ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8	command_prompt
162	defense-evasion	T1112	Modify Registry	11	Disable Windows CMD application	d2561a6d-72bd-408c-b150-13efe1801c2a	powershell
163	defense-evasion	T1112	Modify Registry	12	Disable Windows Task Manager application	af254e70-dd0e-4de6-9afe-a994d9ea8b62	command_prompt
164	defense-evasion	T1112	Modify Registry	13	Disable Windows Notification Center	c0d6d67f-1f63-42cc-95c0-5fd6b20082ad	command_prompt
165	defense-evasion	T1112	Modify Registry	14	Disable Windows Shutdown Button	6e0d1131-2d7e-4905-8ca5-d6172f05d03d	command_prompt
166	defense-evasion	T1112	Modify Registry	15	Disable Windows LogOff Button	e246578a-c24d-46a7-9237-0213ff86fb0c	command_prompt
167	defense-evasion	T1112	Modify Registry	16	Disable Windows Change Password Feature	d4a6da40-618f-454d-9a9e-26af552aaeb0	command_prompt
168	defense-evasion	T1112	Modify Registry	17	Disable Windows Lock Workstation Feature	3dacb0d2-46ee-4c27-ac1b-f9886bf91a56	command_prompt
169	defense-evasion	T1112	Modify Registry	18	Activate Windows NoDesktop Group Policy Feature	93386d41-525c-4a1b-8235-134a628dee17	command_prompt
170	defense-evasion	T1112	Modify Registry	19	Activate Windows NoRun Group Policy Feature	d49ff3cc-8168-4123-b5b3-f057d9abbd55	command_prompt
171	defense-evasion	T1112	Modify Registry	20	Activate Windows NoFind Group Policy Feature	ffbb407e-7f1d-4c95-b22e-548169db1fbd	command_prompt
172	defense-evasion	T1112	Modify Registry	21	Activate Windows NoControlPanel Group Policy Feature	a450e469-ba54-4de1-9deb-9023a6111690	command_prompt
173	defense-evasion	T1112	Modify Registry	22	Activate Windows NoFileMenu Group Policy Feature	5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4	command_prompt
174	defense-evasion	T1112	Modify Registry	23	Activate Windows NoClose Group Policy Feature	12f50e15-dbc6-478b-a801-a746e8ba1723	command_prompt
175	defense-evasion	T1112	Modify Registry	24	Activate Windows NoSetTaskbar Group Policy Feature	d29b7faf-7355-4036-9ed3-719bd17951ed	command_prompt
176	defense-evasion	T1112	Modify Registry	25	Activate Windows NoTrayContextMenu Group Policy Feature	4d72d4b1-fa7b-4374-b423-0fe326da49d2	command_prompt
177	defense-evasion	T1112	Modify Registry	26	Activate Windows NoPropertiesMyDocuments Group Policy Feature	20fc9daa-bd48-4325-9aff-81b967a84b1d	command_prompt
178	defense-evasion	T1112	Modify Registry	27	Hide Windows Clock Group Policy Feature	8023db1e-ad06-4966-934b-b6a0ae52689e	command_prompt
179	defense-evasion	T1112	Modify Registry	28	Windows HideSCAHealth Group Policy Feature	a4637291-40b1-4a96-8c82-b28f1d73e54e	command_prompt
180	defense-evasion	T1112	Modify Registry	29	Windows HideSCANetwork Group Policy Feature	3e757ce7-eca0-411a-9583-1c33b8508d52	command_prompt
181	defense-evasion	T1112	Modify Registry	30	Windows HideSCAPower Group Policy Feature	8d85a5d8-702f-436f-bc78-fcd9119496fc	command_prompt
182	defense-evasion	T1112	Modify Registry	31	Windows HideSCAVolume Group Policy Feature	7f037590-b4c6-4f13-b3cc-e424c5ab8ade	command_prompt
183	defense-evasion	T1112	Modify Registry	32	Windows Modify Show Compress Color And Info Tip Registry	795d3248-0394-4d4d-8e86-4e8df2a2693f	command_prompt
184	defense-evasion	T1112	Modify Registry	33	Windows Powershell Logging Disabled	95b25212-91a7-42ff-9613-124aca6845a8	command_prompt
185	defense-evasion	T1112	Modify Registry	34	Windows Add Registry Value to Load Service in Safe Mode without Network	1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5	command_prompt
186	defense-evasion	T1112	Modify Registry	35	Windows Add Registry Value to Load Service in Safe Mode with Network	c173c948-65e5-499c-afbe-433722ed5bd4	command_prompt
187	defense-evasion	T1112	Modify Registry	36	Disable Windows Toast Notifications	003f466a-6010-4b15-803a-cbb478a314d7	command_prompt
188	defense-evasion	T1112	Modify Registry	37	Disable Windows Security Center Notifications	45914594-8df6-4ea9-b3cc-7eb9321a807e	command_prompt
189	defense-evasion	T1112	Modify Registry	38	Suppress Win Defender Notifications	c30dada3-7777-4590-b970-dc890b8cf113	command_prompt
190	defense-evasion	T1112	Modify Registry	39	Allow RDP Remote Assistance Feature	86677d0e-0b5e-4a2b-b302-454175f9aa9e	command_prompt
191	defense-evasion	T1112	Modify Registry	40	NetWire RAT Registry Key Creation	65704cd4-6e36-4b90-b6c1-dc29a82c8e56	command_prompt
192	defense-evasion	T1112	Modify Registry	41	Ursnif Malware Registry Key Creation	c375558d-7c25-45e9-bd64-7b23a97c1db0	command_prompt
193	defense-evasion	T1112	Modify Registry	42	Terminal Server Client Connection History Cleared	3448824b-3c35-4a9e-a8f5-f887f68bea21	command_prompt
194	defense-evasion	T1112	Modify Registry	43	Disable Windows Error Reporting Settings	d2c9e41e-cd86-473d-980d-b6403562e3e1	command_prompt
195	defense-evasion	T1112	Modify Registry	44	DisallowRun Execution Of Certain Applications	71db768a-5a9c-4047-b5e7-59e01f188e84	command_prompt
196	defense-evasion	T1112	Modify Registry	45	Enabling Restricted Admin Mode via Command_Prompt	fe7974e5-5813-477b-a7bd-311d4f535e83	command_prompt
197	defense-evasion	T1112	Modify Registry	46	Mimic Ransomware - Enable Multiple User Sessions	39f1f378-ba8a-42b3-96dc-2a6540cfc1e3	command_prompt
198	defense-evasion	T1112	Modify Registry	47	Mimic Ransomware - Allow Multiple RDP Sessions per User	35727d9e-7a7f-4d0c-a259-dc3906d6e8b9	command_prompt
199	defense-evasion	T1112	Modify Registry	48	Event Viewer Registry Modification - Redirection URL	6174be7f-5153-4afd-92c5-e0c3b7cdb5ae	command_prompt
200	defense-evasion	T1112	Modify Registry	49	Event Viewer Registry Modification - Redirection Program	81483501-b8a5-4225-8b32-52128e2f69db	command_prompt
201	defense-evasion	T1112	Modify Registry	50	Enabling Remote Desktop Protocol via Remote Registry	e3ad8e83-3089-49ff-817f-e52f8c948090	command_prompt
202	defense-evasion	T1112	Modify Registry	51	Disable Win Defender Notification	12e03af7-79f9-4f95-af48-d3f12f28a260	command_prompt
203	defense-evasion	T1112	Modify Registry	52	Disable Windows OS Auto Update	01b20ca8-c7a3-4d86-af59-059f15ed5474	command_prompt
204	defense-evasion	T1112	Modify Registry	53	Disable Windows Auto Reboot for current logon user	396f997b-c5f8-4a96-bb2c-3c8795cf459d	command_prompt
205	defense-evasion	T1112	Modify Registry	54	Windows Auto Update Option to Notify before download	335a6b15-b8d2-4a3f-a973-ad69aa2620d7	command_prompt
206	defense-evasion	T1112	Modify Registry	55	Do Not Connect To Win Update	d1de3767-99c2-4c6c-8c5a-4ba4586474c8	command_prompt
207	defense-evasion	T1112	Modify Registry	56	Tamper Win Defender Protection	3b625eaa-c10d-4635-af96-3eae7d2a2f3c	command_prompt
208	defense-evasion	T1112	Modify Registry	57	Snake Malware Registry Blob	8318ad20-0488-4a64-98f4-72525a012f6b	powershell
209	defense-evasion	T1112	Modify Registry	58	Allow Simultaneous Download Registry	37950714-e923-4f92-8c7c-51e4b6fffbf6	command_prompt
210	defense-evasion	T1112	Modify Registry	59	Modify Internet Zone Protocol Defaults in Current User Registry - cmd	c88ef166-50fa-40d5-a80c-e2b87d4180f7	command_prompt
211	defense-evasion	T1112	Modify Registry	60	Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell	b1a4d687-ba52-4057-81ab-757c3dc0d3b5	powershell
212	defense-evasion	T1112	Modify Registry	61	Activities To Disable Secondary Authentication Detected By Modified Registry Value.	c26fb85a-fa50-4fab-a64a-c51f5dc538d5	command_prompt
213	defense-evasion	T1112	Modify Registry	62	Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.	ffeddced-bb9f-49c6-97f0-3d07a509bf94	command_prompt
214	defense-evasion	T1112	Modify Registry	63	Scarab Ransomware Defense Evasion Activities	ca8ba39c-3c5a-459f-8e15-280aec65a910	command_prompt
215	defense-evasion	T1112	Modify Registry	64	Disable Remote Desktop Anti-Alias Setting Through Registry	61d35188-f113-4334-8245-8c6556d43909	command_prompt
216	defense-evasion	T1112	Modify Registry	65	Disable Remote Desktop Security Settings Through Registry	4b81bcfa-fb0a-45e9-90c2-e3efe5160140	command_prompt
217	defense-evasion	T1112	Modify Registry	66	Disabling ShowUI Settings of Windows Error Reporting (WER)	09147b61-40f6-4b2a-b6fb-9e73a3437c96	command_prompt
218	defense-evasion	T1112	Modify Registry	67	Enable Proxy Settings	eb0ba433-63e5-4a8c-a9f0-27c4192e1336	command_prompt
219	defense-evasion	T1112	Modify Registry	68	Set-Up Proxy Server	d88a3d3b-d016-4939-a745-03638aafd21b	command_prompt
220	defense-evasion	T1112	Modify Registry	69	RDP Authentication Level Override	7e7b62e9-5f83-477d-8935-48600f38a3c6	command_prompt
221	defense-evasion	T1574.008	Hijack Execution Flow: Path Interception by Search Order Hijacking	1	powerShell Persistence via hijacking default modules - Get-Variable.exe	1561de08-0b4b-498e-8261-e922f3494aae	powershell
222	defense-evasion	T1484.001	Domain Policy Modification: Group Policy Modification	1	LockBit Black - Modify Group policy settings -cmd	9ab80952-74ee-43da-a98c-1e740a985f28	command_prompt
223	defense-evasion	T1484.001	Domain Policy Modification: Group Policy Modification	2	LockBit Black - Modify Group policy settings -Powershell	b51eae65-5441-4789-b8e8-64783c26c1d1	powershell
224	defense-evasion	T1078.001	Valid Accounts: Default Accounts	1	Enable Guest account with RDP capability and admin privileges	99747561-ed8d-47f2-9c91-1e5fde1ed6e0	command_prompt
225	defense-evasion	T1078.001	Valid Accounts: Default Accounts	2	Activate Guest Account	aa6cb8c4-b582-4f8e-b677-37733914abda	command_prompt
226	defense-evasion	T1070.001	Indicator Removal on Host: Clear Windows Event Logs	1	Clear Logs	e6abb60e-26b8-41da-8aae-0c35174b0967	command_prompt
227	defense-evasion	T1070.001	Indicator Removal on Host: Clear Windows Event Logs	2	Delete System Logs Using Clear-EventLog	b13e9306-3351-4b4b-a6e8-477358b0b498	powershell
228	defense-evasion	T1070.001	Indicator Removal on Host: Clear Windows Event Logs	3	Clear Event Logs via VBA	1b682d84-f075-4f93-9a89-8a8de19ffd6e	powershell
229	defense-evasion	T1134.002	Create Process with Token	1	Access Token Manipulation	dbf4f5a9-b8e0-46a3-9841-9ad71247239e	powershell
230	defense-evasion	T1134.002	Create Process with Token	2	WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique	ccf4ac39-ec93-42be-9035-90e2f26bcd92	powershell
231	defense-evasion	T1218.008	Signed Binary Proxy Execution: Odbcconf	1	Odbcconf.exe - Execute Arbitrary DLL	2430498b-06c0-4b92-a448-8ad263c388e2	command_prompt
232	defense-evasion	T1218.008	Signed Binary Proxy Execution: Odbcconf	2	Odbcconf.exe - Load Response File	331ce274-f9c9-440b-9f8c-a1006e1fce0b	command_prompt
233	defense-evasion	T1562.006	Impair Defenses: Indicator Blocking	5	Disable Powershell ETW Provider - Windows	6f118276-121d-4c09-bb58-a8fb4a72ee84	powershell
234	defense-evasion	T1562.006	Impair Defenses: Indicator Blocking	6	Disable .NET Event Tracing for Windows Via Registry (cmd)	8a4c33be-a0d3-434a-bee6-315405edbd5b	command_prompt
235	defense-evasion	T1562.006	Impair Defenses: Indicator Blocking	7	Disable .NET Event Tracing for Windows Via Registry (powershell)	19c07a45-452d-4620-90ed-4c34fffbe758	powershell
236	defense-evasion	T1562.006	Impair Defenses: Indicator Blocking	8	LockBit Black - Disable the ETW Provider of Windows Defender -cmd	f6df0b8e-2c83-44c7-ba5e-0fa4386bec41	command_prompt
237	defense-evasion	T1562.006	Impair Defenses: Indicator Blocking	9	LockBit Black - Disable the ETW Provider of Windows Defender -Powershell	69fc085b-5444-4879-8002-b24c8e1a3e02	powershell
238	defense-evasion	T1070	Indicator Removal on Host	1	Indicator Removal using FSUtil	b4115c7a-0e92-47f0-a61e-17e7218b2435	command_prompt
239	defense-evasion	T1070	Indicator Removal on Host	2	Indicator Manipulation using FSUtil	96e86706-6afd-45b6-95d6-108d23eaf2e9	powershell
240	defense-evasion	T1550.003	Use Alternate Authentication Material: Pass the Ticket	1	Mimikatz Kerberos Ticket Attack	dbf38128-7ba7-4776-bedf-cc2eed432098	command_prompt
241	defense-evasion	T1550.003	Use Alternate Authentication Material: Pass the Ticket	2	Rubeus Kerberos Pass The Ticket	a2fc4ec5-12c6-4fb4-b661-961f23f359cb	powershell
242	defense-evasion	T1036.004	Masquerading: Masquerade Task or Service	1	Creating W32Time similar named service using schtasks	f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9	command_prompt
243	defense-evasion	T1036.004	Masquerading: Masquerade Task or Service	2	Creating W32Time similar named service using sc	b721c6ef-472c-4263-a0d9-37f1f4ecff66	command_prompt
244	defense-evasion	T1055.004	Process Injection: Asynchronous Procedure Call	1	Process Injection via C#	611b39b7-e243-4c81-87a4-7145a90358b1	command_prompt
245	defense-evasion	T1055.004	Process Injection: Asynchronous Procedure Call	2	EarlyBird APC Queue Injection in Go	73785dd2-323b-4205-ab16-bb6f06677e14	powershell
246	defense-evasion	T1055.004	Process Injection: Asynchronous Procedure Call	3	Remote Process Injection with Go using NtQueueApcThreadEx WinAPI	4cc571b1-f450-414a-850f-879baf36aa06	powershell
247	defense-evasion	T1553.005	Subvert Trust Controls: Mark-of-the-Web Bypass	1	Mount ISO image	002cca30-4778-4891-878a-aaffcfa502fa	powershell
248	defense-evasion	T1553.005	Subvert Trust Controls: Mark-of-the-Web Bypass	2	Mount an ISO image and run executable from the ISO	42f22b00-0242-4afc-a61b-0da05041f9cc	powershell
249	defense-evasion	T1553.005	Subvert Trust Controls: Mark-of-the-Web Bypass	3	Remove the Zone.Identifier alternate data stream	64b12afc-18b8-4d3f-9eab-7f6cae7c73f9	powershell
250	defense-evasion	T1553.005	Subvert Trust Controls: Mark-of-the-Web Bypass	4	Execute LNK file from ISO	c2587b8d-743d-4985-aa50-c83394eaeb68	powershell
251	defense-evasion	T1055.002	Process Injection: Portable Executable Injection	1	Portable Executable Injection	578025d5-faa9-4f6d-8390-aae739d503e1	powershell
252	defense-evasion	T1562.010	Impair Defenses: Downgrade Attack	3	PowerShell Version 2 Downgrade	47c96489-2f55-4774-a6df-39faff428f6f	powershell
253	defense-evasion	T1218.005	Signed Binary Proxy Execution: Mshta	1	Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject	1483fab9-4f52-4217-a9ce-daa9d7747cae	command_prompt
254	defense-evasion	T1218.005	Signed Binary Proxy Execution: Mshta	2	Mshta executes VBScript to execute malicious command	906865c3-e05f-4acc-85c4-fbc185455095	command_prompt
255	defense-evasion	T1218.005	Signed Binary Proxy Execution: Mshta	3	Mshta Executes Remote HTML Application (HTA)	c4b97eeb-5249-4455-a607-59f95485cb45	powershell
256	defense-evasion	T1218.005	Signed Binary Proxy Execution: Mshta	4	Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement	007e5672-2088-4853-a562-7490ddc19447	powershell
257	defense-evasion	T1218.005	Signed Binary Proxy Execution: Mshta	5	Invoke HTML Application - Jscript Engine Simulating Double Click	58a193ec-131b-404e-b1ca-b35cf0b18c33	powershell
258	defense-evasion	T1218.005	Signed Binary Proxy Execution: Mshta	6	Invoke HTML Application - Direct download from URI	39ceed55-f653-48ac-bd19-aceceaf525db	powershell
259	defense-evasion	T1218.005	Signed Binary Proxy Execution: Mshta	7	Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler	e7e3a525-7612-4d68-a5d3-c4649181b8af	powershell
260	defense-evasion	T1218.005	Signed Binary Proxy Execution: Mshta	8	Invoke HTML Application - JScript Engine with Inline Protocol Handler	d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840	powershell
261	defense-evasion	T1218.005	Signed Binary Proxy Execution: Mshta	9	Invoke HTML Application - Simulate Lateral Movement over UNC Path	b8a8bdb2-7eae-490d-8251-d5e0295b2362	powershell
262	defense-evasion	T1218.005	Signed Binary Proxy Execution: Mshta	10	Mshta used to Execute PowerShell	8707a805-2b76-4f32-b1c0-14e558205772	command_prompt
263	defense-evasion	T1134.001	Access Token Manipulation: Token Impersonation/Theft	1	Named pipe client impersonation	90db9e27-8e7c-4c04-b602-a45927884966	powershell
264	defense-evasion	T1134.001	Access Token Manipulation: Token Impersonation/Theft	2	`SeDebugPrivilege` token duplication	34f0a430-9d04-4d98-bcb5-1989f14719f0	powershell
265	defense-evasion	T1134.001	Access Token Manipulation: Token Impersonation/Theft	3	Launch NSudo Executable	7be1bc0f-d8e5-4345-9333-f5f67d742cb9	powershell
266	defense-evasion	T1134.001	Access Token Manipulation: Token Impersonation/Theft	4	Bad Potato	9c6d799b-c111-4749-a42f-ec2f8cb51448	powershell
267	defense-evasion	T1134.001	Access Token Manipulation: Token Impersonation/Theft	5	Juicy Potato	f095e373-b936-4eb4-8d22-f47ccbfbe64a	powershell
268	defense-evasion	T1564.002	Hide Artifacts: Hidden Users	3	Create Hidden User in Registry	173126b7-afe4-45eb-8680-fa9f6400431c	command_prompt
269	defense-evasion	T1134.004	Access Token Manipulation: Parent PID Spoofing	1	Parent PID Spoofing using PowerShell	069258f4-2162-46e9-9a25-c9c6c56150d2	powershell
270	defense-evasion	T1134.004	Access Token Manipulation: Parent PID Spoofing	2	Parent PID Spoofing - Spawn from Current Process	14920ebd-1d61-491a-85e0-fe98efe37f25	powershell
271	defense-evasion	T1134.004	Access Token Manipulation: Parent PID Spoofing	3	Parent PID Spoofing - Spawn from Specified Process	cbbff285-9051-444a-9d17-c07cd2d230eb	powershell
272	defense-evasion	T1134.004	Access Token Manipulation: Parent PID Spoofing	4	Parent PID Spoofing - Spawn from svchost.exe	e9f2b777-3123-430b-805d-5cedc66ab591	powershell
273	defense-evasion	T1134.004	Access Token Manipulation: Parent PID Spoofing	5	Parent PID Spoofing - Spawn from New Process	2988133e-561c-4e42-a15f-6281e6a9b2db	powershell
274	defense-evasion	T1218.001	Signed Binary Proxy Execution: Compiled HTML File	1	Compiled HTML Help Local Payload	5cb87818-0d7c-4469-b7ef-9224107aebe8	command_prompt
275	defense-evasion	T1218.001	Signed Binary Proxy Execution: Compiled HTML File	2	Compiled HTML Help Remote Payload	0f8af516-9818-4172-922b-42986ef1e81d	command_prompt
276	defense-evasion	T1218.001	Signed Binary Proxy Execution: Compiled HTML File	3	Invoke CHM with default Shortcut Command Execution	29d6f0d7-be63-4482-8827-ea77126c1ef7	powershell
277	defense-evasion	T1218.001	Signed Binary Proxy Execution: Compiled HTML File	4	Invoke CHM with InfoTech Storage Protocol Handler	b4094750-5fc7-4e8e-af12-b4e36bf5e7f6	powershell
278	defense-evasion	T1218.001	Signed Binary Proxy Execution: Compiled HTML File	5	Invoke CHM Simulate Double click	5decef42-92b8-4a93-9eb2-877ddcb9401a	powershell
279	defense-evasion	T1218.001	Signed Binary Proxy Execution: Compiled HTML File	6	Invoke CHM with Script Engine and Help Topic	4f83adda-f5ec-406d-b318-9773c9ca92e5	powershell
280	defense-evasion	T1218.001	Signed Binary Proxy Execution: Compiled HTML File	7	Invoke CHM Shortcut Command with ITS and Help Topic	15756147-7470-4a83-87fb-bb5662526247	powershell
281	defense-evasion	T1218.001	Signed Binary Proxy Execution: Compiled HTML File	8	Decompile Local CHM File	20cb05e0-1fa5-406d-92c1-84da4ba01813	command_prompt
282	defense-evasion	T1070.005	Indicator Removal on Host: Network Share Connection Removal	1	Add Network Share	14c38f32-6509-46d8-ab43-d53e32d2b131	command_prompt
283	defense-evasion	T1070.005	Indicator Removal on Host: Network Share Connection Removal	2	Remove Network Share	09210ad5-1ef2-4077-9ad3-7351e13e9222	command_prompt
284	defense-evasion	T1070.005	Indicator Removal on Host: Network Share Connection Removal	3	Remove Network Share PowerShell	0512d214-9512-4d22-bde7-f37e058259b3	powershell
285	defense-evasion	T1070.005	Indicator Removal on Host: Network Share Connection Removal	4	Disable Administrative Share Creation at Startup	99c657aa-ebeb-4179-a665-69288fdd12b8	command_prompt
286	defense-evasion	T1070.005	Indicator Removal on Host: Network Share Connection Removal	5	Remove Administrative Shares	4299eff5-90f1-4446-b2f3-7f4f5cfd5d62	command_prompt
287	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	11	Unload Sysmon Filter Driver	811b3e76-c41b-430c-ac0d-e2380bfaa164	command_prompt
288	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	12	Uninstall Sysmon	a316fb2e-5344-470d-91c1-23e15c374edc	command_prompt
289	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	13	AMSI Bypass - AMSI InitFailed	695eed40-e949-40e5-b306-b4031e4154bd	powershell
290	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	14	AMSI Bypass - Remove AMSI Provider Reg Key	13f09b91-c953-438e-845b-b585e51cac9b	powershell
291	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	15	Disable Arbitrary Security Windows Service	a1230893-56ac-4c81-b644-2108e982f8f5	command_prompt
292	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	16	Tamper with Windows Defender ATP PowerShell	6b8df440-51ec-4d53-bf83-899591c9b5d7	powershell
293	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	17	Tamper with Windows Defender Command Prompt	aa875ed4-8935-47e2-b2c5-6ec00ab220d2	command_prompt
294	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	18	Tamper with Windows Defender Registry	1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45	powershell
295	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	19	Disable Microsoft Office Security Features	6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7	powershell
296	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	20	Remove Windows Defender Definition Files	3d47daaa-2f56-43e0-94cc-caf5d8d52a68	command_prompt
297	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	21	Stop and Remove Arbitrary Security Windows Service	ae753dda-0f15-4af6-a168-b9ba16143143	powershell
298	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	22	Uninstall Crowdstrike Falcon on Windows	b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297	powershell
299	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	23	Tamper with Windows Defender Evade Scanning -Folder	0b19f4ee-de90-4059-88cb-63c800c683ed	powershell
300	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	24	Tamper with Windows Defender Evade Scanning -Extension	315f4be6-2240-4552-b3e1-d1047f5eecea	powershell
301	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	25	Tamper with Windows Defender Evade Scanning -Process	a123ce6a-3916-45d6-ba9c-7d4081315c27	powershell
302	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	27	Disable Windows Defender with DISM	871438ac-7d6e-432a-b27d-3e7db69faf58	command_prompt
303	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	28	Disable Defender Using NirSoft AdvancedRun	81ce22fd-9612-4154-918e-8a1f285d214d	powershell
304	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	29	Kill antimalware protected processes using Backstab	24a12b91-05a7-4deb-8d7f-035fa98591bc	powershell
305	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	30	WinPwn - Kill the event log services for stealth	7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66	powershell
306	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	31	Tamper with Windows Defender ATP using Aliases - PowerShell	c531aa6e-9c97-4b29-afee-9b7be6fc8a64	powershell
307	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	32	LockBit Black - Disable Privacy Settings Experience Using Registry -cmd	d6d22332-d07d-498f-aea0-6139ecb7850e	command_prompt
308	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	33	LockBit Black - Use Registry Editor to turn on automatic logon -cmd	9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70	command_prompt
309	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	34	LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell	d8c57eaa-497a-4a08-961e-bd5efd7c9374	powershell
310	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	35	Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell	5e27f36d-5132-4537-b43b-413b0d5eec9a	powershell
311	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	36	Disable Windows Defender with PwSh Disable-WindowsOptionalFeature	f542ffd3-37b4-4528-837f-682874faa012	powershell
312	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	37	WMIC Tamper with Windows Defender Evade Scanning Folder	59d386fc-3a4b-41b8-850d-9e3eee24dfe4	command_prompt
313	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	38	Delete Windows Defender Scheduled Tasks	4b841aa1-0d05-4b32-bbe7-7564346e7c76	command_prompt
314	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	44	Disable Hypervisor-Enforced Code Integrity (HVCI)	70bd71e6-eba4-4e00-92f7-617911dbe020	powershell
315	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	45	AMSI Bypass - Override AMSI via COM	17538258-5699-4ff1-92d1-5ac9b0dc21f5	command_prompt
316	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	48	Tamper with Windows Defender Registry - Reg.exe	1f6743da-6ecc-4a93-b03f-dc357e4b313f	command_prompt
317	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	49	Tamper with Windows Defender Registry - Powershell	a72cfef8-d252-48b3-b292-635d332625c3	powershell
318	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	51	Delete Microsoft Defender ASR Rules - InTune	eea0a6c2-84e9-4e8c-a242-ac585d28d0d1	powershell
319	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	52	Delete Microsoft Defender ASR Rules - GPO	0e7b8a4b-2ca5-4743-a9f9-96051abb6e50	powershell
320	defense-evasion	T1055.012	Process Injection: Process Hollowing	1	Process Hollowing using PowerShell	562427b4-39ef-4e8c-af88-463a78e70b9c	powershell
321	defense-evasion	T1055.012	Process Injection: Process Hollowing	2	RunPE via VBA	3ad4a037-1598-4136-837c-4027e4fa319b	powershell
322	defense-evasion	T1055.012	Process Injection: Process Hollowing	3	Process Hollowing in Go using CreateProcessW WinAPI	c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a	powershell
323	defense-evasion	T1055.012	Process Injection: Process Hollowing	4	Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)	94903cc5-d462-498a-b919-b1e5ab155fee	powershell
324	defense-evasion	T1027	Obfuscated Files or Information	2	Execute base64-encoded PowerShell	a50d5a97-2531-499e-a1de-5544c74432c6	powershell
325	defense-evasion	T1027	Obfuscated Files or Information	3	Execute base64-encoded PowerShell from Windows Registry	450e7218-7915-4be4-8b9b-464a49eafcec	powershell
326	defense-evasion	T1027	Obfuscated Files or Information	4	Execution from Compressed File	f8c8a909-5f29-49ac-9244-413936ce6d1f	command_prompt
327	defense-evasion	T1027	Obfuscated Files or Information	5	DLP Evasion via Sensitive Data in VBA Macro over email	129edb75-d7b8-42cd-a8ba-1f3db64ec4ad	powershell
328	defense-evasion	T1027	Obfuscated Files or Information	6	DLP Evasion via Sensitive Data in VBA Macro over HTTP	e2d85e66-cb66-4ed7-93b1-833fc56c9319	powershell
329	defense-evasion	T1027	Obfuscated Files or Information	7	Obfuscated Command in PowerShell	8b3f4ed6-077b-4bdd-891c-2d237f19410f	powershell
330	defense-evasion	T1027	Obfuscated Files or Information	8	Obfuscated Command Line using special Unicode characters	e68b945c-52d0-4dd9-a5e8-d173d70c448f	manual
331	defense-evasion	T1027	Obfuscated Files or Information	9	Snake Malware Encrypted crmlog file	7e47ee60-9dd1-4269-9c4f-97953b183268	powershell
332	defense-evasion	T1027	Obfuscated Files or Information	10	Execution from Compressed JScript File	fad04df1-5229-4185-b016-fb6010cd87ac	command_prompt
333	defense-evasion	T1564.006	Run Virtual Instance	1	Register Portable Virtualbox	c59f246a-34f8-4e4d-9276-c295ef9ba0dd	command_prompt
334	defense-evasion	T1564.006	Run Virtual Instance	2	Create and start VirtualBox virtual machine	88b81702-a1c0-49a9-95b2-2dd53d755767	command_prompt
335	defense-evasion	T1564.006	Run Virtual Instance	3	Create and start Hyper-V virtual machine	fb8d4d7e-f5a4-481c-8867-febf13f8b6d3	powershell
336	defense-evasion	T1134.005	Access Token Manipulation: SID-History Injection	1	Injection SID-History with mimikatz	6bef32e5-9456-4072-8f14-35566fb85401	command_prompt
337	defense-evasion	T1218.010	Signed Binary Proxy Execution: Regsvr32	1	Regsvr32 local COM scriptlet execution	449aa403-6aba-47ce-8a37-247d21ef0306	command_prompt
338	defense-evasion	T1218.010	Signed Binary Proxy Execution: Regsvr32	2	Regsvr32 remote COM scriptlet execution	c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36	command_prompt
339	defense-evasion	T1218.010	Signed Binary Proxy Execution: Regsvr32	3	Regsvr32 local DLL execution	08ffca73-9a3d-471a-aeb0-68b4aa3ab37b	command_prompt
340	defense-evasion	T1218.010	Signed Binary Proxy Execution: Regsvr32	4	Regsvr32 Registering Non DLL	1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421	command_prompt
341	defense-evasion	T1218.010	Signed Binary Proxy Execution: Regsvr32	5	Regsvr32 Silent DLL Install Call DllRegisterServer	9d71c492-ea2e-4c08-af16-c6994cdf029f	command_prompt
342	defense-evasion	T1036.003	Masquerading: Rename System Utilities	1	Masquerading as Windows LSASS process	5ba5a3d1-cf3c-4499-968a-a93155d1f717	command_prompt
343	defense-evasion	T1036.003	Masquerading: Rename System Utilities	3	Masquerading - cscript.exe running as notepad.exe	3a2a578b-0a01-46e4-92e3-62e2859b42f0	command_prompt
344	defense-evasion	T1036.003	Masquerading: Rename System Utilities	4	Masquerading - wscript.exe running as svchost.exe	24136435-c91a-4ede-9da1-8b284a1c1a23	command_prompt
345	defense-evasion	T1036.003	Masquerading: Rename System Utilities	5	Masquerading - powershell.exe running as taskhostw.exe	ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa	command_prompt
346	defense-evasion	T1036.003	Masquerading: Rename System Utilities	6	Masquerading - non-windows exe running as windows exe	bc15c13f-d121-4b1f-8c7d-28d95854d086	powershell
347	defense-evasion	T1036.003	Masquerading: Rename System Utilities	7	Masquerading - windows exe running as different windows exe	c3d24a39-2bfe-4c6a-b064-90cd73896cb0	powershell
348	defense-evasion	T1036.003	Masquerading: Rename System Utilities	8	Malicious process Masquerading as LSM.exe	83810c46-f45e-4485-9ab6-8ed0e9e6ed7f	command_prompt
349	defense-evasion	T1036.003	Masquerading: Rename System Utilities	9	File Extension Masquerading	c7fa0c3b-b57f-4cba-9118-863bf4e653fc	command_prompt
350	defense-evasion	T1574.009	Hijack Execution Flow: Path Interception by Unquoted Path	1	Execution of program.exe as service with unquoted service path	2770dea7-c50f-457b-84c4-c40a47460d9f	command_prompt
351	defense-evasion	T1218.009	Signed Binary Proxy Execution: Regsvcs/Regasm	1	Regasm Uninstall Method Call Test	71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112	command_prompt
352	defense-evasion	T1218.009	Signed Binary Proxy Execution: Regsvcs/Regasm	2	Regsvcs Uninstall Method Call Test	fd3c1c6a-02d2-4b72-82d9-71c527abb126	powershell
353	defense-evasion	T1553.004	Subvert Trust Controls: Install Root Certificate	5	Install root CA on Windows	76f49d86-5eb1-461a-a032-a480f86652f1	powershell
354	defense-evasion	T1553.004	Subvert Trust Controls: Install Root Certificate	6	Install root CA on Windows with certutil	5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f	powershell
355	defense-evasion	T1553.004	Subvert Trust Controls: Install Root Certificate	7	Add Root Certificate to CurrentUser Certificate Store	ca20a3f1-42b5-4e21-ad3f-1049199ec2e0	powershell
356	defense-evasion	T1027.004	Obfuscated Files or Information: Compile After Delivery	1	Compile After Delivery using csc.exe	ffcdbd6a-b0e8-487d-927a-09127fe9a206	command_prompt
357	defense-evasion	T1027.004	Obfuscated Files or Information: Compile After Delivery	2	Dynamic C# Compile	453614d8-3ba6-4147-acc0-7ec4b3e1faef	powershell
358	defense-evasion	T1197	BITS Jobs	1	Bitsadmin Download (cmd)	3c73d728-75fb-4180-a12f-6712864d7421	command_prompt
359	defense-evasion	T1197	BITS Jobs	2	Bitsadmin Download (PowerShell)	f63b8bc4-07e5-4112-acba-56f646f3f0bc	powershell
360	defense-evasion	T1197	BITS Jobs	3	Persist, Download, & Execute	62a06ec5-5754-47d2-bcfc-123d8314c6ae	command_prompt
361	defense-evasion	T1197	BITS Jobs	4	Bits download using desktopimgdownldr.exe (cmd)	afb5e09e-e385-4dee-9a94-6ee60979d114	command_prompt
362	defense-evasion	T1127.001	Trusted Developer Utilities Proxy Execution: MSBuild	1	MSBuild Bypass Using Inline Tasks (C#)	58742c0f-cb01-44cd-a60b-fb26e8871c93	command_prompt
363	defense-evasion	T1127.001	Trusted Developer Utilities Proxy Execution: MSBuild	2	MSBuild Bypass Using Inline Tasks (VB)	ab042179-c0c5-402f-9bc8-42741f5ce359	command_prompt
364	defense-evasion	T1564.003	Hide Artifacts: Hidden Window	1	Hidden Window	f151ee37-9e2b-47e6-80e4-550b9f999b7a	powershell
365	defense-evasion	T1564.003	Hide Artifacts: Hidden Window	2	Headless Browser Accessing Mockbin	0ad9ab92-c48c-4f08-9b20-9633277c4646	command_prompt
366	defense-evasion	T1027.006	HTML Smuggling	1	HTML Smuggling Remote Payload	30cbeda4-08d9-42f1-8685-197fad677734	powershell
367	defense-evasion	T1070.004	Indicator Removal on Host: File Deletion	4	Delete a single file - Windows cmd	861ea0b4-708a-4d17-848d-186c9c7f17e3	command_prompt
368	defense-evasion	T1070.004	Indicator Removal on Host: File Deletion	5	Delete an entire folder - Windows cmd	ded937c4-2add-42f7-9c2c-c742b7a98698	command_prompt
369	defense-evasion	T1070.004	Indicator Removal on Host: File Deletion	6	Delete a single file - Windows PowerShell	9dee89bd-9a98-4c4f-9e2d-4256690b0e72	powershell
370	defense-evasion	T1070.004	Indicator Removal on Host: File Deletion	7	Delete an entire folder - Windows PowerShell	edd779e4-a509-4cba-8dfa-a112543dbfb1	powershell
371	defense-evasion	T1070.004	Indicator Removal on Host: File Deletion	9	Delete Prefetch File	36f96049-0ad7-4a5f-8418-460acaeb92fb	powershell
372	defense-evasion	T1070.004	Indicator Removal on Host: File Deletion	10	Delete TeamViewer Log Files	69f50a5f-967c-4327-a5bb-e1a9a9983785	powershell
373	defense-evasion	T1221	Template Injection	1	WINWORD Remote Template Injection	1489e08a-82c7-44ee-b769-51b72d03521d	command_prompt
374	defense-evasion	T1550.002	Use Alternate Authentication Material: Pass the Hash	1	Mimikatz Pass the Hash	ec23cef9-27d9-46e4-a68d-6f75f7b86908	command_prompt
375	defense-evasion	T1550.002	Use Alternate Authentication Material: Pass the Hash	2	crackmapexec Pass the Hash	eb05b028-16c8-4ad8-adea-6f5b219da9a9	command_prompt
376	defense-evasion	T1550.002	Use Alternate Authentication Material: Pass the Hash	3	Invoke-WMIExec Pass the Hash	f8757545-b00a-4e4e-8cfb-8cfb961ee713	powershell
377	defense-evasion	T1574.002	Hijack Execution Flow: DLL Side-Loading	1	DLL Side-Loading using the Notepad++ GUP.exe binary	65526037-7079-44a9-bda1-2cb624838040	command_prompt
378	defense-evasion	T1574.002	Hijack Execution Flow: DLL Side-Loading	2	DLL Side-Loading using the dotnet startup hook environment variable	d322cdd7-7d60-46e3-9111-648848da7c02	command_prompt
379	defense-evasion	T1027.007	Obfuscated Files or Information: Dynamic API Resolution	1	Dynamic API Resolution-Ninja-syscall	578025d5-faa9-4f6d-8390-aae739d507e1	powershell
380	defense-evasion	T1055.015	Process Injection: ListPlanting	1	Process injection ListPlanting	4f3c7502-b111-4dfe-8a6e-529307891a59	powershell
381	defense-evasion	T1220	XSL Script Processing	1	MSXSL Bypass using local files	ca23bfb2-023f-49c5-8802-e66997de462d	command_prompt
382	defense-evasion	T1220	XSL Script Processing	2	MSXSL Bypass using remote files	a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985	command_prompt
383	defense-evasion	T1220	XSL Script Processing	3	WMIC bypass using local XSL file	1b237334-3e21-4a0c-8178-b8c996124988	command_prompt
384	defense-evasion	T1220	XSL Script Processing	4	WMIC bypass using remote XSL file	7f5be499-33be-4129-a560-66021f379b9b	command_prompt
385	defense-evasion	T1564.001	Hide Artifacts: Hidden Files and Directories	3	Create Windows System File with Attrib	f70974c8-c094-4574-b542-2c545af95a32	command_prompt
386	defense-evasion	T1564.001	Hide Artifacts: Hidden Files and Directories	4	Create Windows Hidden File with Attrib	dadb792e-4358-4d8d-9207-b771faa0daa5	command_prompt
387	defense-evasion	T1564.001	Hide Artifacts: Hidden Files and Directories	8	Hide Files Through Registry	f650456b-bd49-4bc1-ae9d-271b5b9581e7	command_prompt
388	defense-evasion	T1564.001	Hide Artifacts: Hidden Files and Directories	9	Create Windows Hidden File with powershell	7f66d539-4fbe-4cfa-9a56-4a2bf660c58a	powershell
389	defense-evasion	T1564.001	Hide Artifacts: Hidden Files and Directories	10	Create Windows System File with powershell	d380c318-0b34-45cb-9dad-828c11891e43	powershell
390	defense-evasion	T1564.004	Hide Artifacts: NTFS File Attributes	1	Alternate Data Streams (ADS)	8822c3b0-d9f9-4daf-a043-49f4602364f4	command_prompt
391	defense-evasion	T1564.004	Hide Artifacts: NTFS File Attributes	2	Store file in Alternate Data Stream (ADS)	2ab75061-f5d5-4c1a-b666-ba2a50df5b02	powershell
392	defense-evasion	T1564.004	Hide Artifacts: NTFS File Attributes	3	Create ADS command prompt	17e7637a-ddaf-4a82-8622-377e20de8fdb	command_prompt
393	defense-evasion	T1564.004	Hide Artifacts: NTFS File Attributes	4	Create ADS PowerShell	0045ea16-ed3c-4d4c-a9ee-15e44d1560d1	powershell
394	defense-evasion	T1564.004	Hide Artifacts: NTFS File Attributes	5	Create Hidden Directory via $index_allocation	3e6791e7-232c-481c-a680-a52f86b83fdf	command_prompt
395	defense-evasion	T1055.001	Process Injection: Dynamic-link Library Injection	1	Process Injection via mavinject.exe	74496461-11a1-4982-b439-4d87a550d254	powershell
396	defense-evasion	T1055.001	Process Injection: Dynamic-link Library Injection	2	WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique	8b56f787-73d9-4f1d-87e8-d07e89cbc7f5	powershell
397	defense-evasion	T1216	Signed Script Proxy Execution	1	SyncAppvPublishingServer Signed Script PowerShell Command Execution	275d963d-3f36-476c-8bef-a2a3960ee6eb	command_prompt
398	defense-evasion	T1216	Signed Script Proxy Execution	2	manage-bde.wsf Signed Script Command Execution	2a8f2d3c-3dec-4262-99dd-150cb2a4d63a	command_prompt
399	defense-evasion	T1078.003	Valid Accounts: Local Accounts	1	Create local account with admin privileges	a524ce99-86de-4db6-b4f9-e08f35a47a15	command_prompt
400	defense-evasion	T1078.003	Valid Accounts: Local Accounts	6	WinPwn - Loot local Credentials - powerhell kittie	9e9fd066-453d-442f-88c1-ad7911d32912	powershell
401	defense-evasion	T1078.003	Valid Accounts: Local Accounts	7	WinPwn - Loot local Credentials - Safetykatz	e9fdb899-a980-4ba4-934b-486ad22e22f4	powershell
402	defense-evasion	T1127	Trusted Developer Utilities Proxy Execution	1	Lolbin Jsc.exe compile javascript to exe	1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8	command_prompt
403	defense-evasion	T1127	Trusted Developer Utilities Proxy Execution	2	Lolbin Jsc.exe compile javascript to dll	3fc9fea2-871d-414d-8ef6-02e85e322b80	command_prompt
404	defense-evasion	T1574.012	Hijack Execution Flow: COR_PROFILER	1	User scope COR_PROFILER	9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a	powershell
405	defense-evasion	T1574.012	Hijack Execution Flow: COR_PROFILER	2	System Scope COR_PROFILER	f373b482-48c8-4ce4-85ed-d40c8b3f7310	powershell
406	defense-evasion	T1574.012	Hijack Execution Flow: COR_PROFILER	3	Registry-free process scope COR_PROFILER	79d57242-bbef-41db-b301-9d01d9f6e817	powershell
407	privilege-escalation	T1055.011	Process Injection: Extra Window Memory Injection	1	Process Injection via Extra Window Memory (EWM) x64 executable	93ca40d2-336c-446d-bcef-87f14d438018	powershell
408	privilege-escalation	T1053.005	Scheduled Task/Job: Scheduled Task	1	Scheduled Task Startup Script	fec27f65-db86-4c2d-b66c-61945aee87c2	command_prompt
409	privilege-escalation	T1053.005	Scheduled Task/Job: Scheduled Task	2	Scheduled task Local	42f53695-ad4a-4546-abb6-7d837f644a71	command_prompt
410	privilege-escalation	T1053.005	Scheduled Task/Job: Scheduled Task	3	Scheduled task Remote	2e5eac3e-327b-4a88-a0c0-c4057039a8dd	command_prompt
411	privilege-escalation	T1053.005	Scheduled Task/Job: Scheduled Task	4	Powershell Cmdlet Scheduled Task	af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd	powershell
412	privilege-escalation	T1053.005	Scheduled Task/Job: Scheduled Task	5	Task Scheduler via VBA	ecd3fa21-7792-41a2-8726-2c5c673414d3	powershell
413	privilege-escalation	T1053.005	Scheduled Task/Job: Scheduled Task	6	WMI Invoke-CimMethod Scheduled Task	e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b	powershell
414	privilege-escalation	T1053.005	Scheduled Task/Job: Scheduled Task	7	Scheduled Task Executing Base64 Encoded Commands From Registry	e895677d-4f06-49ab-91b6-ae3742d0a2ba	command_prompt
415	privilege-escalation	T1053.005	Scheduled Task/Job: Scheduled Task	8	Import XML Schedule Task with Hidden Attribute	cd925593-fbb4-486d-8def-16cbdf944bf4	powershell
416	privilege-escalation	T1053.005	Scheduled Task/Job: Scheduled Task	9	PowerShell Modify A Scheduled Task	dda6fc7b-c9a6-4c18-b98d-95ec6542af6d	powershell
417	privilege-escalation	T1053.005	Scheduled Task/Job: Scheduled Task	10	Scheduled Task ("Ghost Task") via Registry Key Manipulation	704333ca-cc12-4bcf-9916-101844881f54	command_prompt
418	privilege-escalation	T1546.013	Event Triggered Execution: PowerShell Profile	1	Append malicious start-process cmdlet	090e5aa5-32b6-473b-a49b-21e843a56896	powershell
419	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	1	Bypass UAC using Event Viewer (cmd)	5073adf8-9a50-4bd9-b298-a9bd2ead8af9	command_prompt
420	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	2	Bypass UAC using Event Viewer (PowerShell)	a6ce9acf-842a-4af6-8f79-539be7608e2b	powershell
421	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	3	Bypass UAC using Fodhelper	58f641ea-12e3-499a-b684-44dee46bd182	command_prompt
422	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	4	Bypass UAC using Fodhelper - PowerShell	3f627297-6c38-4e7d-a278-fc2563eaaeaa	powershell
423	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	5	Bypass UAC using ComputerDefaults (PowerShell)	3c51abf2-44bf-42d8-9111-dc96ff66750f	powershell
424	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	6	Bypass UAC by Mocking Trusted Directories	f7a35090-6f7f-4f64-bb47-d657bf5b10c1	command_prompt
425	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	7	Bypass UAC using sdclt DelegateExecute	3be891eb-4608-4173-87e8-78b494c029b7	powershell
426	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	8	Disable UAC using reg.exe	9e8af564-53ec-407e-aaa8-3cb20c3af7f9	command_prompt
427	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	9	Bypass UAC using SilentCleanup task	28104f8a-4ff1-4582-bcf6-699dce156608	command_prompt
428	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	10	UACME Bypass Method 23	8ceab7a2-563a-47d2-b5ba-0995211128d7	command_prompt
429	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	11	UACME Bypass Method 31	b0f76240-9f33-4d34-90e8-3a7d501beb15	command_prompt
430	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	12	UACME Bypass Method 33	e514bb03-f71c-4b22-9092-9f961ec6fb03	command_prompt
431	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	13	UACME Bypass Method 34	695b2dac-423e-448e-b6ef-5b88e93011d6	command_prompt
432	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	14	UACME Bypass Method 39	56163687-081f-47da-bb9c-7b231c5585cf	command_prompt
433	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	15	UACME Bypass Method 56	235ec031-cd2d-465d-a7ae-68bab281e80e	command_prompt
434	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	16	UACME Bypass Method 59	dfb1b667-4bb8-4a63-a85e-29936ea75f29	command_prompt
435	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	17	UACME Bypass Method 61	7825b576-744c-4555-856d-caf3460dc236	command_prompt
436	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	18	WinPwn - UAC Magic	964d8bf8-37bc-4fd3-ba36-ad13761ebbcc	powershell
437	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	19	WinPwn - UAC Bypass ccmstp technique	f3c145f9-3c8d-422c-bd99-296a17a8f567	powershell
438	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	20	WinPwn - UAC Bypass DiskCleanup technique	1ed67900-66cd-4b09-b546-2a0ef4431a0c	powershell
439	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	21	WinPwn - UAC Bypass DccwBypassUAC technique	2b61977b-ae2d-4ae4-89cb-5c36c89586be	powershell
440	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	22	Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key	251c5936-569f-42f4-9ac2-87a173b9e9b8	powershell
441	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	23	UAC Bypass with WSReset Registry Modification	3b96673f-9c92-40f1-8a3e-ca060846f8d9	powershell
442	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	24	Disable UAC - Switch to the secure desktop when prompting for elevation via registry key	85f3a526-4cfa-4fe7-98c1-dea99be025c7	powershell
443	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	25	Disable UAC notification via registry keys	160a7c77-b00e-4111-9e45-7c2a44eda3fd	command_prompt
444	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Account Control	26	Disable ConsentPromptBehaviorAdmin via registry keys	a768aaa2-2442-475c-8990-69cf33af0f4e	command_prompt
445	privilege-escalation	T1574.011	Hijack Execution Flow: Services Registry Permissions Weakness	1	Service Registry Permissions Weakness	f7536d63-7fd4-466f-89da-7e48d550752a	powershell
446	privilege-escalation	T1574.011	Hijack Execution Flow: Services Registry Permissions Weakness	2	Service ImagePath Change with reg.exe	f38e9eea-e1d7-4ba6-b716-584791963827	command_prompt
447	privilege-escalation	T1547	Boot or Logon Autostart Execution	1	Add a driver	cb01b3da-b0e7-4e24-bf6d-de5223526785	command_prompt
448	privilege-escalation	T1547.014	Active Setup	1	HKLM - Add atomic_test key to launch executable as part of user setup	deff4586-0517-49c2-981d-bbea24d48d71	powershell
449	privilege-escalation	T1547.014	Active Setup	2	HKLM - Add malicious StubPath value to existing Active Setup Entry	39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a	powershell
450	privilege-escalation	T1547.014	Active Setup	3	HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number	04d55cef-f283-40ba-ae2a-316bc3b5e78c	powershell
451	privilege-escalation	T1543.003	Create or Modify System Process: Windows Service	1	Modify Fax service to run PowerShell	ed366cde-7d12-49df-a833-671904770b9f	command_prompt
452	privilege-escalation	T1543.003	Create or Modify System Process: Windows Service	2	Service Installation CMD	981e2942-e433-44e9-afc1-8c957a1496b6	command_prompt
453	privilege-escalation	T1543.003	Create or Modify System Process: Windows Service	3	Service Installation PowerShell	491a4af6-a521-4b74-b23b-f7b3f1ee9e77	powershell
454	privilege-escalation	T1543.003	Create or Modify System Process: Windows Service	4	TinyTurla backdoor service w64time	ef0581fd-528e-4662-87bc-4c2affb86940	command_prompt
455	privilege-escalation	T1543.003	Create or Modify System Process: Windows Service	5	Remote Service Installation CMD	fb4151a2-db33-4f8c-b7f8-78ea8790f961	command_prompt
456	privilege-escalation	T1543.003	Create or Modify System Process: Windows Service	6	Modify Service to Run Arbitrary Binary (Powershell)	1f896ce4-8070-4959-8a25-2658856a70c9	powershell
457	privilege-escalation	T1547.012	Boot or Logon Autostart Execution: Print Processors	1	Print Processors	f7d38f47-c61b-47cc-a59d-fc0368f47ed0	powershell
458	privilege-escalation	T1574.001	Hijack Execution Flow: DLL Search Order Hijacking	1	DLL Search Order Hijacking - amsi.dll	8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3	command_prompt
459	privilege-escalation	T1055.003	Thread Execution Hijacking	1	Thread Execution Hijacking	578025d5-faa9-4f6d-8390-aae527d503e1	powershell
460	privilege-escalation	T1546.011	Event Triggered Execution: Application Shimming	1	Application Shim Installation	9ab27e22-ee62-4211-962b-d36d9a0e6a18	command_prompt
461	privilege-escalation	T1546.011	Event Triggered Execution: Application Shimming	2	New shim database files created in the default shim database directory	aefd6866-d753-431f-a7a4-215ca7e3f13d	powershell
462	privilege-escalation	T1546.011	Event Triggered Execution: Application Shimming	3	Registry key creation and/or modification events for SDB	9b6a06f9-ab5e-4e8d-8289-1df4289db02f	powershell
463	privilege-escalation	T1547.010	Boot or Logon Autostart Execution: Port Monitors	1	Add Port Monitor persistence in Registry	d34ef297-f178-4462-871e-9ce618d44e50	command_prompt
464	privilege-escalation	T1055	Process Injection	1	Shellcode execution via VBA	1c91e740-1729-4329-b779-feba6e71d048	powershell
465	privilege-escalation	T1055	Process Injection	2	Remote Process Injection in LSASS via mimikatz	3203ad24-168e-4bec-be36-f79b13ef8a83	command_prompt
466	privilege-escalation	T1055	Process Injection	3	Section View Injection	c6952f41-6cf0-450a-b352-2ca8dae7c178	powershell
467	privilege-escalation	T1055	Process Injection	4	Dirty Vanity process Injection	49543237-25db-497b-90df-d0a0a6e8fe2c	powershell
468	privilege-escalation	T1055	Process Injection	5	Read-Write-Execute process Injection	0128e48e-8c1a-433a-a11a-a5387384f1e1	powershell
469	privilege-escalation	T1055	Process Injection	6	Process Injection with Go using UuidFromStringA WinAPI	2315ce15-38b6-46ac-a3eb-5e21abef2545	powershell
470	privilege-escalation	T1055	Process Injection	7	Process Injection with Go using EtwpCreateEtwThread WinAPI	7362ecef-6461-402e-8716-7410e1566400	powershell
471	privilege-escalation	T1055	Process Injection	8	Remote Process Injection with Go using RtlCreateUserThread WinAPI	a0c1725f-abcd-40d6-baac-020f3cf94ecd	powershell
472	privilege-escalation	T1055	Process Injection	9	Remote Process Injection with Go using CreateRemoteThread WinAPI	69534efc-d5f5-4550-89e6-12c6457b9edd	powershell
473	privilege-escalation	T1055	Process Injection	10	Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)	2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39	powershell
474	privilege-escalation	T1055	Process Injection	11	Process Injection with Go using CreateThread WinAPI	2871ed59-3837-4a52-9107-99500ebc87cb	powershell
475	privilege-escalation	T1055	Process Injection	12	Process Injection with Go using CreateThread WinAPI (Natively)	2a3c7035-d14f-467a-af94-933e49fe6786	powershell
476	privilege-escalation	T1055	Process Injection	13	UUID custom process Injection	0128e48e-8c1a-433a-a11a-a5304734f1e1	powershell
477	privilege-escalation	T1547.009	Boot or Logon Autostart Execution: Shortcut Modification	1	Shortcut Modification	ce4fc678-364f-4282-af16-2fb4c78005ce	command_prompt
478	privilege-escalation	T1547.009	Boot or Logon Autostart Execution: Shortcut Modification	2	Create shortcut to cmd in startup folders	cfdc954d-4bb0-4027-875b-a1893ce406f2	powershell
479	privilege-escalation	T1547.005	Boot or Logon Autostart Execution: Security Support Provider	1	Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry	afdfd7e3-8a0b-409f-85f7-886fdf249c9e	powershell
480	privilege-escalation	T1547.005	Boot or Logon Autostart Execution: Security Support Provider	2	Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry	de3f8e74-3351-4fdb-a442-265dbf231738	powershell
481	privilege-escalation	T1574.008	Hijack Execution Flow: Path Interception by Search Order Hijacking	1	powerShell Persistence via hijacking default modules - Get-Variable.exe	1561de08-0b4b-498e-8261-e922f3494aae	powershell
482	privilege-escalation	T1484.001	Domain Policy Modification: Group Policy Modification	1	LockBit Black - Modify Group policy settings -cmd	9ab80952-74ee-43da-a98c-1e740a985f28	command_prompt
483	privilege-escalation	T1484.001	Domain Policy Modification: Group Policy Modification	2	LockBit Black - Modify Group policy settings -Powershell	b51eae65-5441-4789-b8e8-64783c26c1d1	powershell
484	privilege-escalation	T1078.001	Valid Accounts: Default Accounts	1	Enable Guest account with RDP capability and admin privileges	99747561-ed8d-47f2-9c91-1e5fde1ed6e0	command_prompt
485	privilege-escalation	T1078.001	Valid Accounts: Default Accounts	2	Activate Guest Account	aa6cb8c4-b582-4f8e-b677-37733914abda	command_prompt
486	privilege-escalation	T1547.003	Time Providers	1	Create a new time provider	df1efab7-bc6d-4b88-8be9-91f55ae017aa	powershell
487	privilege-escalation	T1547.003	Time Providers	2	Edit an existing time provider	29e0afca-8d1d-471a-8d34-25512fc48315	powershell
488	privilege-escalation	T1134.002	Create Process with Token	1	Access Token Manipulation	dbf4f5a9-b8e0-46a3-9841-9ad71247239e	powershell
489	privilege-escalation	T1134.002	Create Process with Token	2	WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique	ccf4ac39-ec93-42be-9035-90e2f26bcd92	powershell
490	privilege-escalation	T1547.004	Boot or Logon Autostart Execution: Winlogon Helper DLL	1	Winlogon Shell Key Persistence - PowerShell	bf9f9d65-ee4d-4c3e-a843-777d04f19c38	powershell
491	privilege-escalation	T1547.004	Boot or Logon Autostart Execution: Winlogon Helper DLL	2	Winlogon Userinit Key Persistence - PowerShell	fb32c935-ee2e-454b-8fa3-1c46b42e8dfb	powershell
492	privilege-escalation	T1547.004	Boot or Logon Autostart Execution: Winlogon Helper DLL	3	Winlogon Notify Key Logon Persistence - PowerShell	d40da266-e073-4e5a-bb8b-2b385023e5f9	powershell
493	privilege-escalation	T1547.004	Boot or Logon Autostart Execution: Winlogon Helper DLL	4	Winlogon HKLM Shell Key Persistence - PowerShell	95a3c42f-8c88-4952-ad60-13b81d929a9d	powershell
494	privilege-escalation	T1547.004	Boot or Logon Autostart Execution: Winlogon Helper DLL	5	Winlogon HKLM Userinit Key Persistence - PowerShell	f9b8daff-8fa7-4e6a-a1a7-7c14675a545b	powershell
495	privilege-escalation	T1546.012	Event Triggered Execution: Image File Execution Options Injection	1	IFEO Add Debugger	fdda2626-5234-4c90-b163-60849a24c0b8	command_prompt
496	privilege-escalation	T1546.012	Event Triggered Execution: Image File Execution Options Injection	2	IFEO Global Flags	46b1f278-c8ee-4aa5-acce-65e77b11f3c1	command_prompt
497	privilege-escalation	T1546.012	Event Triggered Execution: Image File Execution Options Injection	3	GlobalFlags in Image File Execution Options	13117939-c9b2-4a43-999e-0a543df92f0d	powershell
498	privilege-escalation	T1546.008	Event Triggered Execution: Accessibility Features	1	Attaches Command Prompt as a Debugger to a List of Target Processes	3309f53e-b22b-4eb6-8fd2-a6cf58b355a9	powershell
499	privilege-escalation	T1546.008	Event Triggered Execution: Accessibility Features	2	Replace binary of sticky keys	934e90cf-29ca-48b3-863c-411737ad44e3	command_prompt
500	privilege-escalation	T1546.008	Event Triggered Execution: Accessibility Features	3	Create Symbolic Link From osk.exe to cmd.exe	51ef369c-5e87-4f33-88cd-6d61be63edf2	command_prompt
501	privilege-escalation	T1546.008	Event Triggered Execution: Accessibility Features	4	Atbroker.exe (AT) Executes Arbitrary Command via Registry Key	444ff124-4c83-4e28-8df6-6efd3ece6bd4	command_prompt
502	privilege-escalation	T1055.004	Process Injection: Asynchronous Procedure Call	1	Process Injection via C#	611b39b7-e243-4c81-87a4-7145a90358b1	command_prompt
503	privilege-escalation	T1055.004	Process Injection: Asynchronous Procedure Call	2	EarlyBird APC Queue Injection in Go	73785dd2-323b-4205-ab16-bb6f06677e14	powershell
504	privilege-escalation	T1055.004	Process Injection: Asynchronous Procedure Call	3	Remote Process Injection with Go using NtQueueApcThreadEx WinAPI	4cc571b1-f450-414a-850f-879baf36aa06	powershell
505	privilege-escalation	T1546.009	Event Triggered Execution: AppCert DLLs	1	Create registry persistence via AppCert DLL	a5ad6104-5bab-4c43-b295-b4c44c7c6b05	powershell
506	privilege-escalation	T1055.002	Process Injection: Portable Executable Injection	1	Portable Executable Injection	578025d5-faa9-4f6d-8390-aae739d503e1	powershell
507	privilege-escalation	T1134.001	Access Token Manipulation: Token Impersonation/Theft	1	Named pipe client impersonation	90db9e27-8e7c-4c04-b602-a45927884966	powershell
508	privilege-escalation	T1134.001	Access Token Manipulation: Token Impersonation/Theft	2	`SeDebugPrivilege` token duplication	34f0a430-9d04-4d98-bcb5-1989f14719f0	powershell
509	privilege-escalation	T1134.001	Access Token Manipulation: Token Impersonation/Theft	3	Launch NSudo Executable	7be1bc0f-d8e5-4345-9333-f5f67d742cb9	powershell
510	privilege-escalation	T1134.001	Access Token Manipulation: Token Impersonation/Theft	4	Bad Potato	9c6d799b-c111-4749-a42f-ec2f8cb51448	powershell
511	privilege-escalation	T1134.001	Access Token Manipulation: Token Impersonation/Theft	5	Juicy Potato	f095e373-b936-4eb4-8d22-f47ccbfbe64a	powershell
512	privilege-escalation	T1546.003	Event Triggered Execution: Windows Management Instrumentation Event Subscription	1	Persistence via WMI Event Subscription - CommandLineEventConsumer	3c64f177-28e2-49eb-a799-d767b24dd1e0	powershell
513	privilege-escalation	T1546.003	Event Triggered Execution: Windows Management Instrumentation Event Subscription	2	Persistence via WMI Event Subscription - ActiveScriptEventConsumer	fecd0dfd-fb55-45fa-a10b-6250272d0832	powershell
514	privilege-escalation	T1546.003	Event Triggered Execution: Windows Management Instrumentation Event Subscription	3	Windows MOFComp.exe Load MOF File	29786d7e-8916-4de6-9c55-be7b093b2706	powershell
515	privilege-escalation	T1134.004	Access Token Manipulation: Parent PID Spoofing	1	Parent PID Spoofing using PowerShell	069258f4-2162-46e9-9a25-c9c6c56150d2	powershell
516	privilege-escalation	T1134.004	Access Token Manipulation: Parent PID Spoofing	2	Parent PID Spoofing - Spawn from Current Process	14920ebd-1d61-491a-85e0-fe98efe37f25	powershell
517	privilege-escalation	T1134.004	Access Token Manipulation: Parent PID Spoofing	3	Parent PID Spoofing - Spawn from Specified Process	cbbff285-9051-444a-9d17-c07cd2d230eb	powershell
518	privilege-escalation	T1134.004	Access Token Manipulation: Parent PID Spoofing	4	Parent PID Spoofing - Spawn from svchost.exe	e9f2b777-3123-430b-805d-5cedc66ab591	powershell
519	privilege-escalation	T1134.004	Access Token Manipulation: Parent PID Spoofing	5	Parent PID Spoofing - Spawn from New Process	2988133e-561c-4e42-a15f-6281e6a9b2db	powershell
520	privilege-escalation	T1546.001	Event Triggered Execution: Change Default File Association	1	Change Default File Association	10a08978-2045-4d62-8c42-1957bbbea102	command_prompt
521	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	1	Reg Key Run	e55be3fd-3521-4610-9d1a-e210e42dcf05	command_prompt
522	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	2	Reg Key RunOnce	554cbd88-cde1-4b56-8168-0be552eed9eb	command_prompt
523	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	3	PowerShell Registry RunOnce	eb44f842-0457-4ddc-9b92-c4caa144ac42	powershell
524	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	4	Suspicious vbs file run from startup Folder	2cb98256-625e-4da9-9d44-f2e5f90b8bd5	powershell
525	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	5	Suspicious jse file run from startup Folder	dade9447-791e-4c8f-b04b-3a35855dfa06	powershell
526	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	6	Suspicious bat file run from startup Folder	5b6768e4-44d2-44f0-89da-a01d1430fd5e	powershell
527	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	7	Add Executable Shortcut Link to User Startup Folder	24e55612-85f6-4bd6-ae74-a73d02e3441d	powershell
528	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	8	Add persistance via Recycle bin	bda6a3d6-7aa7-4e89-908b-306772e9662f	command_prompt
529	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	9	SystemBC Malware-as-a-Service Registry	9dc7767b-30c1-4cc4-b999-50cab5e27891	powershell
530	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	10	Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value	acfef903-7662-447e-a391-9c91c2f00f7b	powershell
531	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	11	Change Startup Folder - HKCU Modify User Shell Folders Startup Value	8834b65a-f808-4ece-ad7e-2acdf647aafa	powershell
532	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	12	HKCU - Policy Settings Explorer Run Key	a70faea1-e206-4f6f-8d9a-67379be8f6f1	powershell
533	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	13	HKLM - Policy Settings Explorer Run Key	b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f	powershell
534	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	14	HKLM - Append Command to Winlogon Userinit KEY Value	f7fab6cc-8ece-4ca7-a0f1-30a22fccd374	powershell
535	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	15	HKLM - Modify default System Shell - Winlogon Shell KEY Value	1d958c61-09c6-4d9e-b26b-4130314e520e	powershell
536	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	16	secedit used to create a Run key in the HKLM Hive	14fdc3f1-6fc3-4556-8d36-aa89d9d42d02	command_prompt
537	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	17	Modify BootExecute Value	befc2b40-d487-4a5a-8813-c11085fb5672	powershell
538	privilege-escalation	T1098	Account Manipulation	1	Admin Account Manipulate	5598f7cb-cf43-455e-883a-f6008c5d46af	powershell
539	privilege-escalation	T1098	Account Manipulation	2	Domain Account and Group Manipulate	a55a22e9-a3d3-42ce-bd48-2653adb8f7a9	powershell
540	privilege-escalation	T1098	Account Manipulation	9	Password Change on Directory Service Restore Mode (DSRM) Account	d5b886d9-d1c7-4b6e-a7b0-460041bf2823	command_prompt
541	privilege-escalation	T1098	Account Manipulation	10	Domain Password Policy Check: Short Password	fc5f9414-bd67-4f5f-a08e-e5381e29cbd1	powershell
542	privilege-escalation	T1098	Account Manipulation	11	Domain Password Policy Check: No Number in Password	68190529-069b-4ffc-a942-919704158065	powershell
543	privilege-escalation	T1098	Account Manipulation	12	Domain Password Policy Check: No Special Character in Password	7d984ef2-2db2-4cec-b090-e637e1698f61	powershell
544	privilege-escalation	T1098	Account Manipulation	13	Domain Password Policy Check: No Uppercase Character in Password	b299c120-44a7-4d68-b8e2-8ba5a28511ec	powershell
545	privilege-escalation	T1098	Account Manipulation	14	Domain Password Policy Check: No Lowercase Character in Password	945da11e-977e-4dab-85d2-f394d03c5887	powershell
546	privilege-escalation	T1098	Account Manipulation	15	Domain Password Policy Check: Only Two Character Classes	784d1349-5a26-4d20-af5e-d6af53bae460	powershell
547	privilege-escalation	T1098	Account Manipulation	16	Domain Password Policy Check: Common Password Use	81959d03-c51f-49a1-bb24-23f1ec885578	powershell
548	privilege-escalation	T1055.012	Process Injection: Process Hollowing	1	Process Hollowing using PowerShell	562427b4-39ef-4e8c-af88-463a78e70b9c	powershell
549	privilege-escalation	T1055.012	Process Injection: Process Hollowing	2	RunPE via VBA	3ad4a037-1598-4136-837c-4027e4fa319b	powershell
550	privilege-escalation	T1055.012	Process Injection: Process Hollowing	3	Process Hollowing in Go using CreateProcessW WinAPI	c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a	powershell
551	privilege-escalation	T1055.012	Process Injection: Process Hollowing	4	Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)	94903cc5-d462-498a-b919-b1e5ab155fee	powershell
552	privilege-escalation	T1546	Event Triggered Execution	1	Persistence with Custom AutodialDLL	aca9ae16-7425-4b6d-8c30-cad306fdbd5b	powershell
553	privilege-escalation	T1546	Event Triggered Execution	2	HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)	a574dafe-a903-4cce-9701-14040f4f3532	powershell
554	privilege-escalation	T1546	Event Triggered Execution	3	HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)	36b8dbf9-59b1-4e9b-a3bb-36e80563ef01	powershell
555	privilege-escalation	T1546	Event Triggered Execution	4	WMI Invoke-CimMethod Start Process	adae83d3-0df6-45e7-b2c3-575f91584577	powershell
556	privilege-escalation	T1134.005	Access Token Manipulation: SID-History Injection	1	Injection SID-History with mimikatz	6bef32e5-9456-4072-8f14-35566fb85401	command_prompt
557	privilege-escalation	T1547.002	Authentication Package	1	Authentication Package	be2590e8-4ac3-47ac-b4b5-945820f2fbe9	powershell
558	privilege-escalation	T1546.015	Event Triggered Execution: Component Object Model Hijacking	1	COM Hijacking - InprocServer32	48117158-d7be-441b-bc6a-d9e36e47b52b	powershell
559	privilege-escalation	T1546.015	Event Triggered Execution: Component Object Model Hijacking	2	Powershell Execute COM Object	752191b1-7c71-445c-9dbe-21bb031b18eb	powershell
560	privilege-escalation	T1546.015	Event Triggered Execution: Component Object Model Hijacking	3	COM Hijacking with RunDLL32 (Local Server Switch)	123520cc-e998-471b-a920-bd28e3feafa0	powershell
561	privilege-escalation	T1546.015	Event Triggered Execution: Component Object Model Hijacking	4	COM hijacking via TreatAs	33eacead-f117-4863-8eb0-5c6304fbfaa9	powershell
562	privilege-escalation	T1574.009	Hijack Execution Flow: Path Interception by Unquoted Path	1	Execution of program.exe as service with unquoted service path	2770dea7-c50f-457b-84c4-c40a47460d9f	command_prompt
563	privilege-escalation	T1546.010	Event Triggered Execution: AppInit DLLs	1	Install AppInit Shim	a58d9386-3080-4242-ab5f-454c16503d18	command_prompt
564	privilege-escalation	T1546.002	Event Triggered Execution: Screensaver	1	Set Arbitrary Binary as Screensaver	281201e7-de41-4dc9-b73d-f288938cbb64	command_prompt
565	privilege-escalation	T1574.002	Hijack Execution Flow: DLL Side-Loading	1	DLL Side-Loading using the Notepad++ GUP.exe binary	65526037-7079-44a9-bda1-2cb624838040	command_prompt
566	privilege-escalation	T1574.002	Hijack Execution Flow: DLL Side-Loading	2	DLL Side-Loading using the dotnet startup hook environment variable	d322cdd7-7d60-46e3-9111-648848da7c02	command_prompt
567	privilege-escalation	T1037.001	Boot or Logon Initialization Scripts: Logon Script (Windows)	1	Logon Scripts	d6042746-07d4-4c92-9ad8-e644c114a231	command_prompt
568	privilege-escalation	T1055.015	Process Injection: ListPlanting	1	Process injection ListPlanting	4f3c7502-b111-4dfe-8a6e-529307891a59	powershell
569	privilege-escalation	T1547.008	Boot or Logon Autostart Execution: LSASS Driver	1	Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt	8ecef16d-d289-46b4-917b-0dba6dc81cf1	powershell
570	privilege-escalation	T1053.002	Scheduled Task/Job: At	1	At.exe Scheduled task	4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8	command_prompt
571	privilege-escalation	T1055.001	Process Injection: Dynamic-link Library Injection	1	Process Injection via mavinject.exe	74496461-11a1-4982-b439-4d87a550d254	powershell
572	privilege-escalation	T1055.001	Process Injection: Dynamic-link Library Injection	2	WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique	8b56f787-73d9-4f1d-87e8-d07e89cbc7f5	powershell
573	privilege-escalation	T1546.007	Event Triggered Execution: Netsh Helper DLL	1	Netsh Helper DLL Registration	3244697d-5a3a-4dfc-941c-550f69f91a4d	command_prompt
574	privilege-escalation	T1078.003	Valid Accounts: Local Accounts	1	Create local account with admin privileges	a524ce99-86de-4db6-b4f9-e08f35a47a15	command_prompt
575	privilege-escalation	T1078.003	Valid Accounts: Local Accounts	6	WinPwn - Loot local Credentials - powerhell kittie	9e9fd066-453d-442f-88c1-ad7911d32912	powershell
576	privilege-escalation	T1078.003	Valid Accounts: Local Accounts	7	WinPwn - Loot local Credentials - Safetykatz	e9fdb899-a980-4ba4-934b-486ad22e22f4	powershell
577	privilege-escalation	T1574.012	Hijack Execution Flow: COR_PROFILER	1	User scope COR_PROFILER	9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a	powershell
578	privilege-escalation	T1574.012	Hijack Execution Flow: COR_PROFILER	2	System Scope COR_PROFILER	f373b482-48c8-4ce4-85ed-d40c8b3f7310	powershell
579	privilege-escalation	T1574.012	Hijack Execution Flow: COR_PROFILER	3	Registry-free process scope COR_PROFILER	79d57242-bbef-41db-b301-9d01d9f6e817	powershell
580	execution	T1053.005	Scheduled Task/Job: Scheduled Task	1	Scheduled Task Startup Script	fec27f65-db86-4c2d-b66c-61945aee87c2	command_prompt
581	execution	T1053.005	Scheduled Task/Job: Scheduled Task	2	Scheduled task Local	42f53695-ad4a-4546-abb6-7d837f644a71	command_prompt
582	execution	T1053.005	Scheduled Task/Job: Scheduled Task	3	Scheduled task Remote	2e5eac3e-327b-4a88-a0c0-c4057039a8dd	command_prompt
583	execution	T1053.005	Scheduled Task/Job: Scheduled Task	4	Powershell Cmdlet Scheduled Task	af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd	powershell
584	execution	T1053.005	Scheduled Task/Job: Scheduled Task	5	Task Scheduler via VBA	ecd3fa21-7792-41a2-8726-2c5c673414d3	powershell
585	execution	T1053.005	Scheduled Task/Job: Scheduled Task	6	WMI Invoke-CimMethod Scheduled Task	e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b	powershell
586	execution	T1053.005	Scheduled Task/Job: Scheduled Task	7	Scheduled Task Executing Base64 Encoded Commands From Registry	e895677d-4f06-49ab-91b6-ae3742d0a2ba	command_prompt
587	execution	T1053.005	Scheduled Task/Job: Scheduled Task	8	Import XML Schedule Task with Hidden Attribute	cd925593-fbb4-486d-8def-16cbdf944bf4	powershell
588	execution	T1053.005	Scheduled Task/Job: Scheduled Task	9	PowerShell Modify A Scheduled Task	dda6fc7b-c9a6-4c18-b98d-95ec6542af6d	powershell
589	execution	T1053.005	Scheduled Task/Job: Scheduled Task	10	Scheduled Task ("Ghost Task") via Registry Key Manipulation	704333ca-cc12-4bcf-9916-101844881f54	command_prompt
590	execution	T1047	Windows Management Instrumentation	1	WMI Reconnaissance Users	c107778c-dcf5-47c5-af2e-1d058a3df3ea	command_prompt
591	execution	T1047	Windows Management Instrumentation	2	WMI Reconnaissance Processes	5750aa16-0e59-4410-8b9a-8a47ca2788e2	command_prompt
592	execution	T1047	Windows Management Instrumentation	3	WMI Reconnaissance Software	718aebaa-d0e0-471a-8241-c5afa69c7414	command_prompt
593	execution	T1047	Windows Management Instrumentation	4	WMI Reconnaissance List Remote Services	0fd48ef7-d890-4e93-a533-f7dedd5191d3	command_prompt
594	execution	T1047	Windows Management Instrumentation	5	WMI Execute Local Process	b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3	command_prompt
595	execution	T1047	Windows Management Instrumentation	6	WMI Execute Remote Process	9c8ef159-c666-472f-9874-90c8d60d136b	command_prompt
596	execution	T1047	Windows Management Instrumentation	7	Create a Process using WMI Query and an Encoded Command	7db7a7f9-9531-4840-9b30-46220135441c	command_prompt
597	execution	T1047	Windows Management Instrumentation	8	Create a Process using obfuscated Win32_Process	10447c83-fc38-462a-a936-5102363b1c43	powershell
598	execution	T1047	Windows Management Instrumentation	9	WMI Execute rundll32	00738d2a-4651-4d76-adf2-c43a41dfb243	command_prompt
599	execution	T1047	Windows Management Instrumentation	10	Application uninstall using WMIC	c510d25b-1667-467d-8331-a56d3e9bc4ff	command_prompt
600	execution	T1129	Server Software Component	1	ESXi - Install a custom VIB on an ESXi host	7f843046-abf2-443f-b880-07a83cf968ec	command_prompt
601	execution	T1059.007	Command and Scripting Interpreter: JavaScript	1	JScript execution to gather local computer information via cscript	01d75adf-ca1b-4dd1-ac96-7c9550ad1035	command_prompt
602	execution	T1059.007	Command and Scripting Interpreter: JavaScript	2	JScript execution to gather local computer information via wscript	0709945e-4fec-4c49-9faf-c3c292a74484	command_prompt
603	execution	T1559.002	Inter-Process Communication: Dynamic Data Exchange	1	Execute Commands	f592ba2a-e9e8-4d62-a459-ef63abd819fd	manual
604	execution	T1559.002	Inter-Process Communication: Dynamic Data Exchange	2	Execute PowerShell script via Word DDE	47c21fb6-085e-4b0d-b4d2-26d72c3830b3	command_prompt
605	execution	T1559.002	Inter-Process Communication: Dynamic Data Exchange	3	DDEAUTO	cf91174c-4e74-414e-bec0-8d60a104d181	manual
606	execution	T1204.002	User Execution: Malicious File	1	OSTap Style Macro Execution	8bebc690-18c7-4549-bc98-210f7019efff	powershell
607	execution	T1204.002	User Execution: Malicious File	2	OSTap Payload Download	3f3af983-118a-4fa1-85d3-ba4daa739d80	command_prompt
608	execution	T1204.002	User Execution: Malicious File	3	Maldoc choice flags command execution	0330a5d2-a45a-4272-a9ee-e364411c4b18	powershell
609	execution	T1204.002	User Execution: Malicious File	4	OSTAP JS version	add560ef-20d6-4011-a937-2c340f930911	powershell
610	execution	T1204.002	User Execution: Malicious File	5	Office launching .bat file from AppData	9215ea92-1ded-41b7-9cd6-79f9a78397aa	powershell
611	execution	T1204.002	User Execution: Malicious File	6	Excel 4 Macro	4ea1fc97-8a46-4b4e-ba48-af43d2a98052	powershell
612	execution	T1204.002	User Execution: Malicious File	7	Headless Chrome code execution via VBA	a19ee671-ed98-4e9d-b19c-d1954a51585a	powershell
613	execution	T1204.002	User Execution: Malicious File	8	Potentially Unwanted Applications (PUA)	02f35d62-9fdc-4a97-b899-a5d9a876d295	powershell
614	execution	T1204.002	User Execution: Malicious File	9	Office Generic Payload Download	5202ee05-c420-4148-bf5e-fd7f7d24850c	powershell
615	execution	T1204.002	User Execution: Malicious File	10	LNK Payload Download	581d7521-9c4b-420e-9695-2aec5241167f	powershell
616	execution	T1204.002	User Execution: Malicious File	11	Mirror Blast Emulation	24fd9719-7419-42dd-bce6-ab3463110b3c	powershell
617	execution	T1106	Native API	1	Execution through API - CreateProcess	99be2089-c52d-4a4a-b5c3-261ee42c8b62	command_prompt
618	execution	T1106	Native API	2	WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique	ce4e76e6-de70-4392-9efe-b281fc2b4087	powershell
619	execution	T1106	Native API	3	WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique	7ec5b74e-8289-4ff2-a162-b6f286a33abd	powershell
620	execution	T1106	Native API	4	WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique	e1f93a06-1649-4f07-89a8-f57279a7d60e	powershell
621	execution	T1106	Native API	5	Run Shellcode via Syscall in Go	ae56083f-28d0-417d-84da-df4242da1f7c	powershell
622	execution	T1059	Command and Scripting Interpreter	1	AutoIt Script Execution	a9b93f17-31cb-435d-a462-5e838a2a6026	powershell
623	execution	T1072	Software Deployment Tools	1	Radmin Viewer Utility	b4988cad-6ed2-434d-ace5-ea2670782129	command_prompt
624	execution	T1072	Software Deployment Tools	2	PDQ Deploy RAT	e447b83b-a698-4feb-bed1-a7aaf45c3443	command_prompt
625	execution	T1059.001	Command and Scripting Interpreter: PowerShell	1	Mimikatz	f3132740-55bc-48c4-bcc0-758a459cd027	command_prompt
626	execution	T1059.001	Command and Scripting Interpreter: PowerShell	2	Run BloodHound from local disk	a21bb23e-e677-4ee7-af90-6931b57b6350	powershell
627	execution	T1059.001	Command and Scripting Interpreter: PowerShell	3	Run Bloodhound from Memory using Download Cradle	bf8c1441-4674-4dab-8e4e-39d93d08f9b7	powershell
628	execution	T1059.001	Command and Scripting Interpreter: PowerShell	4	Mimikatz - Cradlecraft PsSendKeys	af1800cf-9f9d-4fd1-a709-14b1e6de020d	powershell
629	execution	T1059.001	Command and Scripting Interpreter: PowerShell	5	Invoke-AppPathBypass	06a220b6-7e29-4bd8-9d07-5b4d86742372	command_prompt
630	execution	T1059.001	Command and Scripting Interpreter: PowerShell	6	Powershell MsXml COM object - with prompt	388a7340-dbc1-4c9d-8e59-b75ad8c6d5da	command_prompt
631	execution	T1059.001	Command and Scripting Interpreter: PowerShell	7	Powershell XML requests	4396927f-e503-427b-b023-31049b9b09a6	command_prompt
632	execution	T1059.001	Command and Scripting Interpreter: PowerShell	8	Powershell invoke mshta.exe download	8a2ad40b-12c7-4b25-8521-2737b0a415af	command_prompt
633	execution	T1059.001	Command and Scripting Interpreter: PowerShell	9	Powershell Invoke-DownloadCradle	cc50fa2a-a4be-42af-a88f-e347ba0bf4d7	manual
634	execution	T1059.001	Command and Scripting Interpreter: PowerShell	10	PowerShell Fileless Script Execution	fa050f5e-bc75-4230-af73-b6fd7852cd73	powershell
635	execution	T1059.001	Command and Scripting Interpreter: PowerShell	11	NTFS Alternate Data Stream Access	8e5c5532-1181-4c1d-bb79-b3a9f5dbd680	powershell
636	execution	T1059.001	Command and Scripting Interpreter: PowerShell	12	PowerShell Session Creation and Use	7c1acec2-78fa-4305-a3e0-db2a54cddecd	powershell
637	execution	T1059.001	Command and Scripting Interpreter: PowerShell	13	ATHPowerShellCommandLineParameter -Command parameter variations	686a9785-f99b-41d4-90df-66ed515f81d7	powershell
638	execution	T1059.001	Command and Scripting Interpreter: PowerShell	14	ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments	1c0a870f-dc74-49cf-9afc-eccc45e58790	powershell
639	execution	T1059.001	Command and Scripting Interpreter: PowerShell	15	ATHPowerShellCommandLineParameter -EncodedCommand parameter variations	86a43bad-12e3-4e85-b97c-4d5cf25b95c3	powershell
640	execution	T1059.001	Command and Scripting Interpreter: PowerShell	16	ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments	0d181431-ddf3-4826-8055-2dbf63ae848b	powershell
641	execution	T1059.001	Command and Scripting Interpreter: PowerShell	17	PowerShell Command Execution	a538de64-1c74-46ed-aa60-b995ed302598	command_prompt
642	execution	T1059.001	Command and Scripting Interpreter: PowerShell	18	PowerShell Invoke Known Malicious Cmdlets	49eb9404-5e0f-4031-a179-b40f7be385e3	powershell
643	execution	T1059.001	Command and Scripting Interpreter: PowerShell	19	PowerUp Invoke-AllChecks	1289f78d-22d2-4590-ac76-166737e1811b	powershell
644	execution	T1059.001	Command and Scripting Interpreter: PowerShell	20	Abuse Nslookup with DNS Records	999bff6d-dc15-44c9-9f5c-e1051bfc86e1	powershell
645	execution	T1059.001	Command and Scripting Interpreter: PowerShell	21	SOAPHound - Dump BloodHound Data	6a5b2a50-d037-4879-bf01-43d4d6cbf73f	powershell
646	execution	T1059.001	Command and Scripting Interpreter: PowerShell	22	SOAPHound - Build Cache	4099086c-1470-4223-8085-8186e1ed5948	powershell
647	execution	T1559	Inter-Process Communication	1	Cobalt Strike Artifact Kit pipe	bd13b9fc-b758-496a-b81a-397462f82c72	command_prompt
648	execution	T1559	Inter-Process Communication	2	Cobalt Strike Lateral Movement (psexec_psh) pipe	830c8b6c-7a70-4f40-b975-8bbe74558acd	command_prompt
649	execution	T1559	Inter-Process Communication	3	Cobalt Strike SSH (postex_ssh) pipe	d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6	command_prompt
650	execution	T1559	Inter-Process Communication	4	Cobalt Strike post-exploitation pipe (4.2 and later)	7a48f482-246f-4aeb-9837-21c271ebf244	command_prompt
651	execution	T1559	Inter-Process Communication	5	Cobalt Strike post-exploitation pipe (before 4.2)	8dbfc15c-527b-4ab0-a272-019f469d367f	command_prompt
652	execution	T1059.003	Command and Scripting Interpreter: Windows Command Shell	1	Create and Execute Batch Script	9e8894c0-50bd-4525-a96c-d4ac78ece388	powershell
653	execution	T1059.003	Command and Scripting Interpreter: Windows Command Shell	2	Writes text to a file and displays it.	127b4afe-2346-4192-815c-69042bec570e	command_prompt
654	execution	T1059.003	Command and Scripting Interpreter: Windows Command Shell	3	Suspicious Execution via Windows Command Shell	d0eb3597-a1b3-4d65-b33b-2cda8d397f20	command_prompt
655	execution	T1059.003	Command and Scripting Interpreter: Windows Command Shell	4	Simulate BlackByte Ransomware Print Bombing	6b2903ac-8f36-450d-9ad5-b220e8a2dcb9	powershell
656	execution	T1059.003	Command and Scripting Interpreter: Windows Command Shell	5	Command Prompt read contents from CMD file and execute	df81db1b-066c-4802-9bc8-b6d030c3ba8e	command_prompt
657	execution	T1059.003	Command and Scripting Interpreter: Windows Command Shell	6	Command prompt writing script to file then executes it	00682c9f-7df4-4df8-950b-6dcaaa3ad9af	command_prompt
658	execution	T1059.005	Command and Scripting Interpreter: Visual Basic	1	Visual Basic script execution to gather local computer information	1620de42-160a-4fe5-bbaf-d3fef0181ce9	powershell
659	execution	T1059.005	Command and Scripting Interpreter: Visual Basic	2	Encoded VBS code execution	e8209d5f-e42d-45e6-9c2f-633ac4f1eefa	powershell
660	execution	T1059.005	Command and Scripting Interpreter: Visual Basic	3	Extract Memory via VBA	8faff437-a114-4547-9a60-749652a03df6	powershell
661	execution	T1569.002	System Services: Service Execution	1	Execute a Command as a Service	2382dee2-a75f-49aa-9378-f52df6ed3fb1	command_prompt
662	execution	T1569.002	System Services: Service Execution	2	Use PsExec to execute a command on a remote host	873106b7-cfed-454b-8680-fa9f6400431c	command_prompt
663	execution	T1569.002	System Services: Service Execution	4	BlackCat pre-encryption cmds with Lateral Movement	31eb7828-97d7-4067-9c1e-c6feb85edc4b	powershell
664	execution	T1569.002	System Services: Service Execution	5	Use RemCom to execute a command on a remote host	a5d8cdeb-be90-43a9-8b26-cc618deac1e0	command_prompt
665	execution	T1569.002	System Services: Service Execution	6	Snake Malware Service Create	b8db787e-dbea-493c-96cb-9272296ddc49	command_prompt
666	execution	T1053.002	Scheduled Task/Job: At	1	At.exe Scheduled task	4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8	command_prompt
667	persistence	T1053.005	Scheduled Task/Job: Scheduled Task	1	Scheduled Task Startup Script	fec27f65-db86-4c2d-b66c-61945aee87c2	command_prompt
668	persistence	T1053.005	Scheduled Task/Job: Scheduled Task	2	Scheduled task Local	42f53695-ad4a-4546-abb6-7d837f644a71	command_prompt
669	persistence	T1053.005	Scheduled Task/Job: Scheduled Task	3	Scheduled task Remote	2e5eac3e-327b-4a88-a0c0-c4057039a8dd	command_prompt
670	persistence	T1053.005	Scheduled Task/Job: Scheduled Task	4	Powershell Cmdlet Scheduled Task	af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd	powershell
671	persistence	T1053.005	Scheduled Task/Job: Scheduled Task	5	Task Scheduler via VBA	ecd3fa21-7792-41a2-8726-2c5c673414d3	powershell
672	persistence	T1053.005	Scheduled Task/Job: Scheduled Task	6	WMI Invoke-CimMethod Scheduled Task	e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b	powershell
673	persistence	T1053.005	Scheduled Task/Job: Scheduled Task	7	Scheduled Task Executing Base64 Encoded Commands From Registry	e895677d-4f06-49ab-91b6-ae3742d0a2ba	command_prompt
674	persistence	T1053.005	Scheduled Task/Job: Scheduled Task	8	Import XML Schedule Task with Hidden Attribute	cd925593-fbb4-486d-8def-16cbdf944bf4	powershell
675	persistence	T1053.005	Scheduled Task/Job: Scheduled Task	9	PowerShell Modify A Scheduled Task	dda6fc7b-c9a6-4c18-b98d-95ec6542af6d	powershell
676	persistence	T1053.005	Scheduled Task/Job: Scheduled Task	10	Scheduled Task ("Ghost Task") via Registry Key Manipulation	704333ca-cc12-4bcf-9916-101844881f54	command_prompt
677	persistence	T1546.013	Event Triggered Execution: PowerShell Profile	1	Append malicious start-process cmdlet	090e5aa5-32b6-473b-a49b-21e843a56896	powershell
678	persistence	T1133	External Remote Services	1	Running Chrome VPN Extensions via the Registry 2 vpn extension	4c8db261-a58b-42a6-a866-0a294deedde4	powershell
679	persistence	T1542.001	Pre-OS Boot: System Firmware	1	UEFI Persistence via Wpbbin.exe File Creation	b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1	powershell
680	persistence	T1574.011	Hijack Execution Flow: Services Registry Permissions Weakness	1	Service Registry Permissions Weakness	f7536d63-7fd4-466f-89da-7e48d550752a	powershell
681	persistence	T1574.011	Hijack Execution Flow: Services Registry Permissions Weakness	2	Service ImagePath Change with reg.exe	f38e9eea-e1d7-4ba6-b716-584791963827	command_prompt
682	persistence	T1547	Boot or Logon Autostart Execution	1	Add a driver	cb01b3da-b0e7-4e24-bf6d-de5223526785	command_prompt
683	persistence	T1547.014	Active Setup	1	HKLM - Add atomic_test key to launch executable as part of user setup	deff4586-0517-49c2-981d-bbea24d48d71	powershell
684	persistence	T1547.014	Active Setup	2	HKLM - Add malicious StubPath value to existing Active Setup Entry	39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a	powershell
685	persistence	T1547.014	Active Setup	3	HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number	04d55cef-f283-40ba-ae2a-316bc3b5e78c	powershell
686	persistence	T1543.003	Create or Modify System Process: Windows Service	1	Modify Fax service to run PowerShell	ed366cde-7d12-49df-a833-671904770b9f	command_prompt
687	persistence	T1543.003	Create or Modify System Process: Windows Service	2	Service Installation CMD	981e2942-e433-44e9-afc1-8c957a1496b6	command_prompt
688	persistence	T1543.003	Create or Modify System Process: Windows Service	3	Service Installation PowerShell	491a4af6-a521-4b74-b23b-f7b3f1ee9e77	powershell
689	persistence	T1543.003	Create or Modify System Process: Windows Service	4	TinyTurla backdoor service w64time	ef0581fd-528e-4662-87bc-4c2affb86940	command_prompt
690	persistence	T1543.003	Create or Modify System Process: Windows Service	5	Remote Service Installation CMD	fb4151a2-db33-4f8c-b7f8-78ea8790f961	command_prompt
691	persistence	T1543.003	Create or Modify System Process: Windows Service	6	Modify Service to Run Arbitrary Binary (Powershell)	1f896ce4-8070-4959-8a25-2658856a70c9	powershell
692	persistence	T1137	Office Application Startup	1	Office Application Startup - Outlook as a C2	bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c	command_prompt
693	persistence	T1547.012	Boot or Logon Autostart Execution: Print Processors	1	Print Processors	f7d38f47-c61b-47cc-a59d-fc0368f47ed0	powershell
694	persistence	T1574.001	Hijack Execution Flow: DLL Search Order Hijacking	1	DLL Search Order Hijacking - amsi.dll	8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3	command_prompt
695	persistence	T1137.006	Office Application Startup: Add-ins	1	Code Executed Via Excel Add-in File (XLL)	441b1a0f-a771-428a-8af0-e99e4698cda3	powershell
696	persistence	T1137.006	Office Application Startup: Add-ins	2	Persistent Code Execution Via Excel Add-in File (XLL)	9c307886-9fef-41d5-b344-073a0f5b2f5f	powershell
697	persistence	T1137.006	Office Application Startup: Add-ins	3	Persistent Code Execution Via Word Add-in File (WLL)	95408a99-4fa7-4cd6-a7ef-cb65f86351cf	powershell
698	persistence	T1137.006	Office Application Startup: Add-ins	4	Persistent Code Execution Via Excel VBA Add-in File (XLAM)	082141ed-b048-4c86-99c7-2b8da5b5bf48	powershell
699	persistence	T1137.006	Office Application Startup: Add-ins	5	Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM)	f89e58f9-2b49-423b-ac95-1f3e7cfd8277	powershell
700	persistence	T1505.002	Server Software Component: Transport Agent	1	Install MS Exchange Transport Agent Persistence	43e92449-ff60-46e9-83a3-1a38089df94d	powershell
701	persistence	T1556.002	Modify Authentication Process: Password Filter DLL	1	Install and Register Password Filter DLL	a7961770-beb5-4134-9674-83d7e1fa865c	powershell
702	persistence	T1505.005	Server Software Component: Terminal Services DLL	1	Simulate Patching termsrv.dll	0b2eadeb-4a64-4449-9d43-3d999f4a317b	powershell
703	persistence	T1505.005	Server Software Component: Terminal Services DLL	2	Modify Terminal Services DLL Path	18136e38-0530-49b2-b309-eed173787471	powershell
704	persistence	T1176	Browser Extensions	1	Chrome/Chromium (Developer Mode)	3ecd790d-2617-4abf-9a8c-4e8d47da9ee1	manual
705	persistence	T1176	Browser Extensions	2	Chrome/Chromium (Chrome Web Store)	4c83940d-8ca5-4bb2-8100-f46dc914bc3f	manual
706	persistence	T1176	Browser Extensions	3	Firefox	cb790029-17e6-4c43-b96f-002ce5f10938	manual
707	persistence	T1176	Browser Extensions	4	Edge Chromium Addon - VPN	3d456e2b-a7db-4af8-b5b3-720e7c4d9da5	manual
708	persistence	T1176	Browser Extensions	5	Google Chrome Load Unpacked Extension With Command Line	7a714703-9f6b-461c-b06d-e6aeac650f27	powershell
709	persistence	T1546.011	Event Triggered Execution: Application Shimming	1	Application Shim Installation	9ab27e22-ee62-4211-962b-d36d9a0e6a18	command_prompt
710	persistence	T1546.011	Event Triggered Execution: Application Shimming	2	New shim database files created in the default shim database directory	aefd6866-d753-431f-a7a4-215ca7e3f13d	powershell
711	persistence	T1546.011	Event Triggered Execution: Application Shimming	3	Registry key creation and/or modification events for SDB	9b6a06f9-ab5e-4e8d-8289-1df4289db02f	powershell
712	persistence	T1547.010	Boot or Logon Autostart Execution: Port Monitors	1	Add Port Monitor persistence in Registry	d34ef297-f178-4462-871e-9ce618d44e50	command_prompt
713	persistence	T1547.009	Boot or Logon Autostart Execution: Shortcut Modification	1	Shortcut Modification	ce4fc678-364f-4282-af16-2fb4c78005ce	command_prompt
714	persistence	T1547.009	Boot or Logon Autostart Execution: Shortcut Modification	2	Create shortcut to cmd in startup folders	cfdc954d-4bb0-4027-875b-a1893ce406f2	powershell
715	persistence	T1547.005	Boot or Logon Autostart Execution: Security Support Provider	1	Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry	afdfd7e3-8a0b-409f-85f7-886fdf249c9e	powershell
716	persistence	T1547.005	Boot or Logon Autostart Execution: Security Support Provider	2	Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry	de3f8e74-3351-4fdb-a442-265dbf231738	powershell
717	persistence	T1574.008	Hijack Execution Flow: Path Interception by Search Order Hijacking	1	powerShell Persistence via hijacking default modules - Get-Variable.exe	1561de08-0b4b-498e-8261-e922f3494aae	powershell
718	persistence	T1505.003	Server Software Component: Web Shell	1	Web Shell Written to Disk	0a2ce662-1efa-496f-a472-2fe7b080db16	command_prompt
719	persistence	T1078.001	Valid Accounts: Default Accounts	1	Enable Guest account with RDP capability and admin privileges	99747561-ed8d-47f2-9c91-1e5fde1ed6e0	command_prompt
720	persistence	T1078.001	Valid Accounts: Default Accounts	2	Activate Guest Account	aa6cb8c4-b582-4f8e-b677-37733914abda	command_prompt
721	persistence	T1547.003	Time Providers	1	Create a new time provider	df1efab7-bc6d-4b88-8be9-91f55ae017aa	powershell
722	persistence	T1547.003	Time Providers	2	Edit an existing time provider	29e0afca-8d1d-471a-8d34-25512fc48315	powershell
723	persistence	T1136.001	Create Account: Local Account	4	Create a new user in a command prompt	6657864e-0323-4206-9344-ac9cd7265a4f	command_prompt
724	persistence	T1136.001	Create Account: Local Account	5	Create a new user in PowerShell	bc8be0ac-475c-4fbf-9b1d-9fffd77afbde	powershell
725	persistence	T1136.001	Create Account: Local Account	8	Create a new Windows admin user	fda74566-a604-4581-a4cc-fbbe21d66559	command_prompt
726	persistence	T1136.001	Create Account: Local Account	9	Create a new Windows admin user via .NET	2170d9b5-bacd-4819-a952-da76dae0815f	powershell
727	persistence	T1547.004	Boot or Logon Autostart Execution: Winlogon Helper DLL	1	Winlogon Shell Key Persistence - PowerShell	bf9f9d65-ee4d-4c3e-a843-777d04f19c38	powershell
728	persistence	T1547.004	Boot or Logon Autostart Execution: Winlogon Helper DLL	2	Winlogon Userinit Key Persistence - PowerShell	fb32c935-ee2e-454b-8fa3-1c46b42e8dfb	powershell
729	persistence	T1547.004	Boot or Logon Autostart Execution: Winlogon Helper DLL	3	Winlogon Notify Key Logon Persistence - PowerShell	d40da266-e073-4e5a-bb8b-2b385023e5f9	powershell
730	persistence	T1547.004	Boot or Logon Autostart Execution: Winlogon Helper DLL	4	Winlogon HKLM Shell Key Persistence - PowerShell	95a3c42f-8c88-4952-ad60-13b81d929a9d	powershell
731	persistence	T1547.004	Boot or Logon Autostart Execution: Winlogon Helper DLL	5	Winlogon HKLM Userinit Key Persistence - PowerShell	f9b8daff-8fa7-4e6a-a1a7-7c14675a545b	powershell
732	persistence	T1546.012	Event Triggered Execution: Image File Execution Options Injection	1	IFEO Add Debugger	fdda2626-5234-4c90-b163-60849a24c0b8	command_prompt
733	persistence	T1546.012	Event Triggered Execution: Image File Execution Options Injection	2	IFEO Global Flags	46b1f278-c8ee-4aa5-acce-65e77b11f3c1	command_prompt
734	persistence	T1546.012	Event Triggered Execution: Image File Execution Options Injection	3	GlobalFlags in Image File Execution Options	13117939-c9b2-4a43-999e-0a543df92f0d	powershell
735	persistence	T1546.008	Event Triggered Execution: Accessibility Features	1	Attaches Command Prompt as a Debugger to a List of Target Processes	3309f53e-b22b-4eb6-8fd2-a6cf58b355a9	powershell
736	persistence	T1546.008	Event Triggered Execution: Accessibility Features	2	Replace binary of sticky keys	934e90cf-29ca-48b3-863c-411737ad44e3	command_prompt
737	persistence	T1546.008	Event Triggered Execution: Accessibility Features	3	Create Symbolic Link From osk.exe to cmd.exe	51ef369c-5e87-4f33-88cd-6d61be63edf2	command_prompt
738	persistence	T1546.008	Event Triggered Execution: Accessibility Features	4	Atbroker.exe (AT) Executes Arbitrary Command via Registry Key	444ff124-4c83-4e28-8df6-6efd3ece6bd4	command_prompt
739	persistence	T1136.002	Create Account: Domain Account	1	Create a new Windows domain admin user	fcec2963-9951-4173-9bfa-98d8b7834e62	command_prompt
740	persistence	T1136.002	Create Account: Domain Account	2	Create a new account similar to ANONYMOUS LOGON	dc7726d2-8ccb-4cc6-af22-0d5afb53a548	command_prompt
741	persistence	T1136.002	Create Account: Domain Account	3	Create a new Domain Account using PowerShell	5a3497a4-1568-4663-b12a-d4a5ed70c7d7	powershell
742	persistence	T1137.001	Office Application Startup: Office Template Macros.	1	Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell	940db09e-80b6-4dd0-8d4d-7764f89b47a8	powershell
743	persistence	T1546.009	Event Triggered Execution: AppCert DLLs	1	Create registry persistence via AppCert DLL	a5ad6104-5bab-4c43-b295-b4c44c7c6b05	powershell
744	persistence	T1546.003	Event Triggered Execution: Windows Management Instrumentation Event Subscription	1	Persistence via WMI Event Subscription - CommandLineEventConsumer	3c64f177-28e2-49eb-a799-d767b24dd1e0	powershell
745	persistence	T1546.003	Event Triggered Execution: Windows Management Instrumentation Event Subscription	2	Persistence via WMI Event Subscription - ActiveScriptEventConsumer	fecd0dfd-fb55-45fa-a10b-6250272d0832	powershell
746	persistence	T1546.003	Event Triggered Execution: Windows Management Instrumentation Event Subscription	3	Windows MOFComp.exe Load MOF File	29786d7e-8916-4de6-9c55-be7b093b2706	powershell
747	persistence	T1546.001	Event Triggered Execution: Change Default File Association	1	Change Default File Association	10a08978-2045-4d62-8c42-1957bbbea102	command_prompt
748	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	1	Reg Key Run	e55be3fd-3521-4610-9d1a-e210e42dcf05	command_prompt
749	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	2	Reg Key RunOnce	554cbd88-cde1-4b56-8168-0be552eed9eb	command_prompt
750	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	3	PowerShell Registry RunOnce	eb44f842-0457-4ddc-9b92-c4caa144ac42	powershell
751	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	4	Suspicious vbs file run from startup Folder	2cb98256-625e-4da9-9d44-f2e5f90b8bd5	powershell
752	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	5	Suspicious jse file run from startup Folder	dade9447-791e-4c8f-b04b-3a35855dfa06	powershell
753	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	6	Suspicious bat file run from startup Folder	5b6768e4-44d2-44f0-89da-a01d1430fd5e	powershell
754	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	7	Add Executable Shortcut Link to User Startup Folder	24e55612-85f6-4bd6-ae74-a73d02e3441d	powershell
755	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	8	Add persistance via Recycle bin	bda6a3d6-7aa7-4e89-908b-306772e9662f	command_prompt
756	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	9	SystemBC Malware-as-a-Service Registry	9dc7767b-30c1-4cc4-b999-50cab5e27891	powershell
757	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	10	Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value	acfef903-7662-447e-a391-9c91c2f00f7b	powershell
758	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	11	Change Startup Folder - HKCU Modify User Shell Folders Startup Value	8834b65a-f808-4ece-ad7e-2acdf647aafa	powershell
759	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	12	HKCU - Policy Settings Explorer Run Key	a70faea1-e206-4f6f-8d9a-67379be8f6f1	powershell
760	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	13	HKLM - Policy Settings Explorer Run Key	b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f	powershell
761	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	14	HKLM - Append Command to Winlogon Userinit KEY Value	f7fab6cc-8ece-4ca7-a0f1-30a22fccd374	powershell
762	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	15	HKLM - Modify default System Shell - Winlogon Shell KEY Value	1d958c61-09c6-4d9e-b26b-4130314e520e	powershell
763	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	16	secedit used to create a Run key in the HKLM Hive	14fdc3f1-6fc3-4556-8d36-aa89d9d42d02	command_prompt
764	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	17	Modify BootExecute Value	befc2b40-d487-4a5a-8813-c11085fb5672	powershell
765	persistence	T1098	Account Manipulation	1	Admin Account Manipulate	5598f7cb-cf43-455e-883a-f6008c5d46af	powershell
766	persistence	T1098	Account Manipulation	2	Domain Account and Group Manipulate	a55a22e9-a3d3-42ce-bd48-2653adb8f7a9	powershell
767	persistence	T1098	Account Manipulation	9	Password Change on Directory Service Restore Mode (DSRM) Account	d5b886d9-d1c7-4b6e-a7b0-460041bf2823	command_prompt
768	persistence	T1098	Account Manipulation	10	Domain Password Policy Check: Short Password	fc5f9414-bd67-4f5f-a08e-e5381e29cbd1	powershell
769	persistence	T1098	Account Manipulation	11	Domain Password Policy Check: No Number in Password	68190529-069b-4ffc-a942-919704158065	powershell
770	persistence	T1098	Account Manipulation	12	Domain Password Policy Check: No Special Character in Password	7d984ef2-2db2-4cec-b090-e637e1698f61	powershell
771	persistence	T1098	Account Manipulation	13	Domain Password Policy Check: No Uppercase Character in Password	b299c120-44a7-4d68-b8e2-8ba5a28511ec	powershell
772	persistence	T1098	Account Manipulation	14	Domain Password Policy Check: No Lowercase Character in Password	945da11e-977e-4dab-85d2-f394d03c5887	powershell
773	persistence	T1098	Account Manipulation	15	Domain Password Policy Check: Only Two Character Classes	784d1349-5a26-4d20-af5e-d6af53bae460	powershell
774	persistence	T1098	Account Manipulation	16	Domain Password Policy Check: Common Password Use	81959d03-c51f-49a1-bb24-23f1ec885578	powershell
775	persistence	T1505.004	IIS Components	1	Install IIS Module using AppCmd.exe	53adbdfa-8200-490c-871c-d3b1ab3324b2	command_prompt
776	persistence	T1505.004	IIS Components	2	Install IIS Module using PowerShell Cmdlet New-WebGlobalModule	cc3381fb-4bd0-405c-a8e4-6cacfac3b06c	powershell
777	persistence	T1546	Event Triggered Execution	1	Persistence with Custom AutodialDLL	aca9ae16-7425-4b6d-8c30-cad306fdbd5b	powershell
778	persistence	T1546	Event Triggered Execution	2	HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)	a574dafe-a903-4cce-9701-14040f4f3532	powershell
779	persistence	T1546	Event Triggered Execution	3	HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)	36b8dbf9-59b1-4e9b-a3bb-36e80563ef01	powershell
780	persistence	T1546	Event Triggered Execution	4	WMI Invoke-CimMethod Start Process	adae83d3-0df6-45e7-b2c3-575f91584577	powershell
781	persistence	T1547.002	Authentication Package	1	Authentication Package	be2590e8-4ac3-47ac-b4b5-945820f2fbe9	powershell
782	persistence	T1546.015	Event Triggered Execution: Component Object Model Hijacking	1	COM Hijacking - InprocServer32	48117158-d7be-441b-bc6a-d9e36e47b52b	powershell
783	persistence	T1546.015	Event Triggered Execution: Component Object Model Hijacking	2	Powershell Execute COM Object	752191b1-7c71-445c-9dbe-21bb031b18eb	powershell
784	persistence	T1546.015	Event Triggered Execution: Component Object Model Hijacking	3	COM Hijacking with RunDLL32 (Local Server Switch)	123520cc-e998-471b-a920-bd28e3feafa0	powershell
785	persistence	T1546.015	Event Triggered Execution: Component Object Model Hijacking	4	COM hijacking via TreatAs	33eacead-f117-4863-8eb0-5c6304fbfaa9	powershell
786	persistence	T1137.004	Office Application Startup: Outlook Home Page	1	Install Outlook Home Page Persistence	7a91ad51-e6d2-4d43-9471-f26362f5738e	command_prompt
787	persistence	T1574.009	Hijack Execution Flow: Path Interception by Unquoted Path	1	Execution of program.exe as service with unquoted service path	2770dea7-c50f-457b-84c4-c40a47460d9f	command_prompt
788	persistence	T1197	BITS Jobs	1	Bitsadmin Download (cmd)	3c73d728-75fb-4180-a12f-6712864d7421	command_prompt
789	persistence	T1197	BITS Jobs	2	Bitsadmin Download (PowerShell)	f63b8bc4-07e5-4112-acba-56f646f3f0bc	powershell
790	persistence	T1197	BITS Jobs	3	Persist, Download, & Execute	62a06ec5-5754-47d2-bcfc-123d8314c6ae	command_prompt
791	persistence	T1197	BITS Jobs	4	Bits download using desktopimgdownldr.exe (cmd)	afb5e09e-e385-4dee-9a94-6ee60979d114	command_prompt
792	persistence	T1546.010	Event Triggered Execution: AppInit DLLs	1	Install AppInit Shim	a58d9386-3080-4242-ab5f-454c16503d18	command_prompt
793	persistence	T1546.002	Event Triggered Execution: Screensaver	1	Set Arbitrary Binary as Screensaver	281201e7-de41-4dc9-b73d-f288938cbb64	command_prompt
794	persistence	T1574.002	Hijack Execution Flow: DLL Side-Loading	1	DLL Side-Loading using the Notepad++ GUP.exe binary	65526037-7079-44a9-bda1-2cb624838040	command_prompt
795	persistence	T1574.002	Hijack Execution Flow: DLL Side-Loading	2	DLL Side-Loading using the dotnet startup hook environment variable	d322cdd7-7d60-46e3-9111-648848da7c02	command_prompt
796	persistence	T1037.001	Boot or Logon Initialization Scripts: Logon Script (Windows)	1	Logon Scripts	d6042746-07d4-4c92-9ad8-e644c114a231	command_prompt
797	persistence	T1137.002	Office Application Startup: Office Test	1	Office Application Startup Test Persistence (HKCU)	c3e35b58-fe1c-480b-b540-7600fb612563	powershell
798	persistence	T1547.008	Boot or Logon Autostart Execution: LSASS Driver	1	Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt	8ecef16d-d289-46b4-917b-0dba6dc81cf1	powershell
799	persistence	T1053.002	Scheduled Task/Job: At	1	At.exe Scheduled task	4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8	command_prompt
800	persistence	T1546.007	Event Triggered Execution: Netsh Helper DLL	1	Netsh Helper DLL Registration	3244697d-5a3a-4dfc-941c-550f69f91a4d	command_prompt
801	persistence	T1078.003	Valid Accounts: Local Accounts	1	Create local account with admin privileges	a524ce99-86de-4db6-b4f9-e08f35a47a15	command_prompt
802	persistence	T1078.003	Valid Accounts: Local Accounts	6	WinPwn - Loot local Credentials - powerhell kittie	9e9fd066-453d-442f-88c1-ad7911d32912	powershell
803	persistence	T1078.003	Valid Accounts: Local Accounts	7	WinPwn - Loot local Credentials - Safetykatz	e9fdb899-a980-4ba4-934b-486ad22e22f4	powershell
804	persistence	T1574.012	Hijack Execution Flow: COR_PROFILER	1	User scope COR_PROFILER	9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a	powershell
805	persistence	T1574.012	Hijack Execution Flow: COR_PROFILER	2	System Scope COR_PROFILER	f373b482-48c8-4ce4-85ed-d40c8b3f7310	powershell
806	persistence	T1574.012	Hijack Execution Flow: COR_PROFILER	3	Registry-free process scope COR_PROFILER	79d57242-bbef-41db-b301-9d01d9f6e817	powershell
807	command-and-control	T1132.001	Data Encoding: Standard Encoding	3	XOR Encoded data.	c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08	powershell
808	command-and-control	T1071.004	Application Layer Protocol: DNS	1	DNS Large Query Volume	1700f5d6-5a44-487b-84de-bc66f507b0a6	powershell
809	command-and-control	T1071.004	Application Layer Protocol: DNS	2	DNS Regular Beaconing	3efc144e-1af8-46bb-8ca2-1376bb6db8b6	powershell
810	command-and-control	T1071.004	Application Layer Protocol: DNS	3	DNS Long Domain Query	fef31710-223a-40ee-8462-a396d6b66978	powershell
811	command-and-control	T1071.004	Application Layer Protocol: DNS	4	DNS C2	e7bf9802-2e78-4db9-93b5-181b7bcd37d7	powershell
812	command-and-control	T1071	Application Layer Protocol	1	Telnet C2	3b0df731-030c-4768-b492-2a3216d90e53	powershell
813	command-and-control	T1219	Remote Access Software	1	TeamViewer Files Detected Test on Windows	8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0	powershell
814	command-and-control	T1219	Remote Access Software	2	AnyDesk Files Detected Test on Windows	6b8b7391-5c0a-4f8c-baee-78d8ce0ce330	powershell
815	command-and-control	T1219	Remote Access Software	3	LogMeIn Files Detected Test on Windows	d03683ec-aae0-42f9-9b4c-534780e0f8e1	powershell
816	command-and-control	T1219	Remote Access Software	4	GoToAssist Files Detected Test on Windows	1b72b3bd-72f8-4b63-a30b-84e91b9c3578	powershell
817	command-and-control	T1219	Remote Access Software	5	ScreenConnect Application Download and Install on Windows	4a18cc4e-416f-4966-9a9d-75731c4684c0	powershell
818	command-and-control	T1219	Remote Access Software	6	Ammyy Admin Software Execution	0ae9e327-3251-465a-a53b-485d4e3f58fa	powershell
819	command-and-control	T1219	Remote Access Software	7	RemotePC Software Execution	fbff3f1f-b0bf-448e-840f-7e1687affdce	powershell
820	command-and-control	T1219	Remote Access Software	8	NetSupport - RAT Execution	ecca999b-e0c8-40e8-8416-ad320b146a75	powershell
821	command-and-control	T1219	Remote Access Software	9	UltraViewer - RAT Execution	19acf63b-55c4-4b6a-8552-00a8865105c8	powershell
822	command-and-control	T1219	Remote Access Software	10	UltraVNC Execution	42e51815-a6cc-4c75-b970-3f0ff54b610e	powershell
823	command-and-control	T1219	Remote Access Software	11	MSP360 Connect Execution	b1b8128b-c5d4-4de9-bf70-e60419274562	powershell
824	command-and-control	T1219	Remote Access Software	12	RustDesk Files Detected Test on Windows	f1641ba9-919a-4323-b74f-33372333bf0e	powershell
825	command-and-control	T1572	Protocol Tunneling	1	DNS over HTTPS Large Query Volume	ae9ef4b0-d8c1-49d4-8758-06206f19af0a	powershell
826	command-and-control	T1572	Protocol Tunneling	2	DNS over HTTPS Regular Beaconing	0c5f9705-c575-42a6-9609-cbbff4b2fc9b	powershell
827	command-and-control	T1572	Protocol Tunneling	3	DNS over HTTPS Long Domain Query	748a73d5-cea4-4f34-84d8-839da5baa99c	powershell
828	command-and-control	T1572	Protocol Tunneling	4	run ngrok	4cdc9fc7-53fb-4894-9f0c-64836943ea60	powershell
829	command-and-control	T1090.003	Proxy: Multi-hop Proxy	1	Psiphon	14d55ca0-920e-4b44-8425-37eedd72b173	powershell
830	command-and-control	T1090.003	Proxy: Multi-hop Proxy	2	Tor Proxy Usage - Windows	7b9d85e5-c4ce-4434-8060-d3de83595e69	powershell
831	command-and-control	T1571	Non-Standard Port	1	Testing usage of uncommonly used port with PowerShell	21fe622f-8e53-4b31-ba83-6d333c2583f4	powershell
832	command-and-control	T1573	Encrypted Channel	1	OpenSSL C2	21caf58e-87ad-440c-a6b8-3ac259964003	powershell
833	command-and-control	T1095	Non-Application Layer Protocol	1	ICMP C2	0268e63c-e244-42db-bef7-72a9e59fc1fc	powershell
834	command-and-control	T1095	Non-Application Layer Protocol	2	Netcat C2	bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37	powershell
835	command-and-control	T1095	Non-Application Layer Protocol	3	Powercat C2	3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e	powershell
836	command-and-control	T1071.001	Application Layer Protocol: Web Protocols	1	Malicious User Agents - Powershell	81c13829-f6c9-45b8-85a6-053366d55297	powershell
837	command-and-control	T1071.001	Application Layer Protocol: Web Protocols	2	Malicious User Agents - CMD	dc3488b0-08c7-4fea-b585-905c83b48180	command_prompt
838	command-and-control	T1105	Ingress Tool Transfer	7	certutil download (urlcache)	dd3b61dd-7bbc-48cd-ab51-49ad1a776df0	command_prompt
839	command-and-control	T1105	Ingress Tool Transfer	8	certutil download (verifyctl)	ffd492e3-0455-4518-9fb1-46527c9f241b	powershell
840	command-and-control	T1105	Ingress Tool Transfer	9	Windows - BITSAdmin BITS Download	a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b	command_prompt
841	command-and-control	T1105	Ingress Tool Transfer	10	Windows - PowerShell Download	42dc4460-9aa6-45d3-b1a6-3955d34e1fe8	powershell
842	command-and-control	T1105	Ingress Tool Transfer	11	OSTAP Worming Activity	2ca61766-b456-4fcf-a35a-1233685e1cad	command_prompt
843	command-and-control	T1105	Ingress Tool Transfer	12	svchost writing a file to a UNC path	fa5a2759-41d7-4e13-a19c-e8f28a53566f	command_prompt
844	command-and-control	T1105	Ingress Tool Transfer	13	Download a File with Windows Defender MpCmdRun.exe	815bef8b-bf91-4b67-be4c-abe4c2a94ccc	command_prompt
845	command-and-control	T1105	Ingress Tool Transfer	15	File Download via PowerShell	54a4daf1-71df-4383-9ba7-f1a295d8b6d2	powershell
846	command-and-control	T1105	Ingress Tool Transfer	16	File download with finger.exe on Windows	5f507e45-8411-4f99-84e7-e38530c45d01	command_prompt
847	command-and-control	T1105	Ingress Tool Transfer	17	Download a file with IMEWDBLD.exe	1a02df58-09af-4064-a765-0babe1a0d1e2	powershell
848	command-and-control	T1105	Ingress Tool Transfer	18	Curl Download File	2b080b99-0deb-4d51-af0f-833d37c4ca6a	command_prompt
849	command-and-control	T1105	Ingress Tool Transfer	19	Curl Upload File	635c9a38-6cbf-47dc-8615-3810bc1167cf	command_prompt
850	command-and-control	T1105	Ingress Tool Transfer	20	Download a file with Microsoft Connection Manager Auto-Download	d239772b-88e2-4a2e-8473-897503401bcc	command_prompt
851	command-and-control	T1105	Ingress Tool Transfer	21	MAZE Propagation Script	70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf	powershell
852	command-and-control	T1105	Ingress Tool Transfer	22	Printer Migration Command-Line Tool UNC share folder into a zip file	49845fc1-7961-4590-a0f0-3dbcf065ae7e	command_prompt
853	command-and-control	T1105	Ingress Tool Transfer	23	Lolbas replace.exe use to copy file	54782d65-12f0-47a5-b4c1-b70ee23de6df	command_prompt
854	command-and-control	T1105	Ingress Tool Transfer	24	Lolbas replace.exe use to copy UNC file	ed0335ac-0354-400c-8148-f6151d20035a	command_prompt
855	command-and-control	T1105	Ingress Tool Transfer	25	certreq download	6fdaae87-c05b-42f8-842e-991a74e8376b	command_prompt
856	command-and-control	T1105	Ingress Tool Transfer	26	Download a file using wscript	97116a3f-efac-4b26-8336-b9cb18c45188	command_prompt
857	command-and-control	T1105	Ingress Tool Transfer	28	Nimgrab - Transfer Files	b1729c57-9384-4d1c-9b99-9b220afb384e	command_prompt
858	command-and-control	T1105	Ingress Tool Transfer	29	iwr or Invoke Web-Request download	c01cad7f-7a4c-49df-985e-b190dcf6a279	command_prompt
859	command-and-control	T1090.001	Proxy: Internal Proxy	3	portproxy reg key	b8223ea9-4be2-44a6-b50a-9657a3d4e72a	powershell
860	collection	T1560.001	Archive Collected Data: Archive via Utility	1	Compress Data for Exfiltration With Rar	02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0	command_prompt
861	collection	T1560.001	Archive Collected Data: Archive via Utility	2	Compress Data and lock with password for Exfiltration with winrar	8dd61a55-44c6-43cc-af0c-8bdda276860c	command_prompt
862	collection	T1560.001	Archive Collected Data: Archive via Utility	3	Compress Data and lock with password for Exfiltration with winzip	01df0353-d531-408d-a0c5-3161bf822134	command_prompt
863	collection	T1560.001	Archive Collected Data: Archive via Utility	4	Compress Data and lock with password for Exfiltration with 7zip	d1334303-59cb-4a03-8313-b3e24d02c198	command_prompt
864	collection	T1560.001	Archive Collected Data: Archive via Utility	10	ESXi - Remove Syslog remote IP	36c62584-d360-41d6-886f-d194654be7c2	powershell
865	collection	T1113	Screen Capture	7	Windows Screencapture	3c898f62-626c-47d5-aad2-6de873d69153	powershell
866	collection	T1113	Screen Capture	8	Windows Screen Capture (CopyFromScreen)	e9313014-985a-48ef-80d9-cde604ffc187	powershell
867	collection	T1056.001	Input Capture: Keylogging	1	Input Capture	d9b633ca-8efb-45e6-b838-70f595c6ae26	powershell
868	collection	T1123	Audio Capture	1	using device audio capture commandlet	9c3ad250-b185-4444-b5a9-d69218a10c95	powershell
869	collection	T1123	Audio Capture	2	Registry artefact when application use microphone	7a21cce2-6ada-4f7c-afd9-e1e9c481e44a	command_prompt
870	collection	T1074.001	Data Staged: Local Data Staging	1	Stage data from Discovery.bat	107706a5-6f9f-451a-adae-bab8c667829f	powershell
871	collection	T1074.001	Data Staged: Local Data Staging	3	Zip a Folder with PowerShell for Staging in Temp	a57fbe4b-3440-452a-88a7-943531ac872a	powershell
872	collection	T1114.001	Email Collection: Local Email Collection	1	Email Collection with PowerShell Get-Inbox	3f1b5096-0139-4736-9b78-19bcb02bb1cb	powershell
873	collection	T1119	Automated Collection	1	Automated Collection Command Prompt	cb379146-53f1-43e0-b884-7ce2c635ff5b	command_prompt
874	collection	T1119	Automated Collection	2	Automated Collection PowerShell	634bd9b9-dc83-4229-b19f-7f83ba9ad313	powershell
875	collection	T1119	Automated Collection	3	Recon information for export with PowerShell	c3f6d794-50dd-482f-b640-0384fbb7db26	powershell
876	collection	T1119	Automated Collection	4	Recon information for export with Command Prompt	aa1180e2-f329-4e1e-8625-2472ec0bfaf3	command_prompt
877	collection	T1115	Clipboard Data	1	Utilize Clipboard to store or execute commands from	0cd14633-58d4-4422-9ede-daa2c9474ae7	command_prompt
878	collection	T1115	Clipboard Data	2	Execute Commands from Clipboard using PowerShell	d6dc21af-bec9-4152-be86-326b6babd416	powershell
879	collection	T1115	Clipboard Data	4	Collect Clipboard Data via VBA	9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52	powershell
880	collection	T1005	Data from Local System	1	Search files of interest and save them to a single zip file (Windows)	d3d9af44-b8ad-4375-8b0a-4bff4b7e419c	powershell
881	collection	T1560	Archive Collected Data	1	Compress Data for Exfiltration With PowerShell	41410c60-614d-4b9d-b66e-b0192dd9c597	powershell
882	collection	T1557.001	Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay	1	LLMNR Poisoning with Inveigh (PowerShell)	deecd55f-afe0-4a62-9fba-4d1ba2deb321	powershell
883	collection	T1125	Video Capture	1	Registry artefact when application use webcam	6581e4a7-42e3-43c5-a0d2-5a0d62f9702a	command_prompt
884	collection	T1056.002	Input Capture: GUI Input Capture	2	PowerShell - Prompt User for Password	2b162bfd-0928-4d4c-9ec3-4d9f88374b52	powershell
885	collection	T1039	Data from Network Shared Drive	1	Copy a sensitive File over Administrative share with copy	6ed67921-1774-44ba-bac6-adb51ed60660	command_prompt
886	collection	T1039	Data from Network Shared Drive	2	Copy a sensitive File over Administrative share with Powershell	7762e120-5879-44ff-97f8-008b401b9a98	powershell
887	collection	T1056.004	Input Capture: Credential API Hooking	1	Hook PowerShell TLS Encrypt/Decrypt Messages	de1934ea-1fbf-425b-8795-65fb27dd7e33	powershell
888	lateral-movement	T1091	Replication Through Removable Media	1	USB Malware Spread Simulation	d44b7297-622c-4be8-ad88-ec40d7563c75	powershell
889	lateral-movement	T1021.002	Remote Services: SMB/Windows Admin Shares	1	Map admin share	3386975b-367a-4fbb-9d77-4dcf3639ffd3	command_prompt
890	lateral-movement	T1021.002	Remote Services: SMB/Windows Admin Shares	2	Map Admin Share PowerShell	514e9cd7-9207-4882-98b1-c8f791bae3c5	powershell
891	lateral-movement	T1021.002	Remote Services: SMB/Windows Admin Shares	3	Copy and Execute File with PsExec	0eb03d41-79e4-4393-8e57-6344856be1cf	command_prompt
892	lateral-movement	T1021.002	Remote Services: SMB/Windows Admin Shares	4	Execute command writing output to local Admin Share	d41aaab5-bdfe-431d-a3d5-c29e9136ff46	command_prompt
893	lateral-movement	T1021.006	Remote Services: Windows Remote Management	1	Enable Windows Remote Management	9059e8de-3d7d-4954-a322-46161880b9cf	powershell
894	lateral-movement	T1021.006	Remote Services: Windows Remote Management	2	Remote Code Execution with PS Credentials Using Invoke-Command	5295bd61-bd7e-4744-9d52-85962a4cf2d6	powershell
895	lateral-movement	T1021.006	Remote Services: Windows Remote Management	3	WinRM Access with Evil-WinRM	efe86d95-44c4-4509-ae42-7bfd9d1f5b3d	powershell
896	lateral-movement	T1021.003	Remote Services: Distributed Component Object Model	1	PowerShell Lateral Movement using MMC20	6dc74eb1-c9d6-4c53-b3b5-6f50ae339673	powershell
897	lateral-movement	T1021.003	Remote Services: Distributed Component Object Model	2	PowerShell Lateral Movement Using Excel Application Object	505f24be-1c11-4694-b614-e01ae1cd2570	powershell
898	lateral-movement	T1550.003	Use Alternate Authentication Material: Pass the Ticket	1	Mimikatz Kerberos Ticket Attack	dbf38128-7ba7-4776-bedf-cc2eed432098	command_prompt
899	lateral-movement	T1550.003	Use Alternate Authentication Material: Pass the Ticket	2	Rubeus Kerberos Pass The Ticket	a2fc4ec5-12c6-4fb4-b661-961f23f359cb	powershell
900	lateral-movement	T1072	Software Deployment Tools	1	Radmin Viewer Utility	b4988cad-6ed2-434d-ace5-ea2670782129	command_prompt
901	lateral-movement	T1072	Software Deployment Tools	2	PDQ Deploy RAT	e447b83b-a698-4feb-bed1-a7aaf45c3443	command_prompt
902	lateral-movement	T1570	Lateral Tool Transfer	1	Exfiltration Over SMB over QUIC (New-SmbMapping)	d8d13303-159e-4f33-89f4-9f07812d016f	powershell
903	lateral-movement	T1570	Lateral Tool Transfer	2	Exfiltration Over SMB over QUIC (NET USE)	183235ca-8e6c-422c-88c2-3aa28c4825d9	powershell
904	lateral-movement	T1563.002	Remote Service Session Hijacking: RDP Hijacking	1	RDP hijacking	a37ac520-b911-458e-8aed-c5f1576d9f46	command_prompt
905	lateral-movement	T1550.002	Use Alternate Authentication Material: Pass the Hash	1	Mimikatz Pass the Hash	ec23cef9-27d9-46e4-a68d-6f75f7b86908	command_prompt
906	lateral-movement	T1550.002	Use Alternate Authentication Material: Pass the Hash	2	crackmapexec Pass the Hash	eb05b028-16c8-4ad8-adea-6f5b219da9a9	command_prompt
907	lateral-movement	T1550.002	Use Alternate Authentication Material: Pass the Hash	3	Invoke-WMIExec Pass the Hash	f8757545-b00a-4e4e-8cfb-8cfb961ee713	powershell
908	lateral-movement	T1021.001	Remote Services: Remote Desktop Protocol	1	RDP to DomainController	355d4632-8cb9-449d-91ce-b566d0253d3e	powershell
909	lateral-movement	T1021.001	Remote Services: Remote Desktop Protocol	2	Changing RDP Port to Non Standard Port via Powershell	2f840dd4-8a2e-4f44-beb3-6b2399ea3771	powershell
910	lateral-movement	T1021.001	Remote Services: Remote Desktop Protocol	3	Changing RDP Port to Non Standard Port via Command_Prompt	74ace21e-a31c-4f7d-b540-53e4eb6d1f73	command_prompt
911	lateral-movement	T1021.001	Remote Services: Remote Desktop Protocol	4	Disable NLA for RDP via Command Prompt	01d1c6c0-faf0-408e-b368-752a02285cb2	command_prompt
912	credential-access	T1056.001	Input Capture: Keylogging	1	Input Capture	d9b633ca-8efb-45e6-b838-70f595c6ae26	powershell
913	credential-access	T1110.001	Brute Force: Password Guessing	1	Brute Force Credentials of single Active Directory domain users via SMB	09480053-2f98-4854-be6e-71ae5f672224	command_prompt
914	credential-access	T1110.001	Brute Force: Password Guessing	2	Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)	c2969434-672b-4ec8-8df0-bbb91f40e250	powershell
915	credential-access	T1110.001	Brute Force: Password Guessing	4	Password Brute User using Kerbrute Tool	59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4	powershell
916	credential-access	T1110.001	Brute Force: Password Guessing	8	ESXi - Brute Force Until Account Lockout	ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5	powershell
917	credential-access	T1003	OS Credential Dumping	1	Gsecdump	96345bfc-8ae7-4b6a-80b7-223200f24ef9	command_prompt
918	credential-access	T1003	OS Credential Dumping	2	Credential Dumping with NPPSpy	9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6	powershell
919	credential-access	T1003	OS Credential Dumping	3	Dump svchost.exe to gather RDP credentials	d400090a-d8ca-4be0-982e-c70598a23de9	powershell
920	credential-access	T1003	OS Credential Dumping	4	Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)	6c7a4fd3-5b0b-4b30-a93e-39411b25d889	powershell
921	credential-access	T1003	OS Credential Dumping	5	Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)	42510244-5019-48fa-a0e5-66c3b76e6049	powershell
922	credential-access	T1003	OS Credential Dumping	6	Dump Credential Manager using keymgr.dll and rundll32.exe	84113186-ed3c-4d0d-8a3c-8980c86c1f4a	powershell
923	credential-access	T1539	Steal Web Session Cookie	1	Steal Firefox Cookies (Windows)	4b437357-f4e9-4c84-9fa6-9bcee6f826aa	powershell
924	credential-access	T1539	Steal Web Session Cookie	2	Steal Chrome Cookies (Windows)	26a6b840-4943-4965-8df5-ef1f9a282440	powershell
925	credential-access	T1003.002	OS Credential Dumping: Security Account Manager	1	Registry dump of SAM, creds, and secrets	5c2571d0-1572-416d-9676-812e64ca9f44	command_prompt
926	credential-access	T1003.002	OS Credential Dumping: Security Account Manager	2	Registry parse with pypykatz	a96872b2-cbf3-46cf-8eb4-27e8c0e85263	command_prompt
927	credential-access	T1003.002	OS Credential Dumping: Security Account Manager	3	esentutl.exe SAM copy	a90c2f4d-6726-444e-99d2-a00cd7c20480	command_prompt
928	credential-access	T1003.002	OS Credential Dumping: Security Account Manager	4	PowerDump Hashes and Usernames from Registry	804f28fc-68fc-40da-b5a2-e9d0bce5c193	powershell
929	credential-access	T1003.002	OS Credential Dumping: Security Account Manager	5	dump volume shadow copy hives with certutil	eeb9751a-d598-42d3-b11c-c122d9c3f6c7	command_prompt
930	credential-access	T1003.002	OS Credential Dumping: Security Account Manager	6	dump volume shadow copy hives with System.IO.File	9d77fed7-05f8-476e-a81b-8ff0472c64d0	powershell
931	credential-access	T1003.002	OS Credential Dumping: Security Account Manager	7	WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes	0c0f5f06-166a-4f4d-bb4a-719df9a01dbb	powershell
932	credential-access	T1110.002	Brute Force: Password Cracking	1	Password Cracking with Hashcat	6d27df5d-69d4-4c91-bc33-5983ffe91692	command_prompt
933	credential-access	T1003.004	OS Credential Dumping: LSA Secrets	1	Dumping LSA Secrets	55295ab0-a703-433b-9ca4-ae13807de12f	command_prompt
934	credential-access	T1040	Network Sniffing	4	Packet Capture Windows Command Prompt	a5b2f6a0-24b4-493e-9590-c699f75723ca	command_prompt
935	credential-access	T1040	Network Sniffing	5	Windows Internal Packet Capture	b5656f67-d67f-4de8-8e62-b5581630f528	command_prompt
936	credential-access	T1040	Network Sniffing	6	Windows Internal pktmon capture	c67ba807-f48b-446e-b955-e4928cd1bf91	command_prompt
937	credential-access	T1040	Network Sniffing	7	Windows Internal pktmon set filter	855fb8b4-b8ab-4785-ae77-09f5df7bff55	command_prompt
938	credential-access	T1040	Network Sniffing	16	PowerShell Network Sniffing	9c15a7de-de14-46c3-bc2a-6d94130986ae	powershell
939	credential-access	T1552.002	Unsecured Credentials: Credentials in Registry	1	Enumeration for Credentials in Registry	b6ec082c-7384-46b3-a111-9a9b8b14e5e7	command_prompt
940	credential-access	T1552.002	Unsecured Credentials: Credentials in Registry	2	Enumeration for PuTTY Credentials in Registry	af197fd7-e868-448e-9bd5-05d1bcd9d9e5	command_prompt
941	credential-access	T1556.002	Modify Authentication Process: Password Filter DLL	1	Install and Register Password Filter DLL	a7961770-beb5-4134-9674-83d7e1fa865c	powershell
942	credential-access	T1558.004	Steal or Forge Kerberos Tickets: AS-REP Roasting	1	Rubeus asreproast	615bd568-2859-41b5-9aed-61f6a88e48dd	powershell
943	credential-access	T1558.004	Steal or Forge Kerberos Tickets: AS-REP Roasting	2	Get-DomainUser with PowerView	d6139549-7b72-4e48-9ea1-324fc9bdf88a	powershell
944	credential-access	T1558.004	Steal or Forge Kerberos Tickets: AS-REP Roasting	3	WinPwn - PowerSharpPack - Kerberoasting Using Rubeus	8c385f88-4d47-4c9a-814d-93d9deec8c71	powershell
945	credential-access	T1555	Credentials from Password Stores	1	Extract Windows Credential Manager via VBA	234f9b7c-b53d-4f32-897b-b880a6c9ea7b	powershell
946	credential-access	T1555	Credentials from Password Stores	2	Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]	c89becbe-1758-4e7d-a0f4-97d2188a23e3	powershell
947	credential-access	T1555	Credentials from Password Stores	3	Dump credentials from Windows Credential Manager With PowerShell [web Credentials]	8fd5a296-6772-4766-9991-ff4e92af7240	powershell
948	credential-access	T1555	Credentials from Password Stores	4	Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]	36753ded-e5c4-4eb5-bc3c-e8fba236878d	powershell
949	credential-access	T1555	Credentials from Password Stores	5	Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]	bc071188-459f-44d5-901a-f8f2625b2d2e	powershell
950	credential-access	T1555	Credentials from Password Stores	6	WinPwn - Loot local Credentials - lazagne	079ee2e9-6f16-47ca-a635-14efcd994118	powershell
951	credential-access	T1555	Credentials from Password Stores	7	WinPwn - Loot local Credentials - Wifi Credentials	afe369c2-b42e-447f-98a3-fb1f4e2b8552	powershell
952	credential-access	T1555	Credentials from Password Stores	8	WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords	db965264-3117-4bad-b7b7-2523b7856b92	powershell
953	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	1	Run Chrome-password Collector	8c05b133-d438-47ca-a630-19cc464c4622	powershell
954	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	3	LaZagne - Credentials from Browser	9a2915b3-3954-4cce-8c76-00fbf4dbd014	command_prompt
955	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	4	Simulating access to Chrome Login Data	3d111226-d09a-4911-8715-fe11664f960d	powershell
956	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	5	Simulating access to Opera Login Data	28498c17-57e4-495a-b0be-cc1e36de408b	powershell
957	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	6	Simulating access to Windows Firefox Login Data	eb8da98a-2e16-4551-b3dd-83de49baa14c	powershell
958	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	7	Simulating access to Windows Edge Login Data	a6a5ec26-a2d1-4109-9d35-58b867689329	powershell
959	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	8	Decrypt Mozilla Passwords with Firepwd.py	dc9cd677-c70f-4df5-bd1c-f114af3c2381	powershell
960	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	10	Stage Popular Credential Files for Exfiltration	f543635c-1705-42c3-b180-efd6dc6e7ee7	powershell
961	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	11	WinPwn - BrowserPwn	764ea176-fb71-494c-90ea-72e9d85dce76	powershell
962	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	12	WinPwn - Loot local Credentials - mimi-kittenz	ec1d0b37-f659-4186-869f-31a554891611	powershell
963	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	13	WinPwn - PowerSharpPack - Sharpweb for Browser Credentials	e5e3d639-6ea8-4408-9ecd-d5a286268ca0	powershell
964	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	15	WebBrowserPassView - Credentials from Browser	e359627f-2d90-4320-ba5e-b0f878155bbe	powershell
965	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	16	BrowserStealer (Chrome / Firefox / Microsoft Edge)	6f2c5c87-a4d5-4898-9bd1-47a55ecaf1dd	powershell
966	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	17	Dump Chrome Login Data with esentutl	70422253-8198-4019-b617-6be401b49fce	command_prompt
967	credential-access	T1552.004	Unsecured Credentials: Private Keys	1	Private Keys	520ce462-7ca7-441e-b5a5-f8347f632696	command_prompt
968	credential-access	T1552.004	Unsecured Credentials: Private Keys	9	ADFS token signing and encryption certificates theft - Local	78e95057-d429-4e66-8f82-0f060c1ac96f	powershell
969	credential-access	T1552.004	Unsecured Credentials: Private Keys	10	ADFS token signing and encryption certificates theft - Remote	cab413d8-9e4a-4b8d-9b84-c985bd73a442	powershell
970	credential-access	T1552.004	Unsecured Credentials: Private Keys	11	CertUtil ExportPFX	336b25bf-4514-4684-8924-474974f28137	powershell
971	credential-access	T1552.004	Unsecured Credentials: Private Keys	12	Export Root Certificate with Export-PFXCertificate	7617f689-bbd8-44bc-adcd-6f8968897848	powershell
972	credential-access	T1552.004	Unsecured Credentials: Private Keys	13	Export Root Certificate with Export-Certificate	78b274f8-acb0-428b-b1f7-7b0d0e73330a	powershell
973	credential-access	T1552.004	Unsecured Credentials: Private Keys	14	Export Certificates with Mimikatz	290df60e-4b5d-4a5e-b0c7-dc5348ea0c86	command_prompt
974	credential-access	T1557.001	Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay	1	LLMNR Poisoning with Inveigh (PowerShell)	deecd55f-afe0-4a62-9fba-4d1ba2deb321	powershell
975	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	1	Dump LSASS.exe Memory using ProcDump	0be2230c-9ab3-4ac2-8826-3199b9a0ebf8	command_prompt
976	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	2	Dump LSASS.exe Memory using comsvcs.dll	2536dee2-12fb-459a-8c37-971844fa73be	powershell
977	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	3	Dump LSASS.exe Memory using direct system calls and API unhooking	7ae7102c-a099-45c8-b985-4c7a2d05790d	command_prompt
978	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	4	Dump LSASS.exe Memory using NanoDump	dddd4aca-bbed-46f0-984d-e4c5971c51ea	command_prompt
979	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	5	Dump LSASS.exe Memory using Windows Task Manager	dea6c349-f1c6-44f3-87a1-1ed33a59a607	manual
980	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	6	Offline Credential Theft With Mimikatz	453acf13-1dbd-47d7-b28a-172ce9228023	command_prompt
981	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	7	LSASS read with pypykatz	c37bc535-5c62-4195-9cc3-0517673171d8	command_prompt
982	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	8	Dump LSASS.exe Memory using Out-Minidump.ps1	6502c8f0-b775-4dbd-9193-1298f56b6781	powershell
983	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	9	Create Mini Dump of LSASS.exe using ProcDump	7cede33f-0acd-44ef-9774-15511300b24b	command_prompt
984	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	10	Powershell Mimikatz	66fb0bc1-3c3f-47e9-a298-550ecfefacbc	powershell
985	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	11	Dump LSASS with createdump.exe from .Net v5	9d0072c8-7cca-45c4-bd14-f852cfa35cf0	powershell
986	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	12	Dump LSASS.exe using imported Microsoft DLLs	86fc3f40-237f-4701-b155-81c01c48d697	powershell
987	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	13	Dump LSASS.exe using lolbin rdrleakdiag.exe	47a539d1-61b9-4364-bf49-a68bc2a95ef0	powershell
988	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	14	Dump LSASS.exe Memory through Silent Process Exit	eb5adf16-b601-4926-bca7-dad22adffb37	command_prompt
989	credential-access	T1110.003	Brute Force: Password Spraying	1	Password Spray all Domain Users	90bc2e54-6c84-47a5-9439-0a2a92b4b175	command_prompt
990	credential-access	T1110.003	Brute Force: Password Spraying	2	Password Spray (DomainPasswordSpray)	263ae743-515f-4786-ac7d-41ef3a0d4b2b	powershell
991	credential-access	T1110.003	Brute Force: Password Spraying	3	Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)	f14d956a-5b6e-4a93-847f-0c415142f07d	powershell
992	credential-access	T1110.003	Brute Force: Password Spraying	5	WinPwn - DomainPasswordSpray Attacks	5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82	powershell
993	credential-access	T1110.003	Brute Force: Password Spraying	6	Password Spray Invoke-DomainPasswordSpray Light	b15bc9a5-a4f3-4879-9304-ea0011ace63a	powershell
994	credential-access	T1110.003	Brute Force: Password Spraying	8	Password Spray using Kerbrute Tool	c6f25ec3-6475-47a9-b75d-09ac593c5ecb	powershell
995	credential-access	T1003.005	OS Credential Dumping: Cached Domain Credentials	1	Cached Credential Dump via Cmdkey	56506854-89d6-46a3-9804-b7fde90791f9	command_prompt
996	credential-access	T1558.001	Steal or Forge Kerberos Tickets: Golden Ticket	1	Crafting Active Directory golden tickets with mimikatz	9726592a-dabc-4d4d-81cd-44070008b3af	powershell
997	credential-access	T1558.001	Steal or Forge Kerberos Tickets: Golden Ticket	2	Crafting Active Directory golden tickets with Rubeus	e42d33cd-205c-4acf-ab59-a9f38f6bad9c	powershell
998	credential-access	T1649	Steal or Forge Authentication Certificates	1	Staging Local Certificates via Export-Certificate	eb121494-82d1-4148-9e2b-e624e03fbf3d	powershell
999	credential-access	T1552.001	Unsecured Credentials: Credentials In Files	4	Extracting passwords with findstr	0e56bf29-ff49-4ea5-9af4-3b81283fd513	powershell
1000	credential-access	T1552.001	Unsecured Credentials: Credentials In Files	5	Access unattend.xml	367d4004-5fc0-446d-823f-960c74ae52c3	command_prompt
1001	credential-access	T1552.001	Unsecured Credentials: Credentials In Files	7	WinPwn - sensitivefiles	114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0	powershell
1002	credential-access	T1552.001	Unsecured Credentials: Credentials In Files	8	WinPwn - Snaffler	fdd0c913-714b-4c13-b40f-1824d6c015f2	powershell
1003	credential-access	T1552.001	Unsecured Credentials: Credentials In Files	9	WinPwn - powershellsensitive	75f66e03-37d3-4704-9520-3210efbe33ce	powershell
1004	credential-access	T1552.001	Unsecured Credentials: Credentials In Files	10	WinPwn - passhunt	00e3e3c7-6c3c-455e-bd4b-461c7f0e7797	powershell
1005	credential-access	T1552.001	Unsecured Credentials: Credentials In Files	11	WinPwn - SessionGopher	c9dc9de3-f961-4284-bd2d-f959c9f9fda5	powershell
1006	credential-access	T1552.001	Unsecured Credentials: Credentials In Files	12	WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials	aaa87b0e-5232-4649-ae5c-f1724a4b2798	powershell
1007	credential-access	T1552.006	Unsecured Credentials: Group Policy Preferences	1	GPP Passwords (findstr)	870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f	command_prompt
1008	credential-access	T1552.006	Unsecured Credentials: Group Policy Preferences	2	GPP Passwords (Get-GPPPassword)	e9584f82-322c-474a-b831-940fd8b4455c	powershell
1009	credential-access	T1056.002	Input Capture: GUI Input Capture	2	PowerShell - Prompt User for Password	2b162bfd-0928-4d4c-9ec3-4d9f88374b52	powershell
1010	credential-access	T1110.004	Brute Force: Credential Stuffing	4	Brute Force:Credential Stuffing using Kerbrute Tool	4852c630-87a9-409b-bb5e-5dc12c9ebcde	powershell
1011	credential-access	T1187	Forced Authentication	1	PetitPotam	485ce873-2e65-4706-9c7e-ae3ab9e14213	powershell
1012	credential-access	T1187	Forced Authentication	2	WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS	7f06b25c-799e-40f1-89db-999c9cc84317	powershell
1013	credential-access	T1558.002	Steal or Forge Kerberos Tickets: Silver Ticket	1	Crafting Active Directory silver tickets with mimikatz	385e59aa-113e-4711-84d9-f637aef01f2c	powershell
1014	credential-access	T1555.004	Credentials from Password Stores: Windows Credential Manager	1	Access Saved Credentials via VaultCmd	9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439	command_prompt
1015	credential-access	T1555.004	Credentials from Password Stores: Windows Credential Manager	2	WinPwn - Loot local Credentials - Invoke-WCMDump	fa714db1-63dd-479e-a58e-7b2b52ca5997	powershell
1016	credential-access	T1003.003	OS Credential Dumping: NTDS	1	Create Volume Shadow Copy with vssadmin	dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f	command_prompt
1017	credential-access	T1003.003	OS Credential Dumping: NTDS	2	Copy NTDS.dit from Volume Shadow Copy	c6237146-9ea6-4711-85c9-c56d263a6b03	command_prompt
1018	credential-access	T1003.003	OS Credential Dumping: NTDS	3	Dump Active Directory Database with NTDSUtil	2364e33d-ceab-4641-8468-bfb1d7cc2723	command_prompt
1019	credential-access	T1003.003	OS Credential Dumping: NTDS	4	Create Volume Shadow Copy with WMI	224f7de0-8f0a-4a94-b5d8-989b036c86da	command_prompt
1020	credential-access	T1003.003	OS Credential Dumping: NTDS	5	Create Volume Shadow Copy remotely with WMI	d893459f-71f0-484d-9808-ec83b2b64226	command_prompt
1021	credential-access	T1003.003	OS Credential Dumping: NTDS	6	Create Volume Shadow Copy remotely (WMI) with esentutl	21c7bf80-3e8b-40fa-8f9d-f5b194ff2865	command_prompt
1022	credential-access	T1003.003	OS Credential Dumping: NTDS	7	Create Volume Shadow Copy with Powershell	542bb97e-da53-436b-8e43-e0a7d31a6c24	powershell
1023	credential-access	T1003.003	OS Credential Dumping: NTDS	8	Create Symlink to Volume Shadow Copy	21748c28-2793-4284-9e07-d6d028b66702	command_prompt
1024	credential-access	T1003.003	OS Credential Dumping: NTDS	9	Create Volume Shadow Copy with diskshadow	b385996c-0e7d-4e27-95a4-aca046b119a7	command_prompt
1025	credential-access	T1558.003	Steal or Forge Kerberos Tickets: Kerberoasting	1	Request for service tickets	3f987809-3681-43c8-bcd8-b3ff3a28533a	powershell
1026	credential-access	T1558.003	Steal or Forge Kerberos Tickets: Kerberoasting	2	Rubeus kerberoast	14625569-6def-4497-99ac-8e7817105b55	powershell
1027	credential-access	T1558.003	Steal or Forge Kerberos Tickets: Kerberoasting	3	Extract all accounts in use as SPN using setspn	e6f4affd-d826-4871-9a62-6c9004b8fe06	command_prompt
1028	credential-access	T1558.003	Steal or Forge Kerberos Tickets: Kerberoasting	4	Request A Single Ticket via PowerShell	988539bc-2ed7-4e62-aec6-7c5cf6680863	powershell
1029	credential-access	T1558.003	Steal or Forge Kerberos Tickets: Kerberoasting	5	Request All Tickets via PowerShell	902f4ed2-1aba-4133-90f2-cff6d299d6da	powershell
1030	credential-access	T1558.003	Steal or Forge Kerberos Tickets: Kerberoasting	6	WinPwn - Kerberoasting	78d10e20-c874-45f2-a9df-6fea0120ec27	powershell
1031	credential-access	T1558.003	Steal or Forge Kerberos Tickets: Kerberoasting	7	WinPwn - PowerSharpPack - Kerberoasting Using Rubeus	29094950-2c96-4cbd-b5e4-f7c65079678f	powershell
1032	credential-access	T1003.006	OS Credential Dumping: DCSync	1	DCSync (Active Directory)	129efd28-8497-4c87-a1b0-73b9a870ca3e	command_prompt
1033	credential-access	T1003.006	OS Credential Dumping: DCSync	2	Run DSInternals Get-ADReplAccount	a0bced08-3fc5-4d8b-93b7-e8344739376e	powershell
1034	credential-access	T1056.004	Input Capture: Credential API Hooking	1	Hook PowerShell TLS Encrypt/Decrypt Messages	de1934ea-1fbf-425b-8795-65fb27dd7e33	powershell
1035	discovery	T1033	System Owner/User Discovery	1	System Owner/User Discovery	4c4959bf-addf-4b4a-be86-8d09cc1857aa	command_prompt
1036	discovery	T1033	System Owner/User Discovery	3	Find computers where user has session - Stealth mode (PowerView)	29857f27-a36f-4f7e-8084-4557cd6207ca	powershell
1037	discovery	T1033	System Owner/User Discovery	4	User Discovery With Env Vars PowerShell Script	dcb6cdee-1fb0-4087-8bf8-88cfd136ba51	powershell
1038	discovery	T1033	System Owner/User Discovery	5	GetCurrent User with PowerShell Script	1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b	powershell
1039	discovery	T1033	System Owner/User Discovery	6	System Discovery - SocGholish whoami	3d257a03-eb80-41c5-b744-bb37ac7f65c7	powershell
1040	discovery	T1033	System Owner/User Discovery	7	System Owner/User Discovery Using Command Prompt	ba38e193-37a6-4c41-b214-61b33277fe36	command_prompt
1041	discovery	T1615	Group Policy Discovery	1	Display group policy information via gpresult	0976990f-53b1-4d3f-a185-6df5be429d3b	command_prompt
1042	discovery	T1615	Group Policy Discovery	2	Get-DomainGPO to display group policy information via PowerView	4e524c4e-0e02-49aa-8df5-93f3f7959b9f	powershell
1043	discovery	T1615	Group Policy Discovery	3	WinPwn - GPOAudit	bc25c04b-841e-4965-855f-d1f645d7ab73	powershell
1044	discovery	T1615	Group Policy Discovery	4	WinPwn - GPORemoteAccessPolicy	7230d01a-0a72-4bd5-9d7f-c6d472bc6a59	powershell
1045	discovery	T1615	Group Policy Discovery	5	MSFT Get-GPO Cmdlet	52778a8f-a10b-41a4-9eae-52ddb74072bf	powershell
1046	discovery	T1087.002	Account Discovery: Domain Account	1	Enumerate all accounts (Domain)	6fbc9e68-5ad7-444a-bd11-8bf3136c477e	command_prompt
1047	discovery	T1087.002	Account Discovery: Domain Account	2	Enumerate all accounts via PowerShell (Domain)	8b8a6449-be98-4f42-afd2-dedddc7453b2	powershell
1048	discovery	T1087.002	Account Discovery: Domain Account	3	Enumerate logged on users via CMD (Domain)	161dcd85-d014-4f5e-900c-d3eaae82a0f7	command_prompt
1049	discovery	T1087.002	Account Discovery: Domain Account	4	Automated AD Recon (ADRecon)	95018438-454a-468c-a0fa-59c800149b59	powershell
1050	discovery	T1087.002	Account Discovery: Domain Account	5	Adfind -Listing password policy	736b4f53-f400-4c22-855d-1a6b5a551600	command_prompt
1051	discovery	T1087.002	Account Discovery: Domain Account	6	Adfind - Enumerate Active Directory Admins	b95fd967-4e62-4109-b48d-265edfd28c3a	command_prompt
1052	discovery	T1087.002	Account Discovery: Domain Account	7	Adfind - Enumerate Active Directory User Objects	e1ec8d20-509a-4b9a-b820-06c9b2da8eb7	command_prompt
1053	discovery	T1087.002	Account Discovery: Domain Account	8	Adfind - Enumerate Active Directory Exchange AD Objects	5e2938fb-f919-47b6-8b29-2f6a1f718e99	command_prompt
1054	discovery	T1087.002	Account Discovery: Domain Account	9	Enumerate Default Domain Admin Details (Domain)	c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef	command_prompt
1055	discovery	T1087.002	Account Discovery: Domain Account	10	Enumerate Active Directory for Unconstrained Delegation	46f8dbe9-22a5-4770-8513-66119c5be63b	powershell
1056	discovery	T1087.002	Account Discovery: Domain Account	11	Get-DomainUser with PowerView	93662494-5ed7-4454-a04c-8c8372808ac2	powershell
1057	discovery	T1087.002	Account Discovery: Domain Account	12	Enumerate Active Directory Users with ADSISearcher	02e8be5a-3065-4e54-8cc8-a14d138834d3	powershell
1058	discovery	T1087.002	Account Discovery: Domain Account	13	Enumerate Linked Policies In ADSISearcher Discovery	7ab0205a-34e4-4a44-9b04-e1541d1a57be	powershell
1059	discovery	T1087.002	Account Discovery: Domain Account	14	Enumerate Root Domain linked policies Discovery	00c652e2-0750-4ca6-82ff-0204684a6fe4	powershell
1060	discovery	T1087.002	Account Discovery: Domain Account	15	WinPwn - generaldomaininfo	ce483c35-c74b-45a7-a670-631d1e69db3d	powershell
1061	discovery	T1087.002	Account Discovery: Domain Account	16	Kerbrute - userenum	f450461c-18d1-4452-9f0d-2c42c3f08624	powershell
1062	discovery	T1087.002	Account Discovery: Domain Account	17	Wevtutil - Discover NTLM Users Remote	b8a563d4-a836-4993-a74e-0a19b8481bfe	powershell
1063	discovery	T1087.002	Account Discovery: Domain Account	18	Suspicious LAPS Attributes Query with Get-ADComputer all properties	394012d9-2164-4d4f-b9e5-acf30ba933fe	powershell
1064	discovery	T1087.002	Account Discovery: Domain Account	19	Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property	6e85bdf9-7bc4-4259-ac0f-f0cb39964443	powershell
1065	discovery	T1087.002	Account Discovery: Domain Account	20	Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope	ffbcfd62-15d6-4989-a21a-80bfc8e58bb5	powershell
1066	discovery	T1087.002	Account Discovery: Domain Account	21	Suspicious LAPS Attributes Query with adfind all properties	abf00f6c-9983-4d9a-afbc-6b1c6c6448e1	powershell
1067	discovery	T1087.002	Account Discovery: Domain Account	22	Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd	51a98f96-0269-4e09-a10f-e307779a8b05	powershell
1068	discovery	T1087.001	Account Discovery: Local Account	8	Enumerate all accounts on Windows (Local)	80887bec-5a9b-4efc-a81d-f83eb2eb32ab	command_prompt
1069	discovery	T1087.001	Account Discovery: Local Account	9	Enumerate all accounts via PowerShell (Local)	ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b	powershell
1070	discovery	T1087.001	Account Discovery: Local Account	10	Enumerate logged on users via CMD (Local)	a138085e-bfe5-46ba-a242-74a6fb884af3	command_prompt
1071	discovery	T1497.001	Virtualization/Sandbox Evasion: System Checks	3	Detect Virtualization Environment (Windows)	502a7dc4-9d6f-4d28-abf2-f0e84692562d	powershell
1072	discovery	T1497.001	Virtualization/Sandbox Evasion: System Checks	5	Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)	4a41089a-48e0-47aa-82cb-5b81a463bc78	powershell
1073	discovery	T1069.002	Permission Groups Discovery: Domain Groups	1	Basic Permission Groups Discovery Windows (Domain)	dd66d77d-8998-48c0-8024-df263dc2ce5d	command_prompt
1074	discovery	T1069.002	Permission Groups Discovery: Domain Groups	2	Permission Groups Discovery PowerShell (Domain)	6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7	powershell
1075	discovery	T1069.002	Permission Groups Discovery: Domain Groups	3	Elevated group enumeration using net group (Domain)	0afb5163-8181-432e-9405-4322710c0c37	command_prompt
1076	discovery	T1069.002	Permission Groups Discovery: Domain Groups	4	Find machines where user has local admin access (PowerView)	a2d71eee-a353-4232-9f86-54f4288dd8c1	powershell
1077	discovery	T1069.002	Permission Groups Discovery: Domain Groups	5	Find local admins on all machines in domain (PowerView)	a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd	powershell
1078	discovery	T1069.002	Permission Groups Discovery: Domain Groups	6	Find Local Admins via Group Policy (PowerView)	64fdb43b-5259-467a-b000-1b02c00e510a	powershell
1079	discovery	T1069.002	Permission Groups Discovery: Domain Groups	7	Enumerate Users Not Requiring Pre Auth (ASRepRoast)	870ba71e-6858-4f6d-895c-bb6237f6121b	powershell
1080	discovery	T1069.002	Permission Groups Discovery: Domain Groups	8	Adfind - Query Active Directory Groups	48ddc687-82af-40b7-8472-ff1e742e8274	command_prompt
1081	discovery	T1069.002	Permission Groups Discovery: Domain Groups	9	Enumerate Active Directory Groups with Get-AdGroup	3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8	powershell
1082	discovery	T1069.002	Permission Groups Discovery: Domain Groups	10	Enumerate Active Directory Groups with ADSISearcher	9f4e344b-8434-41b3-85b1-d38f29d148d0	powershell
1083	discovery	T1069.002	Permission Groups Discovery: Domain Groups	11	Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)	43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8	powershell
1084	discovery	T1069.002	Permission Groups Discovery: Domain Groups	12	Get-DomainGroupMember with PowerView	46352f40-f283-4fe5-b56d-d9a71750e145	powershell
1085	discovery	T1069.002	Permission Groups Discovery: Domain Groups	13	Get-DomainGroup with PowerView	5a8a181c-2c8e-478d-a943-549305a01230	powershell
1086	discovery	T1069.002	Permission Groups Discovery: Domain Groups	14	Active Directory Enumeration with LDIFDE	22cf8cb9-adb1-4e8c-80ca-7c723dfc8784	command_prompt
1087	discovery	T1007	System Service Discovery	1	System Service Discovery	89676ba1-b1f8-47ee-b940-2e1a113ebc71	command_prompt
1088	discovery	T1007	System Service Discovery	2	System Service Discovery - net.exe	5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3	command_prompt
1089	discovery	T1040	Network Sniffing	4	Packet Capture Windows Command Prompt	a5b2f6a0-24b4-493e-9590-c699f75723ca	command_prompt
1090	discovery	T1040	Network Sniffing	5	Windows Internal Packet Capture	b5656f67-d67f-4de8-8e62-b5581630f528	command_prompt
1091	discovery	T1040	Network Sniffing	6	Windows Internal pktmon capture	c67ba807-f48b-446e-b955-e4928cd1bf91	command_prompt
1092	discovery	T1040	Network Sniffing	7	Windows Internal pktmon set filter	855fb8b4-b8ab-4785-ae77-09f5df7bff55	command_prompt
1093	discovery	T1040	Network Sniffing	16	PowerShell Network Sniffing	9c15a7de-de14-46c3-bc2a-6d94130986ae	powershell
1094	discovery	T1135	Network Share Discovery	4	Network Share Discovery command prompt	20f1097d-81c1-405c-8380-32174d493bbb	command_prompt
1095	discovery	T1135	Network Share Discovery	5	Network Share Discovery PowerShell	1b0814d1-bb24-402d-9615-1b20c50733fb	powershell
1096	discovery	T1135	Network Share Discovery	6	View available share drives	ab39a04f-0c93-4540-9ff2-83f862c385ae	command_prompt
1097	discovery	T1135	Network Share Discovery	7	Share Discovery with PowerView	b1636f0a-ba82-435c-b699-0d78794d8bfd	powershell
1098	discovery	T1135	Network Share Discovery	8	PowerView ShareFinder	d07e4cc1-98ae-447e-9d31-36cb430d28c4	powershell
1099	discovery	T1135	Network Share Discovery	9	WinPwn - shareenumeration	987901d1-5b87-4558-a6d9-cffcabc638b8	powershell
1100	discovery	T1135	Network Share Discovery	10	Network Share Discovery via dir command	13daa2cf-195a-43df-a8bd-7dd5ffb607b5	command_prompt
1101	discovery	T1120	Peripheral Device Discovery	1	Win32_PnPEntity Hardware Inventory	2cb4dbf2-2dca-4597-8678-4d39d207a3a5	powershell
1102	discovery	T1120	Peripheral Device Discovery	2	WinPwn - printercheck	cb6e76ca-861e-4a7f-be08-564caa3e6f75	powershell
1103	discovery	T1120	Peripheral Device Discovery	3	Peripheral Device Discovery via fsutil	424e18fd-48b8-4201-8d3a-bf591523a686	command_prompt
1104	discovery	T1082	System Information Discovery	1	System Information Discovery	66703791-c902-4560-8770-42b8a91f7667	command_prompt
1105	discovery	T1082	System Information Discovery	7	Hostname Discovery (Windows)	85cfbf23-4a1e-4342-8792-007e004b975f	command_prompt
1106	discovery	T1082	System Information Discovery	9	Windows MachineGUID Discovery	224b4daf-db44-404e-b6b2-f4d1f0126ef8	command_prompt
1107	discovery	T1082	System Information Discovery	10	Griffon Recon	69bd4abe-8759-49a6-8d21-0f15822d6370	powershell
1108	discovery	T1082	System Information Discovery	11	Environment variables discovery on windows	f400d1c0-1804-4ff8-b069-ef5ddd2adbf3	command_prompt
1109	discovery	T1082	System Information Discovery	14	WinPwn - winPEAS	eea1d918-825e-47dd-acc2-814d6c58c0e1	powershell
1110	discovery	T1082	System Information Discovery	15	WinPwn - itm4nprivesc	3d256a2f-5e57-4003-8eb6-64d91b1da7ce	powershell
1111	discovery	T1082	System Information Discovery	16	WinPwn - Powersploits privesc checks	345cb8e4-d2de-4011-a580-619cf5a9e2d7	powershell
1112	discovery	T1082	System Information Discovery	17	WinPwn - General privesc checks	5b6f39a2-6ec7-4783-a5fd-2c54a55409ed	powershell
1113	discovery	T1082	System Information Discovery	18	WinPwn - GeneralRecon	7804659b-fdbf-4cf6-b06a-c03e758590e8	powershell
1114	discovery	T1082	System Information Discovery	19	WinPwn - Morerecon	3278b2f6-f733-4875-9ef4-bfed34244f0a	powershell
1115	discovery	T1082	System Information Discovery	20	WinPwn - RBCD-Check	dec6a0d8-bcaf-4c22-9d48-2aee59fb692b	powershell
1116	discovery	T1082	System Information Discovery	21	WinPwn - PowerSharpPack - Watson searching for missing windows patches	07b18a66-6304-47d2-bad0-ef421eb2e107	powershell
1117	discovery	T1082	System Information Discovery	22	WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors	efb79454-1101-4224-a4d0-30c9c8b29ffc	powershell
1118	discovery	T1082	System Information Discovery	23	WinPwn - PowerSharpPack - Seatbelt	5c16ceb4-ba3a-43d7-b848-a13c1f216d95	powershell
1119	discovery	T1082	System Information Discovery	27	System Information Discovery with WMIC	8851b73a-3624-4bf7-8704-aa312411565c	command_prompt
1120	discovery	T1082	System Information Discovery	28	Driver Enumeration using DriverQuery	bd85e3d1-4aeb-4a1d-850f-7be3cb8d60b9	command_prompt
1121	discovery	T1082	System Information Discovery	29	System Information Discovery	4060ee98-01ae-4c8e-8aad-af8300519cc7	command_prompt
1122	discovery	T1082	System Information Discovery	30	Check computer location	96be6002-9200-47db-94cb-c3e27de1cb36	command_prompt
1123	discovery	T1082	System Information Discovery	31	BIOS Information Discovery through Registry	f2f91612-d904-49d7-87c2-6c165d23bead	command_prompt
1124	discovery	T1010	Application Window Discovery	1	List Process Main Windows - C# .NET	fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4	command_prompt
1125	discovery	T1217	Browser Bookmark Discovery	5	List Google Chrome / Opera Bookmarks on Windows with powershell	faab755e-4299-48ec-8202-fc7885eb6545	powershell
1126	discovery	T1217	Browser Bookmark Discovery	6	List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt	76f71e2f-480e-4bed-b61e-398fe17499d5	command_prompt
1127	discovery	T1217	Browser Bookmark Discovery	7	List Mozilla Firefox bookmarks on Windows with command prompt	4312cdbc-79fc-4a9c-becc-53d49c734bc5	command_prompt
1128	discovery	T1217	Browser Bookmark Discovery	8	List Internet Explorer Bookmarks using the command prompt	727dbcdb-e495-4ab1-a6c4-80c7f77aef85	command_prompt
1129	discovery	T1016	System Network Configuration Discovery	1	System Network Configuration Discovery on Windows	970ab6a1-0157-4f3f-9a73-ec4166754b23	command_prompt
1130	discovery	T1016	System Network Configuration Discovery	2	List Windows Firewall Rules	038263cb-00f4-4b0a-98ae-0696c67e1752	command_prompt
1131	discovery	T1016	System Network Configuration Discovery	4	System Network Configuration Discovery (TrickBot Style)	dafaf052-5508-402d-bf77-51e0700c02e2	command_prompt
1132	discovery	T1016	System Network Configuration Discovery	5	List Open Egress Ports	4b467538-f102-491d-ace7-ed487b853bf5	powershell
1133	discovery	T1016	System Network Configuration Discovery	6	Adfind - Enumerate Active Directory Subnet Objects	9bb45dd7-c466-4f93-83a1-be30e56033ee	command_prompt
1134	discovery	T1016	System Network Configuration Discovery	7	Qakbot Recon	121de5c6-5818-4868-b8a7-8fd07c455c1b	command_prompt
1135	discovery	T1016	System Network Configuration Discovery	9	DNS Server Discovery Using nslookup	34557863-344a-468f-808b-a1bfb89b4fa9	command_prompt
1136	discovery	T1482	Domain Trust Discovery	1	Windows - Discover domain trusts with dsquery	4700a710-c821-4e17-a3ec-9e4c81d6845f	command_prompt
1137	discovery	T1482	Domain Trust Discovery	2	Windows - Discover domain trusts with nltest	2e22641d-0498-48d2-b9ff-c71e496ccdbe	command_prompt
1138	discovery	T1482	Domain Trust Discovery	3	Powershell enumerate domains and forests	c58fbc62-8a62-489e-8f2d-3565d7d96f30	powershell
1139	discovery	T1482	Domain Trust Discovery	4	Adfind - Enumerate Active Directory OUs	d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec	command_prompt
1140	discovery	T1482	Domain Trust Discovery	5	Adfind - Enumerate Active Directory Trusts	15fe436d-e771-4ff3-b655-2dca9ba52834	command_prompt
1141	discovery	T1482	Domain Trust Discovery	6	Get-DomainTrust with PowerView	f974894c-5991-4b19-aaf5-7cc2fe298c5d	powershell
1142	discovery	T1482	Domain Trust Discovery	7	Get-ForestTrust with PowerView	58ed10e8-0738-4651-8408-3a3e9a526279	powershell
1143	discovery	T1482	Domain Trust Discovery	8	TruffleSnout - Listing AD Infrastructure	ea1b4f2d-5b82-4006-b64f-f2845608a3bf	command_prompt
1144	discovery	T1083	File and Directory Discovery	1	File and Directory Discovery (cmd.exe)	0e36303b-6762-4500-b003-127743b80ba6	command_prompt
1145	discovery	T1083	File and Directory Discovery	2	File and Directory Discovery (PowerShell)	2158908e-b7ef-4c21-8a83-3ce4dd05a924	powershell
1146	discovery	T1083	File and Directory Discovery	5	Simulating MAZE Directory Enumeration	c6c34f61-1c3e-40fb-8a58-d017d88286d8	powershell
1147	discovery	T1083	File and Directory Discovery	6	Launch DirLister Executable	c5bec457-43c9-4a18-9a24-fe151d8971b7	powershell
1148	discovery	T1049	System Network Connections Discovery	1	System Network Connections Discovery	0940a971-809a-48f1-9c4d-b1d785e96ee5	command_prompt
1149	discovery	T1049	System Network Connections Discovery	2	System Network Connections Discovery with PowerShell	f069f0f1-baad-4831-aa2b-eddac4baac4a	powershell
1150	discovery	T1049	System Network Connections Discovery	4	System Discovery using SharpView	96f974bb-a0da-4d87-a744-ff33e73367e9	powershell
1151	discovery	T1654	Log Enumeration	1	Get-EventLog To Enumerate Windows Security Log	a9030b20-dd4b-4405-875e-3462c6078fdc	powershell
1152	discovery	T1654	Log Enumeration	2	Enumerate Windows Security Log via WevtUtil	fef0ace1-3550-4bf1-a075-9fea55a778dd	command_prompt
1153	discovery	T1057	Process Discovery	2	Process Discovery - tasklist	c5806a4f-62b8-4900-980b-c7ec004e9908	command_prompt
1154	discovery	T1057	Process Discovery	3	Process Discovery - Get-Process	3b3809b6-a54b-4f5b-8aff-cb51f2e97b34	powershell
1155	discovery	T1057	Process Discovery	4	Process Discovery - get-wmiObject	b51239b4-0129-474f-a2b4-70f855b9f2c2	powershell
1156	discovery	T1057	Process Discovery	5	Process Discovery - wmic process	640cbf6d-659b-498b-ba53-f6dd1a1cc02c	command_prompt
1157	discovery	T1057	Process Discovery	6	Discover Specific Process - tasklist	11ba69ee-902e-4a0f-b3b6-418aed7d7ddb	command_prompt
1158	discovery	T1069.001	Permission Groups Discovery: Local Groups	2	Basic Permission Groups Discovery Windows (Local)	1f454dd6-e134-44df-bebb-67de70fb6cd8	command_prompt
1159	discovery	T1069.001	Permission Groups Discovery: Local Groups	3	Permission Groups Discovery PowerShell (Local)	a580462d-2c19-4bc7-8b9a-57a41b7d3ba4	powershell
1160	discovery	T1069.001	Permission Groups Discovery: Local Groups	4	SharpHound3 - LocalAdmin	e03ada14-0980-4107-aff1-7783b2b59bb1	powershell
1161	discovery	T1069.001	Permission Groups Discovery: Local Groups	5	Wmic Group Discovery	7413be50-be8e-430f-ad4d-07bf197884b2	command_prompt
1162	discovery	T1069.001	Permission Groups Discovery: Local Groups	6	WMIObject Group Discovery	69119e58-96db-4110-ad27-954e48f3bb13	powershell
1163	discovery	T1201	Password Policy Discovery	6	Examine local password policy - Windows	4588d243-f24e-4549-b2e3-e627acc089f6	command_prompt
1164	discovery	T1201	Password Policy Discovery	7	Examine domain password policy - Windows	46c2c362-2679-4ef5-aec9-0e958e135be4	command_prompt
1165	discovery	T1201	Password Policy Discovery	9	Get-DomainPolicy with PowerView	3177f4da-3d4b-4592-8bdc-aa23d0b2e843	powershell
1166	discovery	T1201	Password Policy Discovery	10	Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy	b2698b33-984c-4a1c-93bb-e4ba72a0babb	powershell
1167	discovery	T1201	Password Policy Discovery	11	Use of SecEdit.exe to export the local security policy (including the password policy)	510cc97f-56ac-4cd3-a198-d3218c23d889	command_prompt
1168	discovery	T1614.001	System Location Discovery: System Language Discovery	1	Discover System Language by Registry Query	631d4cf1-42c9-4209-8fe9-6bd4de9421be	command_prompt
1169	discovery	T1614.001	System Location Discovery: System Language Discovery	2	Discover System Language with chcp	d91473ca-944e-477a-b484-0e80217cd789	command_prompt
1170	discovery	T1012	Query Registry	1	Query Registry	8f7578c4-9863-4d83-875c-a565573bbdf0	command_prompt
1171	discovery	T1012	Query Registry	2	Query Registry with Powershell cmdlets	0434d081-bb32-42ce-bcbb-3548e4f2628f	powershell
1172	discovery	T1012	Query Registry	3	Enumerate COM Objects in Registry with Powershell	0d80d088-a84c-4353-af1a-fc8b439f1564	powershell
1173	discovery	T1518.001	Software Discovery: Security Software Discovery	1	Security Software Discovery	f92a380f-ced9-491f-b338-95a991418ce2	command_prompt
1174	discovery	T1518.001	Software Discovery: Security Software Discovery	2	Security Software Discovery - powershell	7f566051-f033-49fb-89de-b6bacab730f0	powershell
1175	discovery	T1518.001	Software Discovery: Security Software Discovery	6	Security Software Discovery - Sysmon Service	fe613cf3-8009-4446-9a0f-bc78a15b66c9	command_prompt
1176	discovery	T1518.001	Software Discovery: Security Software Discovery	7	Security Software Discovery - AV Discovery via WMI	1553252f-14ea-4d3b-8a08-d7a4211aa945	command_prompt
1177	discovery	T1518.001	Software Discovery: Security Software Discovery	8	Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets	015cd268-996e-4c32-8347-94c80c6286ee	command_prompt
1178	discovery	T1518.001	Software Discovery: Security Software Discovery	9	Security Software Discovery - Windows Defender Enumeration	d3415a0e-66ef-429b-acf4-a768876954f6	powershell
1179	discovery	T1518.001	Software Discovery: Security Software Discovery	10	Security Software Discovery - Windows Firewall Enumeration	9dca5a1d-f78c-4a8d-accb-d6de67cfed6b	powershell
1180	discovery	T1018	Remote System Discovery	1	Remote System Discovery - net	85321a9c-897f-4a60-9f20-29788e50bccd	command_prompt
1181	discovery	T1018	Remote System Discovery	2	Remote System Discovery - net group Domain Computers	f1bf6c8f-9016-4edf-aff9-80b65f5d711f	command_prompt
1182	discovery	T1018	Remote System Discovery	3	Remote System Discovery - nltest	52ab5108-3f6f-42fb-8ba3-73bc054f22c8	command_prompt
1183	discovery	T1018	Remote System Discovery	4	Remote System Discovery - ping sweep	6db1f57f-d1d5-4223-8a66-55c9c65a9592	command_prompt
1184	discovery	T1018	Remote System Discovery	5	Remote System Discovery - arp	2d5a61f5-0447-4be4-944a-1f8530ed6574	command_prompt
1185	discovery	T1018	Remote System Discovery	8	Remote System Discovery - nslookup	baa01aaa-5e13-45ec-8a0d-e46c93c9760f	powershell
1186	discovery	T1018	Remote System Discovery	9	Remote System Discovery - adidnsdump	95e19466-469e-4316-86d2-1dc401b5a959	command_prompt
1187	discovery	T1018	Remote System Discovery	10	Adfind - Enumerate Active Directory Computer Objects	a889f5be-2d54-4050-bd05-884578748bb4	command_prompt
1188	discovery	T1018	Remote System Discovery	11	Adfind - Enumerate Active Directory Domain Controller Objects	5838c31e-a0e2-4b9f-b60a-d79d2cb7995e	command_prompt
1189	discovery	T1018	Remote System Discovery	16	Enumerate domain computers within Active Directory using DirectorySearcher	962a6017-1c09-45a6-880b-adc9c57cb22e	powershell
1190	discovery	T1018	Remote System Discovery	17	Enumerate Active Directory Computers with Get-AdComputer	97e89d9e-e3f5-41b5-a90f-1e0825df0fdf	powershell
1191	discovery	T1018	Remote System Discovery	18	Enumerate Active Directory Computers with ADSISearcher	64ede6ac-b57a-41c2-a7d1-32c6cd35397d	powershell
1192	discovery	T1018	Remote System Discovery	19	Get-DomainController with PowerView	b9d2e8ca-5520-4737-8076-4f08913da2c4	powershell
1193	discovery	T1018	Remote System Discovery	20	Get-WmiObject to Enumerate Domain Controllers	e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad	powershell
1194	discovery	T1018	Remote System Discovery	21	Remote System Discovery - net group Domain Controller	5843529a-5056-4bc1-9c13-a311e2af4ca0	command_prompt
1195	discovery	T1046	Network Service Discovery	3	Port Scan NMap for Windows	d696a3cb-d7a8-4976-8eb5-5af4abf2e3df	powershell
1196	discovery	T1046	Network Service Discovery	4	Port Scan using python	6ca45b04-9f15-4424-b9d3-84a217285a5c	powershell
1197	discovery	T1046	Network Service Discovery	5	WinPwn - spoolvulnscan	54574908-f1de-4356-9021-8053dd57439a	powershell
1198	discovery	T1046	Network Service Discovery	6	WinPwn - MS17-10	97585b04-5be2-40e9-8c31-82157b8af2d6	powershell
1199	discovery	T1046	Network Service Discovery	7	WinPwn - bluekeep	1cca5640-32a9-46e6-b8e0-fabbe2384a73	powershell
1200	discovery	T1046	Network Service Discovery	8	WinPwn - fruit	bb037826-cbe8-4a41-93ea-b94059d6bb98	powershell
1201	discovery	T1046	Network Service Discovery	10	Port-Scanning /24 Subnet with PowerShell	05df2a79-dba6-4088-a804-9ca0802ca8e4	powershell
1202	discovery	T1518	Software Discovery	1	Find and Display Internet Explorer Browser Version	68981660-6670-47ee-a5fa-7e74806420a4	command_prompt
1203	discovery	T1518	Software Discovery	2	Applications Installed	c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b	powershell
1204	discovery	T1518	Software Discovery	4	WinPwn - Dotnetsearch	7e79a1b6-519e-433c-ad55-3ff293667101	powershell
1205	discovery	T1518	Software Discovery	5	WinPwn - DotNet	10ba02d0-ab76-4f80-940d-451633f24c5b	powershell
1206	discovery	T1518	Software Discovery	6	WinPwn - powerSQL	0bb64470-582a-4155-bde2-d6003a95ed34	powershell
1207	discovery	T1124	System Time Discovery	1	System Time Discovery	20aba24b-e61f-4b26-b4ce-4784f763ca20	command_prompt
1208	discovery	T1124	System Time Discovery	2	System Time Discovery - PowerShell	1d5711d6-655c-4a47-ae9c-6503c74fa877	powershell
1209	discovery	T1124	System Time Discovery	4	System Time Discovery W32tm as a Delay	d5d5a6b0-0f92-42d8-985d-47aafa2dd4db	command_prompt
1210	discovery	T1124	System Time Discovery	5	System Time with Windows time Command	53ead5db-7098-4111-bb3f-563be390e72e	command_prompt
1211	impact	T1489	Service Stop	1	Windows - Stop service using Service Controller	21dfb440-830d-4c86-a3e5-2a491d5a8d04	command_prompt
1212	impact	T1489	Service Stop	2	Windows - Stop service using net.exe	41274289-ec9c-4213-bea4-e43c4aa57954	command_prompt
1213	impact	T1489	Service Stop	3	Windows - Stop service by killing process	f3191b84-c38b-400b-867e-3a217a27795f	command_prompt
1214	impact	T1491.001	Defacement: Internal Defacement	1	Replace Desktop Wallpaper	30558d53-9d76-41c4-9267-a7bd5184bed3	powershell
1215	impact	T1491.001	Defacement: Internal Defacement	2	Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message	ffcbfaab-c9ff-470b-928c-f086b326089b	powershell
1216	impact	T1531	Account Access Removal	1	Change User Password - Windows	1b99ef28-f83c-4ec5-8a08-1a56263a5bb2	command_prompt
1217	impact	T1531	Account Access Removal	2	Delete User - Windows	f21a1d7d-a62f-442a-8c3a-2440d43b19e5	command_prompt
1218	impact	T1531	Account Access Removal	3	Remove Account From Domain Admin Group	43f71395-6c37-498e-ab17-897d814a0947	powershell
1219	impact	T1486	Data Encrypted for Impact	5	PureLocker Ransom Note	649349c7-9abf-493b-a7a2-b1aa4d141528	command_prompt
1220	impact	T1486	Data Encrypted for Impact	8	Data Encrypted with GPG4Win	4541e2c2-33c8-44b1-be79-9161440f1718	powershell
1221	impact	T1486	Data Encrypted for Impact	9	Data Encrypt Using DiskCryptor	44b68e11-9da2-4d45-a0d9-893dabd60f30	command_prompt
1222	impact	T1485	Data Destruction	1	Windows - Overwrite file with SysInternals SDelete	476419b5-aebf-4366-a131-ae3e8dae5fc2	powershell
1223	impact	T1485	Data Destruction	3	Overwrite deleted data on C drive	321fd25e-0007-417f-adec-33232252be19	command_prompt
1224	impact	T1490	Inhibit System Recovery	1	Windows - Delete Volume Shadow Copies	43819286-91a9-4369-90ed-d31fb4da2c01	command_prompt
1225	impact	T1490	Inhibit System Recovery	2	Windows - Delete Volume Shadow Copies via WMI	6a3ff8dd-f49c-4272-a658-11c2fe58bd88	command_prompt
1226	impact	T1490	Inhibit System Recovery	3	Windows - wbadmin Delete Windows Backup Catalog	263ba6cb-ea2b-41c9-9d4e-b652dadd002c	command_prompt
1227	impact	T1490	Inhibit System Recovery	4	Windows - Disable Windows Recovery Console Repair	cf21060a-80b3-4238-a595-22525de4ab81	command_prompt
1228	impact	T1490	Inhibit System Recovery	5	Windows - Delete Volume Shadow Copies via WMI with PowerShell	39a295ca-7059-4a88-86f6-09556c1211e7	powershell
1229	impact	T1490	Inhibit System Recovery	6	Windows - Delete Backup Files	6b1dbaf6-cc8a-4ea6-891f-6058569653bf	command_prompt
1230	impact	T1490	Inhibit System Recovery	7	Windows - wbadmin Delete systemstatebackup	584331dd-75bc-4c02-9e0b-17f5fd81c748	command_prompt
1231	impact	T1490	Inhibit System Recovery	8	Windows - Disable the SR scheduled task	1c68c68d-83a4-4981-974e-8993055fa034	command_prompt
1232	impact	T1490	Inhibit System Recovery	9	Disable System Restore Through Registry	66e647d1-8741-4e43-b7c1-334760c2047f	command_prompt
1233	impact	T1490	Inhibit System Recovery	10	Windows - vssadmin Resize Shadowstorage Volume	da558b07-69ae-41b9-b9d4-4d98154a7049	powershell
1234	impact	T1490	Inhibit System Recovery	11	Modify VSS Service Permissions	a4420f93-5386-4290-b780-f4f66abc7070	command_prompt
1235	impact	T1529	System Shutdown/Reboot	1	Shutdown System - Windows	ad254fa8-45c0-403b-8c77-e00b3d3e7a64	command_prompt
1236	impact	T1529	System Shutdown/Reboot	2	Restart System - Windows	f4648f0d-bf78-483c-bafc-3ec99cd1c302	command_prompt
1237	impact	T1529	System Shutdown/Reboot	12	Logoff System - Windows	3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4	command_prompt
1238	initial-access	T1133	External Remote Services	1	Running Chrome VPN Extensions via the Registry 2 vpn extension	4c8db261-a58b-42a6-a866-0a294deedde4	powershell
1239	initial-access	T1566.001	Phishing: Spearphishing Attachment	1	Download Macro-Enabled Phishing Attachment	114ccff9-ae6d-4547-9ead-4cd69f687306	powershell
1240	initial-access	T1566.001	Phishing: Spearphishing Attachment	2	Word spawned a command shell and used an IP address in the command line	cbb6799a-425c-4f83-9194-5447a909d67f	powershell
1241	initial-access	T1091	Replication Through Removable Media	1	USB Malware Spread Simulation	d44b7297-622c-4be8-ad88-ec40d7563c75	powershell
1242	initial-access	T1195	Supply Chain Compromise	1	Octopus Scanner Malware Open Source Supply Chain	82a9f001-94c5-495e-9ed5-f530dbded5e2	command_prompt
1243	initial-access	T1078.001	Valid Accounts: Default Accounts	1	Enable Guest account with RDP capability and admin privileges	99747561-ed8d-47f2-9c91-1e5fde1ed6e0	command_prompt
1244	initial-access	T1078.001	Valid Accounts: Default Accounts	2	Activate Guest Account	aa6cb8c4-b582-4f8e-b677-37733914abda	command_prompt
1245	initial-access	T1078.003	Valid Accounts: Local Accounts	1	Create local account with admin privileges	a524ce99-86de-4db6-b4f9-e08f35a47a15	command_prompt
1246	initial-access	T1078.003	Valid Accounts: Local Accounts	6	WinPwn - Loot local Credentials - powerhell kittie	9e9fd066-453d-442f-88c1-ad7911d32912	powershell
1247	initial-access	T1078.003	Valid Accounts: Local Accounts	7	WinPwn - Loot local Credentials - Safetykatz	e9fdb899-a980-4ba4-934b-486ad22e22f4	powershell
1248	exfiltration	T1020	Automated Exfiltration	1	IcedID Botnet HTTP PUT	9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0	powershell
1249	exfiltration	T1020	Automated Exfiltration	2	Exfiltration via Encrypted FTP	5b380e96-b0ef-4072-8a8e-f194cb9eb9ac	powershell
1250	exfiltration	T1048.002	Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	1	Exfiltrate data HTTPS using curl windows	1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0	command_prompt
1251	exfiltration	T1041	Exfiltration Over C2 Channel	1	C2 Data Exfiltration	d1253f6e-c29b-49dc-b466-2147a6191932	powershell
1252	exfiltration	T1041	Exfiltration Over C2 Channel	2	Text Based Data Exfiltration using DNS subdomains	c9207f3e-213d-4cc7-ad2a-7697a7237df9	powershell
1253	exfiltration	T1048	Exfiltration Over Alternative Protocol	3	DNSExfiltration (doh)	c943d285-ada3-45ca-b3aa-7cd6500c6a48	powershell
1254	exfiltration	T1567.003	Exfiltration Over Web Service: Exfiltration to Text Storage Sites	1	Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows)	c2e8ab6e-431e-460a-a2aa-3bc6a32022e3	powershell
1255	exfiltration	T1567.002	Exfiltration Over Web Service: Exfiltration to Cloud Storage	1	Exfiltrate data with rclone to cloud Storage - Mega (Windows)	8529ee44-279a-4a19-80bf-b846a40dda58	powershell
1256	exfiltration	T1030	Data Transfer Size Limits	2	Network-Based Data Transfer in Small Chunks	f0287b58-f4bc-40f6-87eb-692e126e7f8f	powershell
1257	exfiltration	T1048.003	Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	2	Exfiltration Over Alternative Protocol - ICMP	dd4b4421-2e25-4593-90ae-7021947ad12e	powershell
1258	exfiltration	T1048.003	Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4	Exfiltration Over Alternative Protocol - HTTP	6aa58451-1121-4490-a8e9-1dada3f1c68c	powershell
1259	exfiltration	T1048.003	Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	5	Exfiltration Over Alternative Protocol - SMTP	ec3a835e-adca-4c7c-88d2-853b69c11bb9	powershell
1260	exfiltration	T1048.003	Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	6	MAZE FTP Upload	57799bc2-ad1e-4130-a793-fb0c385130ba	powershell
1261	exfiltration	T1048.003	Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	7	Exfiltration Over Alternative Protocol - FTP - Rclone	b854eb97-bf9b-45ab-a1b5-b94e4880c56b	powershell

191 KiB Raw Blame History

191 KiB

Raw Blame History