atomic-red-team/atomics/Indexes/Indexes-CSV/index.csv

1	Tactic	Technique #	Technique Name	Test #	Test Name	Test GUID	Executor Name
2	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	1	Rundll32 execute JavaScript Remote Payload With GetObject	57ba4ce9-ee7a-4f27-9928-3c70c489b59d	command_prompt
3	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	2	Rundll32 execute VBscript command	638730e7-7aed-43dc-bf8c-8117f805f5bb	command_prompt
4	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	3	Rundll32 execute VBscript command using Ordinal number	32d1cf1b-cbc2-4c09-8d05-07ec5c83a821	command_prompt
5	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	4	Rundll32 advpack.dll Execution	d91cae26-7fc1-457b-a854-34c8aad48c89	command_prompt
6	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	5	Rundll32 ieadvpack.dll Execution	5e46a58e-cbf6-45ef-a289-ed7754603df9	command_prompt
7	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	6	Rundll32 syssetup.dll Execution	41fa324a-3946-401e-bbdd-d7991c628125	command_prompt
8	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	7	Rundll32 setupapi.dll Execution	71d771cd-d6b3-4f34-bc76-a63d47a10b19	command_prompt
9	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	8	Execution of HTA and VBS Files using Rundll32 and URL.dll	22cfde89-befe-4e15-9753-47306b37a6e3	command_prompt
10	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	9	Launches an executable using Rundll32 and pcwutl.dll	9f5d081a-ee5a-42f9-a04e-b7bdc487e676	command_prompt
11	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	10	Execution of non-dll using rundll32.exe	ae3a8605-b26e-457c-b6b3-2702fd335bac	powershell
12	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	11	Rundll32 with Ordinal Value	9fd5a74b-ba89-482a-8a3e-a5feaa3697b0	command_prompt
13	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	12	Rundll32 with Control_RunDLL	e4c04b6f-c492-4782-82c7-3bf75eb8077e	command_prompt
14	defense-evasion	T1218.011	Signed Binary Proxy Execution: Rundll32	13	Rundll32 with desk.cpl	83a95136-a496-423c-81d3-1c6750133917	command_prompt
15	defense-evasion	T1556.003	Modify Authentication Process: Pluggable Authentication Modules	1	Malicious PAM rule	4b9dde80-ae22-44b1-a82a-644bf009eb9c	sh
16	defense-evasion	T1556.003	Modify Authentication Process: Pluggable Authentication Modules	2	Malicious PAM module	65208808-3125-4a2e-8389-a0a00e9ab326	sh
17	defense-evasion	T1222.002	File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification	1	chmod - Change file or folder mode (numeric mode)	34ca1464-de9d-40c6-8c77-690adf36a135	bash
18	defense-evasion	T1222.002	File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification	2	chmod - Change file or folder mode (symbolic mode)	fc9d6695-d022-4a80-91b1-381f5c35aff3	bash
19	defense-evasion	T1222.002	File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification	3	chmod - Change file or folder mode (numeric mode) recursively	ea79f937-4a4d-4348-ace6-9916aec453a4	bash
20	defense-evasion	T1222.002	File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification	4	chmod - Change file or folder mode (symbolic mode) recursively	0451125c-b5f6-488f-993b-5a32b09f7d8f	bash
21	defense-evasion	T1222.002	File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification	5	chown - Change file or folder ownership and group	d169e71b-85f9-44ec-8343-27093ff3dfc0	bash
22	defense-evasion	T1222.002	File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification	6	chown - Change file or folder ownership and group recursively	b78598be-ff39-448f-a463-adbf2a5b7848	bash
23	defense-evasion	T1222.002	File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification	7	chown - Change file or folder mode ownership only	967ba79d-f184-4e0e-8d09-6362b3162e99	bash
24	defense-evasion	T1222.002	File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification	8	chown - Change file or folder ownership recursively	3b015515-b3d8-44e9-b8cd-6fa84faf30b2	bash
25	defense-evasion	T1222.002	File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification	9	chattr - Remove immutable file attribute	e7469fe2-ad41-4382-8965-99b94dd3c13f	sh
26	defense-evasion	T1222.002	File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification	10	Chmod through c script	973631cf-6680-4ffa-a053-045e1b6b67ab	sh
27	defense-evasion	T1222.002	File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification	11	Chown through c script	18592ba1-5f88-4e3c-abc8-ab1c6042e389	sh
28	defense-evasion	T1216.001	Signed Script Proxy Execution: Pubprn	1	PubPrn.vbs Signed Script Bypass	9dd29a1f-1e16-4862-be83-913b10a88f6c	command_prompt
29	defense-evasion	T1006	Direct Volume Access	1	Read volume boot sector via DOS device path (PowerShell)	88f6327e-51ec-4bbf-b2e8-3fea534eab8b	powershell
30	defense-evasion	T1014	Rootkit	1	Loadable Kernel Module based Rootkit	dfb50072-e45a-4c75-a17e-a484809c8553	sh
31	defense-evasion	T1014	Rootkit	2	Loadable Kernel Module based Rootkit	75483ef8-f10f-444a-bf02-62eb0e48db6f	sh
32	defense-evasion	T1014	Rootkit	3	dynamic-linker based rootkit (libprocesshider)	1338bf0c-fd0c-48c0-9e65-329f18e2c0d3	sh
33	defense-evasion	T1014	Rootkit	4	Loadable Kernel Module based Rootkit (Diamorphine)	0b996469-48c6-46e2-8155-a17f8b6c2247	sh
34	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	1	Bypass UAC using Event Viewer (cmd)	5073adf8-9a50-4bd9-b298-a9bd2ead8af9	command_prompt
35	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	2	Bypass UAC using Event Viewer (PowerShell)	a6ce9acf-842a-4af6-8f79-539be7608e2b	powershell
36	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	3	Bypass UAC using Fodhelper	58f641ea-12e3-499a-b684-44dee46bd182	command_prompt
37	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	4	Bypass UAC using Fodhelper - PowerShell	3f627297-6c38-4e7d-a278-fc2563eaaeaa	powershell
38	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	5	Bypass UAC using ComputerDefaults (PowerShell)	3c51abf2-44bf-42d8-9111-dc96ff66750f	powershell
39	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	6	Bypass UAC by Mocking Trusted Directories	f7a35090-6f7f-4f64-bb47-d657bf5b10c1	command_prompt
40	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	7	Bypass UAC using sdclt DelegateExecute	3be891eb-4608-4173-87e8-78b494c029b7	powershell
41	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	8	Disable UAC using reg.exe	9e8af564-53ec-407e-aaa8-3cb20c3af7f9	command_prompt
42	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	9	Bypass UAC using SilentCleanup task	28104f8a-4ff1-4582-bcf6-699dce156608	command_prompt
43	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	10	UACME Bypass Method 23	8ceab7a2-563a-47d2-b5ba-0995211128d7	command_prompt
44	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	11	UACME Bypass Method 31	b0f76240-9f33-4d34-90e8-3a7d501beb15	command_prompt
45	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	12	UACME Bypass Method 33	e514bb03-f71c-4b22-9092-9f961ec6fb03	command_prompt
46	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	13	UACME Bypass Method 34	695b2dac-423e-448e-b6ef-5b88e93011d6	command_prompt
47	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	14	UACME Bypass Method 39	56163687-081f-47da-bb9c-7b231c5585cf	command_prompt
48	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	15	UACME Bypass Method 56	235ec031-cd2d-465d-a7ae-68bab281e80e	command_prompt
49	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	16	UACME Bypass Method 59	dfb1b667-4bb8-4a63-a85e-29936ea75f29	command_prompt
50	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	17	UACME Bypass Method 61	7825b576-744c-4555-856d-caf3460dc236	command_prompt
51	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	18	WinPwn - UAC Magic	964d8bf8-37bc-4fd3-ba36-ad13761ebbcc	powershell
52	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	19	WinPwn - UAC Bypass ccmstp technique	f3c145f9-3c8d-422c-bd99-296a17a8f567	powershell
53	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	20	WinPwn - UAC Bypass DiskCleanup technique	1ed67900-66cd-4b09-b546-2a0ef4431a0c	powershell
54	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	21	WinPwn - UAC Bypass DccwBypassUAC technique	2b61977b-ae2d-4ae4-89cb-5c36c89586be	powershell
55	defense-evasion	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	22	Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key	251c5936-569f-42f4-9ac2-87a173b9e9b8	powershell
56	defense-evasion	T1548.003	Abuse Elevation Control Mechanism: Sudo and Sudo Caching	1	Sudo usage	150c3a08-ee6e-48a6-aeaf-3659d24ceb4e	sh
57	defense-evasion	T1548.003	Abuse Elevation Control Mechanism: Sudo and Sudo Caching	2	Unlimited sudo cache timeout	a7b17659-dd5e-46f7-b7d1-e6792c91d0bc	sh
58	defense-evasion	T1548.003	Abuse Elevation Control Mechanism: Sudo and Sudo Caching	3	Disable tty_tickets for sudo caching	91a60b03-fb75-4d24-a42e-2eb8956e8de1	sh
59	defense-evasion	T1574.011	Hijack Execution Flow: Services Registry Permissions Weakness	1	Service Registry Permissions Weakness	f7536d63-7fd4-466f-89da-7e48d550752a	powershell
60	defense-evasion	T1574.011	Hijack Execution Flow: Services Registry Permissions Weakness	2	Service ImagePath Change with reg.exe	f38e9eea-e1d7-4ba6-b716-584791963827	command_prompt
61	defense-evasion	T1036.005	Masquerading: Match Legitimate Name or Location	1	Execute a process from a directory masquerading as the current parent directory.	812c3ab8-94b0-4698-a9bf-9420af23ce24	sh
62	defense-evasion	T1036.005	Masquerading: Match Legitimate Name or Location	2	Masquerade as a built-in system executable	35eb8d16-9820-4423-a2a1-90c4f5edd9ca	powershell
63	defense-evasion	T1564	Hide Artifacts	1	Extract binary files via VBA	6afe288a-8a8b-4d33-a629-8d03ba9dad3a	powershell
64	defense-evasion	T1564	Hide Artifacts	2	Create a Hidden User Called "$"	2ec63cc2-4975-41a6-bf09-dffdfb610778	command_prompt
65	defense-evasion	T1564	Hide Artifacts	3	Create an "Administrator " user (with a space on the end)	5bb20389-39a5-4e99-9264-aeb92a55a85c	powershell
66	defense-evasion	T1484.002	Domain Trust Modification	1	Add Federation to Azure AD	8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7	powershell
67	defense-evasion	T1497.001	Virtualization/Sandbox Evasion: System Checks	1	Detect Virtualization Environment (Linux)	dfbd1a21-540d-4574-9731-e852bd6fe840	sh
68	defense-evasion	T1497.001	Virtualization/Sandbox Evasion: System Checks	2	Detect Virtualization Environment (Windows)	502a7dc4-9d6f-4d28-abf2-f0e84692562d	powershell
69	defense-evasion	T1497.001	Virtualization/Sandbox Evasion: System Checks	3	Detect Virtualization Environment (MacOS)	a960185f-aef6-4547-8350-d1ce16680d09	sh
70	defense-evasion	T1497.001	Virtualization/Sandbox Evasion: System Checks	4	Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)	4a41089a-48e0-47aa-82cb-5b81a463bc78	powershell
71	defense-evasion	T1070.002	Indicator Removal on Host: Clear Linux or Mac System Logs	1	rm -rf	989cc1b1-3642-4260-a809-54f9dd559683	sh
72	defense-evasion	T1070.002	Indicator Removal on Host: Clear Linux or Mac System Logs	2	Overwrite Linux Mail Spool	1602ff76-ed7f-4c94-b550-2f727b4782d4	bash
73	defense-evasion	T1070.002	Indicator Removal on Host: Clear Linux or Mac System Logs	3	Overwrite Linux Log	d304b2dc-90b4-4465-a650-16ddd503f7b5	bash
74	defense-evasion	T1218.004	Signed Binary Proxy Execution: InstallUtil	1	CheckIfInstallable method call	ffd9c807-d402-47d2-879d-f915cf2a3a94	powershell
75	defense-evasion	T1218.004	Signed Binary Proxy Execution: InstallUtil	2	InstallHelper method call	d43a5bde-ae28-4c55-a850-3f4c80573503	powershell
76	defense-evasion	T1218.004	Signed Binary Proxy Execution: InstallUtil	3	InstallUtil class constructor method call	9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93	powershell
77	defense-evasion	T1218.004	Signed Binary Proxy Execution: InstallUtil	4	InstallUtil Install method call	9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b	powershell
78	defense-evasion	T1218.004	Signed Binary Proxy Execution: InstallUtil	5	InstallUtil Uninstall method call - /U variant	34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b	powershell
79	defense-evasion	T1218.004	Signed Binary Proxy Execution: InstallUtil	6	InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant	06d9deba-f732-48a8-af8e-bdd6e4d98c1d	powershell
80	defense-evasion	T1218.004	Signed Binary Proxy Execution: InstallUtil	7	InstallUtil HelpText method call	5a683850-1145-4326-a0e5-e91ced3c6022	powershell
81	defense-evasion	T1218.004	Signed Binary Proxy Execution: InstallUtil	8	InstallUtil evasive invocation	559e6d06-bb42-4307-bff7-3b95a8254bad	powershell
82	defense-evasion	T1574.001	Hijack Execution Flow: DLL Search Order Hijacking	1	DLL Search Order Hijacking - amsi.dll	8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3	command_prompt
83	defense-evasion	T1553.001	Subvert Trust Controls: Gatekeeper Bypass	1	Gatekeeper Bypass	fb3d46c6-9480-4803-8d7d-ce676e1f1a9b	sh
84	defense-evasion	T1222.001	File and Directory Permissions Modification: Windows File and Directory Permissions Modification	1	Take ownership using takeown utility	98d34bb4-6e75-42ad-9c41-1dae7dc6a001	command_prompt
85	defense-evasion	T1222.001	File and Directory Permissions Modification: Windows File and Directory Permissions Modification	2	cacls - Grant permission to specified user or group recursively	a8206bcc-f282-40a9-a389-05d9c0263485	command_prompt
86	defense-evasion	T1222.001	File and Directory Permissions Modification: Windows File and Directory Permissions Modification	3	attrib - Remove read-only attribute	bec1e95c-83aa-492e-ab77-60c71bbd21b0	command_prompt
87	defense-evasion	T1222.001	File and Directory Permissions Modification: Windows File and Directory Permissions Modification	4	attrib - hide file	32b979da-7b68-42c9-9a99-0e39900fc36c	command_prompt
88	defense-evasion	T1222.001	File and Directory Permissions Modification: Windows File and Directory Permissions Modification	5	Grant Full Access to folder for Everyone - Ryuk Ransomware Style	ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6	command_prompt
89	defense-evasion	T1218.007	Signed Binary Proxy Execution: Msiexec	1	Msiexec.exe - Execute Local MSI file with embedded JScript	a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04	command_prompt
90	defense-evasion	T1218.007	Signed Binary Proxy Execution: Msiexec	2	Msiexec.exe - Execute Local MSI file with embedded VBScript	8d73c7b0-c2b1-4ac1-881a-4aa644f76064	command_prompt
91	defense-evasion	T1218.007	Signed Binary Proxy Execution: Msiexec	3	Msiexec.exe - Execute Local MSI file with an embedded DLL	628fa796-76c5-44c3-93aa-b9d8214fd568	command_prompt
92	defense-evasion	T1218.007	Signed Binary Proxy Execution: Msiexec	4	Msiexec.exe - Execute Local MSI file with an embedded EXE	ed3fa08a-ca18-4009-973e-03d13014d0e8	command_prompt
93	defense-evasion	T1218.007	Signed Binary Proxy Execution: Msiexec	5	WMI Win32_Product Class - Execute Local MSI file with embedded JScript	882082f0-27c6-4eec-a43c-9aa80bccdb30	powershell
94	defense-evasion	T1218.007	Signed Binary Proxy Execution: Msiexec	6	WMI Win32_Product Class - Execute Local MSI file with embedded VBScript	cf470d9a-58e7-43e5-b0d2-805dffc05576	powershell
95	defense-evasion	T1218.007	Signed Binary Proxy Execution: Msiexec	7	WMI Win32_Product Class - Execute Local MSI file with an embedded DLL	32eb3861-30da-4993-897a-42737152f5f8	powershell
96	defense-evasion	T1218.007	Signed Binary Proxy Execution: Msiexec	8	WMI Win32_Product Class - Execute Local MSI file with an embedded EXE	55080eb0-49ae-4f55-a440-4167b7974f79	powershell
97	defense-evasion	T1218.007	Signed Binary Proxy Execution: Msiexec	9	Msiexec.exe - Execute the DllRegisterServer function of a DLL	0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d	command_prompt
98	defense-evasion	T1218.007	Signed Binary Proxy Execution: Msiexec	10	Msiexec.exe - Execute the DllUnregisterServer function of a DLL	ab09ec85-4955-4f9c-b8e0-6851baf4d47f	command_prompt
99	defense-evasion	T1218.007	Signed Binary Proxy Execution: Msiexec	11	Msiexec.exe - Execute Remote MSI file	44a4bedf-ffe3-452e-bee4-6925ab125662	command_prompt
100	defense-evasion	T1556.002	Modify Authentication Process: Password Filter DLL	1	Install and Register Password Filter DLL	a7961770-beb5-4134-9674-83d7e1fa865c	powershell
101	defense-evasion	T1070.003	Indicator Removal on Host: Clear Command History	1	Clear Bash history (rm)	a934276e-2be5-4a36-93fd-98adbb5bd4fc	sh
102	defense-evasion	T1070.003	Indicator Removal on Host: Clear Command History	2	Clear Bash history (echo)	cbf506a5-dd78-43e5-be7e-a46b7c7a0a11	sh
103	defense-evasion	T1070.003	Indicator Removal on Host: Clear Command History	3	Clear Bash history (cat dev/null)	b1251c35-dcd3-4ea1-86da-36d27b54f31f	sh
104	defense-evasion	T1070.003	Indicator Removal on Host: Clear Command History	4	Clear Bash history (ln dev/null)	23d348f3-cc5c-4ba9-bd0a-ae09069f0914	sh
105	defense-evasion	T1070.003	Indicator Removal on Host: Clear Command History	5	Clear Bash history (truncate)	47966a1d-df4f-4078-af65-db6d9aa20739	sh
106	defense-evasion	T1070.003	Indicator Removal on Host: Clear Command History	6	Clear history of a bunch of shells	7e6721df-5f08-4370-9255-f06d8a77af4c	sh
107	defense-evasion	T1070.003	Indicator Removal on Host: Clear Command History	7	Clear and Disable Bash History Logging	784e4011-bd1a-4ecd-a63a-8feb278512e6	sh
108	defense-evasion	T1070.003	Indicator Removal on Host: Clear Command History	8	Use Space Before Command to Avoid Logging to History	53b03a54-4529-4992-852d-a00b4b7215a6	sh
109	defense-evasion	T1070.003	Indicator Removal on Host: Clear Command History	9	Disable Bash History Logging with SSH -T	5f8abd62-f615-43c5-b6be-f780f25790a1	sh
110	defense-evasion	T1070.003	Indicator Removal on Host: Clear Command History	10	Prevent Powershell History Logging	2f898b81-3e97-4abb-bc3f-a95138988370	powershell
111	defense-evasion	T1070.003	Indicator Removal on Host: Clear Command History	11	Clear Powershell History by Deleting History File	da75ae8d-26d6-4483-b0fe-700e4df4f037	powershell
112	defense-evasion	T1070.003	Indicator Removal on Host: Clear Command History	12	Set Custom AddToHistoryHandler to Avoid History File Logging	1d0d9aa6-6111-4f89-927b-53e8afae7f94	powershell
113	defense-evasion	T1202	Indirect Command Execution	1	Indirect Command Execution - pcalua.exe	cecfea7a-5f03-4cdd-8bc8-6f7c22862440	command_prompt
114	defense-evasion	T1202	Indirect Command Execution	2	Indirect Command Execution - forfiles.exe	8b34a448-40d9-4fc3-a8c8-4bb286faf7dc	command_prompt
115	defense-evasion	T1202	Indirect Command Execution	3	Indirect Command Execution - conhost.exe	cf3391e0-b482-4b02-87fc-ca8362269b29	command_prompt
116	defense-evasion	T1140	Deobfuscate/Decode Files or Information	1	Deobfuscate/Decode Files Or Information	dc6fe391-69e6-4506-bd06-ea5eeb4082f8	command_prompt
117	defense-evasion	T1140	Deobfuscate/Decode Files or Information	2	Certutil Rename and Decode	71abc534-3c05-4d0c-80f7-cbe93cb2aa94	command_prompt
118	defense-evasion	T1140	Deobfuscate/Decode Files or Information	3	Base64 decoding with Python	356dc0e8-684f-4428-bb94-9313998ad608	sh
119	defense-evasion	T1140	Deobfuscate/Decode Files or Information	4	Base64 decoding with Perl	6604d964-b9f6-4d4b-8ce8-499829a14d0a	sh
120	defense-evasion	T1140	Deobfuscate/Decode Files or Information	5	Base64 decoding with shell utilities	b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e	sh
121	defense-evasion	T1140	Deobfuscate/Decode Files or Information	6	Hex decoding with shell utilities	005943f9-8dd5-4349-8b46-0313c0a9f973	sh
122	defense-evasion	T1036	Masquerading	1	System File Copied to Unusual Location	51005ac7-52e2-45e0-bdab-d17c6d4916cd	powershell
123	defense-evasion	T1036	Masquerading	2	Malware Masquerading and Execution from Zip File	4449c89b-ec82-43a4-89c1-91e2f1abeecc	powershell
124	defense-evasion	T1055	Process Injection	1	Shellcode execution via VBA	1c91e740-1729-4329-b779-feba6e71d048	powershell
125	defense-evasion	T1055	Process Injection	2	Remote Process Injection in LSASS via mimikatz	3203ad24-168e-4bec-be36-f79b13ef8a83	command_prompt
126	defense-evasion	T1218	Signed Binary Proxy Execution	1	mavinject - Inject DLL into running process	c426dacf-575d-4937-8611-a148a86a5e61	command_prompt
127	defense-evasion	T1218	Signed Binary Proxy Execution	2	Register-CimProvider - Execute evil dll	ad2c17ed-f626-4061-b21e-b9804a6f3655	command_prompt
128	defense-evasion	T1218	Signed Binary Proxy Execution	3	InfDefaultInstall.exe .inf Execution	54ad7d5a-a1b5-472c-b6c4-f8090fb2daef	command_prompt
129	defense-evasion	T1218	Signed Binary Proxy Execution	4	ProtocolHandler.exe Downloaded a Suspicious File	db020456-125b-4c8b-a4a7-487df8afb5a2	command_prompt
130	defense-evasion	T1218	Signed Binary Proxy Execution	5	Microsoft.Workflow.Compiler.exe Payload Execution	7cbb0f26-a4c1-4f77-b180-a009aa05637e	powershell
131	defense-evasion	T1218	Signed Binary Proxy Execution	6	Renamed Microsoft.Workflow.Compiler.exe Payload Executions	4cc40fd7-87b8-4b16-b2d7-57534b86b911	powershell
132	defense-evasion	T1218	Signed Binary Proxy Execution	7	Invoke-ATHRemoteFXvGPUDisablementCommand base test	9ebe7901-7edf-45c0-b5c7-8366300919db	powershell
133	defense-evasion	T1218	Signed Binary Proxy Execution	8	DiskShadow Command Execution	0e1483ba-8f0c-425d-b8c6-42736e058eaa	powershell
134	defense-evasion	T1218	Signed Binary Proxy Execution	9	Load Arbitrary DLL via Wuauclt (Windows Update Client)	49fbd548-49e9-4bb7-94a6-3769613912b8	command_prompt
135	defense-evasion	T1218	Signed Binary Proxy Execution	10	Lolbin Gpscript logon option	5bcda9cd-8e85-48fa-861d-b5a85d91d48c	command_prompt
136	defense-evasion	T1218	Signed Binary Proxy Execution	11	Lolbin Gpscript startup option	f8da74bb-21b8-4af9-8d84-f2c8e4a220e3	command_prompt
137	defense-evasion	T1218	Signed Binary Proxy Execution	12	Lolbas ie4uinit.exe use as proxy	13c0804e-615e-43ad-b223-2dfbacd0b0b3	command_prompt
138	defense-evasion	T1070.006	Indicator Removal on Host: Timestomp	1	Set a file's access timestamp	5f9113d5-ed75-47ed-ba23-ea3573d05810	sh
139	defense-evasion	T1070.006	Indicator Removal on Host: Timestomp	2	Set a file's modification timestamp	20ef1523-8758-4898-b5a2-d026cc3d2c52	sh
140	defense-evasion	T1070.006	Indicator Removal on Host: Timestomp	3	Set a file's creation timestamp	8164a4a6-f99c-4661-ac4f-80f5e4e78d2b	sh
141	defense-evasion	T1070.006	Indicator Removal on Host: Timestomp	4	Modify file timestamps using reference file	631ea661-d661-44b0-abdb-7a7f3fc08e50	sh
142	defense-evasion	T1070.006	Indicator Removal on Host: Timestomp	5	Windows - Modify file creation timestamp with PowerShell	b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c	powershell
143	defense-evasion	T1070.006	Indicator Removal on Host: Timestomp	6	Windows - Modify file last modified timestamp with PowerShell	f8f6634d-93e1-4238-8510-f8a90a20dcf2	powershell
144	defense-evasion	T1070.006	Indicator Removal on Host: Timestomp	7	Windows - Modify file last access timestamp with PowerShell	da627f63-b9bd-4431-b6f8-c5b44d061a62	powershell
145	defense-evasion	T1070.006	Indicator Removal on Host: Timestomp	8	Windows - Timestomp a File	d7512c33-3a75-4806-9893-69abc3ccdd43	powershell
146	defense-evasion	T1620	Reflective Code Loading	1	WinPwn - Reflectively load Mimik@tz into memory	56b9589c-9170-4682-8c3d-33b86ecb5119	powershell
147	defense-evasion	T1218.003	Signed Binary Proxy Execution: CMSTP	1	CMSTP Executing Remote Scriptlet	34e63321-9683-496b-bbc1-7566bc55e624	command_prompt
148	defense-evasion	T1218.003	Signed Binary Proxy Execution: CMSTP	2	CMSTP Executing UAC Bypass	748cb4f6-2fb3-4e97-b7ad-b22635a09ab0	command_prompt
149	defense-evasion	T1562.002	Impair Defenses: Disable Windows Event Logging	1	Disable Windows IIS HTTP Logging	69435dcf-c66f-4ec0-a8b1-82beb76b34db	powershell
150	defense-evasion	T1562.002	Impair Defenses: Disable Windows Event Logging	2	Kill Event Log Service Threads	41ac52ba-5d5e-40c0-b267-573ed90489bd	powershell
151	defense-evasion	T1562.002	Impair Defenses: Disable Windows Event Logging	3	Impair Windows Audit Log Policy	5102a3a7-e2d7-4129-9e45-f483f2e0eea8	command_prompt
152	defense-evasion	T1562.002	Impair Defenses: Disable Windows Event Logging	4	Clear Windows Audit Policy Config	913c0e4e-4b37-4b78-ad0b-90e7b25010f6	command_prompt
153	defense-evasion	T1562.002	Impair Defenses: Disable Windows Event Logging	5	Disable Event Logging with wevtutil	b26a3340-dad7-4360-9176-706269c74103	command_prompt
154	defense-evasion	T1562.002	Impair Defenses: Disable Windows Event Logging	6	Makes Eventlog blind with Phant0m	3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741	command_prompt
155	defense-evasion	T1218.002	Signed Binary Proxy Execution: Control Panel	1	Control Panel Items	037e9d8a-9e46-4255-8b33-2ae3b545ca6f	command_prompt
156	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	1	Disable Microsoft Defender Firewall	88d05800-a5e4-407e-9b53-ece4174f197f	command_prompt
157	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	2	Disable Microsoft Defender Firewall via Registry	afedc8c4-038c-4d82-b3e5-623a95f8a612	command_prompt
158	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	3	Allow SMB and RDP on Microsoft Defender Firewall	d9841bf8-f161-4c73-81e9-fd773a5ff8c1	command_prompt
159	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	4	Opening ports for proxy - HARDRAIN	15e57006-79dd-46df-9bf9-31bc24fb5a80	command_prompt
160	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	5	Open a local port through Windows Firewall to any profile	9636dd6e-7599-40d2-8eee-ac16434f35ed	powershell
161	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	6	Allow Executable Through Firewall Located in Non-Standard Location	6f5822d2-d38d-4f48-9bfc-916607ff6b8c	powershell
162	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	7	Stop/Start UFW firewall	fe135572-edcd-49a2-afe6-1d39521c5a9a	sh
163	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	8	Stop/Start UFW firewall systemctl	9fd99609-1854-4f3c-b47b-97d9a5972bd1	sh
164	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	9	Turn off UFW logging	8a95b832-2c2a-494d-9cb0-dc9dd97c8bad	sh
165	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	10	Add and delete UFW firewall rules	b2563a4e-c4b8-429c-8d47-d5bcb227ba7a	sh
166	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	11	Edit UFW firewall user.rules file	beaf815a-c883-4194-97e9-fdbbb2bbdd7c	sh
167	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	12	Edit UFW firewall ufw.conf file	c1d8c4eb-88da-4927-ae97-c7c25893803b	sh
168	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	13	Edit UFW firewall sysctl.conf file	c4ae0701-88d3-4cd8-8bce-4801ed9f97e4	sh
169	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	14	Edit UFW firewall main configuration file	7b697ece-8270-46b5-bbc7-6b9e27081831	sh
170	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	15	Tail the UFW firewall log file	419cca0c-fa52-4572-b0d7-bc7c6f388a27	sh
171	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	16	LockBit Black - Unusual Windows firewall registry modification -cmd	a4651931-ebbb-4cde-9363-ddf3d66214cb	command_prompt
172	defense-evasion	T1562.004	Impair Defenses: Disable or Modify System Firewall	17	LockBit Black - Unusual Windows firewall registry modification -Powershell	80b453d1-eec5-4144-bf08-613a6c3ffe12	powershell
173	defense-evasion	T1207	Rogue Domain Controller	1	DCShadow (Active Directory)	0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6	powershell
174	defense-evasion	T1112	Modify Registry	1	Modify Registry of Current User Profile - cmd	1324796b-d0f6-455a-b4ae-21ffee6aa6b9	command_prompt
175	defense-evasion	T1112	Modify Registry	2	Modify Registry of Local Machine - cmd	282f929a-6bc5-42b8-bd93-960c3ba35afe	command_prompt
176	defense-evasion	T1112	Modify Registry	3	Modify registry to store logon credentials	c0413fb5-33e2-40b7-9b6f-60b29f4a7a18	command_prompt
177	defense-evasion	T1112	Modify Registry	4	Add domain to Trusted sites Zone	cf447677-5a4e-4937-a82c-e47d254afd57	powershell
178	defense-evasion	T1112	Modify Registry	5	Javascript in registry	15f44ea9-4571-4837-be9e-802431a7bfae	powershell
179	defense-evasion	T1112	Modify Registry	6	Change Powershell Execution Policy to Bypass	f3a6cceb-06c9-48e5-8df8-8867a6814245	powershell
180	defense-evasion	T1112	Modify Registry	7	BlackByte Ransomware Registry Changes - CMD	4f4e2f9f-6209-4fcf-9b15-3b7455706f5b	command_prompt
181	defense-evasion	T1112	Modify Registry	8	BlackByte Ransomware Registry Changes - Powershell	0b79c06f-c788-44a2-8630-d69051f1123d	powershell
182	defense-evasion	T1112	Modify Registry	9	Disable Windows Registry Tool	ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8	command_prompt
183	defense-evasion	T1112	Modify Registry	10	Disable Windows CMD application	d2561a6d-72bd-408c-b150-13efe1801c2a	powershell
184	defense-evasion	T1112	Modify Registry	11	Disable Windows Task Manager application	af254e70-dd0e-4de6-9afe-a994d9ea8b62	command_prompt
185	defense-evasion	T1112	Modify Registry	12	Disable Windows Notification Center	c0d6d67f-1f63-42cc-95c0-5fd6b20082ad	command_prompt
186	defense-evasion	T1112	Modify Registry	13	Disable Windows Shutdown Button	6e0d1131-2d7e-4905-8ca5-d6172f05d03d	command_prompt
187	defense-evasion	T1112	Modify Registry	14	Disable Windows LogOff Button	e246578a-c24d-46a7-9237-0213ff86fb0c	command_prompt
188	defense-evasion	T1112	Modify Registry	15	Disable Windows Change Password Feature	d4a6da40-618f-454d-9a9e-26af552aaeb0	command_prompt
189	defense-evasion	T1112	Modify Registry	16	Disable Windows Lock Workstation Feature	3dacb0d2-46ee-4c27-ac1b-f9886bf91a56	command_prompt
190	defense-evasion	T1112	Modify Registry	17	Activate Windows NoDesktop Group Policy Feature	93386d41-525c-4a1b-8235-134a628dee17	command_prompt
191	defense-evasion	T1112	Modify Registry	18	Activate Windows NoRun Group Policy Feature	d49ff3cc-8168-4123-b5b3-f057d9abbd55	command_prompt
192	defense-evasion	T1112	Modify Registry	19	Activate Windows NoFind Group Policy Feature	ffbb407e-7f1d-4c95-b22e-548169db1fbd	command_prompt
193	defense-evasion	T1112	Modify Registry	20	Activate Windows NoControlPanel Group Policy Feature	a450e469-ba54-4de1-9deb-9023a6111690	command_prompt
194	defense-evasion	T1112	Modify Registry	21	Activate Windows NoFileMenu Group Policy Feature	5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4	command_prompt
195	defense-evasion	T1112	Modify Registry	22	Activate Windows NoClose Group Policy Feature	12f50e15-dbc6-478b-a801-a746e8ba1723	command_prompt
196	defense-evasion	T1112	Modify Registry	23	Activate Windows NoSetTaskbar Group Policy Feature	d29b7faf-7355-4036-9ed3-719bd17951ed	command_prompt
197	defense-evasion	T1112	Modify Registry	24	Activate Windows NoTrayContextMenu Group Policy Feature	4d72d4b1-fa7b-4374-b423-0fe326da49d2	command_prompt
198	defense-evasion	T1112	Modify Registry	25	Activate Windows NoPropertiesMyDocuments Group Policy Feature	20fc9daa-bd48-4325-9aff-81b967a84b1d	command_prompt
199	defense-evasion	T1112	Modify Registry	26	Hide Windows Clock Group Policy Feature	8023db1e-ad06-4966-934b-b6a0ae52689e	command_prompt
200	defense-evasion	T1112	Modify Registry	27	Windows HideSCAHealth Group Policy Feature	a4637291-40b1-4a96-8c82-b28f1d73e54e	command_prompt
201	defense-evasion	T1112	Modify Registry	28	Windows HideSCANetwork Group Policy Feature	3e757ce7-eca0-411a-9583-1c33b8508d52	command_prompt
202	defense-evasion	T1112	Modify Registry	29	Windows HideSCAPower Group Policy Feature	8d85a5d8-702f-436f-bc78-fcd9119496fc	command_prompt
203	defense-evasion	T1112	Modify Registry	30	Windows HideSCAVolume Group Policy Feature	7f037590-b4c6-4f13-b3cc-e424c5ab8ade	command_prompt
204	defense-evasion	T1112	Modify Registry	31	Windows Modify Show Compress Color And Info Tip Registry	795d3248-0394-4d4d-8e86-4e8df2a2693f	command_prompt
205	defense-evasion	T1112	Modify Registry	32	Windows Powershell Logging Disabled	95b25212-91a7-42ff-9613-124aca6845a8	command_prompt
206	defense-evasion	T1112	Modify Registry	33	Windows Add Registry Value to Load Service in Safe Mode without Network	1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5	command_prompt
207	defense-evasion	T1112	Modify Registry	34	Windows Add Registry Value to Load Service in Safe Mode with Network	c173c948-65e5-499c-afbe-433722ed5bd4	command_prompt
208	defense-evasion	T1112	Modify Registry	35	Disable Windows Toast Notifications	003f466a-6010-4b15-803a-cbb478a314d7	command_prompt
209	defense-evasion	T1112	Modify Registry	36	Disable Windows Security Center Notifications	45914594-8df6-4ea9-b3cc-7eb9321a807e	command_prompt
210	defense-evasion	T1112	Modify Registry	37	Suppress Win Defender Notifications	c30dada3-7777-4590-b970-dc890b8cf113	command_prompt
211	defense-evasion	T1112	Modify Registry	38	Allow RDP Remote Assistance Feature	86677d0e-0b5e-4a2b-b302-454175f9aa9e	command_prompt
212	defense-evasion	T1112	Modify Registry	39	NetWire RAT Registry Key Creation	65704cd4-6e36-4b90-b6c1-dc29a82c8e56	command_prompt
213	defense-evasion	T1112	Modify Registry	40	Ursnif Malware Registry Key Creation	c375558d-7c25-45e9-bd64-7b23a97c1db0	command_prompt
214	defense-evasion	T1112	Modify Registry	41	Terminal Server Client Connection History Cleared	3448824b-3c35-4a9e-a8f5-f887f68bea21	command_prompt
215	defense-evasion	T1112	Modify Registry	42	Disable Windows Error Reporting Settings	d2c9e41e-cd86-473d-980d-b6403562e3e1	command_prompt
216	defense-evasion	T1112	Modify Registry	43	DisallowRun Execution Of Certain Application	71db768a-5a9c-4047-b5e7-59e01f188e84	command_prompt
217	defense-evasion	T1574.008	Hijack Execution Flow: Path Interception by Search Order Hijacking	1	powerShell Persistence via hijacking default modules - Get-Variable.exe	1561de08-0b4b-498e-8261-e922f3494aae	powershell
218	defense-evasion	T1027.001	Obfuscated Files or Information: Binary Padding	1	Pad Binary to Change Hash - Linux/macOS dd	ffe2346c-abd5-4b45-a713-bf5f1ebd573a	sh
219	defense-evasion	T1484.001	Domain Policy Modification: Group Policy Modification	1	LockBit Black - Modify Group policy settings -cmd	9ab80952-74ee-43da-a98c-1e740a985f28	command_prompt
220	defense-evasion	T1484.001	Domain Policy Modification: Group Policy Modification	2	LockBit Black - Modify Group policy settings -Powershell	b51eae65-5441-4789-b8e8-64783c26c1d1	powershell
221	defense-evasion	T1078.001	Valid Accounts: Default Accounts	1	Enable Guest account with RDP capability and admin privileges	99747561-ed8d-47f2-9c91-1e5fde1ed6e0	command_prompt
222	defense-evasion	T1078.001	Valid Accounts: Default Accounts	2	Activate Guest Account	aa6cb8c4-b582-4f8e-b677-37733914abda	command_prompt
223	defense-evasion	T1574.006	Hijack Execution Flow: LD_PRELOAD	1	Shared Library Injection via /etc/ld.so.preload	39cb0e67-dd0d-4b74-a74b-c072db7ae991	bash
224	defense-evasion	T1574.006	Hijack Execution Flow: LD_PRELOAD	2	Shared Library Injection via LD_PRELOAD	bc219ff7-789f-4d51-9142-ecae3397deae	bash
225	defense-evasion	T1574.006	Hijack Execution Flow: LD_PRELOAD	3	Dylib Injection via DYLD_INSERT_LIBRARIES	4d66029d-7355-43fd-93a4-b63ba92ea1be	bash
226	defense-evasion	T1070.001	Indicator Removal on Host: Clear Windows Event Logs	1	Clear Logs	e6abb60e-26b8-41da-8aae-0c35174b0967	command_prompt
227	defense-evasion	T1070.001	Indicator Removal on Host: Clear Windows Event Logs	2	Delete System Logs Using Clear-EventLog	b13e9306-3351-4b4b-a6e8-477358b0b498	powershell
228	defense-evasion	T1070.001	Indicator Removal on Host: Clear Windows Event Logs	3	Clear Event Logs via VBA	1b682d84-f075-4f93-9a89-8a8de19ffd6e	powershell
229	defense-evasion	T1134.002	Create Process with Token	1	Access Token Manipulation	dbf4f5a9-b8e0-46a3-9841-9ad71247239e	powershell
230	defense-evasion	T1134.002	Create Process with Token	2	WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique	ccf4ac39-ec93-42be-9035-90e2f26bcd92	powershell
231	defense-evasion	T1548.001	Abuse Elevation Control Mechanism: Setuid and Setgid	1	Make and modify binary from C source	896dfe97-ae43-4101-8e96-9a7996555d80	sh
232	defense-evasion	T1548.001	Abuse Elevation Control Mechanism: Setuid and Setgid	2	Set a SetUID flag on file	759055b3-3885-4582-a8ec-c00c9d64dd79	sh
233	defense-evasion	T1548.001	Abuse Elevation Control Mechanism: Setuid and Setgid	3	Set a SetGID flag on file	db55f666-7cba-46c6-9fe6-205a05c3242c	sh
234	defense-evasion	T1548.001	Abuse Elevation Control Mechanism: Setuid and Setgid	4	Make and modify capabilities of a binary	db53959c-207d-4000-9e7a-cd8eb417e072	sh
235	defense-evasion	T1548.001	Abuse Elevation Control Mechanism: Setuid and Setgid	5	Provide the SetUID capability to a file	1ac3272f-9bcf-443a-9888-4b1d3de785c1	sh
236	defense-evasion	T1218.008	Signed Binary Proxy Execution: Odbcconf	1	Odbcconf.exe - Execute Arbitrary DLL	2430498b-06c0-4b92-a448-8ad263c388e2	command_prompt
237	defense-evasion	T1218.008	Signed Binary Proxy Execution: Odbcconf	2	Odbcconf.exe - Load Response File	331ce274-f9c9-440b-9f8c-a1006e1fce0b	command_prompt
238	defense-evasion	T1562.006	Impair Defenses: Indicator Blocking	1	Auditing Configuration Changes on Linux Host	212cfbcf-4770-4980-bc21-303e37abd0e3	bash
239	defense-evasion	T1562.006	Impair Defenses: Indicator Blocking	2	Logging Configuration Changes on Linux Host	7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c	bash
240	defense-evasion	T1562.006	Impair Defenses: Indicator Blocking	3	Disable Powershell ETW Provider - Windows	6f118276-121d-4c09-bb58-a8fb4a72ee84	powershell
241	defense-evasion	T1562.006	Impair Defenses: Indicator Blocking	4	Disable .NET Event Tracing for Windows Via Registry (cmd)	8a4c33be-a0d3-434a-bee6-315405edbd5b	command_prompt
242	defense-evasion	T1562.006	Impair Defenses: Indicator Blocking	5	Disable .NET Event Tracing for Windows Via Registry (powershell)	19c07a45-452d-4620-90ed-4c34fffbe758	powershell
243	defense-evasion	T1562.006	Impair Defenses: Indicator Blocking	6	LockBit Black - Disable the ETW Provider of Windows Defender -cmd	f6df0b8e-2c83-44c7-ba5e-0fa4386bec41	command_prompt
244	defense-evasion	T1562.006	Impair Defenses: Indicator Blocking	7	LockBit Black - Disable the ETW Provider of Windows Defender -Powershell	69fc085b-5444-4879-8002-b24c8e1a3e02	powershell
245	defense-evasion	T1070	Indicator Removal on Host	1	Indicator Removal using FSUtil	b4115c7a-0e92-47f0-a61e-17e7218b2435	command_prompt
246	defense-evasion	T1550.003	Use Alternate Authentication Material: Pass the Ticket	1	Mimikatz Kerberos Ticket Attack	dbf38128-7ba7-4776-bedf-cc2eed432098	command_prompt
247	defense-evasion	T1550.003	Use Alternate Authentication Material: Pass the Ticket	2	Rubeus Kerberos Pass The Ticket	a2fc4ec5-12c6-4fb4-b661-961f23f359cb	powershell
248	defense-evasion	T1036.004	Masquerading: Masquerade Task or Service	1	Creating W32Time similar named service using schtasks	f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9	command_prompt
249	defense-evasion	T1036.004	Masquerading: Masquerade Task or Service	2	Creating W32Time similar named service using sc	b721c6ef-472c-4263-a0d9-37f1f4ecff66	command_prompt
250	defense-evasion	T1055.004	Process Injection: Asynchronous Procedure Call	1	Process Injection via C#	611b39b7-e243-4c81-87a4-7145a90358b1	command_prompt
251	defense-evasion	T1647	Plist File Modification	1	Plist Modification	394a538e-09bb-4a4a-95d1-b93cf12682a8	manual
252	defense-evasion	T1553.005	Subvert Trust Controls: Mark-of-the-Web Bypass	1	Mount ISO image	002cca30-4778-4891-878a-aaffcfa502fa	powershell
253	defense-evasion	T1553.005	Subvert Trust Controls: Mark-of-the-Web Bypass	2	Mount an ISO image and run executable from the ISO	42f22b00-0242-4afc-a61b-0da05041f9cc	powershell
254	defense-evasion	T1553.005	Subvert Trust Controls: Mark-of-the-Web Bypass	3	Remove the Zone.Identifier alternate data stream	64b12afc-18b8-4d3f-9eab-7f6cae7c73f9	powershell
255	defense-evasion	T1553.005	Subvert Trust Controls: Mark-of-the-Web Bypass	4	Execute LNK file from ISO	c2587b8d-743d-4985-aa50-c83394eaeb68	powershell
256	defense-evasion	T1218.005	Signed Binary Proxy Execution: Mshta	1	Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject	1483fab9-4f52-4217-a9ce-daa9d7747cae	command_prompt
257	defense-evasion	T1218.005	Signed Binary Proxy Execution: Mshta	2	Mshta executes VBScript to execute malicious command	906865c3-e05f-4acc-85c4-fbc185455095	command_prompt
258	defense-evasion	T1218.005	Signed Binary Proxy Execution: Mshta	3	Mshta Executes Remote HTML Application (HTA)	c4b97eeb-5249-4455-a607-59f95485cb45	powershell
259	defense-evasion	T1218.005	Signed Binary Proxy Execution: Mshta	4	Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement	007e5672-2088-4853-a562-7490ddc19447	powershell
260	defense-evasion	T1218.005	Signed Binary Proxy Execution: Mshta	5	Invoke HTML Application - Jscript Engine Simulating Double Click	58a193ec-131b-404e-b1ca-b35cf0b18c33	powershell
261	defense-evasion	T1218.005	Signed Binary Proxy Execution: Mshta	6	Invoke HTML Application - Direct download from URI	39ceed55-f653-48ac-bd19-aceceaf525db	powershell
262	defense-evasion	T1218.005	Signed Binary Proxy Execution: Mshta	7	Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler	e7e3a525-7612-4d68-a5d3-c4649181b8af	powershell
263	defense-evasion	T1218.005	Signed Binary Proxy Execution: Mshta	8	Invoke HTML Application - JScript Engine with Inline Protocol Handler	d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840	powershell
264	defense-evasion	T1218.005	Signed Binary Proxy Execution: Mshta	9	Invoke HTML Application - Simulate Lateral Movement over UNC Path	b8a8bdb2-7eae-490d-8251-d5e0295b2362	powershell
265	defense-evasion	T1218.005	Signed Binary Proxy Execution: Mshta	10	Mshta used to Execute PowerShell	8707a805-2b76-4f32-b1c0-14e558205772	command_prompt
266	defense-evasion	T1134.001	Access Token Manipulation: Token Impersonation/Theft	1	Named pipe client impersonation	90db9e27-8e7c-4c04-b602-a45927884966	powershell
267	defense-evasion	T1134.001	Access Token Manipulation: Token Impersonation/Theft	2	`SeDebugPrivilege` token duplication	34f0a430-9d04-4d98-bcb5-1989f14719f0	powershell
268	defense-evasion	T1134.001	Access Token Manipulation: Token Impersonation/Theft	3	Launch NSudo Executable	7be1bc0f-d8e5-4345-9333-f5f67d742cb9	powershell
269	defense-evasion	T1134.001	Access Token Manipulation: Token Impersonation/Theft	4	Bad Potato	9c6d799b-c111-4749-a42f-ec2f8cb51448	powershell
270	defense-evasion	T1564.002	Hide Artifacts: Hidden Users	1	Create Hidden User using UniqueID < 500	4238a7f0-a980-4fff-98a2-dfc0a363d507	sh
271	defense-evasion	T1564.002	Hide Artifacts: Hidden Users	2	Create Hidden User using IsHidden option	de87ed7b-52c3-43fd-9554-730f695e7f31	sh
272	defense-evasion	T1564.002	Hide Artifacts: Hidden Users	3	Create Hidden User in Registry	173126b7-afe4-45eb-8680-fa9f6400431c	command_prompt
273	defense-evasion	T1562.003	Impair Defenses: HISTCONTROL	1	Disable history collection	4eafdb45-0f79-4d66-aa86-a3e2c08791f5	sh
274	defense-evasion	T1562.003	Impair Defenses: HISTCONTROL	2	Mac HISTCONTROL	468566d5-83e5-40c1-b338-511e1659628d	manual
275	defense-evasion	T1134.004	Access Token Manipulation: Parent PID Spoofing	1	Parent PID Spoofing using PowerShell	069258f4-2162-46e9-9a25-c9c6c56150d2	powershell
276	defense-evasion	T1134.004	Access Token Manipulation: Parent PID Spoofing	2	Parent PID Spoofing - Spawn from Current Process	14920ebd-1d61-491a-85e0-fe98efe37f25	powershell
277	defense-evasion	T1134.004	Access Token Manipulation: Parent PID Spoofing	3	Parent PID Spoofing - Spawn from Specified Process	cbbff285-9051-444a-9d17-c07cd2d230eb	powershell
278	defense-evasion	T1134.004	Access Token Manipulation: Parent PID Spoofing	4	Parent PID Spoofing - Spawn from svchost.exe	e9f2b777-3123-430b-805d-5cedc66ab591	powershell
279	defense-evasion	T1134.004	Access Token Manipulation: Parent PID Spoofing	5	Parent PID Spoofing - Spawn from New Process	2988133e-561c-4e42-a15f-6281e6a9b2db	powershell
280	defense-evasion	T1218.001	Signed Binary Proxy Execution: Compiled HTML File	1	Compiled HTML Help Local Payload	5cb87818-0d7c-4469-b7ef-9224107aebe8	command_prompt
281	defense-evasion	T1218.001	Signed Binary Proxy Execution: Compiled HTML File	2	Compiled HTML Help Remote Payload	0f8af516-9818-4172-922b-42986ef1e81d	command_prompt
282	defense-evasion	T1218.001	Signed Binary Proxy Execution: Compiled HTML File	3	Invoke CHM with default Shortcut Command Execution	29d6f0d7-be63-4482-8827-ea77126c1ef7	powershell
283	defense-evasion	T1218.001	Signed Binary Proxy Execution: Compiled HTML File	4	Invoke CHM with InfoTech Storage Protocol Handler	b4094750-5fc7-4e8e-af12-b4e36bf5e7f6	powershell
284	defense-evasion	T1218.001	Signed Binary Proxy Execution: Compiled HTML File	5	Invoke CHM Simulate Double click	5decef42-92b8-4a93-9eb2-877ddcb9401a	powershell
285	defense-evasion	T1218.001	Signed Binary Proxy Execution: Compiled HTML File	6	Invoke CHM with Script Engine and Help Topic	4f83adda-f5ec-406d-b318-9773c9ca92e5	powershell
286	defense-evasion	T1218.001	Signed Binary Proxy Execution: Compiled HTML File	7	Invoke CHM Shortcut Command with ITS and Help Topic	15756147-7470-4a83-87fb-bb5662526247	powershell
287	defense-evasion	T1218.001	Signed Binary Proxy Execution: Compiled HTML File	8	Decompile Local CHM File	20cb05e0-1fa5-406d-92c1-84da4ba01813	command_prompt
288	defense-evasion	T1070.005	Indicator Removal on Host: Network Share Connection Removal	1	Add Network Share	14c38f32-6509-46d8-ab43-d53e32d2b131	command_prompt
289	defense-evasion	T1070.005	Indicator Removal on Host: Network Share Connection Removal	2	Remove Network Share	09210ad5-1ef2-4077-9ad3-7351e13e9222	command_prompt
290	defense-evasion	T1070.005	Indicator Removal on Host: Network Share Connection Removal	3	Remove Network Share PowerShell	0512d214-9512-4d22-bde7-f37e058259b3	powershell
291	defense-evasion	T1070.005	Indicator Removal on Host: Network Share Connection Removal	4	Disable Administrative Share Creation at Startup	99c657aa-ebeb-4179-a665-69288fdd12b8	command_prompt
292	defense-evasion	T1070.005	Indicator Removal on Host: Network Share Connection Removal	5	Remove Administrative Shares	4299eff5-90f1-4446-b2f3-7f4f5cfd5d62	command_prompt
293	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	1	Disable syslog	4ce786f8-e601-44b5-bfae-9ebb15a7d1c8	sh
294	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	2	Disable Cb Response	ae8943f7-0f8d-44de-962d-fbc2e2f03eb8	sh
295	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	3	Disable SELinux	fc225f36-9279-4c39-b3f9-5141ab74f8d8	sh
296	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	4	Stop Crowdstrike Falcon on Linux	828a1278-81cc-4802-96ab-188bf29ca77d	sh
297	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	5	Disable Carbon Black Response	8fba7766-2d11-4b4a-979a-1e3d9cc9a88c	sh
298	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	6	Disable LittleSnitch	62155dd8-bb3d-4f32-b31c-6532ff3ac6a3	sh
299	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	7	Disable OpenDNS Umbrella	07f43b33-1e15-4e99-be70-bc094157c849	sh
300	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	8	Disable macOS Gatekeeper	2a821573-fb3f-4e71-92c3-daac7432f053	sh
301	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	9	Stop and unload Crowdstrike Falcon on macOS	b3e7510c-2d4c-4249-a33f-591a2bc83eef	sh
302	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	10	Unload Sysmon Filter Driver	811b3e76-c41b-430c-ac0d-e2380bfaa164	command_prompt
303	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	11	Uninstall Sysmon	a316fb2e-5344-470d-91c1-23e15c374edc	command_prompt
304	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	12	AMSI Bypass - AMSI InitFailed	695eed40-e949-40e5-b306-b4031e4154bd	powershell
305	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	13	AMSI Bypass - Remove AMSI Provider Reg Key	13f09b91-c953-438e-845b-b585e51cac9b	powershell
306	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	14	Disable Arbitrary Security Windows Service	a1230893-56ac-4c81-b644-2108e982f8f5	command_prompt
307	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	15	Tamper with Windows Defender ATP PowerShell	6b8df440-51ec-4d53-bf83-899591c9b5d7	powershell
308	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	16	Tamper with Windows Defender Command Prompt	aa875ed4-8935-47e2-b2c5-6ec00ab220d2	command_prompt
309	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	17	Tamper with Windows Defender Registry	1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45	powershell
310	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	18	Disable Microsoft Office Security Features	6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7	powershell
311	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	19	Remove Windows Defender Definition Files	3d47daaa-2f56-43e0-94cc-caf5d8d52a68	command_prompt
312	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	20	Stop and Remove Arbitrary Security Windows Service	ae753dda-0f15-4af6-a168-b9ba16143143	powershell
313	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	21	Uninstall Crowdstrike Falcon on Windows	b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297	powershell
314	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	22	Tamper with Windows Defender Evade Scanning -Folder	0b19f4ee-de90-4059-88cb-63c800c683ed	powershell
315	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	23	Tamper with Windows Defender Evade Scanning -Extension	315f4be6-2240-4552-b3e1-d1047f5eecea	powershell
316	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	24	Tamper with Windows Defender Evade Scanning -Process	a123ce6a-3916-45d6-ba9c-7d4081315c27	powershell
317	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	25	office-365-Disable-AntiPhishRule	b9bbae2c-2ba6-4cf3-b452-8e8f908696f3	powershell
318	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	26	Disable Windows Defender with DISM	871438ac-7d6e-432a-b27d-3e7db69faf58	command_prompt
319	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	27	Disable Defender with Defender Control	178136d8-2778-4d7a-81f3-d517053a4fd6	powershell
320	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	28	Disable Defender Using NirSoft AdvancedRun	81ce22fd-9612-4154-918e-8a1f285d214d	powershell
321	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	29	Kill antimalware protected processes using Backstab	24a12b91-05a7-4deb-8d7f-035fa98591bc	powershell
322	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	30	WinPwn - Kill the event log services for stealth	7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66	powershell
323	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	31	Tamper with Windows Defender ATP using Aliases - PowerShell	c531aa6e-9c97-4b29-afee-9b7be6fc8a64	powershell
324	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	32	LockBit Black - Disable Privacy Settings Experience Using Registry -cmd	d6d22332-d07d-498f-aea0-6139ecb7850e	command_prompt
325	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	33	LockBit Black - Use Registry Editor to turn on automatic logon -cmd	9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70	command_prompt
326	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	34	LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell	d8c57eaa-497a-4a08-961e-bd5efd7c9374	powershell
327	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	35	Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell	5e27f36d-5132-4537-b43b-413b0d5eec9a	powershell
328	defense-evasion	T1562.001	Impair Defenses: Disable or Modify Tools	36	Disable Windows Defender with PwSh Disable-WindowsOptionalFeature	f542ffd3-37b4-4528-837f-682874faa012	powershell
329	defense-evasion	T1055.012	Process Injection: Process Hollowing	1	Process Hollowing using PowerShell	562427b4-39ef-4e8c-af88-463a78e70b9c	powershell
330	defense-evasion	T1055.012	Process Injection: Process Hollowing	2	RunPE via VBA	3ad4a037-1598-4136-837c-4027e4fa319b	powershell
331	defense-evasion	T1027	Obfuscated Files or Information	1	Decode base64 Data into Script	f45df6be-2e1e-4136-a384-8f18ab3826fb	sh
332	defense-evasion	T1027	Obfuscated Files or Information	2	Execute base64-encoded PowerShell	a50d5a97-2531-499e-a1de-5544c74432c6	powershell
333	defense-evasion	T1027	Obfuscated Files or Information	3	Execute base64-encoded PowerShell from Windows Registry	450e7218-7915-4be4-8b9b-464a49eafcec	powershell
334	defense-evasion	T1027	Obfuscated Files or Information	4	Execution from Compressed File	f8c8a909-5f29-49ac-9244-413936ce6d1f	command_prompt
335	defense-evasion	T1027	Obfuscated Files or Information	5	DLP Evasion via Sensitive Data in VBA Macro over email	129edb75-d7b8-42cd-a8ba-1f3db64ec4ad	powershell
336	defense-evasion	T1027	Obfuscated Files or Information	6	DLP Evasion via Sensitive Data in VBA Macro over HTTP	e2d85e66-cb66-4ed7-93b1-833fc56c9319	powershell
337	defense-evasion	T1027	Obfuscated Files or Information	7	Obfuscated Command in PowerShell	8b3f4ed6-077b-4bdd-891c-2d237f19410f	powershell
338	defense-evasion	T1027	Obfuscated Files or Information	8	Obfuscated Command Line using special Unicode characters	e68b945c-52d0-4dd9-a5e8-d173d70c448f	manual
339	defense-evasion	T1564.006	Run Virtual Instance	1	Register Portable Virtualbox	c59f246a-34f8-4e4d-9276-c295ef9ba0dd	command_prompt
340	defense-evasion	T1564.006	Run Virtual Instance	2	Create and start VirtualBox virtual machine	88b81702-a1c0-49a9-95b2-2dd53d755767	command_prompt
341	defense-evasion	T1564.006	Run Virtual Instance	3	Create and start Hyper-V virtual machine	fb8d4d7e-f5a4-481c-8867-febf13f8b6d3	powershell
342	defense-evasion	T1134.005	Access Token Manipulation: SID-History Injection	1	Injection SID-History with mimikatz	6bef32e5-9456-4072-8f14-35566fb85401	command_prompt
343	defense-evasion	T1218.010	Signed Binary Proxy Execution: Regsvr32	1	Regsvr32 local COM scriptlet execution	449aa403-6aba-47ce-8a37-247d21ef0306	command_prompt
344	defense-evasion	T1218.010	Signed Binary Proxy Execution: Regsvr32	2	Regsvr32 remote COM scriptlet execution	c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36	command_prompt
345	defense-evasion	T1218.010	Signed Binary Proxy Execution: Regsvr32	3	Regsvr32 local DLL execution	08ffca73-9a3d-471a-aeb0-68b4aa3ab37b	command_prompt
346	defense-evasion	T1218.010	Signed Binary Proxy Execution: Regsvr32	4	Regsvr32 Registering Non DLL	1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421	command_prompt
347	defense-evasion	T1218.010	Signed Binary Proxy Execution: Regsvr32	5	Regsvr32 Silent DLL Install Call DllRegisterServer	9d71c492-ea2e-4c08-af16-c6994cdf029f	command_prompt
348	defense-evasion	T1036.003	Masquerading: Rename System Utilities	1	Masquerading as Windows LSASS process	5ba5a3d1-cf3c-4499-968a-a93155d1f717	command_prompt
349	defense-evasion	T1036.003	Masquerading: Rename System Utilities	2	Masquerading as Linux crond process.	a315bfff-7a98-403b-b442-2ea1b255e556	sh
350	defense-evasion	T1036.003	Masquerading: Rename System Utilities	3	Masquerading - cscript.exe running as notepad.exe	3a2a578b-0a01-46e4-92e3-62e2859b42f0	command_prompt
351	defense-evasion	T1036.003	Masquerading: Rename System Utilities	4	Masquerading - wscript.exe running as svchost.exe	24136435-c91a-4ede-9da1-8b284a1c1a23	command_prompt
352	defense-evasion	T1036.003	Masquerading: Rename System Utilities	5	Masquerading - powershell.exe running as taskhostw.exe	ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa	command_prompt
353	defense-evasion	T1036.003	Masquerading: Rename System Utilities	6	Masquerading - non-windows exe running as windows exe	bc15c13f-d121-4b1f-8c7d-28d95854d086	powershell
354	defense-evasion	T1036.003	Masquerading: Rename System Utilities	7	Masquerading - windows exe running as different windows exe	c3d24a39-2bfe-4c6a-b064-90cd73896cb0	powershell
355	defense-evasion	T1036.003	Masquerading: Rename System Utilities	8	Malicious process Masquerading as LSM.exe	83810c46-f45e-4485-9ab6-8ed0e9e6ed7f	command_prompt
356	defense-evasion	T1036.003	Masquerading: Rename System Utilities	9	File Extension Masquerading	c7fa0c3b-b57f-4cba-9118-863bf4e653fc	command_prompt
357	defense-evasion	T1574.009	Hijack Execution Flow: Path Interception by Unquoted Path	1	Execution of program.exe as service with unquoted service path	2770dea7-c50f-457b-84c4-c40a47460d9f	command_prompt
358	defense-evasion	T1218.009	Signed Binary Proxy Execution: Regsvcs/Regasm	1	Regasm Uninstall Method Call Test	71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112	command_prompt
359	defense-evasion	T1218.009	Signed Binary Proxy Execution: Regsvcs/Regasm	2	Regsvcs Uninstall Method Call Test	fd3c1c6a-02d2-4b72-82d9-71c527abb126	powershell
360	defense-evasion	T1553.004	Subvert Trust Controls: Install Root Certificate	1	Install root CA on CentOS/RHEL	9c096ec4-fd42-419d-a762-d64cc950627e	sh
361	defense-evasion	T1553.004	Subvert Trust Controls: Install Root Certificate	2	Install root CA on Debian/Ubuntu	53bcf8a0-1549-4b85-b919-010c56d724ff	sh
362	defense-evasion	T1553.004	Subvert Trust Controls: Install Root Certificate	3	Install root CA on macOS	cc4a0b8c-426f-40ff-9426-4e10e5bf4c49	sh
363	defense-evasion	T1553.004	Subvert Trust Controls: Install Root Certificate	4	Install root CA on Windows	76f49d86-5eb1-461a-a032-a480f86652f1	powershell
364	defense-evasion	T1553.004	Subvert Trust Controls: Install Root Certificate	5	Install root CA on Windows with certutil	5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f	powershell
365	defense-evasion	T1553.004	Subvert Trust Controls: Install Root Certificate	6	Add Root Certificate to CurrentUser Certificate Store	ca20a3f1-42b5-4e21-ad3f-1049199ec2e0	powershell
366	defense-evasion	T1027.004	Obfuscated Files or Information: Compile After Delivery	1	Compile After Delivery using csc.exe	ffcdbd6a-b0e8-487d-927a-09127fe9a206	command_prompt
367	defense-evasion	T1027.004	Obfuscated Files or Information: Compile After Delivery	2	Dynamic C# Compile	453614d8-3ba6-4147-acc0-7ec4b3e1faef	powershell
368	defense-evasion	T1027.004	Obfuscated Files or Information: Compile After Delivery	3	C compile	d0377aa6-850a-42b2-95f0-de558d80be57	bash
369	defense-evasion	T1027.004	Obfuscated Files or Information: Compile After Delivery	4	CC compile	da97bb11-d6d0-4fc1-b445-e443d1346efe	bash
370	defense-evasion	T1027.004	Obfuscated Files or Information: Compile After Delivery	5	Go compile	78bd3fa7-773c-449e-a978-dc1f1500bc52	bash
371	defense-evasion	T1197	BITS Jobs	1	Bitsadmin Download (cmd)	3c73d728-75fb-4180-a12f-6712864d7421	command_prompt
372	defense-evasion	T1197	BITS Jobs	2	Bitsadmin Download (PowerShell)	f63b8bc4-07e5-4112-acba-56f646f3f0bc	powershell
373	defense-evasion	T1197	BITS Jobs	3	Persist, Download, & Execute	62a06ec5-5754-47d2-bcfc-123d8314c6ae	command_prompt
374	defense-evasion	T1197	BITS Jobs	4	Bits download using desktopimgdownldr.exe (cmd)	afb5e09e-e385-4dee-9a94-6ee60979d114	command_prompt
375	defense-evasion	T1127.001	Trusted Developer Utilities Proxy Execution: MSBuild	1	MSBuild Bypass Using Inline Tasks (C#)	58742c0f-cb01-44cd-a60b-fb26e8871c93	command_prompt
376	defense-evasion	T1127.001	Trusted Developer Utilities Proxy Execution: MSBuild	2	MSBuild Bypass Using Inline Tasks (VB)	ab042179-c0c5-402f-9bc8-42741f5ce359	command_prompt
377	defense-evasion	T1562.008	Impair Defenses: Disable Cloud Logs	1	AWS - CloudTrail Changes	9c10dc6b-20bd-403a-8e67-50ef7d07ed4e	sh
378	defense-evasion	T1562.008	Impair Defenses: Disable Cloud Logs	2	Azure - Eventhub Deletion	5e09bed0-7d33-453b-9bf3-caea32bff719	powershell
379	defense-evasion	T1562.008	Impair Defenses: Disable Cloud Logs	3	Office 365 - Exchange Audit Log Disabled	1ee572f3-056c-4632-a7fc-7e7c42b1543c	powershell
380	defense-evasion	T1562.008	Impair Defenses: Disable Cloud Logs	4	AWS - Disable CloudTrail Logging Through Event Selectors using Stratus	a27418de-bdce-4ebd-b655-38f11142bf0c	sh
381	defense-evasion	T1562.008	Impair Defenses: Disable Cloud Logs	5	AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus	22d89a2f-d475-4895-b2d4-68626d49c029	sh
382	defense-evasion	T1562.008	Impair Defenses: Disable Cloud Logs	6	AWS - Remove VPC Flow Logs using Stratus	93c150f5-ad7b-4ee3-8992-df06dec2ac79	sh
383	defense-evasion	T1562.008	Impair Defenses: Disable Cloud Logs	7	AWS - CloudWatch Log Group Deletes	89422c87-b57b-4a04-a8ca-802bb9d06121	sh
384	defense-evasion	T1562.008	Impair Defenses: Disable Cloud Logs	8	AWS - CloudWatch Log Stream Deletes	89422c87-b57b-4a04-a12a-802bb11d06121	sh
385	defense-evasion	T1562.008	Impair Defenses: Disable Cloud Logs	9	AWS CloudWatch Log Stream Deletes	33ca84bc-4259-4943-bd36-4655dc420932	sh
386	defense-evasion	T1564.003	Hide Artifacts: Hidden Window	1	Hidden Window	f151ee37-9e2b-47e6-80e4-550b9f999b7a	powershell
387	defense-evasion	T1070.004	Indicator Removal on Host: File Deletion	1	Delete a single file - Linux/macOS	562d737f-2fc6-4b09-8c2a-7f8ff0828480	sh
388	defense-evasion	T1070.004	Indicator Removal on Host: File Deletion	2	Delete an entire folder - Linux/macOS	a415f17e-ce8d-4ce2-a8b4-83b674e7017e	sh
389	defense-evasion	T1070.004	Indicator Removal on Host: File Deletion	3	Overwrite and delete a file with shred	039b4b10-2900-404b-b67f-4b6d49aa6499	sh
390	defense-evasion	T1070.004	Indicator Removal on Host: File Deletion	4	Delete a single file - Windows cmd	861ea0b4-708a-4d17-848d-186c9c7f17e3	command_prompt
391	defense-evasion	T1070.004	Indicator Removal on Host: File Deletion	5	Delete an entire folder - Windows cmd	ded937c4-2add-42f7-9c2c-c742b7a98698	command_prompt
392	defense-evasion	T1070.004	Indicator Removal on Host: File Deletion	6	Delete a single file - Windows PowerShell	9dee89bd-9a98-4c4f-9e2d-4256690b0e72	powershell
393	defense-evasion	T1070.004	Indicator Removal on Host: File Deletion	7	Delete an entire folder - Windows PowerShell	edd779e4-a509-4cba-8dfa-a112543dbfb1	powershell
394	defense-evasion	T1070.004	Indicator Removal on Host: File Deletion	8	Delete Filesystem - Linux	f3aa95fe-4f10-4485-ad26-abf22a764c52	bash
395	defense-evasion	T1070.004	Indicator Removal on Host: File Deletion	9	Delete Prefetch File	36f96049-0ad7-4a5f-8418-460acaeb92fb	powershell
396	defense-evasion	T1070.004	Indicator Removal on Host: File Deletion	10	Delete TeamViewer Log Files	69f50a5f-967c-4327-a5bb-e1a9a9983785	powershell
397	defense-evasion	T1221	Template Injection	1	WINWORD Remote Template Injection	1489e08a-82c7-44ee-b769-51b72d03521d	command_prompt
398	defense-evasion	T1027.002	Obfuscated Files or Information: Software Packing	1	Binary simply packed by UPX (linux)	11c46cd8-e471-450e-acb8-52a1216ae6a4	sh
399	defense-evasion	T1027.002	Obfuscated Files or Information: Software Packing	2	Binary packed by UPX, with modified headers (linux)	f06197f8-ff46-48c2-a0c6-afc1b50665e1	sh
400	defense-evasion	T1027.002	Obfuscated Files or Information: Software Packing	3	Binary simply packed by UPX	b16ef901-00bb-4dda-b4fc-a04db5067e20	sh
401	defense-evasion	T1027.002	Obfuscated Files or Information: Software Packing	4	Binary packed by UPX, with modified headers	4d46e16b-5765-4046-9f25-a600d3e65e4d	sh
402	defense-evasion	T1036.006	Masquerading: Space after Filename	1	Space After Filename (Manual)	89a7dd26-e510-4c9f-9b15-f3bae333360f	manual
403	defense-evasion	T1036.006	Masquerading: Space after Filename	2	Space After Filename	b95ce2eb-a093-4cd8-938d-5258cef656ea	bash
404	defense-evasion	T1550.002	Use Alternate Authentication Material: Pass the Hash	1	Mimikatz Pass the Hash	ec23cef9-27d9-46e4-a68d-6f75f7b86908	command_prompt
405	defense-evasion	T1550.002	Use Alternate Authentication Material: Pass the Hash	2	crackmapexec Pass the Hash	eb05b028-16c8-4ad8-adea-6f5b219da9a9	command_prompt
406	defense-evasion	T1550.002	Use Alternate Authentication Material: Pass the Hash	3	Invoke-WMIExec Pass the Hash	f8757545-b00a-4e4e-8cfb-8cfb961ee713	powershell
407	defense-evasion	T1574.002	Hijack Execution Flow: DLL Side-Loading	1	DLL Side-Loading using the Notepad++ GUP.exe binary	65526037-7079-44a9-bda1-2cb624838040	command_prompt
408	defense-evasion	T1574.002	Hijack Execution Flow: DLL Side-Loading	2	DLL Side-Loading using the dotnet startup hook environment variable	d322cdd7-7d60-46e3-9111-648848da7c02	command_prompt
409	defense-evasion	T1220	XSL Script Processing	1	MSXSL Bypass using local files	ca23bfb2-023f-49c5-8802-e66997de462d	command_prompt
410	defense-evasion	T1220	XSL Script Processing	2	MSXSL Bypass using remote files	a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985	command_prompt
411	defense-evasion	T1220	XSL Script Processing	3	WMIC bypass using local XSL file	1b237334-3e21-4a0c-8178-b8c996124988	command_prompt
412	defense-evasion	T1220	XSL Script Processing	4	WMIC bypass using remote XSL file	7f5be499-33be-4129-a560-66021f379b9b	command_prompt
413	defense-evasion	T1564.001	Hide Artifacts: Hidden Files and Directories	1	Create a hidden file in a hidden directory	61a782e5-9a19-40b5-8ba4-69a4b9f3d7be	sh
414	defense-evasion	T1564.001	Hide Artifacts: Hidden Files and Directories	2	Mac Hidden file	cddb9098-3b47-4e01-9d3b-6f5f323288a9	sh
415	defense-evasion	T1564.001	Hide Artifacts: Hidden Files and Directories	3	Create Windows System File with Attrib	f70974c8-c094-4574-b542-2c545af95a32	command_prompt
416	defense-evasion	T1564.001	Hide Artifacts: Hidden Files and Directories	4	Create Windows Hidden File with Attrib	dadb792e-4358-4d8d-9207-b771faa0daa5	command_prompt
417	defense-evasion	T1564.001	Hide Artifacts: Hidden Files and Directories	5	Hidden files	3b7015f2-3144-4205-b799-b05580621379	sh
418	defense-evasion	T1564.001	Hide Artifacts: Hidden Files and Directories	6	Hide a Directory	b115ecaf-3b24-4ed2-aefe-2fcb9db913d3	sh
419	defense-evasion	T1564.001	Hide Artifacts: Hidden Files and Directories	7	Show all hidden files	9a1ec7da-b892-449f-ad68-67066d04380c	sh
420	defense-evasion	T1564.001	Hide Artifacts: Hidden Files and Directories	8	Hide Files Through Registry	f650456b-bd49-4bc1-ae9d-271b5b9581e7	command_prompt
421	defense-evasion	T1078.004	Valid Accounts: Cloud Accounts	1	Creating GCP Service Account and Service Account Key	9fdd83fd-bd53-46e5-a716-9dec89c8ae8e	sh
422	defense-evasion	T1564.004	Hide Artifacts: NTFS File Attributes	1	Alternate Data Streams (ADS)	8822c3b0-d9f9-4daf-a043-49f4602364f4	command_prompt
423	defense-evasion	T1564.004	Hide Artifacts: NTFS File Attributes	2	Store file in Alternate Data Stream (ADS)	2ab75061-f5d5-4c1a-b666-ba2a50df5b02	powershell
424	defense-evasion	T1564.004	Hide Artifacts: NTFS File Attributes	3	Create ADS command prompt	17e7637a-ddaf-4a82-8622-377e20de8fdb	command_prompt
425	defense-evasion	T1564.004	Hide Artifacts: NTFS File Attributes	4	Create ADS PowerShell	0045ea16-ed3c-4d4c-a9ee-15e44d1560d1	powershell
426	defense-evasion	T1055.001	Process Injection: Dynamic-link Library Injection	1	Process Injection via mavinject.exe	74496461-11a1-4982-b439-4d87a550d254	powershell
427	defense-evasion	T1055.001	Process Injection: Dynamic-link Library Injection	2	WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique	8b56f787-73d9-4f1d-87e8-d07e89cbc7f5	powershell
428	defense-evasion	T1216	Signed Script Proxy Execution	1	SyncAppvPublishingServer Signed Script PowerShell Command Execution	275d963d-3f36-476c-8bef-a2a3960ee6eb	command_prompt
429	defense-evasion	T1216	Signed Script Proxy Execution	2	manage-bde.wsf Signed Script Command Execution	2a8f2d3c-3dec-4262-99dd-150cb2a4d63a	command_prompt
430	defense-evasion	T1078.003	Valid Accounts: Local Accounts	1	Create local account with admin privileges	a524ce99-86de-4db6-b4f9-e08f35a47a15	command_prompt
431	defense-evasion	T1078.003	Valid Accounts: Local Accounts	2	Create local account with admin privileges - MacOS	f1275566-1c26-4b66-83e3-7f9f7f964daa	bash
432	defense-evasion	T1078.003	Valid Accounts: Local Accounts	3	WinPwn - Loot local Credentials - powerhell kittie	9e9fd066-453d-442f-88c1-ad7911d32912	powershell
433	defense-evasion	T1078.003	Valid Accounts: Local Accounts	4	WinPwn - Loot local Credentials - Safetykatz	e9fdb899-a980-4ba4-934b-486ad22e22f4	powershell
434	defense-evasion	T1127	Trusted Developer Utilities Proxy Execution	1	Lolbin Jsc.exe compile javascript to exe	1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8	command_prompt
435	defense-evasion	T1127	Trusted Developer Utilities Proxy Execution	2	Lolbin Jsc.exe compile javascript to dll	3fc9fea2-871d-414d-8ef6-02e85e322b80	command_prompt
436	defense-evasion	T1574.012	Hijack Execution Flow: COR_PROFILER	1	User scope COR_PROFILER	9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a	powershell
437	defense-evasion	T1574.012	Hijack Execution Flow: COR_PROFILER	2	System Scope COR_PROFILER	f373b482-48c8-4ce4-85ed-d40c8b3f7310	powershell
438	defense-evasion	T1574.012	Hijack Execution Flow: COR_PROFILER	3	Registry-free process scope COR_PROFILER	79d57242-bbef-41db-b301-9d01d9f6e817	powershell
439	privilege-escalation	T1053.005	Scheduled Task/Job: Scheduled Task	1	Scheduled Task Startup Script	fec27f65-db86-4c2d-b66c-61945aee87c2	command_prompt
440	privilege-escalation	T1053.005	Scheduled Task/Job: Scheduled Task	2	Scheduled task Local	42f53695-ad4a-4546-abb6-7d837f644a71	command_prompt
441	privilege-escalation	T1053.005	Scheduled Task/Job: Scheduled Task	3	Scheduled task Remote	2e5eac3e-327b-4a88-a0c0-c4057039a8dd	command_prompt
442	privilege-escalation	T1053.005	Scheduled Task/Job: Scheduled Task	4	Powershell Cmdlet Scheduled Task	af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd	powershell
443	privilege-escalation	T1053.005	Scheduled Task/Job: Scheduled Task	5	Task Scheduler via VBA	ecd3fa21-7792-41a2-8726-2c5c673414d3	powershell
444	privilege-escalation	T1053.005	Scheduled Task/Job: Scheduled Task	6	WMI Invoke-CimMethod Scheduled Task	e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b	powershell
445	privilege-escalation	T1053.005	Scheduled Task/Job: Scheduled Task	7	Scheduled Task Executing Base64 Encoded Commands From Registry	e895677d-4f06-49ab-91b6-ae3742d0a2ba	command_prompt
446	privilege-escalation	T1053.005	Scheduled Task/Job: Scheduled Task	8	Import XML Schedule Task with Hidden Attribute	cd925593-fbb4-486d-8def-16cbdf944bf4	powershell
447	privilege-escalation	T1053.005	Scheduled Task/Job: Scheduled Task	9	PowerShell Modify A Scheduled Task	dda6fc7b-c9a6-4c18-b98d-95ec6542af6d	powershell
448	privilege-escalation	T1546.013	Event Triggered Execution: PowerShell Profile	1	Append malicious start-process cmdlet	090e5aa5-32b6-473b-a49b-21e843a56896	powershell
449	privilege-escalation	T1053.007	Kubernetes Cronjob	1	ListCronjobs	ddfb0bc1-3c3f-47e9-a298-550ecfefacbd	bash
450	privilege-escalation	T1053.007	Kubernetes Cronjob	2	CreateCronjob	f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3	bash
451	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	1	Bypass UAC using Event Viewer (cmd)	5073adf8-9a50-4bd9-b298-a9bd2ead8af9	command_prompt
452	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	2	Bypass UAC using Event Viewer (PowerShell)	a6ce9acf-842a-4af6-8f79-539be7608e2b	powershell
453	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	3	Bypass UAC using Fodhelper	58f641ea-12e3-499a-b684-44dee46bd182	command_prompt
454	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	4	Bypass UAC using Fodhelper - PowerShell	3f627297-6c38-4e7d-a278-fc2563eaaeaa	powershell
455	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	5	Bypass UAC using ComputerDefaults (PowerShell)	3c51abf2-44bf-42d8-9111-dc96ff66750f	powershell
456	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	6	Bypass UAC by Mocking Trusted Directories	f7a35090-6f7f-4f64-bb47-d657bf5b10c1	command_prompt
457	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	7	Bypass UAC using sdclt DelegateExecute	3be891eb-4608-4173-87e8-78b494c029b7	powershell
458	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	8	Disable UAC using reg.exe	9e8af564-53ec-407e-aaa8-3cb20c3af7f9	command_prompt
459	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	9	Bypass UAC using SilentCleanup task	28104f8a-4ff1-4582-bcf6-699dce156608	command_prompt
460	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	10	UACME Bypass Method 23	8ceab7a2-563a-47d2-b5ba-0995211128d7	command_prompt
461	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	11	UACME Bypass Method 31	b0f76240-9f33-4d34-90e8-3a7d501beb15	command_prompt
462	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	12	UACME Bypass Method 33	e514bb03-f71c-4b22-9092-9f961ec6fb03	command_prompt
463	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	13	UACME Bypass Method 34	695b2dac-423e-448e-b6ef-5b88e93011d6	command_prompt
464	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	14	UACME Bypass Method 39	56163687-081f-47da-bb9c-7b231c5585cf	command_prompt
465	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	15	UACME Bypass Method 56	235ec031-cd2d-465d-a7ae-68bab281e80e	command_prompt
466	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	16	UACME Bypass Method 59	dfb1b667-4bb8-4a63-a85e-29936ea75f29	command_prompt
467	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	17	UACME Bypass Method 61	7825b576-744c-4555-856d-caf3460dc236	command_prompt
468	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	18	WinPwn - UAC Magic	964d8bf8-37bc-4fd3-ba36-ad13761ebbcc	powershell
469	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	19	WinPwn - UAC Bypass ccmstp technique	f3c145f9-3c8d-422c-bd99-296a17a8f567	powershell
470	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	20	WinPwn - UAC Bypass DiskCleanup technique	1ed67900-66cd-4b09-b546-2a0ef4431a0c	powershell
471	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	21	WinPwn - UAC Bypass DccwBypassUAC technique	2b61977b-ae2d-4ae4-89cb-5c36c89586be	powershell
472	privilege-escalation	T1548.002	Abuse Elevation Control Mechanism: Bypass User Access Control	22	Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key	251c5936-569f-42f4-9ac2-87a173b9e9b8	powershell
473	privilege-escalation	T1548.003	Abuse Elevation Control Mechanism: Sudo and Sudo Caching	1	Sudo usage	150c3a08-ee6e-48a6-aeaf-3659d24ceb4e	sh
474	privilege-escalation	T1548.003	Abuse Elevation Control Mechanism: Sudo and Sudo Caching	2	Unlimited sudo cache timeout	a7b17659-dd5e-46f7-b7d1-e6792c91d0bc	sh
475	privilege-escalation	T1548.003	Abuse Elevation Control Mechanism: Sudo and Sudo Caching	3	Disable tty_tickets for sudo caching	91a60b03-fb75-4d24-a42e-2eb8956e8de1	sh
476	privilege-escalation	T1574.011	Hijack Execution Flow: Services Registry Permissions Weakness	1	Service Registry Permissions Weakness	f7536d63-7fd4-466f-89da-7e48d550752a	powershell
477	privilege-escalation	T1574.011	Hijack Execution Flow: Services Registry Permissions Weakness	2	Service ImagePath Change with reg.exe	f38e9eea-e1d7-4ba6-b716-584791963827	command_prompt
478	privilege-escalation	T1547	Boot or Logon Autostart Execution	1	Add a driver	cb01b3da-b0e7-4e24-bf6d-de5223526785	command_prompt
479	privilege-escalation	T1484.002	Domain Trust Modification	1	Add Federation to Azure AD	8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7	powershell
480	privilege-escalation	T1543.003	Create or Modify System Process: Windows Service	1	Modify Fax service to run PowerShell	ed366cde-7d12-49df-a833-671904770b9f	command_prompt
481	privilege-escalation	T1543.003	Create or Modify System Process: Windows Service	2	Service Installation CMD	981e2942-e433-44e9-afc1-8c957a1496b6	command_prompt
482	privilege-escalation	T1543.003	Create or Modify System Process: Windows Service	3	Service Installation PowerShell	491a4af6-a521-4b74-b23b-f7b3f1ee9e77	powershell
483	privilege-escalation	T1543.003	Create or Modify System Process: Windows Service	4	TinyTurla backdoor service w64time	ef0581fd-528e-4662-87bc-4c2affb86940	command_prompt
484	privilege-escalation	T1053.003	Scheduled Task/Job: Cron	1	Cron - Replace crontab with referenced file	435057fb-74b1-410e-9403-d81baf194f75	bash
485	privilege-escalation	T1053.003	Scheduled Task/Job: Cron	2	Cron - Add script to all cron subfolders	b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0	bash
486	privilege-escalation	T1053.003	Scheduled Task/Job: Cron	3	Cron - Add script to /var/spool/cron/crontabs/ folder	2d943c18-e74a-44bf-936f-25ade6cccab4	bash
487	privilege-escalation	T1574.001	Hijack Execution Flow: DLL Search Order Hijacking	1	DLL Search Order Hijacking - amsi.dll	8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3	command_prompt
488	privilege-escalation	T1546.011	Event Triggered Execution: Application Shimming	1	Application Shim Installation	9ab27e22-ee62-4211-962b-d36d9a0e6a18	command_prompt
489	privilege-escalation	T1546.011	Event Triggered Execution: Application Shimming	2	New shim database files created in the default shim database directory	aefd6866-d753-431f-a7a4-215ca7e3f13d	powershell
490	privilege-escalation	T1546.011	Event Triggered Execution: Application Shimming	3	Registry key creation and/or modification events for SDB	9b6a06f9-ab5e-4e8d-8289-1df4289db02f	powershell
491	privilege-escalation	T1547.010	Boot or Logon Autostart Execution: Port Monitors	1	Add Port Monitor persistence in Registry	d34ef297-f178-4462-871e-9ce618d44e50	command_prompt
492	privilege-escalation	T1037.002	Boot or Logon Initialization Scripts: Logon Script (Mac)	1	Logon Scripts - Mac	f047c7de-a2d9-406e-a62b-12a09d9516f4	manual
493	privilege-escalation	T1055	Process Injection	1	Shellcode execution via VBA	1c91e740-1729-4329-b779-feba6e71d048	powershell
494	privilege-escalation	T1055	Process Injection	2	Remote Process Injection in LSASS via mimikatz	3203ad24-168e-4bec-be36-f79b13ef8a83	command_prompt
495	privilege-escalation	T1611	Escape to Host	1	Deploy container using nsenter container escape	0b2f9520-a17a-4671-9dba-3bd034099fff	sh
496	privilege-escalation	T1611	Escape to Host	2	Mount host filesystem to escape privileged Docker container	6c499943-b098-4bc6-8d38-0956fc182984	sh
497	privilege-escalation	T1547.009	Boot or Logon Autostart Execution: Shortcut Modification	1	Shortcut Modification	ce4fc678-364f-4282-af16-2fb4c78005ce	command_prompt
498	privilege-escalation	T1547.009	Boot or Logon Autostart Execution: Shortcut Modification	2	Create shortcut to cmd in startup folders	cfdc954d-4bb0-4027-875b-a1893ce406f2	powershell
499	privilege-escalation	T1547.005	Boot or Logon Autostart Execution: Security Support Provider	1	Modify SSP configuration in registry	afdfd7e3-8a0b-409f-85f7-886fdf249c9e	powershell
500	privilege-escalation	T1543.004	Create or Modify System Process: Launch Daemon	1	Launch Daemon	03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf	bash
501	privilege-escalation	T1574.008	Hijack Execution Flow: Path Interception by Search Order Hijacking	1	powerShell Persistence via hijacking default modules - Get-Variable.exe	1561de08-0b4b-498e-8261-e922f3494aae	powershell
502	privilege-escalation	T1484.001	Domain Policy Modification: Group Policy Modification	1	LockBit Black - Modify Group policy settings -cmd	9ab80952-74ee-43da-a98c-1e740a985f28	command_prompt
503	privilege-escalation	T1484.001	Domain Policy Modification: Group Policy Modification	2	LockBit Black - Modify Group policy settings -Powershell	b51eae65-5441-4789-b8e8-64783c26c1d1	powershell
504	privilege-escalation	T1078.001	Valid Accounts: Default Accounts	1	Enable Guest account with RDP capability and admin privileges	99747561-ed8d-47f2-9c91-1e5fde1ed6e0	command_prompt
505	privilege-escalation	T1078.001	Valid Accounts: Default Accounts	2	Activate Guest Account	aa6cb8c4-b582-4f8e-b677-37733914abda	command_prompt
506	privilege-escalation	T1547.003	Time Providers	1	Create a new time provider	df1efab7-bc6d-4b88-8be9-91f55ae017aa	powershell
507	privilege-escalation	T1547.003	Time Providers	2	Edit an existing time provider	29e0afca-8d1d-471a-8d34-25512fc48315	powershell
508	privilege-escalation	T1546.005	Event Triggered Execution: Trap	1	Trap	a74b2e07-5952-4c03-8b56-56274b076b61	sh
509	privilege-escalation	T1574.006	Hijack Execution Flow: LD_PRELOAD	1	Shared Library Injection via /etc/ld.so.preload	39cb0e67-dd0d-4b74-a74b-c072db7ae991	bash
510	privilege-escalation	T1574.006	Hijack Execution Flow: LD_PRELOAD	2	Shared Library Injection via LD_PRELOAD	bc219ff7-789f-4d51-9142-ecae3397deae	bash
511	privilege-escalation	T1574.006	Hijack Execution Flow: LD_PRELOAD	3	Dylib Injection via DYLD_INSERT_LIBRARIES	4d66029d-7355-43fd-93a4-b63ba92ea1be	bash
512	privilege-escalation	T1134.002	Create Process with Token	1	Access Token Manipulation	dbf4f5a9-b8e0-46a3-9841-9ad71247239e	powershell
513	privilege-escalation	T1134.002	Create Process with Token	2	WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique	ccf4ac39-ec93-42be-9035-90e2f26bcd92	powershell
514	privilege-escalation	T1548.001	Abuse Elevation Control Mechanism: Setuid and Setgid	1	Make and modify binary from C source	896dfe97-ae43-4101-8e96-9a7996555d80	sh
515	privilege-escalation	T1548.001	Abuse Elevation Control Mechanism: Setuid and Setgid	2	Set a SetUID flag on file	759055b3-3885-4582-a8ec-c00c9d64dd79	sh
516	privilege-escalation	T1548.001	Abuse Elevation Control Mechanism: Setuid and Setgid	3	Set a SetGID flag on file	db55f666-7cba-46c6-9fe6-205a05c3242c	sh
517	privilege-escalation	T1548.001	Abuse Elevation Control Mechanism: Setuid and Setgid	4	Make and modify capabilities of a binary	db53959c-207d-4000-9e7a-cd8eb417e072	sh
518	privilege-escalation	T1548.001	Abuse Elevation Control Mechanism: Setuid and Setgid	5	Provide the SetUID capability to a file	1ac3272f-9bcf-443a-9888-4b1d3de785c1	sh
519	privilege-escalation	T1547.004	Boot or Logon Autostart Execution: Winlogon Helper DLL	1	Winlogon Shell Key Persistence - PowerShell	bf9f9d65-ee4d-4c3e-a843-777d04f19c38	powershell
520	privilege-escalation	T1547.004	Boot or Logon Autostart Execution: Winlogon Helper DLL	2	Winlogon Userinit Key Persistence - PowerShell	fb32c935-ee2e-454b-8fa3-1c46b42e8dfb	powershell
521	privilege-escalation	T1547.004	Boot or Logon Autostart Execution: Winlogon Helper DLL	3	Winlogon Notify Key Logon Persistence - PowerShell	d40da266-e073-4e5a-bb8b-2b385023e5f9	powershell
522	privilege-escalation	T1546.012	Event Triggered Execution: Image File Execution Options Injection	1	IFEO Add Debugger	fdda2626-5234-4c90-b163-60849a24c0b8	command_prompt
523	privilege-escalation	T1546.012	Event Triggered Execution: Image File Execution Options Injection	2	IFEO Global Flags	46b1f278-c8ee-4aa5-acce-65e77b11f3c1	command_prompt
524	privilege-escalation	T1546.012	Event Triggered Execution: Image File Execution Options Injection	3	GlobalFlags in Image File Execution Options	13117939-c9b2-4a43-999e-0a543df92f0d	powershell
525	privilege-escalation	T1546.008	Event Triggered Execution: Accessibility Features	1	Attaches Command Prompt as a Debugger to a List of Target Processes	3309f53e-b22b-4eb6-8fd2-a6cf58b355a9	powershell
526	privilege-escalation	T1546.008	Event Triggered Execution: Accessibility Features	2	Replace binary of sticky keys	934e90cf-29ca-48b3-863c-411737ad44e3	command_prompt
527	privilege-escalation	T1055.004	Process Injection: Asynchronous Procedure Call	1	Process Injection via C#	611b39b7-e243-4c81-87a4-7145a90358b1	command_prompt
528	privilege-escalation	T1546.009	Event Triggered Execution: AppCert DLLs	1	Create registry persistence via AppCert DLL	a5ad6104-5bab-4c43-b295-b4c44c7c6b05	powershell
529	privilege-escalation	T1547.015	Boot or Logon Autostart Execution: Login Items	1	Persistence by modifying Windows Terminal profile	ec5d76ef-82fe-48da-b931-bdb25a62bc65	powershell
530	privilege-escalation	T1134.001	Access Token Manipulation: Token Impersonation/Theft	1	Named pipe client impersonation	90db9e27-8e7c-4c04-b602-a45927884966	powershell
531	privilege-escalation	T1134.001	Access Token Manipulation: Token Impersonation/Theft	2	`SeDebugPrivilege` token duplication	34f0a430-9d04-4d98-bcb5-1989f14719f0	powershell
532	privilege-escalation	T1134.001	Access Token Manipulation: Token Impersonation/Theft	3	Launch NSudo Executable	7be1bc0f-d8e5-4345-9333-f5f67d742cb9	powershell
533	privilege-escalation	T1134.001	Access Token Manipulation: Token Impersonation/Theft	4	Bad Potato	9c6d799b-c111-4749-a42f-ec2f8cb51448	powershell
534	privilege-escalation	T1546.003	Event Triggered Execution: Windows Management Instrumentation Event Subscription	1	Persistence via WMI Event Subscription - CommandLineEventConsumer	3c64f177-28e2-49eb-a799-d767b24dd1e0	powershell
535	privilege-escalation	T1546.003	Event Triggered Execution: Windows Management Instrumentation Event Subscription	2	Persistence via WMI Event Subscription - ActiveScriptEventConsumer	fecd0dfd-fb55-45fa-a10b-6250272d0832	powershell
536	privilege-escalation	T1546.003	Event Triggered Execution: Windows Management Instrumentation Event Subscription	3	Windows MOFComp.exe Load MOF File	29786d7e-8916-4de6-9c55-be7b093b2706	powershell
537	privilege-escalation	T1134.004	Access Token Manipulation: Parent PID Spoofing	1	Parent PID Spoofing using PowerShell	069258f4-2162-46e9-9a25-c9c6c56150d2	powershell
538	privilege-escalation	T1134.004	Access Token Manipulation: Parent PID Spoofing	2	Parent PID Spoofing - Spawn from Current Process	14920ebd-1d61-491a-85e0-fe98efe37f25	powershell
539	privilege-escalation	T1134.004	Access Token Manipulation: Parent PID Spoofing	3	Parent PID Spoofing - Spawn from Specified Process	cbbff285-9051-444a-9d17-c07cd2d230eb	powershell
540	privilege-escalation	T1134.004	Access Token Manipulation: Parent PID Spoofing	4	Parent PID Spoofing - Spawn from svchost.exe	e9f2b777-3123-430b-805d-5cedc66ab591	powershell
541	privilege-escalation	T1134.004	Access Token Manipulation: Parent PID Spoofing	5	Parent PID Spoofing - Spawn from New Process	2988133e-561c-4e42-a15f-6281e6a9b2db	powershell
542	privilege-escalation	T1546.001	Event Triggered Execution: Change Default File Association	1	Change Default File Association	10a08978-2045-4d62-8c42-1957bbbea102	command_prompt
543	privilege-escalation	T1546.014	Event Triggered Execution: Emond	1	Persistance with Event Monitor - emond	23c9c127-322b-4c75-95ca-eff464906114	sh
544	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	1	Reg Key Run	e55be3fd-3521-4610-9d1a-e210e42dcf05	command_prompt
545	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	2	Reg Key RunOnce	554cbd88-cde1-4b56-8168-0be552eed9eb	command_prompt
546	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	3	PowerShell Registry RunOnce	eb44f842-0457-4ddc-9b92-c4caa144ac42	powershell
547	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	4	Suspicious vbs file run from startup Folder	2cb98256-625e-4da9-9d44-f2e5f90b8bd5	powershell
548	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	5	Suspicious jse file run from startup Folder	dade9447-791e-4c8f-b04b-3a35855dfa06	powershell
549	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	6	Suspicious bat file run from startup Folder	5b6768e4-44d2-44f0-89da-a01d1430fd5e	powershell
550	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	7	Add Executable Shortcut Link to User Startup Folder	24e55612-85f6-4bd6-ae74-a73d02e3441d	powershell
551	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	8	Add persistance via Recycle bin	bda6a3d6-7aa7-4e89-908b-306772e9662f	command_prompt
552	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	9	SystemBC Malware-as-a-Service Registry	9dc7767b-30c1-4cc4-b999-50cab5e27891	powershell
553	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	10	Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value	acfef903-7662-447e-a391-9c91c2f00f7b	powershell
554	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	11	Change Startup Folder - HKCU Modify User Shell Folders Startup Value	8834b65a-f808-4ece-ad7e-2acdf647aafa	powershell
555	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	12	HKCU - Policy Settings Explorer Run Key	a70faea1-e206-4f6f-8d9a-67379be8f6f1	powershell
556	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	13	HKLM - Policy Settings Explorer Run Key	b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f	powershell
557	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	14	HKLM - Append Command to Winlogon Userinit KEY Value	f7fab6cc-8ece-4ca7-a0f1-30a22fccd374	powershell
558	privilege-escalation	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	15	HKLM - Modify default System Shell - Winlogon Shell KEY Value	1d958c61-09c6-4d9e-b26b-4130314e520e	powershell
559	privilege-escalation	T1547.006	Boot or Logon Autostart Execution: Kernel Modules and Extensions	1	Linux - Load Kernel Module via insmod	687dcb93-9656-4853-9c36-9977315e9d23	bash
560	privilege-escalation	T1053.006	Scheduled Task/Job: Systemd Timers	1	Create Systemd Service and Timer	f4983098-bb13-44fb-9b2c-46149961807b	bash
561	privilege-escalation	T1053.006	Scheduled Task/Job: Systemd Timers	2	Create a user level transient systemd service and timer	3de33f5b-62e5-4e63-a2a0-6fd8808c80ec	sh
562	privilege-escalation	T1053.006	Scheduled Task/Job: Systemd Timers	3	Create a system level transient systemd service and timer	d3eda496-1fc0-49e9-aff5-3bec5da9fa22	sh
563	privilege-escalation	T1055.012	Process Injection: Process Hollowing	1	Process Hollowing using PowerShell	562427b4-39ef-4e8c-af88-463a78e70b9c	powershell
564	privilege-escalation	T1055.012	Process Injection: Process Hollowing	2	RunPE via VBA	3ad4a037-1598-4136-837c-4027e4fa319b	powershell
565	privilege-escalation	T1546.004	Event Triggered Execution: .bash_profile and .bashrc	1	Add command to .bash_profile	94500ae1-7e31-47e3-886b-c328da46872f	sh
566	privilege-escalation	T1546.004	Event Triggered Execution: .bash_profile and .bashrc	2	Add command to .bashrc	0a898315-4cfa-4007-bafe-33a4646d115f	sh
567	privilege-escalation	T1134.005	Access Token Manipulation: SID-History Injection	1	Injection SID-History with mimikatz	6bef32e5-9456-4072-8f14-35566fb85401	command_prompt
568	privilege-escalation	T1547.002	Authentication Package	1	Authentication Package	be2590e8-4ac3-47ac-b4b5-945820f2fbe9	powershell
569	privilege-escalation	T1546.015	Event Triggered Execution: Component Object Model Hijacking	1	COM Hijacking - InprocServer32	48117158-d7be-441b-bc6a-d9e36e47b52b	powershell
570	privilege-escalation	T1546.015	Event Triggered Execution: Component Object Model Hijacking	2	Powershell Execute COM Object	752191b1-7c71-445c-9dbe-21bb031b18eb	powershell
571	privilege-escalation	T1546.015	Event Triggered Execution: Component Object Model Hijacking	3	COM Hijacking with RunDLL32 (Local Server Switch)	123520cc-e998-471b-a920-bd28e3feafa0	powershell
572	privilege-escalation	T1546.015	Event Triggered Execution: Component Object Model Hijacking	4	COM hijacking via TreatAs	33eacead-f117-4863-8eb0-5c6304fbfaa9	powershell
573	privilege-escalation	T1574.009	Hijack Execution Flow: Path Interception by Unquoted Path	1	Execution of program.exe as service with unquoted service path	2770dea7-c50f-457b-84c4-c40a47460d9f	command_prompt
574	privilege-escalation	T1037.005	Boot or Logon Initialization Scripts: Startup Items	1	Add file to Local Library StartupItems	134627c3-75db-410e-bff8-7a920075f198	sh
575	privilege-escalation	T1546.010	Event Triggered Execution: AppInit DLLs	1	Install AppInit Shim	a58d9386-3080-4242-ab5f-454c16503d18	command_prompt
576	privilege-escalation	T1546.002	Event Triggered Execution: Screensaver	1	Set Arbitrary Binary as Screensaver	281201e7-de41-4dc9-b73d-f288938cbb64	command_prompt
577	privilege-escalation	T1543.001	Create or Modify System Process: Launch Agent	1	Launch Agent	a5983dee-bf6c-4eaf-951c-dbc1a7b90900	bash
578	privilege-escalation	T1543.001	Create or Modify System Process: Launch Agent	2	Event Monitor Daemon Persistence	11979f23-9b9d-482a-9935-6fc9cd022c3e	bash
579	privilege-escalation	T1037.004	Boot or Logon Initialization Scripts: Rc.common	1	rc.common	97a48daa-8bca-4bc0-b1a9-c1d163e762de	bash
580	privilege-escalation	T1037.004	Boot or Logon Initialization Scripts: Rc.common	2	rc.common	c33f3d80-5f04-419b-a13a-854d1cbdbf3a	bash
581	privilege-escalation	T1037.004	Boot or Logon Initialization Scripts: Rc.common	3	rc.local	126f71af-e1c9-405c-94ef-26a47b16c102	bash
582	privilege-escalation	T1543.002	Create or Modify System Process: Systemd Service	1	Create Systemd Service	d9e4f24f-aa67-4c6e-bcbf-85622b697a7c	bash
583	privilege-escalation	T1543.002	Create or Modify System Process: Systemd Service	2	Create Systemd Service file, Enable the service , Modify and Reload the service.	c35ac4a8-19de-43af-b9f8-755da7e89c89	bash
584	privilege-escalation	T1547.007	Boot or Logon Autostart Execution: Re-opened Applications	1	Re-Opened Applications	5fefd767-ef54-4ac6-84d3-751ab85e8aba	manual
585	privilege-escalation	T1547.007	Boot or Logon Autostart Execution: Re-opened Applications	2	Re-Opened Applications	5f5b71da-e03f-42e7-ac98-d63f9e0465cb	sh
586	privilege-escalation	T1574.002	Hijack Execution Flow: DLL Side-Loading	1	DLL Side-Loading using the Notepad++ GUP.exe binary	65526037-7079-44a9-bda1-2cb624838040	command_prompt
587	privilege-escalation	T1574.002	Hijack Execution Flow: DLL Side-Loading	2	DLL Side-Loading using the dotnet startup hook environment variable	d322cdd7-7d60-46e3-9111-648848da7c02	command_prompt
588	privilege-escalation	T1037.001	Boot or Logon Initialization Scripts: Logon Script (Windows)	1	Logon Scripts	d6042746-07d4-4c92-9ad8-e644c114a231	command_prompt
589	privilege-escalation	T1547.008	Boot or Logon Autostart Execution: LSASS Driver	1	Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt	8ecef16d-d289-46b4-917b-0dba6dc81cf1	powershell
590	privilege-escalation	T1078.004	Valid Accounts: Cloud Accounts	1	Creating GCP Service Account and Service Account Key	9fdd83fd-bd53-46e5-a716-9dec89c8ae8e	sh
591	privilege-escalation	T1053.002	Scheduled Task/Job: At	1	At.exe Scheduled task	4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8	command_prompt
592	privilege-escalation	T1053.002	Scheduled Task/Job: At	2	At - Schedule a job	7266d898-ac82-4ec0-97c7-436075d0d08e	sh
593	privilege-escalation	T1055.001	Process Injection: Dynamic-link Library Injection	1	Process Injection via mavinject.exe	74496461-11a1-4982-b439-4d87a550d254	powershell
594	privilege-escalation	T1055.001	Process Injection: Dynamic-link Library Injection	2	WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique	8b56f787-73d9-4f1d-87e8-d07e89cbc7f5	powershell
595	privilege-escalation	T1546.007	Event Triggered Execution: Netsh Helper DLL	1	Netsh Helper DLL Registration	3244697d-5a3a-4dfc-941c-550f69f91a4d	command_prompt
596	privilege-escalation	T1078.003	Valid Accounts: Local Accounts	1	Create local account with admin privileges	a524ce99-86de-4db6-b4f9-e08f35a47a15	command_prompt
597	privilege-escalation	T1078.003	Valid Accounts: Local Accounts	2	Create local account with admin privileges - MacOS	f1275566-1c26-4b66-83e3-7f9f7f964daa	bash
598	privilege-escalation	T1078.003	Valid Accounts: Local Accounts	3	WinPwn - Loot local Credentials - powerhell kittie	9e9fd066-453d-442f-88c1-ad7911d32912	powershell
599	privilege-escalation	T1078.003	Valid Accounts: Local Accounts	4	WinPwn - Loot local Credentials - Safetykatz	e9fdb899-a980-4ba4-934b-486ad22e22f4	powershell
600	privilege-escalation	T1574.012	Hijack Execution Flow: COR_PROFILER	1	User scope COR_PROFILER	9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a	powershell
601	privilege-escalation	T1574.012	Hijack Execution Flow: COR_PROFILER	2	System Scope COR_PROFILER	f373b482-48c8-4ce4-85ed-d40c8b3f7310	powershell
602	privilege-escalation	T1574.012	Hijack Execution Flow: COR_PROFILER	3	Registry-free process scope COR_PROFILER	79d57242-bbef-41db-b301-9d01d9f6e817	powershell
603	execution	T1053.005	Scheduled Task/Job: Scheduled Task	1	Scheduled Task Startup Script	fec27f65-db86-4c2d-b66c-61945aee87c2	command_prompt
604	execution	T1053.005	Scheduled Task/Job: Scheduled Task	2	Scheduled task Local	42f53695-ad4a-4546-abb6-7d837f644a71	command_prompt
605	execution	T1053.005	Scheduled Task/Job: Scheduled Task	3	Scheduled task Remote	2e5eac3e-327b-4a88-a0c0-c4057039a8dd	command_prompt
606	execution	T1053.005	Scheduled Task/Job: Scheduled Task	4	Powershell Cmdlet Scheduled Task	af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd	powershell
607	execution	T1053.005	Scheduled Task/Job: Scheduled Task	5	Task Scheduler via VBA	ecd3fa21-7792-41a2-8726-2c5c673414d3	powershell
608	execution	T1053.005	Scheduled Task/Job: Scheduled Task	6	WMI Invoke-CimMethod Scheduled Task	e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b	powershell
609	execution	T1053.005	Scheduled Task/Job: Scheduled Task	7	Scheduled Task Executing Base64 Encoded Commands From Registry	e895677d-4f06-49ab-91b6-ae3742d0a2ba	command_prompt
610	execution	T1053.005	Scheduled Task/Job: Scheduled Task	8	Import XML Schedule Task with Hidden Attribute	cd925593-fbb4-486d-8def-16cbdf944bf4	powershell
611	execution	T1053.005	Scheduled Task/Job: Scheduled Task	9	PowerShell Modify A Scheduled Task	dda6fc7b-c9a6-4c18-b98d-95ec6542af6d	powershell
612	execution	T1047	Windows Management Instrumentation	1	WMI Reconnaissance Users	c107778c-dcf5-47c5-af2e-1d058a3df3ea	command_prompt
613	execution	T1047	Windows Management Instrumentation	2	WMI Reconnaissance Processes	5750aa16-0e59-4410-8b9a-8a47ca2788e2	command_prompt
614	execution	T1047	Windows Management Instrumentation	3	WMI Reconnaissance Software	718aebaa-d0e0-471a-8241-c5afa69c7414	command_prompt
615	execution	T1047	Windows Management Instrumentation	4	WMI Reconnaissance List Remote Services	0fd48ef7-d890-4e93-a533-f7dedd5191d3	command_prompt
616	execution	T1047	Windows Management Instrumentation	5	WMI Execute Local Process	b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3	command_prompt
617	execution	T1047	Windows Management Instrumentation	6	WMI Execute Remote Process	9c8ef159-c666-472f-9874-90c8d60d136b	command_prompt
618	execution	T1047	Windows Management Instrumentation	7	Create a Process using WMI Query and an Encoded Command	7db7a7f9-9531-4840-9b30-46220135441c	command_prompt
619	execution	T1047	Windows Management Instrumentation	8	Create a Process using obfuscated Win32_Process	10447c83-fc38-462a-a936-5102363b1c43	powershell
620	execution	T1047	Windows Management Instrumentation	9	WMI Execute rundll32	00738d2a-4651-4d76-adf2-c43a41dfb243	powershell
621	execution	T1047	Windows Management Instrumentation	10	Application uninstall using WMIC	c510d25b-1667-467d-8331-a56d3e9bc4ff	command_prompt
622	execution	T1053.007	Kubernetes Cronjob	1	ListCronjobs	ddfb0bc1-3c3f-47e9-a298-550ecfefacbd	bash
623	execution	T1053.007	Kubernetes Cronjob	2	CreateCronjob	f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3	bash
624	execution	T1559.002	Inter-Process Communication: Dynamic Data Exchange	1	Execute Commands	f592ba2a-e9e8-4d62-a459-ef63abd819fd	manual
625	execution	T1559.002	Inter-Process Communication: Dynamic Data Exchange	2	Execute PowerShell script via Word DDE	47c21fb6-085e-4b0d-b4d2-26d72c3830b3	command_prompt
626	execution	T1559.002	Inter-Process Communication: Dynamic Data Exchange	3	DDEAUTO	cf91174c-4e74-414e-bec0-8d60a104d181	manual
627	execution	T1204.002	User Execution: Malicious File	1	OSTap Style Macro Execution	8bebc690-18c7-4549-bc98-210f7019efff	powershell
628	execution	T1204.002	User Execution: Malicious File	2	OSTap Payload Download	3f3af983-118a-4fa1-85d3-ba4daa739d80	command_prompt
629	execution	T1204.002	User Execution: Malicious File	3	Maldoc choice flags command execution	0330a5d2-a45a-4272-a9ee-e364411c4b18	powershell
630	execution	T1204.002	User Execution: Malicious File	4	OSTAP JS version	add560ef-20d6-4011-a937-2c340f930911	powershell
631	execution	T1204.002	User Execution: Malicious File	5	Office launching .bat file from AppData	9215ea92-1ded-41b7-9cd6-79f9a78397aa	powershell
632	execution	T1204.002	User Execution: Malicious File	6	Excel 4 Macro	4ea1fc97-8a46-4b4e-ba48-af43d2a98052	powershell
633	execution	T1204.002	User Execution: Malicious File	7	Headless Chrome code execution via VBA	a19ee671-ed98-4e9d-b19c-d1954a51585a	powershell
634	execution	T1204.002	User Execution: Malicious File	8	Potentially Unwanted Applications (PUA)	02f35d62-9fdc-4a97-b899-a5d9a876d295	powershell
635	execution	T1204.002	User Execution: Malicious File	9	Office Generic Payload Download	5202ee05-c420-4148-bf5e-fd7f7d24850c	powershell
636	execution	T1204.002	User Execution: Malicious File	10	LNK Payload Download	581d7521-9c4b-420e-9695-2aec5241167f	powershell
637	execution	T1204.002	User Execution: Malicious File	11	Mirror Blast Emulation	24fd9719-7419-42dd-bce6-ab3463110b3c	powershell
638	execution	T1053.003	Scheduled Task/Job: Cron	1	Cron - Replace crontab with referenced file	435057fb-74b1-410e-9403-d81baf194f75	bash
639	execution	T1053.003	Scheduled Task/Job: Cron	2	Cron - Add script to all cron subfolders	b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0	bash
640	execution	T1053.003	Scheduled Task/Job: Cron	3	Cron - Add script to /var/spool/cron/crontabs/ folder	2d943c18-e74a-44bf-936f-25ade6cccab4	bash
641	execution	T1059.002	Command and Scripting Interpreter: AppleScript	1	AppleScript	3600d97d-81b9-4171-ab96-e4386506e2c2	sh
642	execution	T1106	Native API	1	Execution through API - CreateProcess	99be2089-c52d-4a4a-b5c3-261ee42c8b62	command_prompt
643	execution	T1106	Native API	2	WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique	ce4e76e6-de70-4392-9efe-b281fc2b4087	powershell
644	execution	T1106	Native API	3	WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique	7ec5b74e-8289-4ff2-a162-b6f286a33abd	powershell
645	execution	T1106	Native API	4	WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique	e1f93a06-1649-4f07-89a8-f57279a7d60e	powershell
646	execution	T1609	Kubernetes Exec Into Container	1	ExecIntoContainer	d03bfcd3-ed87-49c8-8880-44bb772dea4b	bash
647	execution	T1569.001	System Services: Launchctl	1	Launchctl	6fb61988-724e-4755-a595-07743749d4e2	bash
648	execution	T1072	Software Deployment Tools	1	Radmin Viewer Utility	b4988cad-6ed2-434d-ace5-ea2670782129	command_prompt
649	execution	T1072	Software Deployment Tools	2	PDQ Deploy RAT	e447b83b-a698-4feb-bed1-a7aaf45c3443	command_prompt
650	execution	T1059.001	Command and Scripting Interpreter: PowerShell	1	Mimikatz	f3132740-55bc-48c4-bcc0-758a459cd027	command_prompt
651	execution	T1059.001	Command and Scripting Interpreter: PowerShell	2	Run BloodHound from local disk	a21bb23e-e677-4ee7-af90-6931b57b6350	powershell
652	execution	T1059.001	Command and Scripting Interpreter: PowerShell	3	Run Bloodhound from Memory using Download Cradle	bf8c1441-4674-4dab-8e4e-39d93d08f9b7	powershell
653	execution	T1059.001	Command and Scripting Interpreter: PowerShell	4	Obfuscation Tests	4297c41a-8168-4138-972d-01f3ee92c804	powershell
654	execution	T1059.001	Command and Scripting Interpreter: PowerShell	5	Mimikatz - Cradlecraft PsSendKeys	af1800cf-9f9d-4fd1-a709-14b1e6de020d	powershell
655	execution	T1059.001	Command and Scripting Interpreter: PowerShell	6	Invoke-AppPathBypass	06a220b6-7e29-4bd8-9d07-5b4d86742372	command_prompt
656	execution	T1059.001	Command and Scripting Interpreter: PowerShell	7	Powershell MsXml COM object - with prompt	388a7340-dbc1-4c9d-8e59-b75ad8c6d5da	command_prompt
657	execution	T1059.001	Command and Scripting Interpreter: PowerShell	8	Powershell XML requests	4396927f-e503-427b-b023-31049b9b09a6	command_prompt
658	execution	T1059.001	Command and Scripting Interpreter: PowerShell	9	Powershell invoke mshta.exe download	8a2ad40b-12c7-4b25-8521-2737b0a415af	command_prompt
659	execution	T1059.001	Command and Scripting Interpreter: PowerShell	10	Powershell Invoke-DownloadCradle	cc50fa2a-a4be-42af-a88f-e347ba0bf4d7	manual
660	execution	T1059.001	Command and Scripting Interpreter: PowerShell	11	PowerShell Fileless Script Execution	fa050f5e-bc75-4230-af73-b6fd7852cd73	powershell
661	execution	T1059.001	Command and Scripting Interpreter: PowerShell	12	PowerShell Downgrade Attack	9148e7c4-9356-420e-a416-e896e9c0f73e	powershell
662	execution	T1059.001	Command and Scripting Interpreter: PowerShell	13	NTFS Alternate Data Stream Access	8e5c5532-1181-4c1d-bb79-b3a9f5dbd680	powershell
663	execution	T1059.001	Command and Scripting Interpreter: PowerShell	14	PowerShell Session Creation and Use	7c1acec2-78fa-4305-a3e0-db2a54cddecd	powershell
664	execution	T1059.001	Command and Scripting Interpreter: PowerShell	15	ATHPowerShellCommandLineParameter -Command parameter variations	686a9785-f99b-41d4-90df-66ed515f81d7	powershell
665	execution	T1059.001	Command and Scripting Interpreter: PowerShell	16	ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments	1c0a870f-dc74-49cf-9afc-eccc45e58790	powershell
666	execution	T1059.001	Command and Scripting Interpreter: PowerShell	17	ATHPowerShellCommandLineParameter -EncodedCommand parameter variations	86a43bad-12e3-4e85-b97c-4d5cf25b95c3	powershell
667	execution	T1059.001	Command and Scripting Interpreter: PowerShell	18	ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments	0d181431-ddf3-4826-8055-2dbf63ae848b	powershell
668	execution	T1059.001	Command and Scripting Interpreter: PowerShell	19	PowerShell Command Execution	a538de64-1c74-46ed-aa60-b995ed302598	command_prompt
669	execution	T1059.001	Command and Scripting Interpreter: PowerShell	20	PowerShell Invoke Known Malicious Cmdlets	49eb9404-5e0f-4031-a179-b40f7be385e3	powershell
670	execution	T1059.001	Command and Scripting Interpreter: PowerShell	21	PowerUp Invoke-AllChecks	1289f78d-22d2-4590-ac76-166737e1811b	powershell
671	execution	T1053.006	Scheduled Task/Job: Systemd Timers	1	Create Systemd Service and Timer	f4983098-bb13-44fb-9b2c-46149961807b	bash
672	execution	T1053.006	Scheduled Task/Job: Systemd Timers	2	Create a user level transient systemd service and timer	3de33f5b-62e5-4e63-a2a0-6fd8808c80ec	sh
673	execution	T1053.006	Scheduled Task/Job: Systemd Timers	3	Create a system level transient systemd service and timer	d3eda496-1fc0-49e9-aff5-3bec5da9fa22	sh
674	execution	T1059.004	Command and Scripting Interpreter: Bash	1	Create and Execute Bash Shell Script	7e7ac3ed-f795-4fa5-b711-09d6fbe9b873	sh
675	execution	T1059.004	Command and Scripting Interpreter: Bash	2	Command-Line Interface	d0c88567-803d-4dca-99b4-7ce65e7b257c	sh
676	execution	T1059.004	Command and Scripting Interpreter: Bash	3	Harvest SUID executable files	46274fc6-08a7-4956-861b-24cbbaa0503c	sh
677	execution	T1059.004	Command and Scripting Interpreter: Bash	4	LinEnum tool execution	a2b35a63-9df1-4806-9a4d-5fe0500845f2	sh
678	execution	T1059.006	Command and Scripting Interpreter: Python	1	Execute shell script via python's command mode arguement	3a95cdb2-c6ea-4761-b24e-02b71889b8bb	sh
679	execution	T1059.006	Command and Scripting Interpreter: Python	2	Execute Python via scripts (Linux)	6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8	sh
680	execution	T1059.006	Command and Scripting Interpreter: Python	3	Execute Python via Python executables (Linux)	0b44d79b-570a-4b27-a31f-3bf2156e5eaa	sh
681	execution	T1059.006	Command and Scripting Interpreter: Python	4	Python pty module and spawn function used to spawn sh or bash	161d694c-b543-4434-85c3-c3a433e33792	bash
682	execution	T1059.003	Command and Scripting Interpreter: Windows Command Shell	1	Create and Execute Batch Script	9e8894c0-50bd-4525-a96c-d4ac78ece388	powershell
683	execution	T1059.003	Command and Scripting Interpreter: Windows Command Shell	2	Writes text to a file and displays it.	127b4afe-2346-4192-815c-69042bec570e	command_prompt
684	execution	T1059.003	Command and Scripting Interpreter: Windows Command Shell	3	Suspicious Execution via Windows Command Shell	d0eb3597-a1b3-4d65-b33b-2cda8d397f20	command_prompt
685	execution	T1059.003	Command and Scripting Interpreter: Windows Command Shell	4	Simulate BlackByte Ransomware Print Bombing	6b2903ac-8f36-450d-9ad5-b220e8a2dcb9	powershell
686	execution	T1059.003	Command and Scripting Interpreter: Windows Command Shell	5	Command Prompt read contents from CMD file and execute	df81db1b-066c-4802-9bc8-b6d030c3ba8e	command_prompt
687	execution	T1059.005	Command and Scripting Interpreter: Visual Basic	1	Visual Basic script execution to gather local computer information	1620de42-160a-4fe5-bbaf-d3fef0181ce9	powershell
688	execution	T1059.005	Command and Scripting Interpreter: Visual Basic	2	Encoded VBS code execution	e8209d5f-e42d-45e6-9c2f-633ac4f1eefa	powershell
689	execution	T1059.005	Command and Scripting Interpreter: Visual Basic	3	Extract Memory via VBA	8faff437-a114-4547-9a60-749652a03df6	powershell
690	execution	T1569.002	System Services: Service Execution	1	Execute a Command as a Service	2382dee2-a75f-49aa-9378-f52df6ed3fb1	command_prompt
691	execution	T1569.002	System Services: Service Execution	2	Use PsExec to execute a command on a remote host	873106b7-cfed-454b-8680-fa9f6400431c	command_prompt
692	execution	T1569.002	System Services: Service Execution	3	psexec.py (Impacket)	edbcd8c9-3639-4844-afad-455c91e95a35	bash
693	execution	T1569.002	System Services: Service Execution	4	BlackCat pre-encryption cmds with Lateral Movement	31eb7828-97d7-4067-9c1e-c6feb85edc4b	powershell
694	execution	T1053.002	Scheduled Task/Job: At	1	At.exe Scheduled task	4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8	command_prompt
695	execution	T1053.002	Scheduled Task/Job: At	2	At - Schedule a job	7266d898-ac82-4ec0-97c7-436075d0d08e	sh
696	persistence	T1053.005	Scheduled Task/Job: Scheduled Task	1	Scheduled Task Startup Script	fec27f65-db86-4c2d-b66c-61945aee87c2	command_prompt
697	persistence	T1053.005	Scheduled Task/Job: Scheduled Task	2	Scheduled task Local	42f53695-ad4a-4546-abb6-7d837f644a71	command_prompt
698	persistence	T1053.005	Scheduled Task/Job: Scheduled Task	3	Scheduled task Remote	2e5eac3e-327b-4a88-a0c0-c4057039a8dd	command_prompt
699	persistence	T1053.005	Scheduled Task/Job: Scheduled Task	4	Powershell Cmdlet Scheduled Task	af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd	powershell
700	persistence	T1053.005	Scheduled Task/Job: Scheduled Task	5	Task Scheduler via VBA	ecd3fa21-7792-41a2-8726-2c5c673414d3	powershell
701	persistence	T1053.005	Scheduled Task/Job: Scheduled Task	6	WMI Invoke-CimMethod Scheduled Task	e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b	powershell
702	persistence	T1053.005	Scheduled Task/Job: Scheduled Task	7	Scheduled Task Executing Base64 Encoded Commands From Registry	e895677d-4f06-49ab-91b6-ae3742d0a2ba	command_prompt
703	persistence	T1053.005	Scheduled Task/Job: Scheduled Task	8	Import XML Schedule Task with Hidden Attribute	cd925593-fbb4-486d-8def-16cbdf944bf4	powershell
704	persistence	T1053.005	Scheduled Task/Job: Scheduled Task	9	PowerShell Modify A Scheduled Task	dda6fc7b-c9a6-4c18-b98d-95ec6542af6d	powershell
705	persistence	T1556.003	Modify Authentication Process: Pluggable Authentication Modules	1	Malicious PAM rule	4b9dde80-ae22-44b1-a82a-644bf009eb9c	sh
706	persistence	T1556.003	Modify Authentication Process: Pluggable Authentication Modules	2	Malicious PAM module	65208808-3125-4a2e-8389-a0a00e9ab326	sh
707	persistence	T1546.013	Event Triggered Execution: PowerShell Profile	1	Append malicious start-process cmdlet	090e5aa5-32b6-473b-a49b-21e843a56896	powershell
708	persistence	T1133	External Remote Services	1	Running Chrome VPN Extensions via the Registry 2 vpn extension	4c8db261-a58b-42a6-a866-0a294deedde4	powershell
709	persistence	T1053.007	Kubernetes Cronjob	1	ListCronjobs	ddfb0bc1-3c3f-47e9-a298-550ecfefacbd	bash
710	persistence	T1053.007	Kubernetes Cronjob	2	CreateCronjob	f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3	bash
711	persistence	T1574.011	Hijack Execution Flow: Services Registry Permissions Weakness	1	Service Registry Permissions Weakness	f7536d63-7fd4-466f-89da-7e48d550752a	powershell
712	persistence	T1574.011	Hijack Execution Flow: Services Registry Permissions Weakness	2	Service ImagePath Change with reg.exe	f38e9eea-e1d7-4ba6-b716-584791963827	command_prompt
713	persistence	T1547	Boot or Logon Autostart Execution	1	Add a driver	cb01b3da-b0e7-4e24-bf6d-de5223526785	command_prompt
714	persistence	T1543.003	Create or Modify System Process: Windows Service	1	Modify Fax service to run PowerShell	ed366cde-7d12-49df-a833-671904770b9f	command_prompt
715	persistence	T1543.003	Create or Modify System Process: Windows Service	2	Service Installation CMD	981e2942-e433-44e9-afc1-8c957a1496b6	command_prompt
716	persistence	T1543.003	Create or Modify System Process: Windows Service	3	Service Installation PowerShell	491a4af6-a521-4b74-b23b-f7b3f1ee9e77	powershell
717	persistence	T1543.003	Create or Modify System Process: Windows Service	4	TinyTurla backdoor service w64time	ef0581fd-528e-4662-87bc-4c2affb86940	command_prompt
718	persistence	T1053.003	Scheduled Task/Job: Cron	1	Cron - Replace crontab with referenced file	435057fb-74b1-410e-9403-d81baf194f75	bash
719	persistence	T1053.003	Scheduled Task/Job: Cron	2	Cron - Add script to all cron subfolders	b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0	bash
720	persistence	T1053.003	Scheduled Task/Job: Cron	3	Cron - Add script to /var/spool/cron/crontabs/ folder	2d943c18-e74a-44bf-936f-25ade6cccab4	bash
721	persistence	T1137	Office Application Startup	1	Office Application Startup - Outlook as a C2	bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c	command_prompt
722	persistence	T1574.001	Hijack Execution Flow: DLL Search Order Hijacking	1	DLL Search Order Hijacking - amsi.dll	8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3	command_prompt
723	persistence	T1137.006	Office Application Startup: Add-ins	1	Code Executed Via Excel Add-in File (Xll)	441b1a0f-a771-428a-8af0-e99e4698cda3	powershell
724	persistence	T1505.002	Server Software Component: Transport Agent	1	Install MS Exchange Transport Agent Persistence	43e92449-ff60-46e9-83a3-1a38089df94d	powershell
725	persistence	T1556.002	Modify Authentication Process: Password Filter DLL	1	Install and Register Password Filter DLL	a7961770-beb5-4134-9674-83d7e1fa865c	powershell
726	persistence	T1176	Browser Extensions	1	Chrome (Developer Mode)	3ecd790d-2617-4abf-9a8c-4e8d47da9ee1	manual
727	persistence	T1176	Browser Extensions	2	Chrome (Chrome Web Store)	4c83940d-8ca5-4bb2-8100-f46dc914bc3f	manual
728	persistence	T1176	Browser Extensions	3	Firefox	cb790029-17e6-4c43-b96f-002ce5f10938	manual
729	persistence	T1176	Browser Extensions	4	Edge Chromium Addon - VPN	3d456e2b-a7db-4af8-b5b3-720e7c4d9da5	manual
730	persistence	T1546.011	Event Triggered Execution: Application Shimming	1	Application Shim Installation	9ab27e22-ee62-4211-962b-d36d9a0e6a18	command_prompt
731	persistence	T1546.011	Event Triggered Execution: Application Shimming	2	New shim database files created in the default shim database directory	aefd6866-d753-431f-a7a4-215ca7e3f13d	powershell
732	persistence	T1546.011	Event Triggered Execution: Application Shimming	3	Registry key creation and/or modification events for SDB	9b6a06f9-ab5e-4e8d-8289-1df4289db02f	powershell
733	persistence	T1547.010	Boot or Logon Autostart Execution: Port Monitors	1	Add Port Monitor persistence in Registry	d34ef297-f178-4462-871e-9ce618d44e50	command_prompt
734	persistence	T1037.002	Boot or Logon Initialization Scripts: Logon Script (Mac)	1	Logon Scripts - Mac	f047c7de-a2d9-406e-a62b-12a09d9516f4	manual
735	persistence	T1547.009	Boot or Logon Autostart Execution: Shortcut Modification	1	Shortcut Modification	ce4fc678-364f-4282-af16-2fb4c78005ce	command_prompt
736	persistence	T1547.009	Boot or Logon Autostart Execution: Shortcut Modification	2	Create shortcut to cmd in startup folders	cfdc954d-4bb0-4027-875b-a1893ce406f2	powershell
737	persistence	T1547.005	Boot or Logon Autostart Execution: Security Support Provider	1	Modify SSP configuration in registry	afdfd7e3-8a0b-409f-85f7-886fdf249c9e	powershell
738	persistence	T1543.004	Create or Modify System Process: Launch Daemon	1	Launch Daemon	03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf	bash
739	persistence	T1574.008	Hijack Execution Flow: Path Interception by Search Order Hijacking	1	powerShell Persistence via hijacking default modules - Get-Variable.exe	1561de08-0b4b-498e-8261-e922f3494aae	powershell
740	persistence	T1505.003	Server Software Component: Web Shell	1	Web Shell Written to Disk	0a2ce662-1efa-496f-a472-2fe7b080db16	command_prompt
741	persistence	T1078.001	Valid Accounts: Default Accounts	1	Enable Guest account with RDP capability and admin privileges	99747561-ed8d-47f2-9c91-1e5fde1ed6e0	command_prompt
742	persistence	T1078.001	Valid Accounts: Default Accounts	2	Activate Guest Account	aa6cb8c4-b582-4f8e-b677-37733914abda	command_prompt
743	persistence	T1547.003	Time Providers	1	Create a new time provider	df1efab7-bc6d-4b88-8be9-91f55ae017aa	powershell
744	persistence	T1547.003	Time Providers	2	Edit an existing time provider	29e0afca-8d1d-471a-8d34-25512fc48315	powershell
745	persistence	T1546.005	Event Triggered Execution: Trap	1	Trap	a74b2e07-5952-4c03-8b56-56274b076b61	sh
746	persistence	T1574.006	Hijack Execution Flow: LD_PRELOAD	1	Shared Library Injection via /etc/ld.so.preload	39cb0e67-dd0d-4b74-a74b-c072db7ae991	bash
747	persistence	T1574.006	Hijack Execution Flow: LD_PRELOAD	2	Shared Library Injection via LD_PRELOAD	bc219ff7-789f-4d51-9142-ecae3397deae	bash
748	persistence	T1574.006	Hijack Execution Flow: LD_PRELOAD	3	Dylib Injection via DYLD_INSERT_LIBRARIES	4d66029d-7355-43fd-93a4-b63ba92ea1be	bash
749	persistence	T1136.001	Create Account: Local Account	1	Create a user account on a Linux system	40d8eabd-e394-46f6-8785-b9bfa1d011d2	bash
750	persistence	T1136.001	Create Account: Local Account	2	Create a user account on a MacOS system	01993ba5-1da3-4e15-a719-b690d4f0f0b2	bash
751	persistence	T1136.001	Create Account: Local Account	3	Create a new user in a command prompt	6657864e-0323-4206-9344-ac9cd7265a4f	command_prompt
752	persistence	T1136.001	Create Account: Local Account	4	Create a new user in PowerShell	bc8be0ac-475c-4fbf-9b1d-9fffd77afbde	powershell
753	persistence	T1136.001	Create Account: Local Account	5	Create a new user in Linux with `root` UID and GID.	a1040a30-d28b-4eda-bd99-bb2861a4616c	bash
754	persistence	T1136.001	Create Account: Local Account	6	Create a new Windows admin user	fda74566-a604-4581-a4cc-fbbe21d66559	command_prompt
755	persistence	T1547.004	Boot or Logon Autostart Execution: Winlogon Helper DLL	1	Winlogon Shell Key Persistence - PowerShell	bf9f9d65-ee4d-4c3e-a843-777d04f19c38	powershell
756	persistence	T1547.004	Boot or Logon Autostart Execution: Winlogon Helper DLL	2	Winlogon Userinit Key Persistence - PowerShell	fb32c935-ee2e-454b-8fa3-1c46b42e8dfb	powershell
757	persistence	T1547.004	Boot or Logon Autostart Execution: Winlogon Helper DLL	3	Winlogon Notify Key Logon Persistence - PowerShell	d40da266-e073-4e5a-bb8b-2b385023e5f9	powershell
758	persistence	T1098.004	SSH Authorized Keys	1	Modify SSH Authorized Keys	342cc723-127c-4d3a-8292-9c0c6b4ecadc	bash
759	persistence	T1546.012	Event Triggered Execution: Image File Execution Options Injection	1	IFEO Add Debugger	fdda2626-5234-4c90-b163-60849a24c0b8	command_prompt
760	persistence	T1546.012	Event Triggered Execution: Image File Execution Options Injection	2	IFEO Global Flags	46b1f278-c8ee-4aa5-acce-65e77b11f3c1	command_prompt
761	persistence	T1546.012	Event Triggered Execution: Image File Execution Options Injection	3	GlobalFlags in Image File Execution Options	13117939-c9b2-4a43-999e-0a543df92f0d	powershell
762	persistence	T1546.008	Event Triggered Execution: Accessibility Features	1	Attaches Command Prompt as a Debugger to a List of Target Processes	3309f53e-b22b-4eb6-8fd2-a6cf58b355a9	powershell
763	persistence	T1546.008	Event Triggered Execution: Accessibility Features	2	Replace binary of sticky keys	934e90cf-29ca-48b3-863c-411737ad44e3	command_prompt
764	persistence	T1136.002	Create Account: Domain Account	1	Create a new Windows domain admin user	fcec2963-9951-4173-9bfa-98d8b7834e62	command_prompt
765	persistence	T1136.002	Create Account: Domain Account	2	Create a new account similar to ANONYMOUS LOGON	dc7726d2-8ccb-4cc6-af22-0d5afb53a548	command_prompt
766	persistence	T1136.002	Create Account: Domain Account	3	Create a new Domain Account using PowerShell	5a3497a4-1568-4663-b12a-d4a5ed70c7d7	powershell
767	persistence	T1546.009	Event Triggered Execution: AppCert DLLs	1	Create registry persistence via AppCert DLL	a5ad6104-5bab-4c43-b295-b4c44c7c6b05	powershell
768	persistence	T1547.015	Boot or Logon Autostart Execution: Login Items	1	Persistence by modifying Windows Terminal profile	ec5d76ef-82fe-48da-b931-bdb25a62bc65	powershell
769	persistence	T1098.001	Account Manipulation: Additional Cloud Credentials	1	Azure AD Application Hijacking - Service Principal	b8e747c3-bdf7-4d71-bce2-f1df2a057406	powershell
770	persistence	T1098.001	Account Manipulation: Additional Cloud Credentials	2	Azure AD Application Hijacking - App Registration	a12b5531-acab-4618-a470-0dafb294a87a	powershell
771	persistence	T1098.001	Account Manipulation: Additional Cloud Credentials	3	AWS - Create Access Key and Secret Key	8822c3b0-d9f9-4daf-a043-491160a31122	sh
772	persistence	T1546.003	Event Triggered Execution: Windows Management Instrumentation Event Subscription	1	Persistence via WMI Event Subscription - CommandLineEventConsumer	3c64f177-28e2-49eb-a799-d767b24dd1e0	powershell
773	persistence	T1546.003	Event Triggered Execution: Windows Management Instrumentation Event Subscription	2	Persistence via WMI Event Subscription - ActiveScriptEventConsumer	fecd0dfd-fb55-45fa-a10b-6250272d0832	powershell
774	persistence	T1546.003	Event Triggered Execution: Windows Management Instrumentation Event Subscription	3	Windows MOFComp.exe Load MOF File	29786d7e-8916-4de6-9c55-be7b093b2706	powershell
775	persistence	T1546.001	Event Triggered Execution: Change Default File Association	1	Change Default File Association	10a08978-2045-4d62-8c42-1957bbbea102	command_prompt
776	persistence	T1546.014	Event Triggered Execution: Emond	1	Persistance with Event Monitor - emond	23c9c127-322b-4c75-95ca-eff464906114	sh
777	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	1	Reg Key Run	e55be3fd-3521-4610-9d1a-e210e42dcf05	command_prompt
778	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	2	Reg Key RunOnce	554cbd88-cde1-4b56-8168-0be552eed9eb	command_prompt
779	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	3	PowerShell Registry RunOnce	eb44f842-0457-4ddc-9b92-c4caa144ac42	powershell
780	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	4	Suspicious vbs file run from startup Folder	2cb98256-625e-4da9-9d44-f2e5f90b8bd5	powershell
781	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	5	Suspicious jse file run from startup Folder	dade9447-791e-4c8f-b04b-3a35855dfa06	powershell
782	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	6	Suspicious bat file run from startup Folder	5b6768e4-44d2-44f0-89da-a01d1430fd5e	powershell
783	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	7	Add Executable Shortcut Link to User Startup Folder	24e55612-85f6-4bd6-ae74-a73d02e3441d	powershell
784	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	8	Add persistance via Recycle bin	bda6a3d6-7aa7-4e89-908b-306772e9662f	command_prompt
785	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	9	SystemBC Malware-as-a-Service Registry	9dc7767b-30c1-4cc4-b999-50cab5e27891	powershell
786	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	10	Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value	acfef903-7662-447e-a391-9c91c2f00f7b	powershell
787	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	11	Change Startup Folder - HKCU Modify User Shell Folders Startup Value	8834b65a-f808-4ece-ad7e-2acdf647aafa	powershell
788	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	12	HKCU - Policy Settings Explorer Run Key	a70faea1-e206-4f6f-8d9a-67379be8f6f1	powershell
789	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	13	HKLM - Policy Settings Explorer Run Key	b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f	powershell
790	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	14	HKLM - Append Command to Winlogon Userinit KEY Value	f7fab6cc-8ece-4ca7-a0f1-30a22fccd374	powershell
791	persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	15	HKLM - Modify default System Shell - Winlogon Shell KEY Value	1d958c61-09c6-4d9e-b26b-4130314e520e	powershell
792	persistence	T1136.003	Create Account: Cloud Account	1	AWS - Create a new IAM user	8d1c2368-b503-40c9-9057-8e42f21c58ad	sh
793	persistence	T1098	Account Manipulation	1	Admin Account Manipulate	5598f7cb-cf43-455e-883a-f6008c5d46af	powershell
794	persistence	T1098	Account Manipulation	2	Domain Account and Group Manipulate	a55a22e9-a3d3-42ce-bd48-2653adb8f7a9	powershell
795	persistence	T1098	Account Manipulation	3	AWS - Create a group and add a user to that group	8822c3b0-d9f9-4daf-a043-49f110a31122	sh
796	persistence	T1098	Account Manipulation	4	Azure - adding user to Azure AD role	0e65ae27-5385-46b4-98ac-607a8ee82261	powershell
797	persistence	T1098	Account Manipulation	5	Azure - adding service principal to Azure AD role	92c40b3f-c406-4d1f-8d2b-c039bf5009e4	powershell
798	persistence	T1098	Account Manipulation	6	Azure - adding user to Azure role in subscription	1a94b3fc-b080-450a-b3d8-6d9b57b472ea	powershell
799	persistence	T1098	Account Manipulation	7	Azure - adding service principal to Azure role in subscription	c8f4bc29-a151-48da-b3be-4680af56f404	powershell
800	persistence	T1098	Account Manipulation	8	AzureAD - adding permission to application	94ea9cc3-81f9-4111-8dde-3fb54f36af4b	powershell
801	persistence	T1098	Account Manipulation	9	Password Change on Directory Service Restore Mode (DSRM) Account	d5b886d9-d1c7-4b6e-a7b0-460041bf2823	command_prompt
802	persistence	T1547.006	Boot or Logon Autostart Execution: Kernel Modules and Extensions	1	Linux - Load Kernel Module via insmod	687dcb93-9656-4853-9c36-9977315e9d23	bash
803	persistence	T1053.006	Scheduled Task/Job: Systemd Timers	1	Create Systemd Service and Timer	f4983098-bb13-44fb-9b2c-46149961807b	bash
804	persistence	T1053.006	Scheduled Task/Job: Systemd Timers	2	Create a user level transient systemd service and timer	3de33f5b-62e5-4e63-a2a0-6fd8808c80ec	sh
805	persistence	T1053.006	Scheduled Task/Job: Systemd Timers	3	Create a system level transient systemd service and timer	d3eda496-1fc0-49e9-aff5-3bec5da9fa22	sh
806	persistence	T1546.004	Event Triggered Execution: .bash_profile and .bashrc	1	Add command to .bash_profile	94500ae1-7e31-47e3-886b-c328da46872f	sh
807	persistence	T1546.004	Event Triggered Execution: .bash_profile and .bashrc	2	Add command to .bashrc	0a898315-4cfa-4007-bafe-33a4646d115f	sh
808	persistence	T1547.002	Authentication Package	1	Authentication Package	be2590e8-4ac3-47ac-b4b5-945820f2fbe9	powershell
809	persistence	T1546.015	Event Triggered Execution: Component Object Model Hijacking	1	COM Hijacking - InprocServer32	48117158-d7be-441b-bc6a-d9e36e47b52b	powershell
810	persistence	T1546.015	Event Triggered Execution: Component Object Model Hijacking	2	Powershell Execute COM Object	752191b1-7c71-445c-9dbe-21bb031b18eb	powershell
811	persistence	T1546.015	Event Triggered Execution: Component Object Model Hijacking	3	COM Hijacking with RunDLL32 (Local Server Switch)	123520cc-e998-471b-a920-bd28e3feafa0	powershell
812	persistence	T1546.015	Event Triggered Execution: Component Object Model Hijacking	4	COM hijacking via TreatAs	33eacead-f117-4863-8eb0-5c6304fbfaa9	powershell
813	persistence	T1137.004	Office Application Startup: Outlook Home Page	1	Install Outlook Home Page Persistence	7a91ad51-e6d2-4d43-9471-f26362f5738e	command_prompt
814	persistence	T1574.009	Hijack Execution Flow: Path Interception by Unquoted Path	1	Execution of program.exe as service with unquoted service path	2770dea7-c50f-457b-84c4-c40a47460d9f	command_prompt
815	persistence	T1037.005	Boot or Logon Initialization Scripts: Startup Items	1	Add file to Local Library StartupItems	134627c3-75db-410e-bff8-7a920075f198	sh
816	persistence	T1197	BITS Jobs	1	Bitsadmin Download (cmd)	3c73d728-75fb-4180-a12f-6712864d7421	command_prompt
817	persistence	T1197	BITS Jobs	2	Bitsadmin Download (PowerShell)	f63b8bc4-07e5-4112-acba-56f646f3f0bc	powershell
818	persistence	T1197	BITS Jobs	3	Persist, Download, & Execute	62a06ec5-5754-47d2-bcfc-123d8314c6ae	command_prompt
819	persistence	T1197	BITS Jobs	4	Bits download using desktopimgdownldr.exe (cmd)	afb5e09e-e385-4dee-9a94-6ee60979d114	command_prompt
820	persistence	T1546.010	Event Triggered Execution: AppInit DLLs	1	Install AppInit Shim	a58d9386-3080-4242-ab5f-454c16503d18	command_prompt
821	persistence	T1546.002	Event Triggered Execution: Screensaver	1	Set Arbitrary Binary as Screensaver	281201e7-de41-4dc9-b73d-f288938cbb64	command_prompt
822	persistence	T1543.001	Create or Modify System Process: Launch Agent	1	Launch Agent	a5983dee-bf6c-4eaf-951c-dbc1a7b90900	bash
823	persistence	T1543.001	Create or Modify System Process: Launch Agent	2	Event Monitor Daemon Persistence	11979f23-9b9d-482a-9935-6fc9cd022c3e	bash
824	persistence	T1037.004	Boot or Logon Initialization Scripts: Rc.common	1	rc.common	97a48daa-8bca-4bc0-b1a9-c1d163e762de	bash
825	persistence	T1037.004	Boot or Logon Initialization Scripts: Rc.common	2	rc.common	c33f3d80-5f04-419b-a13a-854d1cbdbf3a	bash
826	persistence	T1037.004	Boot or Logon Initialization Scripts: Rc.common	3	rc.local	126f71af-e1c9-405c-94ef-26a47b16c102	bash
827	persistence	T1543.002	Create or Modify System Process: Systemd Service	1	Create Systemd Service	d9e4f24f-aa67-4c6e-bcbf-85622b697a7c	bash
828	persistence	T1543.002	Create or Modify System Process: Systemd Service	2	Create Systemd Service file, Enable the service , Modify and Reload the service.	c35ac4a8-19de-43af-b9f8-755da7e89c89	bash
829	persistence	T1547.007	Boot or Logon Autostart Execution: Re-opened Applications	1	Re-Opened Applications	5fefd767-ef54-4ac6-84d3-751ab85e8aba	manual
830	persistence	T1547.007	Boot or Logon Autostart Execution: Re-opened Applications	2	Re-Opened Applications	5f5b71da-e03f-42e7-ac98-d63f9e0465cb	sh
831	persistence	T1574.002	Hijack Execution Flow: DLL Side-Loading	1	DLL Side-Loading using the Notepad++ GUP.exe binary	65526037-7079-44a9-bda1-2cb624838040	command_prompt
832	persistence	T1574.002	Hijack Execution Flow: DLL Side-Loading	2	DLL Side-Loading using the dotnet startup hook environment variable	d322cdd7-7d60-46e3-9111-648848da7c02	command_prompt
833	persistence	T1037.001	Boot or Logon Initialization Scripts: Logon Script (Windows)	1	Logon Scripts	d6042746-07d4-4c92-9ad8-e644c114a231	command_prompt
834	persistence	T1137.002	Office Application Startup: Office Test	1	Office Application Startup Test Persistence	c3e35b58-fe1c-480b-b540-7600fb612563	command_prompt
835	persistence	T1547.008	Boot or Logon Autostart Execution: LSASS Driver	1	Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt	8ecef16d-d289-46b4-917b-0dba6dc81cf1	powershell
836	persistence	T1078.004	Valid Accounts: Cloud Accounts	1	Creating GCP Service Account and Service Account Key	9fdd83fd-bd53-46e5-a716-9dec89c8ae8e	sh
837	persistence	T1053.002	Scheduled Task/Job: At	1	At.exe Scheduled task	4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8	command_prompt
838	persistence	T1053.002	Scheduled Task/Job: At	2	At - Schedule a job	7266d898-ac82-4ec0-97c7-436075d0d08e	sh
839	persistence	T1546.007	Event Triggered Execution: Netsh Helper DLL	1	Netsh Helper DLL Registration	3244697d-5a3a-4dfc-941c-550f69f91a4d	command_prompt
840	persistence	T1078.003	Valid Accounts: Local Accounts	1	Create local account with admin privileges	a524ce99-86de-4db6-b4f9-e08f35a47a15	command_prompt
841	persistence	T1078.003	Valid Accounts: Local Accounts	2	Create local account with admin privileges - MacOS	f1275566-1c26-4b66-83e3-7f9f7f964daa	bash
842	persistence	T1078.003	Valid Accounts: Local Accounts	3	WinPwn - Loot local Credentials - powerhell kittie	9e9fd066-453d-442f-88c1-ad7911d32912	powershell
843	persistence	T1078.003	Valid Accounts: Local Accounts	4	WinPwn - Loot local Credentials - Safetykatz	e9fdb899-a980-4ba4-934b-486ad22e22f4	powershell
844	persistence	T1574.012	Hijack Execution Flow: COR_PROFILER	1	User scope COR_PROFILER	9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a	powershell
845	persistence	T1574.012	Hijack Execution Flow: COR_PROFILER	2	System Scope COR_PROFILER	f373b482-48c8-4ce4-85ed-d40c8b3f7310	powershell
846	persistence	T1574.012	Hijack Execution Flow: COR_PROFILER	3	Registry-free process scope COR_PROFILER	79d57242-bbef-41db-b301-9d01d9f6e817	powershell
847	collection	T1560.001	Archive Collected Data: Archive via Utility	1	Compress Data for Exfiltration With Rar	02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0	command_prompt
848	collection	T1560.001	Archive Collected Data: Archive via Utility	2	Compress Data and lock with password for Exfiltration with winrar	8dd61a55-44c6-43cc-af0c-8bdda276860c	command_prompt
849	collection	T1560.001	Archive Collected Data: Archive via Utility	3	Compress Data and lock with password for Exfiltration with winzip	01df0353-d531-408d-a0c5-3161bf822134	command_prompt
850	collection	T1560.001	Archive Collected Data: Archive via Utility	4	Compress Data and lock with password for Exfiltration with 7zip	d1334303-59cb-4a03-8313-b3e24d02c198	command_prompt
851	collection	T1560.001	Archive Collected Data: Archive via Utility	5	Data Compressed - nix - zip	c51cec55-28dd-4ad2-9461-1eacbc82c3a0	sh
852	collection	T1560.001	Archive Collected Data: Archive via Utility	6	Data Compressed - nix - gzip Single File	cde3c2af-3485-49eb-9c1f-0ed60e9cc0af	sh
853	collection	T1560.001	Archive Collected Data: Archive via Utility	7	Data Compressed - nix - tar Folder or File	7af2b51e-ad1c-498c-aca8-d3290c19535a	sh
854	collection	T1560.001	Archive Collected Data: Archive via Utility	8	Data Encrypted with zip and gpg symmetric	0286eb44-e7ce-41a0-b109-3da516e05a5f	sh
855	collection	T1113	Screen Capture	1	Screencapture	0f47ceb1-720f-4275-96b8-21f0562217ac	bash
856	collection	T1113	Screen Capture	2	Screencapture (silent)	deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4	bash
857	collection	T1113	Screen Capture	3	X Windows Capture	8206dd0c-faf6-4d74-ba13-7fbe13dce6ac	bash
858	collection	T1113	Screen Capture	4	Capture Linux Desktop using Import Tool	9cd1cccb-91e4-4550-9139-e20a586fcea1	bash
859	collection	T1113	Screen Capture	5	Windows Screencapture	3c898f62-626c-47d5-aad2-6de873d69153	powershell
860	collection	T1113	Screen Capture	6	Windows Screen Capture (CopyFromScreen)	e9313014-985a-48ef-80d9-cde604ffc187	powershell
861	collection	T1056.001	Input Capture: Keylogging	1	Input Capture	d9b633ca-8efb-45e6-b838-70f595c6ae26	powershell
862	collection	T1056.001	Input Capture: Keylogging	2	Living off the land Terminal Input Capture on Linux with pam.d	9c6bdb34-a89f-4b90-acb1-5970614c711b	sh
863	collection	T1056.001	Input Capture: Keylogging	3	Logging bash history to syslog	0e59d59d-3265-4d35-bebd-bf5c1ec40db5	sh
864	collection	T1056.001	Input Capture: Keylogging	4	Bash session based keylogger	7f85a946-a0ea-48aa-b6ac-8ff539278258	sh
865	collection	T1056.001	Input Capture: Keylogging	5	SSHD PAM keylogger	81d7d2ad-d644-4b6a-bea7-28ffe43becca	sh
866	collection	T1056.001	Input Capture: Keylogging	6	Auditd keylogger	a668edb9-334e-48eb-8c2e-5413a40867af	sh
867	collection	T1056.001	Input Capture: Keylogging	7	MacOS Swift Keylogger	aee3a097-4c5c-4fff-bbd3-0a705867ae29	bash
868	collection	T1123	Audio Capture	1	using device audio capture commandlet	9c3ad250-b185-4444-b5a9-d69218a10c95	powershell
869	collection	T1123	Audio Capture	2	Registry artefact when application use microphone	7a21cce2-6ada-4f7c-afd9-e1e9c481e44a	command_prompt
870	collection	T1123	Audio Capture	3	using Quicktime Player	c7a0bb71-70ce-4a53-b115-881f241b795b	sh
871	collection	T1074.001	Data Staged: Local Data Staging	1	Stage data from Discovery.bat	107706a5-6f9f-451a-adae-bab8c667829f	powershell
872	collection	T1074.001	Data Staged: Local Data Staging	2	Stage data from Discovery.sh	39ce0303-ae16-4b9e-bb5b-4f53e8262066	bash
873	collection	T1074.001	Data Staged: Local Data Staging	3	Zip a Folder with PowerShell for Staging in Temp	a57fbe4b-3440-452a-88a7-943531ac872a	powershell
874	collection	T1114.001	Email Collection: Local Email Collection	1	Email Collection with PowerShell Get-Inbox	3f1b5096-0139-4736-9b78-19bcb02bb1cb	powershell
875	collection	T1119	Automated Collection	1	Automated Collection Command Prompt	cb379146-53f1-43e0-b884-7ce2c635ff5b	command_prompt
876	collection	T1119	Automated Collection	2	Automated Collection PowerShell	634bd9b9-dc83-4229-b19f-7f83ba9ad313	powershell
877	collection	T1119	Automated Collection	3	Recon information for export with PowerShell	c3f6d794-50dd-482f-b640-0384fbb7db26	powershell
878	collection	T1119	Automated Collection	4	Recon information for export with Command Prompt	aa1180e2-f329-4e1e-8625-2472ec0bfaf3	command_prompt
879	collection	T1115	Clipboard Data	1	Utilize Clipboard to store or execute commands from	0cd14633-58d4-4422-9ede-daa2c9474ae7	command_prompt
880	collection	T1115	Clipboard Data	2	Execute Commands from Clipboard using PowerShell	d6dc21af-bec9-4152-be86-326b6babd416	powershell
881	collection	T1115	Clipboard Data	3	Execute commands from clipboard	1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff	bash
882	collection	T1115	Clipboard Data	4	Collect Clipboard Data via VBA	9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52	powershell
883	collection	T1115	Clipboard Data	5	Add or copy content to clipboard with xClip	ee363e53-b083-4230-aff3-f8d955f2d5bb	sh
884	collection	T1530	Data from Cloud Storage Object	1	Azure - Enumerate Azure Blobs with MicroBurst	3dab4bcc-667f-4459-aea7-4162dd2d6590	powershell
885	collection	T1530	Data from Cloud Storage Object	2	Azure - Scan for Anonymous Access to Azure Storage (Powershell)	146af1f1-b74e-4aa7-9895-505eb559b4b0	powershell
886	collection	T1530	Data from Cloud Storage Object	3	AWS - Scan for Anonymous Access to S3	979356b9-b588-4e49-bba4-c35517c484f5	sh
887	collection	T1560.002	Archive Collected Data: Archive via Library	1	Compressing data using GZip in Python (Linux)	391f5298-b12d-4636-8482-35d9c17d53a8	bash
888	collection	T1560.002	Archive Collected Data: Archive via Library	2	Compressing data using bz2 in Python (Linux)	c75612b2-9de0-4d7c-879c-10d7b077072d	bash
889	collection	T1560.002	Archive Collected Data: Archive via Library	3	Compressing data using zipfile in Python (Linux)	001a042b-859f-44d9-bf81-fd1c4e2200b0	bash
890	collection	T1560.002	Archive Collected Data: Archive via Library	4	Compressing data using tarfile in Python (Linux)	e86f1b4b-fcc1-4a2a-ae10-b49da01458db	bash
891	collection	T1560	Archive Collected Data	1	Compress Data for Exfiltration With PowerShell	41410c60-614d-4b9d-b66e-b0192dd9c597	powershell
892	collection	T1557.001	Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay	1	LLMNR Poisoning with Inveigh (PowerShell)	deecd55f-afe0-4a62-9fba-4d1ba2deb321	powershell
893	collection	T1125	Video Capture	1	Registry artefact when application use webcam	6581e4a7-42e3-43c5-a0d2-5a0d62f9702a	command_prompt
894	collection	T1056.002	Input Capture: GUI Input Capture	1	AppleScript - Prompt User for Password	76628574-0bc1-4646-8fe2-8f4427b47d15	bash
895	collection	T1056.002	Input Capture: GUI Input Capture	2	PowerShell - Prompt User for Password	2b162bfd-0928-4d4c-9ec3-4d9f88374b52	powershell
896	collection	T1039	Data from Network Shared Drive	1	Copy a sensitive File over Administive share with copy	6ed67921-1774-44ba-bac6-adb51ed60660	command_prompt
897	collection	T1039	Data from Network Shared Drive	2	Copy a sensitive File over Administive share with Powershell	7762e120-5879-44ff-97f8-008b401b9a98	powershell
898	collection	T1056.004	Input Capture: Credential API Hooking	1	Hook PowerShell TLS Encrypt/Decrypt Messages	de1934ea-1fbf-425b-8795-65fb27dd7e33	powershell
899	lateral-movement	T1091	Replication Through Removable Media	1	USB Malware Spread Simulation	d44b7297-622c-4be8-ad88-ec40d7563c75	powershell
900	lateral-movement	T1021.002	Remote Services: SMB/Windows Admin Shares	1	Map admin share	3386975b-367a-4fbb-9d77-4dcf3639ffd3	command_prompt
901	lateral-movement	T1021.002	Remote Services: SMB/Windows Admin Shares	2	Map Admin Share PowerShell	514e9cd7-9207-4882-98b1-c8f791bae3c5	powershell
902	lateral-movement	T1021.002	Remote Services: SMB/Windows Admin Shares	3	Copy and Execute File with PsExec	0eb03d41-79e4-4393-8e57-6344856be1cf	command_prompt
903	lateral-movement	T1021.002	Remote Services: SMB/Windows Admin Shares	4	Execute command writing output to local Admin Share	d41aaab5-bdfe-431d-a3d5-c29e9136ff46	command_prompt
904	lateral-movement	T1021.006	Remote Services: Windows Remote Management	1	Enable Windows Remote Management	9059e8de-3d7d-4954-a322-46161880b9cf	powershell
905	lateral-movement	T1021.006	Remote Services: Windows Remote Management	2	Remote Code Execution with PS Credentials Using Invoke-Command	5295bd61-bd7e-4744-9d52-85962a4cf2d6	powershell
906	lateral-movement	T1021.006	Remote Services: Windows Remote Management	3	WinRM Access with Evil-WinRM	efe86d95-44c4-4509-ae42-7bfd9d1f5b3d	powershell
907	lateral-movement	T1021.003	Remote Services: Distributed Component Object Model	1	PowerShell Lateral Movement using MMC20	6dc74eb1-c9d6-4c53-b3b5-6f50ae339673	powershell
908	lateral-movement	T1550.003	Use Alternate Authentication Material: Pass the Ticket	1	Mimikatz Kerberos Ticket Attack	dbf38128-7ba7-4776-bedf-cc2eed432098	command_prompt
909	lateral-movement	T1550.003	Use Alternate Authentication Material: Pass the Ticket	2	Rubeus Kerberos Pass The Ticket	a2fc4ec5-12c6-4fb4-b661-961f23f359cb	powershell
910	lateral-movement	T1072	Software Deployment Tools	1	Radmin Viewer Utility	b4988cad-6ed2-434d-ace5-ea2670782129	command_prompt
911	lateral-movement	T1072	Software Deployment Tools	2	PDQ Deploy RAT	e447b83b-a698-4feb-bed1-a7aaf45c3443	command_prompt
912	lateral-movement	T1563.002	Remote Service Session Hijacking: RDP Hijacking	1	RDP hijacking	a37ac520-b911-458e-8aed-c5f1576d9f46	command_prompt
913	lateral-movement	T1550.002	Use Alternate Authentication Material: Pass the Hash	1	Mimikatz Pass the Hash	ec23cef9-27d9-46e4-a68d-6f75f7b86908	command_prompt
914	lateral-movement	T1550.002	Use Alternate Authentication Material: Pass the Hash	2	crackmapexec Pass the Hash	eb05b028-16c8-4ad8-adea-6f5b219da9a9	command_prompt
915	lateral-movement	T1550.002	Use Alternate Authentication Material: Pass the Hash	3	Invoke-WMIExec Pass the Hash	f8757545-b00a-4e4e-8cfb-8cfb961ee713	powershell
916	lateral-movement	T1021.001	Remote Services: Remote Desktop Protocol	1	RDP to DomainController	355d4632-8cb9-449d-91ce-b566d0253d3e	powershell
917	lateral-movement	T1021.001	Remote Services: Remote Desktop Protocol	2	RDP to Server	7382a43e-f19c-46be-8f09-5c63af7d3e2b	powershell
918	lateral-movement	T1021.001	Remote Services: Remote Desktop Protocol	3	Changing RDP Port to Non Standard Port via Powershell	2f840dd4-8a2e-4f44-beb3-6b2399ea3771	powershell
919	lateral-movement	T1021.001	Remote Services: Remote Desktop Protocol	4	Changing RDP Port to Non Standard Port via Command_Prompt	74ace21e-a31c-4f7d-b540-53e4eb6d1f73	command_prompt
920	credential-access	T1556.003	Modify Authentication Process: Pluggable Authentication Modules	1	Malicious PAM rule	4b9dde80-ae22-44b1-a82a-644bf009eb9c	sh
921	credential-access	T1556.003	Modify Authentication Process: Pluggable Authentication Modules	2	Malicious PAM module	65208808-3125-4a2e-8389-a0a00e9ab326	sh
922	credential-access	T1056.001	Input Capture: Keylogging	1	Input Capture	d9b633ca-8efb-45e6-b838-70f595c6ae26	powershell
923	credential-access	T1056.001	Input Capture: Keylogging	2	Living off the land Terminal Input Capture on Linux with pam.d	9c6bdb34-a89f-4b90-acb1-5970614c711b	sh
924	credential-access	T1056.001	Input Capture: Keylogging	3	Logging bash history to syslog	0e59d59d-3265-4d35-bebd-bf5c1ec40db5	sh
925	credential-access	T1056.001	Input Capture: Keylogging	4	Bash session based keylogger	7f85a946-a0ea-48aa-b6ac-8ff539278258	sh
926	credential-access	T1056.001	Input Capture: Keylogging	5	SSHD PAM keylogger	81d7d2ad-d644-4b6a-bea7-28ffe43becca	sh
927	credential-access	T1056.001	Input Capture: Keylogging	6	Auditd keylogger	a668edb9-334e-48eb-8c2e-5413a40867af	sh
928	credential-access	T1056.001	Input Capture: Keylogging	7	MacOS Swift Keylogger	aee3a097-4c5c-4fff-bbd3-0a705867ae29	bash
929	credential-access	T1110.001	Brute Force: Password Guessing	1	Brute Force Credentials of single Active Directory domain users via SMB	09480053-2f98-4854-be6e-71ae5f672224	command_prompt
930	credential-access	T1110.001	Brute Force: Password Guessing	2	Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)	c2969434-672b-4ec8-8df0-bbb91f40e250	powershell
931	credential-access	T1110.001	Brute Force: Password Guessing	3	Brute Force Credentials of single Azure AD user	5a51ef57-299e-4d62-8e11-2d440df55e69	powershell
932	credential-access	T1110.001	Brute Force: Password Guessing	4	SUDO brute force Debian	464b63e8-bf1f-422e-9e2c-2aa5080b6f9a	sh
933	credential-access	T1110.001	Brute Force: Password Guessing	5	SUDO brute force Redhat	b72958a7-53e3-4809-9ee1-58f6ecd99ade	sh
934	credential-access	T1110.001	Brute Force: Password Guessing	6	Password Brute User using Kerbrute Tool	59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4	powershell
935	credential-access	T1003	OS Credential Dumping	1	Gsecdump	96345bfc-8ae7-4b6a-80b7-223200f24ef9	command_prompt
936	credential-access	T1003	OS Credential Dumping	2	Credential Dumping with NPPSpy	9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6	powershell
937	credential-access	T1003	OS Credential Dumping	3	Dump svchost.exe to gather RDP credentials	d400090a-d8ca-4be0-982e-c70598a23de9	powershell
938	credential-access	T1539	Steal Web Session Cookie	1	Steal Firefox Cookies (Windows)	4b437357-f4e9-4c84-9fa6-9bcee6f826aa	powershell
939	credential-access	T1539	Steal Web Session Cookie	2	Steal Chrome Cookies (Windows)	26a6b840-4943-4965-8df5-ef1f9a282440	powershell
940	credential-access	T1003.002	OS Credential Dumping: Security Account Manager	1	Registry dump of SAM, creds, and secrets	5c2571d0-1572-416d-9676-812e64ca9f44	command_prompt
941	credential-access	T1003.002	OS Credential Dumping: Security Account Manager	2	Registry parse with pypykatz	a96872b2-cbf3-46cf-8eb4-27e8c0e85263	command_prompt
942	credential-access	T1003.002	OS Credential Dumping: Security Account Manager	3	esentutl.exe SAM copy	a90c2f4d-6726-444e-99d2-a00cd7c20480	command_prompt
943	credential-access	T1003.002	OS Credential Dumping: Security Account Manager	4	PowerDump Hashes and Usernames from Registry	804f28fc-68fc-40da-b5a2-e9d0bce5c193	powershell
944	credential-access	T1003.002	OS Credential Dumping: Security Account Manager	5	dump volume shadow copy hives with certutil	eeb9751a-d598-42d3-b11c-c122d9c3f6c7	powershell
945	credential-access	T1003.002	OS Credential Dumping: Security Account Manager	6	dump volume shadow copy hives with System.IO.File	9d77fed7-05f8-476e-a81b-8ff0472c64d0	powershell
946	credential-access	T1003.002	OS Credential Dumping: Security Account Manager	7	WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes	0c0f5f06-166a-4f4d-bb4a-719df9a01dbb	powershell
947	credential-access	T1552.005	Unsecured Credentials: Cloud Instance Metadata API	1	Azure - Search Azure AD User Attributes for Passwords	ae9b2e3e-efa1-4483-86e2-fae529ab9fb6	powershell
948	credential-access	T1552.005	Unsecured Credentials: Cloud Instance Metadata API	2	Azure - Dump Azure Instance Metadata from Virtual Machines	cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7	powershell
949	credential-access	T1110.002	Brute Force: Password Cracking	1	Password Cracking with Hashcat	6d27df5d-69d4-4c91-bc33-5983ffe91692	command_prompt
950	credential-access	T1555.001	Credentials from Password Stores: Keychain	1	Keychain	1864fdec-ff86-4452-8c30-f12507582a93	sh
951	credential-access	T1003.004	OS Credential Dumping: LSA Secrets	1	Dumping LSA Secrets	55295ab0-a703-433b-9ca4-ae13807de12f	command_prompt
952	credential-access	T1606.002	Forge Web Credentials: SAML token	1	Golden SAML	b16a03bc-1089-4dcc-ad98-30fe8f3a2b31	powershell
953	credential-access	T1003.007	OS Credential Dumping: Proc Filesystem	1	Dump individual process memory with sh (Local)	7e91138a-8e74-456d-a007-973d67a0bb80	sh
954	credential-access	T1003.007	OS Credential Dumping: Proc Filesystem	2	Dump individual process memory with Python (Local)	437b2003-a20d-4ed8-834c-4964f24eec63	sh
955	credential-access	T1003.007	OS Credential Dumping: Proc Filesystem	3	Capture Passwords with MimiPenguin	a27418de-bdce-4ebd-b655-38f04842bf0c	bash
956	credential-access	T1040	Network Sniffing	1	Packet Capture Linux	7fe741f7-b265-4951-a7c7-320889083b3e	bash
957	credential-access	T1040	Network Sniffing	2	Packet Capture macOS	9d04efee-eff5-4240-b8d2-07792b873608	bash
958	credential-access	T1040	Network Sniffing	3	Packet Capture Windows Command Prompt	a5b2f6a0-24b4-493e-9590-c699f75723ca	command_prompt
959	credential-access	T1040	Network Sniffing	4	Windows Internal Packet Capture	b5656f67-d67f-4de8-8e62-b5581630f528	command_prompt
960	credential-access	T1040	Network Sniffing	5	Windows Internal pktmon capture	c67ba807-f48b-446e-b955-e4928cd1bf91	command_prompt
961	credential-access	T1040	Network Sniffing	6	Windows Internal pktmon set filter	855fb8b4-b8ab-4785-ae77-09f5df7bff55	command_prompt
962	credential-access	T1552.002	Unsecured Credentials: Credentials in Registry	1	Enumeration for Credentials in Registry	b6ec082c-7384-46b3-a111-9a9b8b14e5e7	command_prompt
963	credential-access	T1552.002	Unsecured Credentials: Credentials in Registry	2	Enumeration for PuTTY Credentials in Registry	af197fd7-e868-448e-9bd5-05d1bcd9d9e5	command_prompt
964	credential-access	T1556.002	Modify Authentication Process: Password Filter DLL	1	Install and Register Password Filter DLL	a7961770-beb5-4134-9674-83d7e1fa865c	powershell
965	credential-access	T1558.004	Steal or Forge Kerberos Tickets: AS-REP Roasting	1	Rubeus asreproast	615bd568-2859-41b5-9aed-61f6a88e48dd	powershell
966	credential-access	T1558.004	Steal or Forge Kerberos Tickets: AS-REP Roasting	2	Get-DomainUser with PowerView	d6139549-7b72-4e48-9ea1-324fc9bdf88a	powershell
967	credential-access	T1558.004	Steal or Forge Kerberos Tickets: AS-REP Roasting	3	WinPwn - PowerSharpPack - Kerberoasting Using Rubeus	8c385f88-4d47-4c9a-814d-93d9deec8c71	powershell
968	credential-access	T1555	Credentials from Password Stores	1	Extract Windows Credential Manager via VBA	234f9b7c-b53d-4f32-897b-b880a6c9ea7b	powershell
969	credential-access	T1555	Credentials from Password Stores	2	Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]	c89becbe-1758-4e7d-a0f4-97d2188a23e3	powershell
970	credential-access	T1555	Credentials from Password Stores	3	Dump credentials from Windows Credential Manager With PowerShell [web Credentials]	8fd5a296-6772-4766-9991-ff4e92af7240	powershell
971	credential-access	T1555	Credentials from Password Stores	4	Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]	36753ded-e5c4-4eb5-bc3c-e8fba236878d	powershell
972	credential-access	T1555	Credentials from Password Stores	5	Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]	bc071188-459f-44d5-901a-f8f2625b2d2e	powershell
973	credential-access	T1555	Credentials from Password Stores	6	WinPwn - Loot local Credentials - lazagne	079ee2e9-6f16-47ca-a635-14efcd994118	powershell
974	credential-access	T1555	Credentials from Password Stores	7	WinPwn - Loot local Credentials - Wifi Credentials	afe369c2-b42e-447f-98a3-fb1f4e2b8552	powershell
975	credential-access	T1555	Credentials from Password Stores	8	WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords	db965264-3117-4bad-b7b7-2523b7856b92	powershell
976	credential-access	T1552	Unsecured Credentials	1	AWS - Retrieve EC2 Password Data using stratus	a21118de-b11e-4ebd-b655-42f11142df0c	sh
977	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	1	Run Chrome-password Collector	8c05b133-d438-47ca-a630-19cc464c4622	powershell
978	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	2	Search macOS Safari Cookies	c1402f7b-67ca-43a8-b5f3-3143abedc01b	sh
979	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	3	LaZagne - Credentials from Browser	9a2915b3-3954-4cce-8c76-00fbf4dbd014	command_prompt
980	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	4	Simulating access to Chrome Login Data	3d111226-d09a-4911-8715-fe11664f960d	powershell
981	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	5	Simulating access to Opera Login Data	28498c17-57e4-495a-b0be-cc1e36de408b	powershell
982	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	6	Simulating access to Windows Firefox Login Data	eb8da98a-2e16-4551-b3dd-83de49baa14c	powershell
983	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	7	Simulating access to Windows Edge Login Data	a6a5ec26-a2d1-4109-9d35-58b867689329	powershell
984	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	8	Decrypt Mozilla Passwords with Firepwd.py	dc9cd677-c70f-4df5-bd1c-f114af3c2381	powershell
985	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	9	LaZagne.py - Dump Credentials from Firefox Browser	87e88698-621b-4c45-8a89-4eaebdeaabb1	sh
986	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	10	Stage Popular Credential Files for Exfiltration	f543635c-1705-42c3-b180-efd6dc6e7ee7	powershell
987	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	11	WinPwn - BrowserPwn	764ea176-fb71-494c-90ea-72e9d85dce76	powershell
988	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	12	WinPwn - Loot local Credentials - mimi-kittenz	ec1d0b37-f659-4186-869f-31a554891611	powershell
989	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	13	WinPwn - PowerSharpPack - Sharpweb for Browser Credentials	e5e3d639-6ea8-4408-9ecd-d5a286268ca0	powershell
990	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	14	Simulating Access to Chrome Login Data - MacOS	124e13e5-d8a1-4378-a6ee-a53cd0c7e369	sh
991	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	15	WebBrowserPassView - Credentials from Browser	e359627f-2d90-4320-ba5e-b0f878155bbe	powershell
992	credential-access	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	16	BrowserStealer (Chrome / Firefox / Microsoft Edge)	6f2c5c87-a4d5-4898-9bd1-47a55ecaf1dd	powershell
993	credential-access	T1552.004	Unsecured Credentials: Private Keys	1	Private Keys	520ce462-7ca7-441e-b5a5-f8347f632696	command_prompt
994	credential-access	T1552.004	Unsecured Credentials: Private Keys	2	Discover Private SSH Keys	46959285-906d-40fa-9437-5a439accd878	sh
995	credential-access	T1552.004	Unsecured Credentials: Private Keys	3	Copy Private SSH Keys with CP	7c247dc7-5128-4643-907b-73a76d9135c3	sh
996	credential-access	T1552.004	Unsecured Credentials: Private Keys	4	Copy Private SSH Keys with rsync	864bb0b2-6bb5-489a-b43b-a77b3a16d68a	sh
997	credential-access	T1552.004	Unsecured Credentials: Private Keys	5	Copy the users GnuPG directory with rsync	2a5a0601-f5fb-4e2e-aa09-73282ae6afca	sh
998	credential-access	T1552.004	Unsecured Credentials: Private Keys	6	ADFS token signing and encryption certificates theft - Local	78e95057-d429-4e66-8f82-0f060c1ac96f	powershell
999	credential-access	T1552.004	Unsecured Credentials: Private Keys	7	ADFS token signing and encryption certificates theft - Remote	cab413d8-9e4a-4b8d-9b84-c985bd73a442	powershell
1000	credential-access	T1557.001	Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay	1	LLMNR Poisoning with Inveigh (PowerShell)	deecd55f-afe0-4a62-9fba-4d1ba2deb321	powershell
1001	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	1	Dump LSASS.exe Memory using ProcDump	0be2230c-9ab3-4ac2-8826-3199b9a0ebf8	command_prompt
1002	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	2	Dump LSASS.exe Memory using comsvcs.dll	2536dee2-12fb-459a-8c37-971844fa73be	powershell
1003	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	3	Dump LSASS.exe Memory using direct system calls and API unhooking	7ae7102c-a099-45c8-b985-4c7a2d05790d	command_prompt
1004	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	4	Dump LSASS.exe Memory using NanoDump	dddd4aca-bbed-46f0-984d-e4c5971c51ea	command_prompt
1005	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	5	Dump LSASS.exe Memory using Windows Task Manager	dea6c349-f1c6-44f3-87a1-1ed33a59a607	manual
1006	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	6	Offline Credential Theft With Mimikatz	453acf13-1dbd-47d7-b28a-172ce9228023	command_prompt
1007	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	7	LSASS read with pypykatz	c37bc535-5c62-4195-9cc3-0517673171d8	command_prompt
1008	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	8	Dump LSASS.exe Memory using Out-Minidump.ps1	6502c8f0-b775-4dbd-9193-1298f56b6781	powershell
1009	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	9	Create Mini Dump of LSASS.exe using ProcDump	7cede33f-0acd-44ef-9774-15511300b24b	command_prompt
1010	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	10	Powershell Mimikatz	66fb0bc1-3c3f-47e9-a298-550ecfefacbc	powershell
1011	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	11	Dump LSASS with .Net 5 createdump.exe	9d0072c8-7cca-45c4-bd14-f852cfa35cf0	powershell
1012	credential-access	T1003.001	OS Credential Dumping: LSASS Memory	12	Dump LSASS.exe using imported Microsoft DLLs	86fc3f40-237f-4701-b155-81c01c48d697	powershell
1013	credential-access	T1110.003	Brute Force: Password Spraying	1	Password Spray all Domain Users	90bc2e54-6c84-47a5-9439-0a2a92b4b175	command_prompt
1014	credential-access	T1110.003	Brute Force: Password Spraying	2	Password Spray (DomainPasswordSpray)	263ae743-515f-4786-ac7d-41ef3a0d4b2b	powershell
1015	credential-access	T1110.003	Brute Force: Password Spraying	3	Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)	f14d956a-5b6e-4a93-847f-0c415142f07d	powershell
1016	credential-access	T1110.003	Brute Force: Password Spraying	4	Password spray all Azure AD users with a single password	a8aa2d3e-1c52-4016-bc73-0f8854cfa80a	powershell
1017	credential-access	T1110.003	Brute Force: Password Spraying	5	WinPwn - DomainPasswordSpray Attacks	5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82	powershell
1018	credential-access	T1110.003	Brute Force: Password Spraying	6	Password Spray Invoke-DomainPasswordSpray Light	b15bc9a5-a4f3-4879-9304-ea0011ace63a	powershell
1019	credential-access	T1110.003	Brute Force: Password Spraying	7	Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)	f3a10056-0160-4785-8744-d9bd7c12dc39	powershell
1020	credential-access	T1110.003	Brute Force: Password Spraying	8	Password Spray using Kerbrute Tool	c6f25ec3-6475-47a9-b75d-09ac593c5ecb	powershell
1021	credential-access	T1003.005	OS Credential Dumping: Cached Domain Credentials	1	Cached Credential Dump via Cmdkey	56506854-89d6-46a3-9804-b7fde90791f9	command_prompt
1022	credential-access	T1558.001	Steal or Forge Kerberos Tickets: Golden Ticket	1	Crafting Active Directory golden tickets with mimikatz	9726592a-dabc-4d4d-81cd-44070008b3af	powershell
1023	credential-access	T1558.001	Steal or Forge Kerberos Tickets: Golden Ticket	2	Crafting Active Directory golden tickets with Rubeus	e42d33cd-205c-4acf-ab59-a9f38f6bad9c	powershell
1024	credential-access	T1552.003	Unsecured Credentials: Bash History	1	Search Through Bash History	3cfde62b-7c33-4b26-a61e-755d6131c8ce	sh
1025	credential-access	T1552.001	Unsecured Credentials: Credentials In Files	1	Extract Browser and System credentials with LaZagne	9e507bb8-1d30-4e3b-a49b-cb5727d7ea79	bash
1026	credential-access	T1552.001	Unsecured Credentials: Credentials In Files	2	Extract passwords with grep	bd4cf0d1-7646-474e-8610-78ccf5a097c4	sh
1027	credential-access	T1552.001	Unsecured Credentials: Credentials In Files	3	Extracting passwords with findstr	0e56bf29-ff49-4ea5-9af4-3b81283fd513	powershell
1028	credential-access	T1552.001	Unsecured Credentials: Credentials In Files	4	Access unattend.xml	367d4004-5fc0-446d-823f-960c74ae52c3	command_prompt
1029	credential-access	T1552.001	Unsecured Credentials: Credentials In Files	5	Find and Access Github Credentials	da4f751a-020b-40d7-b9ff-d433b7799803	bash
1030	credential-access	T1552.001	Unsecured Credentials: Credentials In Files	6	WinPwn - sensitivefiles	114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0	powershell
1031	credential-access	T1552.001	Unsecured Credentials: Credentials In Files	7	WinPwn - Snaffler	fdd0c913-714b-4c13-b40f-1824d6c015f2	powershell
1032	credential-access	T1552.001	Unsecured Credentials: Credentials In Files	8	WinPwn - powershellsensitive	75f66e03-37d3-4704-9520-3210efbe33ce	powershell
1033	credential-access	T1552.001	Unsecured Credentials: Credentials In Files	9	WinPwn - passhunt	00e3e3c7-6c3c-455e-bd4b-461c7f0e7797	powershell
1034	credential-access	T1552.001	Unsecured Credentials: Credentials In Files	10	WinPwn - SessionGopher	c9dc9de3-f961-4284-bd2d-f959c9f9fda5	powershell
1035	credential-access	T1552.001	Unsecured Credentials: Credentials In Files	11	WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials	aaa87b0e-5232-4649-ae5c-f1724a4b2798	powershell
1036	credential-access	T1528	Steal Application Access Token	1	Azure - Dump All Azure Key Vaults with Microburst	1b83cddb-eaa7-45aa-98a5-85fb0a8807ea	powershell
1037	credential-access	T1552.006	Unsecured Credentials: Group Policy Preferences	1	GPP Passwords (findstr)	870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f	command_prompt
1038	credential-access	T1552.006	Unsecured Credentials: Group Policy Preferences	2	GPP Passwords (Get-GPPPassword)	e9584f82-322c-474a-b831-940fd8b4455c	powershell
1039	credential-access	T1056.002	Input Capture: GUI Input Capture	1	AppleScript - Prompt User for Password	76628574-0bc1-4646-8fe2-8f4427b47d15	bash
1040	credential-access	T1056.002	Input Capture: GUI Input Capture	2	PowerShell - Prompt User for Password	2b162bfd-0928-4d4c-9ec3-4d9f88374b52	powershell
1041	credential-access	T1110.004	Brute Force: Credential Stuffing	1	SSH Credential Stuffing From Linux	4f08197a-2a8a-472d-9589-cd2895ef22ad	bash
1042	credential-access	T1110.004	Brute Force: Credential Stuffing	2	SSH Credential Stuffing From MacOS	d546a3d9-0be5-40c7-ad82-5a7d79e1b66b	bash
1043	credential-access	T1110.004	Brute Force: Credential Stuffing	3	Brute Force:Credential Stuffing using Kerbrute Tool	4852c630-87a9-409b-bb5e-5dc12c9ebcde	powershell
1044	credential-access	T1187	Forced Authentication	1	PetitPotam	485ce873-2e65-4706-9c7e-ae3ab9e14213	powershell
1045	credential-access	T1187	Forced Authentication	2	WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS	7f06b25c-799e-40f1-89db-999c9cc84317	powershell
1046	credential-access	T1003.008	OS Credential Dumping: /etc/passwd and /etc/shadow	1	Access /etc/shadow (Local)	3723ab77-c546-403c-8fb4-bb577033b235	bash
1047	credential-access	T1003.008	OS Credential Dumping: /etc/passwd and /etc/shadow	2	Access /etc/passwd (Local)	60e860b6-8ae6-49db-ad07-5e73edd88f5d	sh
1048	credential-access	T1003.008	OS Credential Dumping: /etc/passwd and /etc/shadow	3	Access /etc/{shadow,passwd} with a standard bin that's not cat	df1a55ae-019d-4120-bc35-94f4bc5c4b0a	bash
1049	credential-access	T1003.008	OS Credential Dumping: /etc/passwd and /etc/shadow	4	Access /etc/{shadow,passwd} with shell builtins	f5aa6543-6cb2-4fae-b9c2-b96e14721713	bash
1050	credential-access	T1558.002	Steal or Forge Kerberos Tickets: Silver Ticket	1	Crafting Active Directory silver tickets with mimikatz	385e59aa-113e-4711-84d9-f637aef01f2c	powershell
1051	credential-access	T1555.004	Credentials from Password Stores: Windows Credential Manager	1	Access Saved Credentials via VaultCmd	9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439	command_prompt
1052	credential-access	T1555.004	Credentials from Password Stores: Windows Credential Manager	2	WinPwn - Loot local Credentials - Invoke-WCMDump	fa714db1-63dd-479e-a58e-7b2b52ca5997	powershell
1053	credential-access	T1003.003	OS Credential Dumping: NTDS	1	Create Volume Shadow Copy with vssadmin	dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f	command_prompt
1054	credential-access	T1003.003	OS Credential Dumping: NTDS	2	Copy NTDS.dit from Volume Shadow Copy	c6237146-9ea6-4711-85c9-c56d263a6b03	command_prompt
1055	credential-access	T1003.003	OS Credential Dumping: NTDS	3	Dump Active Directory Database with NTDSUtil	2364e33d-ceab-4641-8468-bfb1d7cc2723	command_prompt
1056	credential-access	T1003.003	OS Credential Dumping: NTDS	4	Create Volume Shadow Copy with WMI	224f7de0-8f0a-4a94-b5d8-989b036c86da	command_prompt
1057	credential-access	T1003.003	OS Credential Dumping: NTDS	5	Create Volume Shadow Copy remotely with WMI	d893459f-71f0-484d-9808-ec83b2b64226	command_prompt
1058	credential-access	T1003.003	OS Credential Dumping: NTDS	6	Create Volume Shadow Copy remotely (WMI) with esentutl	21c7bf80-3e8b-40fa-8f9d-f5b194ff2865	command_prompt
1059	credential-access	T1003.003	OS Credential Dumping: NTDS	7	Create Volume Shadow Copy with Powershell	542bb97e-da53-436b-8e43-e0a7d31a6c24	powershell
1060	credential-access	T1003.003	OS Credential Dumping: NTDS	8	Create Symlink to Volume Shadow Copy	21748c28-2793-4284-9e07-d6d028b66702	command_prompt
1061	credential-access	T1558.003	Steal or Forge Kerberos Tickets: Kerberoasting	1	Request for service tickets	3f987809-3681-43c8-bcd8-b3ff3a28533a	powershell
1062	credential-access	T1558.003	Steal or Forge Kerberos Tickets: Kerberoasting	2	Rubeus kerberoast	14625569-6def-4497-99ac-8e7817105b55	powershell
1063	credential-access	T1558.003	Steal or Forge Kerberos Tickets: Kerberoasting	3	Extract all accounts in use as SPN using setspn	e6f4affd-d826-4871-9a62-6c9004b8fe06	command_prompt
1064	credential-access	T1558.003	Steal or Forge Kerberos Tickets: Kerberoasting	4	Request A Single Ticket via PowerShell	988539bc-2ed7-4e62-aec6-7c5cf6680863	powershell
1065	credential-access	T1558.003	Steal or Forge Kerberos Tickets: Kerberoasting	5	Request All Tickets via PowerShell	902f4ed2-1aba-4133-90f2-cff6d299d6da	powershell
1066	credential-access	T1558.003	Steal or Forge Kerberos Tickets: Kerberoasting	6	WinPwn - Kerberoasting	78d10e20-c874-45f2-a9df-6fea0120ec27	powershell
1067	credential-access	T1558.003	Steal or Forge Kerberos Tickets: Kerberoasting	7	WinPwn - PowerSharpPack - Kerberoasting Using Rubeus	29094950-2c96-4cbd-b5e4-f7c65079678f	powershell
1068	credential-access	T1003.006	OS Credential Dumping: DCSync	1	DCSync (Active Directory)	129efd28-8497-4c87-a1b0-73b9a870ca3e	command_prompt
1069	credential-access	T1003.006	OS Credential Dumping: DCSync	2	Run DSInternals Get-ADReplAccount	a0bced08-3fc5-4d8b-93b7-e8344739376e	powershell
1070	credential-access	T1056.004	Input Capture: Credential API Hooking	1	Hook PowerShell TLS Encrypt/Decrypt Messages	de1934ea-1fbf-425b-8795-65fb27dd7e33	powershell
1071	credential-access	T1552.007	Kubernetes List Secrets	1	ListSecrets	43c3a49d-d15c-45e6-b303-f6e177e44a9a	bash
1072	credential-access	T1552.007	Kubernetes List Secrets	2	Cat the contents of a Kubernetes service account token file	788e0019-a483-45da-bcfe-96353d46820f	sh
1073	discovery	T1033	System Owner/User Discovery	1	System Owner/User Discovery	4c4959bf-addf-4b4a-be86-8d09cc1857aa	command_prompt
1074	discovery	T1033	System Owner/User Discovery	2	System Owner/User Discovery	2a9b677d-a230-44f4-ad86-782df1ef108c	sh
1075	discovery	T1033	System Owner/User Discovery	3	Find computers where user has session - Stealth mode (PowerView)	29857f27-a36f-4f7e-8084-4557cd6207ca	powershell
1076	discovery	T1033	System Owner/User Discovery	4	User Discovery With Env Vars PowerShell Script	dcb6cdee-1fb0-4087-8bf8-88cfd136ba51	powershell
1077	discovery	T1033	System Owner/User Discovery	5	GetCurrent User with PowerShell Script	1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b	powershell
1078	discovery	T1615	Group Policy Discovery	1	Display group policy information via gpresult	0976990f-53b1-4d3f-a185-6df5be429d3b	command_prompt
1079	discovery	T1615	Group Policy Discovery	2	Get-DomainGPO to display group policy information via PowerView	4e524c4e-0e02-49aa-8df5-93f3f7959b9f	powershell
1080	discovery	T1615	Group Policy Discovery	3	WinPwn - GPOAudit	bc25c04b-841e-4965-855f-d1f645d7ab73	powershell
1081	discovery	T1615	Group Policy Discovery	4	WinPwn - GPORemoteAccessPolicy	7230d01a-0a72-4bd5-9d7f-c6d472bc6a59	powershell
1082	discovery	T1615	Group Policy Discovery	5	MSFT Get-GPO Cmdlet	52778a8f-a10b-41a4-9eae-52ddb74072bf	powershell
1083	discovery	T1087.002	Account Discovery: Domain Account	1	Enumerate all accounts (Domain)	6fbc9e68-5ad7-444a-bd11-8bf3136c477e	command_prompt
1084	discovery	T1087.002	Account Discovery: Domain Account	2	Enumerate all accounts via PowerShell (Domain)	8b8a6449-be98-4f42-afd2-dedddc7453b2	powershell
1085	discovery	T1087.002	Account Discovery: Domain Account	3	Enumerate logged on users via CMD (Domain)	161dcd85-d014-4f5e-900c-d3eaae82a0f7	command_prompt
1086	discovery	T1087.002	Account Discovery: Domain Account	4	Automated AD Recon (ADRecon)	95018438-454a-468c-a0fa-59c800149b59	powershell
1087	discovery	T1087.002	Account Discovery: Domain Account	5	Adfind -Listing password policy	736b4f53-f400-4c22-855d-1a6b5a551600	command_prompt
1088	discovery	T1087.002	Account Discovery: Domain Account	6	Adfind - Enumerate Active Directory Admins	b95fd967-4e62-4109-b48d-265edfd28c3a	command_prompt
1089	discovery	T1087.002	Account Discovery: Domain Account	7	Adfind - Enumerate Active Directory User Objects	e1ec8d20-509a-4b9a-b820-06c9b2da8eb7	command_prompt
1090	discovery	T1087.002	Account Discovery: Domain Account	8	Adfind - Enumerate Active Directory Exchange AD Objects	5e2938fb-f919-47b6-8b29-2f6a1f718e99	command_prompt
1091	discovery	T1087.002	Account Discovery: Domain Account	9	Enumerate Default Domain Admin Details (Domain)	c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef	command_prompt
1092	discovery	T1087.002	Account Discovery: Domain Account	10	Enumerate Active Directory for Unconstrained Delegation	46f8dbe9-22a5-4770-8513-66119c5be63b	powershell
1093	discovery	T1087.002	Account Discovery: Domain Account	11	Get-DomainUser with PowerView	93662494-5ed7-4454-a04c-8c8372808ac2	powershell
1094	discovery	T1087.002	Account Discovery: Domain Account	12	Enumerate Active Directory Users with ADSISearcher	02e8be5a-3065-4e54-8cc8-a14d138834d3	powershell
1095	discovery	T1087.002	Account Discovery: Domain Account	13	Enumerate Linked Policies In ADSISearcher Discovery	7ab0205a-34e4-4a44-9b04-e1541d1a57be	powershell
1096	discovery	T1087.002	Account Discovery: Domain Account	14	Enumerate Root Domain linked policies Discovery	00c652e2-0750-4ca6-82ff-0204684a6fe4	powershell
1097	discovery	T1087.002	Account Discovery: Domain Account	15	WinPwn - generaldomaininfo	ce483c35-c74b-45a7-a670-631d1e69db3d	powershell
1098	discovery	T1087.002	Account Discovery: Domain Account	16	Kerbrute - userenum	f450461c-18d1-4452-9f0d-2c42c3f08624	powershell
1099	discovery	T1087.001	Account Discovery: Local Account	1	Enumerate all accounts (Local)	f8aab3dd-5990-4bf8-b8ab-2226c951696f	sh
1100	discovery	T1087.001	Account Discovery: Local Account	2	View sudoers access	fed9be70-0186-4bde-9f8a-20945f9370c2	sh
1101	discovery	T1087.001	Account Discovery: Local Account	3	View accounts with UID 0	c955a599-3653-4fe5-b631-f11c00eb0397	sh
1102	discovery	T1087.001	Account Discovery: Local Account	4	List opened files by user	7e46c7a5-0142-45be-a858-1a3ecb4fd3cb	sh
1103	discovery	T1087.001	Account Discovery: Local Account	5	Show if a user account has ever logged in remotely	0f0b6a29-08c3-44ad-a30b-47fd996b2110	sh
1104	discovery	T1087.001	Account Discovery: Local Account	6	Enumerate users and groups	e6f36545-dc1e-47f0-9f48-7f730f54a02e	sh
1105	discovery	T1087.001	Account Discovery: Local Account	7	Enumerate users and groups	319e9f6c-7a9e-432e-8c62-9385c803b6f2	sh
1106	discovery	T1087.001	Account Discovery: Local Account	8	Enumerate all accounts on Windows (Local)	80887bec-5a9b-4efc-a81d-f83eb2eb32ab	command_prompt
1107	discovery	T1087.001	Account Discovery: Local Account	9	Enumerate all accounts via PowerShell (Local)	ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b	powershell
1108	discovery	T1087.001	Account Discovery: Local Account	10	Enumerate logged on users via CMD (Local)	a138085e-bfe5-46ba-a242-74a6fb884af3	command_prompt
1109	discovery	T1497.001	Virtualization/Sandbox Evasion: System Checks	1	Detect Virtualization Environment (Linux)	dfbd1a21-540d-4574-9731-e852bd6fe840	sh
1110	discovery	T1497.001	Virtualization/Sandbox Evasion: System Checks	2	Detect Virtualization Environment (Windows)	502a7dc4-9d6f-4d28-abf2-f0e84692562d	powershell
1111	discovery	T1497.001	Virtualization/Sandbox Evasion: System Checks	3	Detect Virtualization Environment (MacOS)	a960185f-aef6-4547-8350-d1ce16680d09	sh
1112	discovery	T1497.001	Virtualization/Sandbox Evasion: System Checks	4	Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)	4a41089a-48e0-47aa-82cb-5b81a463bc78	powershell
1113	discovery	T1069.002	Permission Groups Discovery: Domain Groups	1	Basic Permission Groups Discovery Windows (Domain)	dd66d77d-8998-48c0-8024-df263dc2ce5d	command_prompt
1114	discovery	T1069.002	Permission Groups Discovery: Domain Groups	2	Permission Groups Discovery PowerShell (Domain)	6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7	powershell
1115	discovery	T1069.002	Permission Groups Discovery: Domain Groups	3	Elevated group enumeration using net group (Domain)	0afb5163-8181-432e-9405-4322710c0c37	command_prompt
1116	discovery	T1069.002	Permission Groups Discovery: Domain Groups	4	Find machines where user has local admin access (PowerView)	a2d71eee-a353-4232-9f86-54f4288dd8c1	powershell
1117	discovery	T1069.002	Permission Groups Discovery: Domain Groups	5	Find local admins on all machines in domain (PowerView)	a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd	powershell
1118	discovery	T1069.002	Permission Groups Discovery: Domain Groups	6	Find Local Admins via Group Policy (PowerView)	64fdb43b-5259-467a-b000-1b02c00e510a	powershell
1119	discovery	T1069.002	Permission Groups Discovery: Domain Groups	7	Enumerate Users Not Requiring Pre Auth (ASRepRoast)	870ba71e-6858-4f6d-895c-bb6237f6121b	powershell
1120	discovery	T1069.002	Permission Groups Discovery: Domain Groups	8	Adfind - Query Active Directory Groups	48ddc687-82af-40b7-8472-ff1e742e8274	command_prompt
1121	discovery	T1069.002	Permission Groups Discovery: Domain Groups	9	Enumerate Active Directory Groups with Get-AdGroup	3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8	powershell
1122	discovery	T1069.002	Permission Groups Discovery: Domain Groups	10	Enumerate Active Directory Groups with ADSISearcher	9f4e344b-8434-41b3-85b1-d38f29d148d0	powershell
1123	discovery	T1069.002	Permission Groups Discovery: Domain Groups	11	Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)	43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8	powershell
1124	discovery	T1069.002	Permission Groups Discovery: Domain Groups	12	Get-DomainGroupMember with PowerView	46352f40-f283-4fe5-b56d-d9a71750e145	powershell
1125	discovery	T1069.002	Permission Groups Discovery: Domain Groups	13	Get-DomainGroup with PowerView	5a8a181c-2c8e-478d-a943-549305a01230	powershell
1126	discovery	T1007	System Service Discovery	1	System Service Discovery	89676ba1-b1f8-47ee-b940-2e1a113ebc71	command_prompt
1127	discovery	T1007	System Service Discovery	2	System Service Discovery - net.exe	5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3	command_prompt
1128	discovery	T1007	System Service Discovery	3	System Service Discovery - systemctl	f4b26bce-4c2c-46c0-bcc5-fce062d38bef	bash
1129	discovery	T1040	Network Sniffing	1	Packet Capture Linux	7fe741f7-b265-4951-a7c7-320889083b3e	bash
1130	discovery	T1040	Network Sniffing	2	Packet Capture macOS	9d04efee-eff5-4240-b8d2-07792b873608	bash
1131	discovery	T1040	Network Sniffing	3	Packet Capture Windows Command Prompt	a5b2f6a0-24b4-493e-9590-c699f75723ca	command_prompt
1132	discovery	T1040	Network Sniffing	4	Windows Internal Packet Capture	b5656f67-d67f-4de8-8e62-b5581630f528	command_prompt
1133	discovery	T1040	Network Sniffing	5	Windows Internal pktmon capture	c67ba807-f48b-446e-b955-e4928cd1bf91	command_prompt
1134	discovery	T1040	Network Sniffing	6	Windows Internal pktmon set filter	855fb8b4-b8ab-4785-ae77-09f5df7bff55	command_prompt
1135	discovery	T1135	Network Share Discovery	1	Network Share Discovery	f94b5ad9-911c-4eff-9718-fd21899db4f7	sh
1136	discovery	T1135	Network Share Discovery	2	Network Share Discovery - linux	875805bc-9e86-4e87-be86-3a5527315cae	bash
1137	discovery	T1135	Network Share Discovery	3	Network Share Discovery command prompt	20f1097d-81c1-405c-8380-32174d493bbb	command_prompt
1138	discovery	T1135	Network Share Discovery	4	Network Share Discovery PowerShell	1b0814d1-bb24-402d-9615-1b20c50733fb	powershell
1139	discovery	T1135	Network Share Discovery	5	View available share drives	ab39a04f-0c93-4540-9ff2-83f862c385ae	command_prompt
1140	discovery	T1135	Network Share Discovery	6	Share Discovery with PowerView	b1636f0a-ba82-435c-b699-0d78794d8bfd	powershell
1141	discovery	T1135	Network Share Discovery	7	PowerView ShareFinder	d07e4cc1-98ae-447e-9d31-36cb430d28c4	powershell
1142	discovery	T1135	Network Share Discovery	8	WinPwn - shareenumeration	987901d1-5b87-4558-a6d9-cffcabc638b8	powershell
1143	discovery	T1120	Peripheral Device Discovery	1	Win32_PnPEntity Hardware Inventory	2cb4dbf2-2dca-4597-8678-4d39d207a3a5	powershell
1144	discovery	T1120	Peripheral Device Discovery	2	WinPwn - printercheck	cb6e76ca-861e-4a7f-be08-564caa3e6f75	powershell
1145	discovery	T1082	System Information Discovery	1	System Information Discovery	66703791-c902-4560-8770-42b8a91f7667	command_prompt
1146	discovery	T1082	System Information Discovery	2	System Information Discovery	edff98ec-0f73-4f63-9890-6b117092aff6	sh
1147	discovery	T1082	System Information Discovery	3	List OS Information	cccb070c-df86-4216-a5bc-9fb60c74e27c	sh
1148	discovery	T1082	System Information Discovery	4	Linux VM Check via Hardware	31dad7ad-2286-4c02-ae92-274418c85fec	bash
1149	discovery	T1082	System Information Discovery	5	Linux VM Check via Kernel Modules	8057d484-0fae-49a4-8302-4812c4f1e64e	bash
1150	discovery	T1082	System Information Discovery	6	Hostname Discovery (Windows)	85cfbf23-4a1e-4342-8792-007e004b975f	command_prompt
1151	discovery	T1082	System Information Discovery	7	Hostname Discovery	486e88ea-4f56-470f-9b57-3f4d73f39133	bash
1152	discovery	T1082	System Information Discovery	8	Windows MachineGUID Discovery	224b4daf-db44-404e-b6b2-f4d1f0126ef8	command_prompt
1153	discovery	T1082	System Information Discovery	9	Griffon Recon	69bd4abe-8759-49a6-8d21-0f15822d6370	powershell
1154	discovery	T1082	System Information Discovery	10	Environment variables discovery on windows	f400d1c0-1804-4ff8-b069-ef5ddd2adbf3	command_prompt
1155	discovery	T1082	System Information Discovery	11	Environment variables discovery on macos and linux	fcbdd43f-f4ad-42d5-98f3-0218097e2720	sh
1156	discovery	T1082	System Information Discovery	12	Show System Integrity Protection status (MacOS)	327cc050-9e99-4c8e-99b5-1d15f2fb6b96	sh
1157	discovery	T1082	System Information Discovery	13	WinPwn - winPEAS	eea1d918-825e-47dd-acc2-814d6c58c0e1	powershell
1158	discovery	T1082	System Information Discovery	14	WinPwn - itm4nprivesc	3d256a2f-5e57-4003-8eb6-64d91b1da7ce	powershell
1159	discovery	T1082	System Information Discovery	15	WinPwn - Powersploits privesc checks	345cb8e4-d2de-4011-a580-619cf5a9e2d7	powershell
1160	discovery	T1082	System Information Discovery	16	WinPwn - General privesc checks	5b6f39a2-6ec7-4783-a5fd-2c54a55409ed	powershell
1161	discovery	T1082	System Information Discovery	17	WinPwn - GeneralRecon	7804659b-fdbf-4cf6-b06a-c03e758590e8	powershell
1162	discovery	T1082	System Information Discovery	18	WinPwn - Morerecon	3278b2f6-f733-4875-9ef4-bfed34244f0a	powershell
1163	discovery	T1082	System Information Discovery	19	WinPwn - RBCD-Check	dec6a0d8-bcaf-4c22-9d48-2aee59fb692b	powershell
1164	discovery	T1082	System Information Discovery	20	WinPwn - PowerSharpPack - Watson searching for missing windows patches	07b18a66-6304-47d2-bad0-ef421eb2e107	powershell
1165	discovery	T1082	System Information Discovery	21	WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors	efb79454-1101-4224-a4d0-30c9c8b29ffc	powershell
1166	discovery	T1082	System Information Discovery	22	WinPwn - PowerSharpPack - Seatbelt	5c16ceb4-ba3a-43d7-b848-a13c1f216d95	powershell
1167	discovery	T1082	System Information Discovery	23	Azure Security Scan with SkyArk	26a18d3d-f8bc-486b-9a33-d6df5d78a594	powershell
1168	discovery	T1082	System Information Discovery	24	Linux List Kernel Modules	034fe21c-3186-49dd-8d5d-128b35f181c7	sh
1169	discovery	T1010	Application Window Discovery	1	List Process Main Windows - C# .NET	fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4	command_prompt
1170	discovery	T1217	Browser Bookmark Discovery	1	List Mozilla Firefox Bookmark Database Files on Linux	3a41f169-a5ab-407f-9269-abafdb5da6c2	sh
1171	discovery	T1217	Browser Bookmark Discovery	2	List Mozilla Firefox Bookmark Database Files on macOS	1ca1f9c7-44bc-46bb-8c85-c50e2e94267b	sh
1172	discovery	T1217	Browser Bookmark Discovery	3	List Google Chrome Bookmark JSON Files on macOS	b789d341-154b-4a42-a071-9111588be9bc	sh
1173	discovery	T1217	Browser Bookmark Discovery	4	List Google Chrome / Opera Bookmarks on Windows with powershell	faab755e-4299-48ec-8202-fc7885eb6545	powershell
1174	discovery	T1217	Browser Bookmark Discovery	5	List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt	76f71e2f-480e-4bed-b61e-398fe17499d5	command_prompt
1175	discovery	T1217	Browser Bookmark Discovery	6	List Mozilla Firefox bookmarks on Windows with command prompt	4312cdbc-79fc-4a9c-becc-53d49c734bc5	command_prompt
1176	discovery	T1217	Browser Bookmark Discovery	7	List Internet Explorer Bookmarks using the command prompt	727dbcdb-e495-4ab1-a6c4-80c7f77aef85	command_prompt
1177	discovery	T1217	Browser Bookmark Discovery	8	List Safari Bookmarks on MacOS	5fc528dd-79de-47f5-8188-25572b7fafe0	sh
1178	discovery	T1016	System Network Configuration Discovery	1	System Network Configuration Discovery on Windows	970ab6a1-0157-4f3f-9a73-ec4166754b23	command_prompt
1179	discovery	T1016	System Network Configuration Discovery	2	List Windows Firewall Rules	038263cb-00f4-4b0a-98ae-0696c67e1752	command_prompt
1180	discovery	T1016	System Network Configuration Discovery	3	System Network Configuration Discovery	c141bbdb-7fca-4254-9fd6-f47e79447e17	sh
1181	discovery	T1016	System Network Configuration Discovery	4	System Network Configuration Discovery (TrickBot Style)	dafaf052-5508-402d-bf77-51e0700c02e2	command_prompt
1182	discovery	T1016	System Network Configuration Discovery	5	List Open Egress Ports	4b467538-f102-491d-ace7-ed487b853bf5	powershell
1183	discovery	T1016	System Network Configuration Discovery	6	Adfind - Enumerate Active Directory Subnet Objects	9bb45dd7-c466-4f93-83a1-be30e56033ee	command_prompt
1184	discovery	T1016	System Network Configuration Discovery	7	Qakbot Recon	121de5c6-5818-4868-b8a7-8fd07c455c1b	command_prompt
1185	discovery	T1016	System Network Configuration Discovery	8	List macOS Firewall Rules	ff1d8c25-2aa4-4f18-a425-fede4a41ee88	bash
1186	discovery	T1482	Domain Trust Discovery	1	Windows - Discover domain trusts with dsquery	4700a710-c821-4e17-a3ec-9e4c81d6845f	command_prompt
1187	discovery	T1482	Domain Trust Discovery	2	Windows - Discover domain trusts with nltest	2e22641d-0498-48d2-b9ff-c71e496ccdbe	command_prompt
1188	discovery	T1482	Domain Trust Discovery	3	Powershell enumerate domains and forests	c58fbc62-8a62-489e-8f2d-3565d7d96f30	powershell
1189	discovery	T1482	Domain Trust Discovery	4	Adfind - Enumerate Active Directory OUs	d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec	command_prompt
1190	discovery	T1482	Domain Trust Discovery	5	Adfind - Enumerate Active Directory Trusts	15fe436d-e771-4ff3-b655-2dca9ba52834	command_prompt
1191	discovery	T1482	Domain Trust Discovery	6	Get-DomainTrust with PowerView	f974894c-5991-4b19-aaf5-7cc2fe298c5d	powershell
1192	discovery	T1482	Domain Trust Discovery	7	Get-ForestTrust with PowerView	58ed10e8-0738-4651-8408-3a3e9a526279	powershell
1193	discovery	T1482	Domain Trust Discovery	8	TruffleSnout - Listing AD Infrastructure	ea1b4f2d-5b82-4006-b64f-f2845608a3bf	command_prompt
1194	discovery	T1083	File and Directory Discovery	1	File and Directory Discovery (cmd.exe)	0e36303b-6762-4500-b003-127743b80ba6	command_prompt
1195	discovery	T1083	File and Directory Discovery	2	File and Directory Discovery (PowerShell)	2158908e-b7ef-4c21-8a83-3ce4dd05a924	powershell
1196	discovery	T1083	File and Directory Discovery	3	Nix File and Directory Discovery	ffc8b249-372a-4b74-adcd-e4c0430842de	sh
1197	discovery	T1083	File and Directory Discovery	4	Nix File and Directory Discovery 2	13c5e1ae-605b-46c4-a79f-db28c77ff24e	sh
1198	discovery	T1083	File and Directory Discovery	5	Simulating MAZE Directory Enumeration	c6c34f61-1c3e-40fb-8a58-d017d88286d8	powershell
1199	discovery	T1083	File and Directory Discovery	6	Launch DirLister Executable	c5bec457-43c9-4a18-9a24-fe151d8971b7	powershell
1200	discovery	T1049	System Network Connections Discovery	1	System Network Connections Discovery	0940a971-809a-48f1-9c4d-b1d785e96ee5	command_prompt
1201	discovery	T1049	System Network Connections Discovery	2	System Network Connections Discovery with PowerShell	f069f0f1-baad-4831-aa2b-eddac4baac4a	powershell
1202	discovery	T1049	System Network Connections Discovery	3	System Network Connections Discovery Linux & MacOS	9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2	sh
1203	discovery	T1049	System Network Connections Discovery	4	System Discovery using SharpView	96f974bb-a0da-4d87-a744-ff33e73367e9	powershell
1204	discovery	T1619	Cloud Storage Object Discovery	1	AWS S3 Enumeration	3c7094f8-71ec-4917-aeb8-a633d7ec4ef5	sh
1205	discovery	T1057	Process Discovery	1	Process Discovery - ps	4ff64f0b-aaf2-4866-b39d-38d9791407cc	sh
1206	discovery	T1057	Process Discovery	2	Process Discovery - tasklist	c5806a4f-62b8-4900-980b-c7ec004e9908	command_prompt
1207	discovery	T1057	Process Discovery	3	Process Discovery - Get-Process	3b3809b6-a54b-4f5b-8aff-cb51f2e97b34	powershell
1208	discovery	T1057	Process Discovery	4	Process Discovery - get-wmiObject	b51239b4-0129-474f-a2b4-70f855b9f2c2	powershell
1209	discovery	T1057	Process Discovery	5	Process Discovery - wmic process	640cbf6d-659b-498b-ba53-f6dd1a1cc02c	command_prompt
1210	discovery	T1069.001	Permission Groups Discovery: Local Groups	1	Permission Groups Discovery (Local)	952931a4-af0b-4335-bbbe-73c8c5b327ae	sh
1211	discovery	T1069.001	Permission Groups Discovery: Local Groups	2	Basic Permission Groups Discovery Windows (Local)	1f454dd6-e134-44df-bebb-67de70fb6cd8	command_prompt
1212	discovery	T1069.001	Permission Groups Discovery: Local Groups	3	Permission Groups Discovery PowerShell (Local)	a580462d-2c19-4bc7-8b9a-57a41b7d3ba4	powershell
1213	discovery	T1069.001	Permission Groups Discovery: Local Groups	4	SharpHound3 - LocalAdmin	e03ada14-0980-4107-aff1-7783b2b59bb1	powershell
1214	discovery	T1069.001	Permission Groups Discovery: Local Groups	5	Wmic Group Discovery	7413be50-be8e-430f-ad4d-07bf197884b2	powershell
1215	discovery	T1069.001	Permission Groups Discovery: Local Groups	6	WMIObject Group Discovery	69119e58-96db-4110-ad27-954e48f3bb13	powershell
1216	discovery	T1201	Password Policy Discovery	1	Examine password complexity policy - Ubuntu	085fe567-ac84-47c7-ac4c-2688ce28265b	bash
1217	discovery	T1201	Password Policy Discovery	2	Examine password complexity policy - CentOS/RHEL 7.x	78a12e65-efff-4617-bc01-88f17d71315d	bash
1218	discovery	T1201	Password Policy Discovery	3	Examine password complexity policy - CentOS/RHEL 6.x	6ce12552-0adb-4f56-89ff-95ce268f6358	bash
1219	discovery	T1201	Password Policy Discovery	4	Examine password expiration policy - All Linux	7c86c55c-70fa-4a05-83c9-3aa19b145d1a	bash
1220	discovery	T1201	Password Policy Discovery	5	Examine local password policy - Windows	4588d243-f24e-4549-b2e3-e627acc089f6	command_prompt
1221	discovery	T1201	Password Policy Discovery	6	Examine domain password policy - Windows	46c2c362-2679-4ef5-aec9-0e958e135be4	command_prompt
1222	discovery	T1201	Password Policy Discovery	7	Examine password policy - macOS	4b7fa042-9482-45e1-b348-4b756b2a0742	bash
1223	discovery	T1201	Password Policy Discovery	8	Get-DomainPolicy with PowerView	3177f4da-3d4b-4592-8bdc-aa23d0b2e843	powershell
1224	discovery	T1201	Password Policy Discovery	9	Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy	b2698b33-984c-4a1c-93bb-e4ba72a0babb	powershell
1225	discovery	T1614.001	System Location Discovery: System Language Discovery	1	Discover System Language by Registry Query	631d4cf1-42c9-4209-8fe9-6bd4de9421be	command_prompt
1226	discovery	T1614.001	System Location Discovery: System Language Discovery	2	Discover System Language with chcp	d91473ca-944e-477a-b484-0e80217cd789	command_prompt
1227	discovery	T1012	Query Registry	1	Query Registry	8f7578c4-9863-4d83-875c-a565573bbdf0	command_prompt
1228	discovery	T1012	Query Registry	2	Enumerate COM Objects in Registry with Powershell	0d80d088-a84c-4353-af1a-fc8b439f1564	powershell
1229	discovery	T1518.001	Software Discovery: Security Software Discovery	1	Security Software Discovery	f92a380f-ced9-491f-b338-95a991418ce2	command_prompt
1230	discovery	T1518.001	Software Discovery: Security Software Discovery	2	Security Software Discovery - powershell	7f566051-f033-49fb-89de-b6bacab730f0	powershell
1231	discovery	T1518.001	Software Discovery: Security Software Discovery	3	Security Software Discovery - ps (macOS)	ba62ce11-e820-485f-9c17-6f3c857cd840	sh
1232	discovery	T1518.001	Software Discovery: Security Software Discovery	4	Security Software Discovery - ps (Linux)	23b91cd2-c99c-4002-9e41-317c63e024a2	sh
1233	discovery	T1518.001	Software Discovery: Security Software Discovery	5	Security Software Discovery - Sysmon Service	fe613cf3-8009-4446-9a0f-bc78a15b66c9	command_prompt
1234	discovery	T1518.001	Software Discovery: Security Software Discovery	6	Security Software Discovery - AV Discovery via WMI	1553252f-14ea-4d3b-8a08-d7a4211aa945	command_prompt
1235	discovery	T1526	Cloud Service Discovery	1	Azure - Dump Subscription Data with MicroBurst	1e40bb1d-195e-401e-a86b-c192f55e005c	powershell
1236	discovery	T1018	Remote System Discovery	1	Remote System Discovery - net	85321a9c-897f-4a60-9f20-29788e50bccd	command_prompt
1237	discovery	T1018	Remote System Discovery	2	Remote System Discovery - net group Domain Computers	f1bf6c8f-9016-4edf-aff9-80b65f5d711f	command_prompt
1238	discovery	T1018	Remote System Discovery	3	Remote System Discovery - nltest	52ab5108-3f6f-42fb-8ba3-73bc054f22c8	command_prompt
1239	discovery	T1018	Remote System Discovery	4	Remote System Discovery - ping sweep	6db1f57f-d1d5-4223-8a66-55c9c65a9592	command_prompt
1240	discovery	T1018	Remote System Discovery	5	Remote System Discovery - arp	2d5a61f5-0447-4be4-944a-1f8530ed6574	command_prompt
1241	discovery	T1018	Remote System Discovery	6	Remote System Discovery - arp nix	acb6b1ff-e2ad-4d64-806c-6c35fe73b951	sh
1242	discovery	T1018	Remote System Discovery	7	Remote System Discovery - sweep	96db2632-8417-4dbb-b8bb-a8b92ba391de	sh
1243	discovery	T1018	Remote System Discovery	8	Remote System Discovery - nslookup	baa01aaa-5e13-45ec-8a0d-e46c93c9760f	powershell
1244	discovery	T1018	Remote System Discovery	9	Remote System Discovery - adidnsdump	95e19466-469e-4316-86d2-1dc401b5a959	command_prompt
1245	discovery	T1018	Remote System Discovery	10	Adfind - Enumerate Active Directory Computer Objects	a889f5be-2d54-4050-bd05-884578748bb4	command_prompt
1246	discovery	T1018	Remote System Discovery	11	Adfind - Enumerate Active Directory Domain Controller Objects	5838c31e-a0e2-4b9f-b60a-d79d2cb7995e	command_prompt
1247	discovery	T1018	Remote System Discovery	12	Remote System Discovery - ip neighbour	158bd4dd-6359-40ab-b13c-285b9ef6fa25	sh
1248	discovery	T1018	Remote System Discovery	13	Remote System Discovery - ip route	1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1	sh
1249	discovery	T1018	Remote System Discovery	14	Remote System Discovery - ip tcp_metrics	6c2da894-0b57-43cb-87af-46ea3b501388	sh
1250	discovery	T1018	Remote System Discovery	15	Enumerate domain computers within Active Directory using DirectorySearcher	962a6017-1c09-45a6-880b-adc9c57cb22e	powershell
1251	discovery	T1018	Remote System Discovery	16	Enumerate Active Directory Computers with Get-AdComputer	97e89d9e-e3f5-41b5-a90f-1e0825df0fdf	powershell
1252	discovery	T1018	Remote System Discovery	17	Enumerate Active Directory Computers with ADSISearcher	64ede6ac-b57a-41c2-a7d1-32c6cd35397d	powershell
1253	discovery	T1018	Remote System Discovery	18	Get-DomainController with PowerView	b9d2e8ca-5520-4737-8076-4f08913da2c4	powershell
1254	discovery	T1018	Remote System Discovery	19	Get-wmiobject to Enumerate Domain Controllers	e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad	powershell
1255	discovery	T1046	Network Service Scanning	1	Port Scan	68e907da-2539-48f6-9fc9-257a78c05540	bash
1256	discovery	T1046	Network Service Scanning	2	Port Scan Nmap	515942b0-a09f-4163-a7bb-22fefb6f185f	sh
1257	discovery	T1046	Network Service Scanning	3	Port Scan NMap for Windows	d696a3cb-d7a8-4976-8eb5-5af4abf2e3df	powershell
1258	discovery	T1046	Network Service Scanning	4	Port Scan using python	6ca45b04-9f15-4424-b9d3-84a217285a5c	powershell
1259	discovery	T1046	Network Service Scanning	5	WinPwn - spoolvulnscan	54574908-f1de-4356-9021-8053dd57439a	powershell
1260	discovery	T1046	Network Service Scanning	6	WinPwn - MS17-10	97585b04-5be2-40e9-8c31-82157b8af2d6	powershell
1261	discovery	T1046	Network Service Scanning	7	WinPwn - bluekeep	1cca5640-32a9-46e6-b8e0-fabbe2384a73	powershell
1262	discovery	T1046	Network Service Scanning	8	WinPwn - fruit	bb037826-cbe8-4a41-93ea-b94059d6bb98	powershell
1263	discovery	T1518	Software Discovery	1	Find and Display Internet Explorer Browser Version	68981660-6670-47ee-a5fa-7e74806420a4	command_prompt
1264	discovery	T1518	Software Discovery	2	Applications Installed	c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b	powershell
1265	discovery	T1518	Software Discovery	3	Find and Display Safari Browser Version	103d6533-fd2a-4d08-976a-4a598565280f	sh
1266	discovery	T1518	Software Discovery	4	WinPwn - Dotnetsearch	7e79a1b6-519e-433c-ad55-3ff293667101	powershell
1267	discovery	T1518	Software Discovery	5	WinPwn - DotNet	10ba02d0-ab76-4f80-940d-451633f24c5b	powershell
1268	discovery	T1518	Software Discovery	6	WinPwn - powerSQL	0bb64470-582a-4155-bde2-d6003a95ed34	powershell
1269	discovery	T1124	System Time Discovery	1	System Time Discovery	20aba24b-e61f-4b26-b4ce-4784f763ca20	command_prompt
1270	discovery	T1124	System Time Discovery	2	System Time Discovery - PowerShell	1d5711d6-655c-4a47-ae9c-6503c74fa877	powershell
1271	discovery	T1124	System Time Discovery	3	System Time Discovery in macOS	f449c933-0891-407f-821e-7916a21a1a6f	sh
1272	discovery	T1124	System Time Discovery	4	System Time Discovery W32tm as a Delay	d5d5a6b0-0f92-42d8-985d-47aafa2dd4db	command_prompt
1273	command-and-control	T1132.001	Data Encoding: Standard Encoding	1	Base64 Encoded data.	1164f70f-9a88-4dff-b9ff-dc70e7bf0c25	sh
1274	command-and-control	T1132.001	Data Encoding: Standard Encoding	2	XOR Encoded data.	c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08	powershell
1275	command-and-control	T1071.004	Application Layer Protocol: DNS	1	DNS Large Query Volume	1700f5d6-5a44-487b-84de-bc66f507b0a6	powershell
1276	command-and-control	T1071.004	Application Layer Protocol: DNS	2	DNS Regular Beaconing	3efc144e-1af8-46bb-8ca2-1376bb6db8b6	powershell
1277	command-and-control	T1071.004	Application Layer Protocol: DNS	3	DNS Long Domain Query	fef31710-223a-40ee-8462-a396d6b66978	powershell
1278	command-and-control	T1071.004	Application Layer Protocol: DNS	4	DNS C2	e7bf9802-2e78-4db9-93b5-181b7bcd37d7	powershell
1279	command-and-control	T1219	Remote Access Software	1	TeamViewer Files Detected Test on Windows	8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0	powershell
1280	command-and-control	T1219	Remote Access Software	2	AnyDesk Files Detected Test on Windows	6b8b7391-5c0a-4f8c-baee-78d8ce0ce330	powershell
1281	command-and-control	T1219	Remote Access Software	3	LogMeIn Files Detected Test on Windows	d03683ec-aae0-42f9-9b4c-534780e0f8e1	powershell
1282	command-and-control	T1219	Remote Access Software	4	GoToAssist Files Detected Test on Windows	1b72b3bd-72f8-4b63-a30b-84e91b9c3578	powershell
1283	command-and-control	T1219	Remote Access Software	5	ScreenConnect Application Download and Install on Windows	4a18cc4e-416f-4966-9a9d-75731c4684c0	powershell
1284	command-and-control	T1219	Remote Access Software	6	Ammyy Admin Software Execution	0ae9e327-3251-465a-a53b-485d4e3f58fa	powershell
1285	command-and-control	T1219	Remote Access Software	7	RemotePC Software Execution	fbff3f1f-b0bf-448e-840f-7e1687affdce	powershell
1286	command-and-control	T1219	Remote Access Software	8	NetSupport - RAT Execution	ecca999b-e0c8-40e8-8416-ad320b146a75	powershell
1287	command-and-control	T1219	Remote Access Software	9	UltraViewer - RAT Execution	19acf63b-55c4-4b6a-8552-00a8865105c8	powershell
1288	command-and-control	T1219	Remote Access Software	10	UltraVNC Execution	42e51815-a6cc-4c75-b970-3f0ff54b610e	powershell
1289	command-and-control	T1572	Protocol Tunneling	1	DNS over HTTPS Large Query Volume	ae9ef4b0-d8c1-49d4-8758-06206f19af0a	powershell
1290	command-and-control	T1572	Protocol Tunneling	2	DNS over HTTPS Regular Beaconing	0c5f9705-c575-42a6-9609-cbbff4b2fc9b	powershell
1291	command-and-control	T1572	Protocol Tunneling	3	DNS over HTTPS Long Domain Query	748a73d5-cea4-4f34-84d8-839da5baa99c	powershell
1292	command-and-control	T1090.003	Proxy: Multi-hop Proxy	1	Psiphon	14d55ca0-920e-4b44-8425-37eedd72b173	powershell
1293	command-and-control	T1090.003	Proxy: Multi-hop Proxy	2	Tor Proxy Usage - Windows	7b9d85e5-c4ce-4434-8060-d3de83595e69	powershell
1294	command-and-control	T1090.003	Proxy: Multi-hop Proxy	3	Tor Proxy Usage - Debian/Ubuntu	5ff9d047-6e9c-4357-b39b-5cf89d9b59c7	sh
1295	command-and-control	T1090.003	Proxy: Multi-hop Proxy	4	Tor Proxy Usage - MacOS	12631354-fdbc-4164-92be-402527e748da	sh
1296	command-and-control	T1571	Non-Standard Port	1	Testing usage of uncommonly used port with PowerShell	21fe622f-8e53-4b31-ba83-6d333c2583f4	powershell
1297	command-and-control	T1571	Non-Standard Port	2	Testing usage of uncommonly used port	5db21e1d-dd9c-4a50-b885-b1e748912767	sh
1298	command-and-control	T1573	Encrypted Channel	1	OpenSSL C2	21caf58e-87ad-440c-a6b8-3ac259964003	powershell
1299	command-and-control	T1095	Non-Application Layer Protocol	1	ICMP C2	0268e63c-e244-42db-bef7-72a9e59fc1fc	powershell
1300	command-and-control	T1095	Non-Application Layer Protocol	2	Netcat C2	bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37	powershell
1301	command-and-control	T1095	Non-Application Layer Protocol	3	Powercat C2	3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e	powershell
1302	command-and-control	T1071.001	Application Layer Protocol: Web Protocols	1	Malicious User Agents - Powershell	81c13829-f6c9-45b8-85a6-053366d55297	powershell
1303	command-and-control	T1071.001	Application Layer Protocol: Web Protocols	2	Malicious User Agents - CMD	dc3488b0-08c7-4fea-b585-905c83b48180	command_prompt
1304	command-and-control	T1071.001	Application Layer Protocol: Web Protocols	3	Malicious User Agents - Nix	2d7c471a-e887-4b78-b0dc-b0df1f2e0658	sh
1305	command-and-control	T1105	Ingress Tool Transfer	1	rsync remote file copy (push)	0fc6e977-cb12-44f6-b263-2824ba917409	bash
1306	command-and-control	T1105	Ingress Tool Transfer	2	rsync remote file copy (pull)	3180f7d5-52c0-4493-9ea0-e3431a84773f	bash
1307	command-and-control	T1105	Ingress Tool Transfer	3	scp remote file copy (push)	83a49600-222b-4866-80a0-37736ad29344	bash
1308	command-and-control	T1105	Ingress Tool Transfer	4	scp remote file copy (pull)	b9d22b9a-9778-4426-abf0-568ea64e9c33	bash
1309	command-and-control	T1105	Ingress Tool Transfer	5	sftp remote file copy (push)	f564c297-7978-4aa9-b37a-d90477feea4e	bash
1310	command-and-control	T1105	Ingress Tool Transfer	6	sftp remote file copy (pull)	0139dba1-f391-405e-a4f5-f3989f2c88ef	bash
1311	command-and-control	T1105	Ingress Tool Transfer	7	certutil download (urlcache)	dd3b61dd-7bbc-48cd-ab51-49ad1a776df0	command_prompt
1312	command-and-control	T1105	Ingress Tool Transfer	8	certutil download (verifyctl)	ffd492e3-0455-4518-9fb1-46527c9f241b	powershell
1313	command-and-control	T1105	Ingress Tool Transfer	9	Windows - BITSAdmin BITS Download	a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b	command_prompt
1314	command-and-control	T1105	Ingress Tool Transfer	10	Windows - PowerShell Download	42dc4460-9aa6-45d3-b1a6-3955d34e1fe8	powershell
1315	command-and-control	T1105	Ingress Tool Transfer	11	OSTAP Worming Activity	2ca61766-b456-4fcf-a35a-1233685e1cad	command_prompt
1316	command-and-control	T1105	Ingress Tool Transfer	12	svchost writing a file to a UNC path	fa5a2759-41d7-4e13-a19c-e8f28a53566f	command_prompt
1317	command-and-control	T1105	Ingress Tool Transfer	13	Download a File with Windows Defender MpCmdRun.exe	815bef8b-bf91-4b67-be4c-abe4c2a94ccc	command_prompt
1318	command-and-control	T1105	Ingress Tool Transfer	14	whois file download	c99a829f-0bb8-4187-b2c6-d47d1df74cab	sh
1319	command-and-control	T1105	Ingress Tool Transfer	15	File Download via PowerShell	54a4daf1-71df-4383-9ba7-f1a295d8b6d2	powershell
1320	command-and-control	T1105	Ingress Tool Transfer	16	File download with finger.exe on Windows	5f507e45-8411-4f99-84e7-e38530c45d01	command_prompt
1321	command-and-control	T1105	Ingress Tool Transfer	17	Download a file with IMEWDBLD.exe	1a02df58-09af-4064-a765-0babe1a0d1e2	powershell
1322	command-and-control	T1105	Ingress Tool Transfer	18	Curl Download File	2b080b99-0deb-4d51-af0f-833d37c4ca6a	command_prompt
1323	command-and-control	T1105	Ingress Tool Transfer	19	Curl Upload File	635c9a38-6cbf-47dc-8615-3810bc1167cf	command_prompt
1324	command-and-control	T1105	Ingress Tool Transfer	20	Download a file with Microsoft Connection Manager Auto-Download	d239772b-88e2-4a2e-8473-897503401bcc	command_prompt
1325	command-and-control	T1105	Ingress Tool Transfer	21	MAZE Propagation Script	70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf	powershell
1326	command-and-control	T1105	Ingress Tool Transfer	22	Printer Migration Command-Line Tool UNC share folder into a zip file	49845fc1-7961-4590-a0f0-3dbcf065ae7e	command_prompt
1327	command-and-control	T1105	Ingress Tool Transfer	23	Lolbas replace.exe use to copy file	54782d65-12f0-47a5-b4c1-b70ee23de6df	command_prompt
1328	command-and-control	T1105	Ingress Tool Transfer	24	Lolbas replace.exe use to copy UNC file	ed0335ac-0354-400c-8148-f6151d20035a	command_prompt
1329	command-and-control	T1105	Ingress Tool Transfer	25	certreq download	6fdaae87-c05b-42f8-842e-991a74e8376b	command_prompt
1330	command-and-control	T1105	Ingress Tool Transfer	26	Download a file using wscript	97116a3f-efac-4b26-8336-b9cb18c45188	command_prompt
1331	command-and-control	T1105	Ingress Tool Transfer	27	Linux Download File and Run	bdc373c5-e9cf-4563-8a7b-a9ba720a90f3	sh
1332	command-and-control	T1105	Ingress Tool Transfer	28	Nimgrab - Transfer Files	b1729c57-9384-4d1c-9b99-9b220afb384e	command_prompt
1333	command-and-control	T1105	Ingress Tool Transfer	29	iwr or Invoke Web-Request download	c01cad7f-7a4c-49df-985e-b190dcf6a279	command_prompt
1334	command-and-control	T1090.001	Proxy: Internal Proxy	1	Connection Proxy	0ac21132-4485-4212-a681-349e8a6637cd	sh
1335	command-and-control	T1090.001	Proxy: Internal Proxy	2	Connection Proxy for macOS UI	648d68c1-8bcd-4486-9abe-71c6655b6a2c	sh
1336	command-and-control	T1090.001	Proxy: Internal Proxy	3	portproxy reg key	b8223ea9-4be2-44a6-b50a-9657a3d4e72a	powershell
1337	reconnaissance	T1592.001	Gather Victim Host Information: Hardware	1	Enumerate PlugNPlay Camera	d430bf85-b656-40e7-b238-42db01df0183	powershell
1338	impact	T1489	Service Stop	1	Windows - Stop service using Service Controller	21dfb440-830d-4c86-a3e5-2a491d5a8d04	command_prompt
1339	impact	T1489	Service Stop	2	Windows - Stop service using net.exe	41274289-ec9c-4213-bea4-e43c4aa57954	command_prompt
1340	impact	T1489	Service Stop	3	Windows - Stop service by killing process	f3191b84-c38b-400b-867e-3a217a27795f	command_prompt
1341	impact	T1491.001	Defacement: Internal Defacement	1	Replace Desktop Wallpaper	30558d53-9d76-41c4-9267-a7bd5184bed3	powershell
1342	impact	T1531	Account Access Removal	1	Change User Password - Windows	1b99ef28-f83c-4ec5-8a08-1a56263a5bb2	command_prompt
1343	impact	T1531	Account Access Removal	2	Delete User - Windows	f21a1d7d-a62f-442a-8c3a-2440d43b19e5	command_prompt
1344	impact	T1531	Account Access Removal	3	Remove Account From Domain Admin Group	43f71395-6c37-498e-ab17-897d814a0947	powershell
1345	impact	T1486	Data Encrypted for Impact	1	Encrypt files using gpg (Linux)	7b8ce084-3922-4618-8d22-95f996173765	bash
1346	impact	T1486	Data Encrypted for Impact	2	Encrypt files using 7z (Linux)	53e6735a-4727-44cc-b35b-237682a151ad	bash
1347	impact	T1486	Data Encrypted for Impact	3	Encrypt files using ccrypt (Linux)	08cbf59f-85da-4369-a5f4-049cffd7709f	bash
1348	impact	T1486	Data Encrypted for Impact	4	Encrypt files using openssl (Linux)	142752dc-ca71-443b-9359-cf6f497315f1	bash
1349	impact	T1486	Data Encrypted for Impact	5	PureLocker Ransom Note	649349c7-9abf-493b-a7a2-b1aa4d141528	command_prompt
1350	impact	T1496	Resource Hijacking	1	macOS/Linux - Simulate CPU Load with Yes	904a5a0e-fb02-490d-9f8d-0e256eb37549	bash
1351	impact	T1485	Data Destruction	1	Windows - Overwrite file with Sysinternals SDelete	476419b5-aebf-4366-a131-ae3e8dae5fc2	powershell
1352	impact	T1485	Data Destruction	2	macOS/Linux - Overwrite file with DD	38deee99-fd65-4031-bec8-bfa4f9f26146	bash
1353	impact	T1485	Data Destruction	3	Overwrite deleted data on C drive	321fd25e-0007-417f-adec-33232252be19	command_prompt
1354	impact	T1490	Inhibit System Recovery	1	Windows - Delete Volume Shadow Copies	43819286-91a9-4369-90ed-d31fb4da2c01	command_prompt
1355	impact	T1490	Inhibit System Recovery	2	Windows - Delete Volume Shadow Copies via WMI	6a3ff8dd-f49c-4272-a658-11c2fe58bd88	command_prompt
1356	impact	T1490	Inhibit System Recovery	3	Windows - wbadmin Delete Windows Backup Catalog	263ba6cb-ea2b-41c9-9d4e-b652dadd002c	command_prompt
1357	impact	T1490	Inhibit System Recovery	4	Windows - Disable Windows Recovery Console Repair	cf21060a-80b3-4238-a595-22525de4ab81	command_prompt
1358	impact	T1490	Inhibit System Recovery	5	Windows - Delete Volume Shadow Copies via WMI with PowerShell	39a295ca-7059-4a88-86f6-09556c1211e7	powershell
1359	impact	T1490	Inhibit System Recovery	6	Windows - Delete Backup Files	6b1dbaf6-cc8a-4ea6-891f-6058569653bf	command_prompt
1360	impact	T1490	Inhibit System Recovery	7	Windows - wbadmin Delete systemstatebackup	584331dd-75bc-4c02-9e0b-17f5fd81c748	command_prompt
1361	impact	T1490	Inhibit System Recovery	8	Windows - Disable the SR scheduled task	1c68c68d-83a4-4981-974e-8993055fa034	command_prompt
1362	impact	T1490	Inhibit System Recovery	9	Disable System Restore Through Registry	66e647d1-8741-4e43-b7c1-334760c2047f	command_prompt
1363	impact	T1529	System Shutdown/Reboot	1	Shutdown System - Windows	ad254fa8-45c0-403b-8c77-e00b3d3e7a64	command_prompt
1364	impact	T1529	System Shutdown/Reboot	2	Restart System - Windows	f4648f0d-bf78-483c-bafc-3ec99cd1c302	command_prompt
1365	impact	T1529	System Shutdown/Reboot	3	Restart System via `shutdown` - macOS/Linux	6326dbc4-444b-4c04-88f4-27e94d0327cb	bash
1366	impact	T1529	System Shutdown/Reboot	4	Shutdown System via `shutdown` - macOS/Linux	4963a81e-a3ad-4f02-adda-812343b351de	bash
1367	impact	T1529	System Shutdown/Reboot	5	Restart System via `reboot` - macOS/Linux	47d0b042-a918-40ab-8cf9-150ffe919027	bash
1368	impact	T1529	System Shutdown/Reboot	6	Shutdown System via `halt` - Linux	918f70ab-e1ef-49ff-bc57-b27021df84dd	bash
1369	impact	T1529	System Shutdown/Reboot	7	Reboot System via `halt` - Linux	78f92e14-f1e9-4446-b3e9-f1b921f2459e	bash
1370	impact	T1529	System Shutdown/Reboot	8	Shutdown System via `poweroff` - Linux	73a90cd2-48a2-4ac5-8594-2af35fa909fa	bash
1371	impact	T1529	System Shutdown/Reboot	9	Reboot System via `poweroff` - Linux	61303105-ff60-427b-999e-efb90b314e41	bash
1372	impact	T1529	System Shutdown/Reboot	10	Logoff System - Windows	3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4	command_prompt
1373	initial-access	T1133	External Remote Services	1	Running Chrome VPN Extensions via the Registry 2 vpn extension	4c8db261-a58b-42a6-a866-0a294deedde4	powershell
1374	initial-access	T1566.001	Phishing: Spearphishing Attachment	1	Download Macro-Enabled Phishing Attachment	114ccff9-ae6d-4547-9ead-4cd69f687306	powershell
1375	initial-access	T1566.001	Phishing: Spearphishing Attachment	2	Word spawned a command shell and used an IP address in the command line	cbb6799a-425c-4f83-9194-5447a909d67f	powershell
1376	initial-access	T1091	Replication Through Removable Media	1	USB Malware Spread Simulation	d44b7297-622c-4be8-ad88-ec40d7563c75	powershell
1377	initial-access	T1195	Supply Chain Compromise	1	Octopus Scanner Malware Open Source Supply Chain	82a9f001-94c5-495e-9ed5-f530dbded5e2	command_prompt
1378	initial-access	T1078.001	Valid Accounts: Default Accounts	1	Enable Guest account with RDP capability and admin privileges	99747561-ed8d-47f2-9c91-1e5fde1ed6e0	command_prompt
1379	initial-access	T1078.001	Valid Accounts: Default Accounts	2	Activate Guest Account	aa6cb8c4-b582-4f8e-b677-37733914abda	command_prompt
1380	initial-access	T1078.004	Valid Accounts: Cloud Accounts	1	Creating GCP Service Account and Service Account Key	9fdd83fd-bd53-46e5-a716-9dec89c8ae8e	sh
1381	initial-access	T1078.003	Valid Accounts: Local Accounts	1	Create local account with admin privileges	a524ce99-86de-4db6-b4f9-e08f35a47a15	command_prompt
1382	initial-access	T1078.003	Valid Accounts: Local Accounts	2	Create local account with admin privileges - MacOS	f1275566-1c26-4b66-83e3-7f9f7f964daa	bash
1383	initial-access	T1078.003	Valid Accounts: Local Accounts	3	WinPwn - Loot local Credentials - powerhell kittie	9e9fd066-453d-442f-88c1-ad7911d32912	powershell
1384	initial-access	T1078.003	Valid Accounts: Local Accounts	4	WinPwn - Loot local Credentials - Safetykatz	e9fdb899-a980-4ba4-934b-486ad22e22f4	powershell
1385	exfiltration	T1567	Exfiltration Over Web Service	1	Data Exfiltration with ConfigSecurityPolicy	5568a8f4-a8b1-4c40-9399-4969b642f122	powershell
1386	exfiltration	T1020	Automated Exfiltration	1	IcedID Botnet HTTP PUT	9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0	powershell
1387	exfiltration	T1048.002	Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	1	Exfiltrate data HTTPS using curl windows	1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0	command_prompt
1388	exfiltration	T1048.002	Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	2	Exfiltrate data HTTPS using curl linux	4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01	bash
1389	exfiltration	T1041	Exfiltration Over C2 Channel	1	C2 Data Exfiltration	d1253f6e-c29b-49dc-b466-2147a6191932	powershell
1390	exfiltration	T1048	Exfiltration Over Alternative Protocol	1	Exfiltration Over Alternative Protocol - SSH	f6786cc8-beda-4915-a4d6-ac2f193bb988	sh
1391	exfiltration	T1048	Exfiltration Over Alternative Protocol	2	Exfiltration Over Alternative Protocol - SSH	7c3cb337-35ae-4d06-bf03-3032ed2ec268	sh
1392	exfiltration	T1048	Exfiltration Over Alternative Protocol	3	DNSExfiltration (doh)	c943d285-ada3-45ca-b3aa-7cd6500c6a48	powershell
1393	exfiltration	T1030	Data Transfer Size Limits	1	Data Transfer Size Limits	ab936c51-10f4-46ce-9144-e02137b2016a	sh
1394	exfiltration	T1048.003	Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	1	Exfiltration Over Alternative Protocol - HTTP	1d1abbd6-a3d3-4b2e-bef5-c59293f46eff	manual
1395	exfiltration	T1048.003	Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	2	Exfiltration Over Alternative Protocol - ICMP	dd4b4421-2e25-4593-90ae-7021947ad12e	powershell
1396	exfiltration	T1048.003	Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	3	Exfiltration Over Alternative Protocol - DNS	c403b5a4-b5fc-49f2-b181-d1c80d27db45	manual
1397	exfiltration	T1048.003	Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4	Exfiltration Over Alternative Protocol - HTTP	6aa58451-1121-4490-a8e9-1dada3f1c68c	powershell
1398	exfiltration	T1048.003	Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	5	Exfiltration Over Alternative Protocol - SMTP	ec3a835e-adca-4c7c-88d2-853b69c11bb9	powershell
1399	exfiltration	T1048.003	Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	6	MAZE FTP Upload	57799bc2-ad1e-4130-a793-fb0c385130ba	powershell