CircleCI Atomic Red Team doc generator
74 KiB
74 KiB
| 1 | Tactic | Technique # | Technique Name | Test # | Test Name | Test GUID | Executor Name |
|---|---|---|---|---|---|---|---|
| 2 | credential-access | T1056.004 | Credential API Hooking | 1 | Hook PowerShell TLS Encrypt/Decrypt Messages | de1934ea-1fbf-425b-8795-65fb27dd7e33 | powershell |
| 3 | credential-access | T1552.001 | Credentials In Files | 3 | Extracting passwords with findstr | 0e56bf29-ff49-4ea5-9af4-3b81283fd513 | powershell |
| 4 | credential-access | T1552.001 | Credentials In Files | 4 | Access unattend.xml | 367d4004-5fc0-446d-823f-960c74ae52c3 | command_prompt |
| 5 | credential-access | T1555 | Credentials from Password Stores | 1 | Extract Windows Credential Manager via VBA | 234f9b7c-b53d-4f32-897b-b880a6c9ea7b | powershell |
| 6 | credential-access | T1555.003 | Credentials from Web Browsers | 1 | Run Chrome-password Collector | 8c05b133-d438-47ca-a630-19cc464c4622 | powershell |
| 7 | credential-access | T1555.003 | Credentials from Web Browsers | 3 | LaZagne - Credentials from Browser | 9a2915b3-3954-4cce-8c76-00fbf4dbd014 | command_prompt |
| 8 | credential-access | T1552.002 | Credentials in Registry | 1 | Enumeration for Credentials in Registry | b6ec082c-7384-46b3-a111-9a9b8b14e5e7 | command_prompt |
| 9 | credential-access | T1552.002 | Credentials in Registry | 2 | Enumeration for PuTTY Credentials in Registry | af197fd7-e868-448e-9bd5-05d1bcd9d9e5 | command_prompt |
| 10 | credential-access | T1056.002 | GUI Input Capture | 2 | PowerShell - Prompt User for Password | 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 | powershell |
| 11 | credential-access | T1552.006 | Group Policy Preferences | 1 | GPP Passwords (findstr) | 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f | command_prompt |
| 12 | credential-access | T1552.006 | Group Policy Preferences | 2 | GPP Passwords (Get-GPPPassword) | e9584f82-322c-474a-b831-940fd8b4455c | powershell |
| 13 | credential-access | T1558.003 | Kerberoasting | 1 | Request for service tickets | 3f987809-3681-43c8-bcd8-b3ff3a28533a | powershell |
| 14 | credential-access | T1056.001 | Keylogging | 1 | Input Capture | d9b633ca-8efb-45e6-b838-70f595c6ae26 | powershell |
| 15 | credential-access | T1003.004 | LSA Secrets | 1 | Dumping LSA Secrets | 55295ab0-a703-433b-9ca4-ae13807de12f | command_prompt |
| 16 | credential-access | T1003.001 | LSASS Memory | 1 | Windows Credential Editor | 0f7c5301-6859-45ba-8b4d-1fac30fc31ed | command_prompt |
| 17 | credential-access | T1003.001 | LSASS Memory | 2 | Dump LSASS.exe Memory using ProcDump | 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8 | command_prompt |
| 18 | credential-access | T1003.001 | LSASS Memory | 3 | Dump LSASS.exe Memory using comsvcs.dll | 2536dee2-12fb-459a-8c37-971844fa73be | powershell |
| 19 | credential-access | T1003.001 | LSASS Memory | 4 | Dump LSASS.exe Memory using direct system calls and API unhooking | 7ae7102c-a099-45c8-b985-4c7a2d05790d | command_prompt |
| 20 | credential-access | T1003.001 | LSASS Memory | 5 | Dump LSASS.exe Memory using Windows Task Manager | dea6c349-f1c6-44f3-87a1-1ed33a59a607 | manual |
| 21 | credential-access | T1003.001 | LSASS Memory | 6 | Offline Credential Theft With Mimikatz | 453acf13-1dbd-47d7-b28a-172ce9228023 | command_prompt |
| 22 | credential-access | T1003.001 | LSASS Memory | 7 | LSASS read with pypykatz | c37bc535-5c62-4195-9cc3-0517673171d8 | command_prompt |
| 23 | credential-access | T1003.003 | NTDS | 1 | Create Volume Shadow Copy with vssadmin | dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f | command_prompt |
| 24 | credential-access | T1003.003 | NTDS | 2 | Copy NTDS.dit from Volume Shadow Copy | c6237146-9ea6-4711-85c9-c56d263a6b03 | command_prompt |
| 25 | credential-access | T1003.003 | NTDS | 3 | Dump Active Directory Database with NTDSUtil | 2364e33d-ceab-4641-8468-bfb1d7cc2723 | command_prompt |
| 26 | credential-access | T1003.003 | NTDS | 4 | Create Volume Shadow Copy with WMI | 224f7de0-8f0a-4a94-b5d8-989b036c86da | command_prompt |
| 27 | credential-access | T1003.003 | NTDS | 5 | Create Volume Shadow Copy with Powershell | 542bb97e-da53-436b-8e43-e0a7d31a6c24 | powershell |
| 28 | credential-access | T1003.003 | NTDS | 6 | Create Symlink to Volume Shadow Copy | 21748c28-2793-4284-9e07-d6d028b66702 | command_prompt |
| 29 | credential-access | T1040 | Network Sniffing | 3 | Packet Capture Windows Command Prompt | a5b2f6a0-24b4-493e-9590-c699f75723ca | command_prompt |
| 30 | credential-access | T1040 | Network Sniffing | 4 | Windows Internal Packet Capture | b5656f67-d67f-4de8-8e62-b5581630f528 | command_prompt |
| 31 | credential-access | T1003 | OS Credential Dumping | 1 | Powershell Mimikatz | 66fb0bc1-3c3f-47e9-a298-550ecfefacbc | powershell |
| 32 | credential-access | T1003 | OS Credential Dumping | 2 | Gsecdump | 96345bfc-8ae7-4b6a-80b7-223200f24ef9 | command_prompt |
| 33 | credential-access | T1003 | OS Credential Dumping | 3 | Credential Dumping with NPPSpy | 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6 | powershell |
| 34 | credential-access | T1110.002 | Password Cracking | 1 | Password Cracking with Hashcat | 6d27df5d-69d4-4c91-bc33-5983ffe91692 | command_prompt |
| 35 | credential-access | T1556.002 | Password Filter DLL | 1 | Install and Register Password Filter DLL | a7961770-beb5-4134-9674-83d7e1fa865c | powershell |
| 36 | credential-access | T1110.001 | Password Guessing | 1 | Brute Force Credentials | 09480053-2f98-4854-be6e-71ae5f672224 | command_prompt |
| 37 | credential-access | T1110.003 | Password Spraying | 1 | Password Spray all Domain Users | 90bc2e54-6c84-47a5-9439-0a2a92b4b175 | command_prompt |
| 38 | credential-access | T1110.003 | Password Spraying | 2 | Password Spray (DomainPasswordSpray) | 263ae743-515f-4786-ac7d-41ef3a0d4b2b | powershell |
| 39 | credential-access | T1552.004 | Private Keys | 1 | Private Keys | 520ce462-7ca7-441e-b5a5-f8347f632696 | command_prompt |
| 40 | credential-access | T1003.002 | Security Account Manager | 1 | Registry dump of SAM, creds, and secrets | 5c2571d0-1572-416d-9676-812e64ca9f44 | command_prompt |
| 41 | credential-access | T1003.002 | Security Account Manager | 2 | Registry parse with pypykatz | a96872b2-cbf3-46cf-8eb4-27e8c0e85263 | command_prompt |
| 42 | credential-access | T1003.002 | Security Account Manager | 3 | esentutl.exe SAM copy | a90c2f4d-6726-444e-99d2-a00cd7c20480 | command_prompt |
| 43 | credential-access | T1003.002 | Security Account Manager | 4 | PowerDump Registry dump of SAM for hashes and usernames | 804f28fc-68fc-40da-b5a2-e9d0bce5c193 | powershell |
| 44 | collection | T1560 | Archive Collected Data | 1 | Compress Data for Exfiltration With PowerShell | 41410c60-614d-4b9d-b66e-b0192dd9c597 | powershell |
| 45 | collection | T1560.001 | Archive via Utility | 1 | Compress Data for Exfiltration With Rar | 02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0 | command_prompt |
| 46 | collection | T1560.001 | Archive via Utility | 2 | Compress Data and lock with password for Exfiltration with winrar | 8dd61a55-44c6-43cc-af0c-8bdda276860c | command_prompt |
| 47 | collection | T1560.001 | Archive via Utility | 3 | Compress Data and lock with password for Exfiltration with winzip | 01df0353-d531-408d-a0c5-3161bf822134 | command_prompt |
| 48 | collection | T1560.001 | Archive via Utility | 4 | Compress Data and lock with password for Exfiltration with 7zip | d1334303-59cb-4a03-8313-b3e24d02c198 | command_prompt |
| 49 | collection | T1123 | Audio Capture | 1 | using device audio capture commandlet | 9c3ad250-b185-4444-b5a9-d69218a10c95 | powershell |
| 50 | collection | T1119 | Automated Collection | 1 | Automated Collection Command Prompt | cb379146-53f1-43e0-b884-7ce2c635ff5b | command_prompt |
| 51 | collection | T1119 | Automated Collection | 2 | Automated Collection PowerShell | 634bd9b9-dc83-4229-b19f-7f83ba9ad313 | powershell |
| 52 | collection | T1119 | Automated Collection | 3 | Recon information for export with PowerShell | c3f6d794-50dd-482f-b640-0384fbb7db26 | powershell |
| 53 | collection | T1119 | Automated Collection | 4 | Recon information for export with Command Prompt | aa1180e2-f329-4e1e-8625-2472ec0bfaf3 | command_prompt |
| 54 | collection | T1115 | Clipboard Data | 1 | Utilize Clipboard to store or execute commands from | 0cd14633-58d4-4422-9ede-daa2c9474ae7 | command_prompt |
| 55 | collection | T1115 | Clipboard Data | 2 | Execute Commands from Clipboard using PowerShell | d6dc21af-bec9-4152-be86-326b6babd416 | powershell |
| 56 | collection | T1115 | Clipboard Data | 4 | Collect Clipboard Data via VBA | 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52 | powershell |
| 57 | collection | T1056.004 | Credential API Hooking | 1 | Hook PowerShell TLS Encrypt/Decrypt Messages | de1934ea-1fbf-425b-8795-65fb27dd7e33 | powershell |
| 58 | collection | T1056.002 | GUI Input Capture | 2 | PowerShell - Prompt User for Password | 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 | powershell |
| 59 | collection | T1056.001 | Keylogging | 1 | Input Capture | d9b633ca-8efb-45e6-b838-70f595c6ae26 | powershell |
| 60 | collection | T1074.001 | Local Data Staging | 1 | Stage data from Discovery.bat | 107706a5-6f9f-451a-adae-bab8c667829f | powershell |
| 61 | collection | T1074.001 | Local Data Staging | 3 | Zip a Folder with PowerShell for Staging in Temp | a57fbe4b-3440-452a-88a7-943531ac872a | powershell |
| 62 | collection | T1114.001 | Local Email Collection | 1 | Email Collection with PowerShell Get-Inbox | 3f1b5096-0139-4736-9b78-19bcb02bb1cb | powershell |
| 63 | collection | T1113 | Screen Capture | 5 | Windows Screencapture | 3c898f62-626c-47d5-aad2-6de873d69153 | powershell |
| 64 | privilege-escalation | T1546.008 | Accessibility Features | 1 | Attaches Command Prompt as a Debugger to a List of Target Processes | 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 | powershell |
| 65 | privilege-escalation | T1546.008 | Accessibility Features | 2 | Replace binary of sticky keys | 934e90cf-29ca-48b3-863c-411737ad44e3 | command_prompt |
| 66 | privilege-escalation | T1546.010 | AppInit DLLs | 1 | Install AppInit Shim | a58d9386-3080-4242-ab5f-454c16503d18 | command_prompt |
| 67 | privilege-escalation | T1546.011 | Application Shimming | 1 | Application Shim Installation | 9ab27e22-ee62-4211-962b-d36d9a0e6a18 | command_prompt |
| 68 | privilege-escalation | T1546.011 | Application Shimming | 2 | New shim database files created in the default shim database directory | aefd6866-d753-431f-a7a4-215ca7e3f13d | powershell |
| 69 | privilege-escalation | T1546.011 | Application Shimming | 3 | Registry key creation and/or modification events for SDB | 9b6a06f9-ab5e-4e8d-8289-1df4289db02f | powershell |
| 70 | privilege-escalation | T1055.004 | Asynchronous Procedure Call | 1 | Process Injection via C# | 611b39b7-e243-4c81-87a4-7145a90358b1 | command_prompt |
| 71 | privilege-escalation | T1053.002 | At (Windows) | 1 | At.exe Scheduled task | 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 | command_prompt |
| 72 | privilege-escalation | T1548.002 | Bypass User Account Control | 1 | Bypass UAC using Event Viewer (cmd) | 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 | command_prompt |
| 73 | privilege-escalation | T1548.002 | Bypass User Account Control | 2 | Bypass UAC using Event Viewer (PowerShell) | a6ce9acf-842a-4af6-8f79-539be7608e2b | powershell |
| 74 | privilege-escalation | T1548.002 | Bypass User Account Control | 3 | Bypass UAC using Fodhelper | 58f641ea-12e3-499a-b684-44dee46bd182 | command_prompt |
| 75 | privilege-escalation | T1548.002 | Bypass User Account Control | 4 | Bypass UAC using Fodhelper - PowerShell | 3f627297-6c38-4e7d-a278-fc2563eaaeaa | powershell |
| 76 | privilege-escalation | T1548.002 | Bypass User Account Control | 5 | Bypass UAC using ComputerDefaults (PowerShell) | 3c51abf2-44bf-42d8-9111-dc96ff66750f | powershell |
| 77 | privilege-escalation | T1548.002 | Bypass User Account Control | 6 | Bypass UAC by Mocking Trusted Directories | f7a35090-6f7f-4f64-bb47-d657bf5b10c1 | command_prompt |
| 78 | privilege-escalation | T1548.002 | Bypass User Account Control | 7 | Bypass UAC using sdclt DelegateExecute | 3be891eb-4608-4173-87e8-78b494c029b7 | powershell |
| 79 | privilege-escalation | T1548.002 | Bypass User Account Control | 8 | Disable UAC using reg.exe | 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 | command_prompt |
| 80 | privilege-escalation | T1574.012 | COR_PROFILER | 1 | User scope COR_PROFILER | 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a | powershell |
| 81 | privilege-escalation | T1574.012 | COR_PROFILER | 2 | System Scope COR_PROFILER | f373b482-48c8-4ce4-85ed-d40c8b3f7310 | powershell |
| 82 | privilege-escalation | T1574.012 | COR_PROFILER | 3 | Registry-free process scope COR_PROFILER | 79d57242-bbef-41db-b301-9d01d9f6e817 | powershell |
| 83 | privilege-escalation | T1546.001 | Change Default File Association | 1 | Change Default File Association | 10a08978-2045-4d62-8c42-1957bbbea102 | command_prompt |
| 84 | privilege-escalation | T1574.001 | DLL Search Order Hijacking | 1 | DLL Search Order Hijacking - amsi.dll | 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 | command_prompt |
| 85 | privilege-escalation | T1574.002 | DLL Side-Loading | 1 | DLL Side-Loading using the Notepad++ GUP.exe binary | 65526037-7079-44a9-bda1-2cb624838040 | command_prompt |
| 86 | privilege-escalation | T1078.001 | Default Accounts | 1 | Enable Guest account with RDP capability and admin priviliges | 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 | command_prompt |
| 87 | privilege-escalation | T1546.012 | Image File Execution Options Injection | 1 | IFEO Add Debugger | fdda2626-5234-4c90-b163-60849a24c0b8 | command_prompt |
| 88 | privilege-escalation | T1546.012 | Image File Execution Options Injection | 2 | IFEO Global Flags | 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 | command_prompt |
| 89 | privilege-escalation | T1078.003 | Local Accounts | 1 | Create local account with admin priviliges | a524ce99-86de-4db6-b4f9-e08f35a47a15 | command_prompt |
| 90 | privilege-escalation | T1037.001 | Logon Script (Windows) | 1 | Logon Scripts | d6042746-07d4-4c92-9ad8-e644c114a231 | command_prompt |
| 91 | privilege-escalation | T1546.007 | Netsh Helper DLL | 1 | Netsh Helper DLL Registration | 3244697d-5a3a-4dfc-941c-550f69f91a4d | command_prompt |
| 92 | privilege-escalation | T1134.004 | Parent PID Spoofing | 1 | Parent PID Spoofing using PowerShell | 069258f4-2162-46e9-9a25-c9c6c56150d2 | powershell |
| 93 | privilege-escalation | T1134.004 | Parent PID Spoofing | 2 | Parent PID Spoofing - Spawn from Current Process | 14920ebd-1d61-491a-85e0-fe98efe37f25 | powershell |
| 94 | privilege-escalation | T1134.004 | Parent PID Spoofing | 3 | Parent PID Spoofing - Spawn from Specified Process | cbbff285-9051-444a-9d17-c07cd2d230eb | powershell |
| 95 | privilege-escalation | T1134.004 | Parent PID Spoofing | 4 | Parent PID Spoofing - Spawn from svchost.exe | e9f2b777-3123-430b-805d-5cedc66ab591 | powershell |
| 96 | privilege-escalation | T1134.004 | Parent PID Spoofing | 5 | Parent PID Spoofing - Spawn from New Process | 2988133e-561c-4e42-a15f-6281e6a9b2db | powershell |
| 97 | privilege-escalation | T1574.009 | Path Interception by Unquoted Path | 1 | Execution of program.exe as service with unquoted service path | 2770dea7-c50f-457b-84c4-c40a47460d9f | command_prompt |
| 98 | privilege-escalation | T1546.013 | PowerShell Profile | 1 | Append malicious start-process cmdlet | 090e5aa5-32b6-473b-a49b-21e843a56896 | powershell |
| 99 | privilege-escalation | T1055.012 | Process Hollowing | 1 | Process Hollowing using PowerShell | 562427b4-39ef-4e8c-af88-463a78e70b9c | powershell |
| 100 | privilege-escalation | T1055.012 | Process Hollowing | 2 | RunPE via VBA | 3ad4a037-1598-4136-837c-4027e4fa319b | powershell |
| 101 | privilege-escalation | T1055 | Process Injection | 1 | Process Injection via mavinject.exe | 74496461-11a1-4982-b439-4d87a550d254 | powershell |
| 102 | privilege-escalation | T1055 | Process Injection | 2 | Shellcode execution via VBA | 1c91e740-1729-4329-b779-feba6e71d048 | powershell |
| 103 | privilege-escalation | T1547.001 | Registry Run Keys / Startup Folder | 1 | Reg Key Run | e55be3fd-3521-4610-9d1a-e210e42dcf05 | command_prompt |
| 104 | privilege-escalation | T1547.001 | Registry Run Keys / Startup Folder | 2 | Reg Key RunOnce | 554cbd88-cde1-4b56-8168-0be552eed9eb | command_prompt |
| 105 | privilege-escalation | T1547.001 | Registry Run Keys / Startup Folder | 3 | PowerShell Registry RunOnce | eb44f842-0457-4ddc-9b92-c4caa144ac42 | powershell |
| 106 | privilege-escalation | T1547.001 | Registry Run Keys / Startup Folder | 4 | Suspicious vbs file run from startup Folder | 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 | powershell |
| 107 | privilege-escalation | T1547.001 | Registry Run Keys / Startup Folder | 5 | Suspicious jse file run from startup Folder | dade9447-791e-4c8f-b04b-3a35855dfa06 | powershell |
| 108 | privilege-escalation | T1547.001 | Registry Run Keys / Startup Folder | 6 | Suspicious bat file run from startup Folder | 5b6768e4-44d2-44f0-89da-a01d1430fd5e | powershell |
| 109 | privilege-escalation | T1547.001 | Registry Run Keys / Startup Folder | 7 | Add Executable Shortcut Link to User Startup Folder | 24e55612-85f6-4bd6-ae74-a73d02e3441d | powershell |
| 110 | privilege-escalation | T1053.005 | Scheduled Task | 1 | Scheduled Task Startup Script | fec27f65-db86-4c2d-b66c-61945aee87c2 | command_prompt |
| 111 | privilege-escalation | T1053.005 | Scheduled Task | 2 | Scheduled task Local | 42f53695-ad4a-4546-abb6-7d837f644a71 | command_prompt |
| 112 | privilege-escalation | T1053.005 | Scheduled Task | 3 | Scheduled task Remote | 2e5eac3e-327b-4a88-a0c0-c4057039a8dd | command_prompt |
| 113 | privilege-escalation | T1053.005 | Scheduled Task | 4 | Powershell Cmdlet Scheduled Task | af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd | powershell |
| 114 | privilege-escalation | T1053.005 | Scheduled Task | 5 | Task Scheduler via VBA | ecd3fa21-7792-41a2-8726-2c5c673414d3 | powershell |
| 115 | privilege-escalation | T1546.002 | Screensaver | 1 | Set Arbitrary Binary as Screensaver | 281201e7-de41-4dc9-b73d-f288938cbb64 | command_prompt |
| 116 | privilege-escalation | T1547.005 | Security Support Provider | 1 | Modify SSP configuration in registry | afdfd7e3-8a0b-409f-85f7-886fdf249c9e | powershell |
| 117 | privilege-escalation | T1574.011 | Services Registry Permissions Weakness | 1 | Service Registry Permissions Weakness | f7536d63-7fd4-466f-89da-7e48d550752a | powershell |
| 118 | privilege-escalation | T1574.011 | Services Registry Permissions Weakness | 2 | Service ImagePath Change with reg.exe | f38e9eea-e1d7-4ba6-b716-584791963827 | command_prompt |
| 119 | privilege-escalation | T1547.009 | Shortcut Modification | 1 | Shortcut Modification | ce4fc678-364f-4282-af16-2fb4c78005ce | command_prompt |
| 120 | privilege-escalation | T1547.009 | Shortcut Modification | 2 | Create shortcut to cmd in startup folders | cfdc954d-4bb0-4027-875b-a1893ce406f2 | powershell |
| 121 | privilege-escalation | T1134.001 | Token Impersonation/Theft | 1 | Named pipe client impersonation | 90db9e27-8e7c-4c04-b602-a45927884966 | powershell |
| 122 | privilege-escalation | T1134.001 | Token Impersonation/Theft | 2 | `SeDebugPrivilege` token duplication | 34f0a430-9d04-4d98-bcb5-1989f14719f0 | powershell |
| 123 | privilege-escalation | T1546.003 | Windows Management Instrumentation Event Subscription | 1 | Persistence via WMI Event Subscription | 3c64f177-28e2-49eb-a799-d767b24dd1e0 | powershell |
| 124 | privilege-escalation | T1543.003 | Windows Service | 1 | Modify Fax service to run PowerShell | ed366cde-7d12-49df-a833-671904770b9f | command_prompt |
| 125 | privilege-escalation | T1543.003 | Windows Service | 2 | Service Installation CMD | 981e2942-e433-44e9-afc1-8c957a1496b6 | command_prompt |
| 126 | privilege-escalation | T1543.003 | Windows Service | 3 | Service Installation PowerShell | 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 | powershell |
| 127 | privilege-escalation | T1547.004 | Winlogon Helper DLL | 1 | Winlogon Shell Key Persistence - PowerShell | bf9f9d65-ee4d-4c3e-a843-777d04f19c38 | powershell |
| 128 | privilege-escalation | T1547.004 | Winlogon Helper DLL | 2 | Winlogon Userinit Key Persistence - PowerShell | fb32c935-ee2e-454b-8fa3-1c46b42e8dfb | powershell |
| 129 | privilege-escalation | T1547.004 | Winlogon Helper DLL | 3 | Winlogon Notify Key Logon Persistence - PowerShell | d40da266-e073-4e5a-bb8b-2b385023e5f9 | powershell |
| 130 | defense-evasion | T1055.004 | Asynchronous Procedure Call | 1 | Process Injection via C# | 611b39b7-e243-4c81-87a4-7145a90358b1 | command_prompt |
| 131 | defense-evasion | T1197 | BITS Jobs | 1 | Bitsadmin Download (cmd) | 3c73d728-75fb-4180-a12f-6712864d7421 | command_prompt |
| 132 | defense-evasion | T1197 | BITS Jobs | 2 | Bitsadmin Download (PowerShell) | f63b8bc4-07e5-4112-acba-56f646f3f0bc | powershell |
| 133 | defense-evasion | T1197 | BITS Jobs | 3 | Persist, Download, & Execute | 62a06ec5-5754-47d2-bcfc-123d8314c6ae | command_prompt |
| 134 | defense-evasion | T1197 | BITS Jobs | 4 | Bits download using destktopimgdownldr.exe (cmd) | afb5e09e-e385-4dee-9a94-6ee60979d114 | command_prompt |
| 135 | defense-evasion | T1548.002 | Bypass User Account Control | 1 | Bypass UAC using Event Viewer (cmd) | 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 | command_prompt |
| 136 | defense-evasion | T1548.002 | Bypass User Account Control | 2 | Bypass UAC using Event Viewer (PowerShell) | a6ce9acf-842a-4af6-8f79-539be7608e2b | powershell |
| 137 | defense-evasion | T1548.002 | Bypass User Account Control | 3 | Bypass UAC using Fodhelper | 58f641ea-12e3-499a-b684-44dee46bd182 | command_prompt |
| 138 | defense-evasion | T1548.002 | Bypass User Account Control | 4 | Bypass UAC using Fodhelper - PowerShell | 3f627297-6c38-4e7d-a278-fc2563eaaeaa | powershell |
| 139 | defense-evasion | T1548.002 | Bypass User Account Control | 5 | Bypass UAC using ComputerDefaults (PowerShell) | 3c51abf2-44bf-42d8-9111-dc96ff66750f | powershell |
| 140 | defense-evasion | T1548.002 | Bypass User Account Control | 6 | Bypass UAC by Mocking Trusted Directories | f7a35090-6f7f-4f64-bb47-d657bf5b10c1 | command_prompt |
| 141 | defense-evasion | T1548.002 | Bypass User Account Control | 7 | Bypass UAC using sdclt DelegateExecute | 3be891eb-4608-4173-87e8-78b494c029b7 | powershell |
| 142 | defense-evasion | T1548.002 | Bypass User Account Control | 8 | Disable UAC using reg.exe | 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 | command_prompt |
| 143 | defense-evasion | T1218.003 | CMSTP | 1 | CMSTP Executing Remote Scriptlet | 34e63321-9683-496b-bbc1-7566bc55e624 | command_prompt |
| 144 | defense-evasion | T1218.003 | CMSTP | 2 | CMSTP Executing UAC Bypass | 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0 | command_prompt |
| 145 | defense-evasion | T1574.012 | COR_PROFILER | 1 | User scope COR_PROFILER | 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a | powershell |
| 146 | defense-evasion | T1574.012 | COR_PROFILER | 2 | System Scope COR_PROFILER | f373b482-48c8-4ce4-85ed-d40c8b3f7310 | powershell |
| 147 | defense-evasion | T1574.012 | COR_PROFILER | 3 | Registry-free process scope COR_PROFILER | 79d57242-bbef-41db-b301-9d01d9f6e817 | powershell |
| 148 | defense-evasion | T1070.003 | Clear Command History | 9 | Prevent Powershell History Logging | 2f898b81-3e97-4abb-bc3f-a95138988370 | powershell |
| 149 | defense-evasion | T1070.003 | Clear Command History | 10 | Clear Powershell History by Deleting History File | da75ae8d-26d6-4483-b0fe-700e4df4f037 | powershell |
| 150 | defense-evasion | T1070.001 | Clear Windows Event Logs | 1 | Clear Logs | e6abb60e-26b8-41da-8aae-0c35174b0967 | command_prompt |
| 151 | defense-evasion | T1070.001 | Clear Windows Event Logs | 2 | Delete System Logs Using Clear-EventLog | b13e9306-3351-4b4b-a6e8-477358b0b498 | powershell |
| 152 | defense-evasion | T1070.001 | Clear Windows Event Logs | 3 | Clear Event Logs via VBA | 1b682d84-f075-4f93-9a89-8a8de19ffd6e | powershell |
| 153 | defense-evasion | T1027.004 | Compile After Delivery | 1 | Compile After Delivery using csc.exe | ffcdbd6a-b0e8-487d-927a-09127fe9a206 | command_prompt |
| 154 | defense-evasion | T1027.004 | Compile After Delivery | 2 | Dynamic C# Compile | 453614d8-3ba6-4147-acc0-7ec4b3e1faef | powershell |
| 155 | defense-evasion | T1218.001 | Compiled HTML File | 1 | Compiled HTML Help Local Payload | 5cb87818-0d7c-4469-b7ef-9224107aebe8 | command_prompt |
| 156 | defense-evasion | T1218.001 | Compiled HTML File | 2 | Compiled HTML Help Remote Payload | 0f8af516-9818-4172-922b-42986ef1e81d | command_prompt |
| 157 | defense-evasion | T1218.001 | Compiled HTML File | 3 | Invoke CHM with default Shortcut Command Execution | 29d6f0d7-be63-4482-8827-ea77126c1ef7 | powershell |
| 158 | defense-evasion | T1218.001 | Compiled HTML File | 4 | Invoke CHM with InfoTech Storage Protocol Handler | b4094750-5fc7-4e8e-af12-b4e36bf5e7f6 | powershell |
| 159 | defense-evasion | T1218.001 | Compiled HTML File | 5 | Invoke CHM Simulate Double click | 5decef42-92b8-4a93-9eb2-877ddcb9401a | powershell |
| 160 | defense-evasion | T1218.001 | Compiled HTML File | 6 | Invoke CHM with Script Engine and Help Topic | 4f83adda-f5ec-406d-b318-9773c9ca92e5 | powershell |
| 161 | defense-evasion | T1218.001 | Compiled HTML File | 7 | Invoke CHM Shortcut Command with ITS and Help Topic | 15756147-7470-4a83-87fb-bb5662526247 | powershell |
| 162 | defense-evasion | T1218.002 | Control Panel | 1 | Control Panel Items | 037e9d8a-9e46-4255-8b33-2ae3b545ca6f | command_prompt |
| 163 | defense-evasion | T1574.001 | DLL Search Order Hijacking | 1 | DLL Search Order Hijacking - amsi.dll | 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 | command_prompt |
| 164 | defense-evasion | T1574.002 | DLL Side-Loading | 1 | DLL Side-Loading using the Notepad++ GUP.exe binary | 65526037-7079-44a9-bda1-2cb624838040 | command_prompt |
| 165 | defense-evasion | T1078.001 | Default Accounts | 1 | Enable Guest account with RDP capability and admin priviliges | 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 | command_prompt |
| 166 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 1 | Deobfuscate/Decode Files Or Information | dc6fe391-69e6-4506-bd06-ea5eeb4082f8 | command_prompt |
| 167 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 2 | Certutil Rename and Decode | 71abc534-3c05-4d0c-80f7-cbe93cb2aa94 | command_prompt |
| 168 | defense-evasion | T1006 | Direct Volume Access | 1 | Read volume boot sector via DOS device path (PowerShell) | 88f6327e-51ec-4bbf-b2e8-3fea534eab8b | powershell |
| 169 | defense-evasion | T1562.002 | Disable Windows Event Logging | 1 | Disable Windows IIS HTTP Logging | 69435dcf-c66f-4ec0-a8b1-82beb76b34db | powershell |
| 170 | defense-evasion | T1562.002 | Disable Windows Event Logging | 2 | Kill Event Log Service Threads | 41ac52ba-5d5e-40c0-b267-573ed90489bd | powershell |
| 171 | defense-evasion | T1562.004 | Disable or Modify System Firewall | 2 | Disable Microsoft Defender Firewall | 88d05800-a5e4-407e-9b53-ece4174f197f | command_prompt |
| 172 | defense-evasion | T1562.004 | Disable or Modify System Firewall | 3 | Allow SMB and RDP on Microsoft Defender Firewall | d9841bf8-f161-4c73-81e9-fd773a5ff8c1 | command_prompt |
| 173 | defense-evasion | T1562.004 | Disable or Modify System Firewall | 4 | Opening ports for proxy - HARDRAIN | 15e57006-79dd-46df-9bf9-31bc24fb5a80 | command_prompt |
| 174 | defense-evasion | T1562.004 | Disable or Modify System Firewall | 5 | Open a local port through Windows Firewall to any profile | 9636dd6e-7599-40d2-8eee-ac16434f35ed | powershell |
| 175 | defense-evasion | T1562.004 | Disable or Modify System Firewall | 6 | Allow Executable Through Firewall Located in Non-Standard Location | 6f5822d2-d38d-4f48-9bfc-916607ff6b8c | powershell |
| 176 | defense-evasion | T1562.001 | Disable or Modify Tools | 10 | Unload Sysmon Filter Driver | 811b3e76-c41b-430c-ac0d-e2380bfaa164 | command_prompt |
| 177 | defense-evasion | T1562.001 | Disable or Modify Tools | 11 | Uninstall Sysmon | a316fb2e-5344-470d-91c1-23e15c374edc | command_prompt |
| 178 | defense-evasion | T1562.001 | Disable or Modify Tools | 12 | AMSI Bypass - AMSI InitFailed | 695eed40-e949-40e5-b306-b4031e4154bd | powershell |
| 179 | defense-evasion | T1562.001 | Disable or Modify Tools | 13 | AMSI Bypass - Remove AMSI Provider Reg Key | 13f09b91-c953-438e-845b-b585e51cac9b | powershell |
| 180 | defense-evasion | T1562.001 | Disable or Modify Tools | 14 | Disable Arbitrary Security Windows Service | a1230893-56ac-4c81-b644-2108e982f8f5 | command_prompt |
| 181 | defense-evasion | T1562.001 | Disable or Modify Tools | 15 | Tamper with Windows Defender ATP PowerShell | 6b8df440-51ec-4d53-bf83-899591c9b5d7 | powershell |
| 182 | defense-evasion | T1562.001 | Disable or Modify Tools | 16 | Tamper with Windows Defender Command Prompt | aa875ed4-8935-47e2-b2c5-6ec00ab220d2 | command_prompt |
| 183 | defense-evasion | T1562.001 | Disable or Modify Tools | 17 | Tamper with Windows Defender Registry | 1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45 | powershell |
| 184 | defense-evasion | T1562.001 | Disable or Modify Tools | 18 | Disable Microsoft Office Security Features | 6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7 | powershell |
| 185 | defense-evasion | T1562.001 | Disable or Modify Tools | 19 | Remove Windows Defender Definition Files | 3d47daaa-2f56-43e0-94cc-caf5d8d52a68 | command_prompt |
| 186 | defense-evasion | T1562.001 | Disable or Modify Tools | 20 | Stop and Remove Arbitrary Security Windows Service | ae753dda-0f15-4af6-a168-b9ba16143143 | powershell |
| 187 | defense-evasion | T1562.001 | Disable or Modify Tools | 21 | Uninstall Crowdstrike Falcon on Windows | b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297 | powershell |
| 188 | defense-evasion | T1562.001 | Disable or Modify Tools | 22 | Tamper with Windows Defender Evade Scanning -Folder | 0b19f4ee-de90-4059-88cb-63c800c683ed | powershell |
| 189 | defense-evasion | T1562.001 | Disable or Modify Tools | 23 | Tamper with Windows Defender Evade Scanning -Extension | 315f4be6-2240-4552-b3e1-d1047f5eecea | powershell |
| 190 | defense-evasion | T1562.001 | Disable or Modify Tools | 24 | Tamper with Windows Defender Evade Scanning -Process | a123ce6a-3916-45d6-ba9c-7d4081315c27 | powershell |
| 191 | defense-evasion | T1070.004 | File Deletion | 4 | Delete a single file - Windows cmd | 861ea0b4-708a-4d17-848d-186c9c7f17e3 | command_prompt |
| 192 | defense-evasion | T1070.004 | File Deletion | 5 | Delete an entire folder - Windows cmd | ded937c4-2add-42f7-9c2c-c742b7a98698 | command_prompt |
| 193 | defense-evasion | T1070.004 | File Deletion | 6 | Delete a single file - Windows PowerShell | 9dee89bd-9a98-4c4f-9e2d-4256690b0e72 | powershell |
| 194 | defense-evasion | T1070.004 | File Deletion | 7 | Delete an entire folder - Windows PowerShell | edd779e4-a509-4cba-8dfa-a112543dbfb1 | powershell |
| 195 | defense-evasion | T1070.004 | File Deletion | 9 | Delete Prefetch File | 36f96049-0ad7-4a5f-8418-460acaeb92fb | powershell |
| 196 | defense-evasion | T1070.004 | File Deletion | 10 | Delete TeamViewer Log Files | 69f50a5f-967c-4327-a5bb-e1a9a9983785 | powershell |
| 197 | defense-evasion | T1564.001 | Hidden Files and Directories | 3 | Create Windows System File with Attrib | f70974c8-c094-4574-b542-2c545af95a32 | command_prompt |
| 198 | defense-evasion | T1564.001 | Hidden Files and Directories | 4 | Create Windows Hidden File with Attrib | dadb792e-4358-4d8d-9207-b771faa0daa5 | command_prompt |
| 199 | defense-evasion | T1564.003 | Hidden Window | 1 | Hidden Window | f151ee37-9e2b-47e6-80e4-550b9f999b7a | powershell |
| 200 | defense-evasion | T1564 | Hide Artifacts | 1 | Extract binary files via VBA | 6afe288a-8a8b-4d33-a629-8d03ba9dad3a | powershell |
| 201 | defense-evasion | T1070 | Indicator Removal on Host | 1 | Indicator Removal using FSUtil | b4115c7a-0e92-47f0-a61e-17e7218b2435 | command_prompt |
| 202 | defense-evasion | T1202 | Indirect Command Execution | 1 | Indirect Command Execution - pcalua.exe | cecfea7a-5f03-4cdd-8bc8-6f7c22862440 | command_prompt |
| 203 | defense-evasion | T1202 | Indirect Command Execution | 2 | Indirect Command Execution - forfiles.exe | 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc | command_prompt |
| 204 | defense-evasion | T1202 | Indirect Command Execution | 3 | Indirect Command Execution - conhost.exe | cf3391e0-b482-4b02-87fc-ca8362269b29 | command_prompt |
| 205 | defense-evasion | T1553.004 | Install Root Certificate | 4 | Install root CA on Windows | 76f49d86-5eb1-461a-a032-a480f86652f1 | powershell |
| 206 | defense-evasion | T1553.004 | Install Root Certificate | 5 | Install root CA on Windows with certutil | 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f | powershell |
| 207 | defense-evasion | T1218.004 | InstallUtil | 1 | CheckIfInstallable method call | ffd9c807-d402-47d2-879d-f915cf2a3a94 | powershell |
| 208 | defense-evasion | T1218.004 | InstallUtil | 2 | InstallHelper method call | d43a5bde-ae28-4c55-a850-3f4c80573503 | powershell |
| 209 | defense-evasion | T1218.004 | InstallUtil | 3 | InstallUtil class constructor method call | 9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93 | powershell |
| 210 | defense-evasion | T1218.004 | InstallUtil | 4 | InstallUtil Install method call | 9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b | powershell |
| 211 | defense-evasion | T1218.004 | InstallUtil | 5 | InstallUtil Uninstall method call - /U variant | 34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b | powershell |
| 212 | defense-evasion | T1218.004 | InstallUtil | 6 | InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant | 06d9deba-f732-48a8-af8e-bdd6e4d98c1d | powershell |
| 213 | defense-evasion | T1218.004 | InstallUtil | 7 | InstallUtil HelpText method call | 5a683850-1145-4326-a0e5-e91ced3c6022 | powershell |
| 214 | defense-evasion | T1218.004 | InstallUtil | 8 | InstallUtil evasive invocation | 559e6d06-bb42-4307-bff7-3b95a8254bad | powershell |
| 215 | defense-evasion | T1078.003 | Local Accounts | 1 | Create local account with admin priviliges | a524ce99-86de-4db6-b4f9-e08f35a47a15 | command_prompt |
| 216 | defense-evasion | T1127.001 | MSBuild | 1 | MSBuild Bypass Using Inline Tasks | 58742c0f-cb01-44cd-a60b-fb26e8871c93 | command_prompt |
| 217 | defense-evasion | T1036.004 | Masquerade Task or Service | 1 | Creating W32Time similar named service using schtasks | f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9 | command_prompt |
| 218 | defense-evasion | T1036.004 | Masquerade Task or Service | 2 | Creating W32Time similar named service using sc | b721c6ef-472c-4263-a0d9-37f1f4ecff66 | command_prompt |
| 219 | defense-evasion | T1112 | Modify Registry | 1 | Modify Registry of Current User Profile - cmd | 1324796b-d0f6-455a-b4ae-21ffee6aa6b9 | command_prompt |
| 220 | defense-evasion | T1112 | Modify Registry | 2 | Modify Registry of Local Machine - cmd | 282f929a-6bc5-42b8-bd93-960c3ba35afe | command_prompt |
| 221 | defense-evasion | T1112 | Modify Registry | 3 | Modify registry to store logon credentials | c0413fb5-33e2-40b7-9b6f-60b29f4a7a18 | command_prompt |
| 222 | defense-evasion | T1112 | Modify Registry | 4 | Add domain to Trusted sites Zone | cf447677-5a4e-4937-a82c-e47d254afd57 | powershell |
| 223 | defense-evasion | T1112 | Modify Registry | 5 | Javascript in registry | 15f44ea9-4571-4837-be9e-802431a7bfae | powershell |
| 224 | defense-evasion | T1112 | Modify Registry | 6 | Change Powershell Execution Policy to Bypass | f3a6cceb-06c9-48e5-8df8-8867a6814245 | powershell |
| 225 | defense-evasion | T1218.005 | Mshta | 1 | Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject | 1483fab9-4f52-4217-a9ce-daa9d7747cae | command_prompt |
| 226 | defense-evasion | T1218.005 | Mshta | 2 | Mshta executes VBScript to execute malicious command | 906865c3-e05f-4acc-85c4-fbc185455095 | command_prompt |
| 227 | defense-evasion | T1218.005 | Mshta | 3 | Mshta Executes Remote HTML Application (HTA) | c4b97eeb-5249-4455-a607-59f95485cb45 | powershell |
| 228 | defense-evasion | T1218.005 | Mshta | 4 | Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement | 007e5672-2088-4853-a562-7490ddc19447 | powershell |
| 229 | defense-evasion | T1218.005 | Mshta | 5 | Invoke HTML Application - Jscript Engine Simulating Double Click | 58a193ec-131b-404e-b1ca-b35cf0b18c33 | powershell |
| 230 | defense-evasion | T1218.005 | Mshta | 6 | Invoke HTML Application - Direct download from URI | 39ceed55-f653-48ac-bd19-aceceaf525db | powershell |
| 231 | defense-evasion | T1218.005 | Mshta | 7 | Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler | e7e3a525-7612-4d68-a5d3-c4649181b8af | powershell |
| 232 | defense-evasion | T1218.005 | Mshta | 8 | Invoke HTML Application - JScript Engine with Inline Protocol Handler | d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840 | powershell |
| 233 | defense-evasion | T1218.005 | Mshta | 9 | Invoke HTML Application - Simulate Lateral Movement over UNC Path | b8a8bdb2-7eae-490d-8251-d5e0295b2362 | powershell |
| 234 | defense-evasion | T1218.007 | Msiexec | 1 | Msiexec.exe - Execute Local MSI file | 0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8 | command_prompt |
| 235 | defense-evasion | T1218.007 | Msiexec | 2 | Msiexec.exe - Execute Remote MSI file | bde7d2fe-d049-458d-a362-abda32a7e649 | command_prompt |
| 236 | defense-evasion | T1218.007 | Msiexec | 3 | Msiexec.exe - Execute Arbitrary DLL | 66f64bd5-7c35-4c24-953a-04ca30a0a0ec | command_prompt |
| 237 | defense-evasion | T1564.004 | NTFS File Attributes | 1 | Alternate Data Streams (ADS) | 8822c3b0-d9f9-4daf-a043-49f4602364f4 | command_prompt |
| 238 | defense-evasion | T1564.004 | NTFS File Attributes | 2 | Store file in Alternate Data Stream (ADS) | 2ab75061-f5d5-4c1a-b666-ba2a50df5b02 | powershell |
| 239 | defense-evasion | T1564.004 | NTFS File Attributes | 3 | Create ADS command prompt | 17e7637a-ddaf-4a82-8622-377e20de8fdb | command_prompt |
| 240 | defense-evasion | T1564.004 | NTFS File Attributes | 4 | Create ADS PowerShell | 0045ea16-ed3c-4d4c-a9ee-15e44d1560d1 | powershell |
| 241 | defense-evasion | T1070.005 | Network Share Connection Removal | 1 | Add Network Share | 14c38f32-6509-46d8-ab43-d53e32d2b131 | command_prompt |
| 242 | defense-evasion | T1070.005 | Network Share Connection Removal | 2 | Remove Network Share | 09210ad5-1ef2-4077-9ad3-7351e13e9222 | command_prompt |
| 243 | defense-evasion | T1070.005 | Network Share Connection Removal | 3 | Remove Network Share PowerShell | 0512d214-9512-4d22-bde7-f37e058259b3 | powershell |
| 244 | defense-evasion | T1027 | Obfuscated Files or Information | 2 | Execute base64-encoded PowerShell | a50d5a97-2531-499e-a1de-5544c74432c6 | powershell |
| 245 | defense-evasion | T1027 | Obfuscated Files or Information | 3 | Execute base64-encoded PowerShell from Windows Registry | 450e7218-7915-4be4-8b9b-464a49eafcec | powershell |
| 246 | defense-evasion | T1027 | Obfuscated Files or Information | 4 | Execution from Compressed File | f8c8a909-5f29-49ac-9244-413936ce6d1f | command_prompt |
| 247 | defense-evasion | T1218.008 | Odbcconf | 1 | Odbcconf.exe - Execute Arbitrary DLL | 2430498b-06c0-4b92-a448-8ad263c388e2 | command_prompt |
| 248 | defense-evasion | T1134.004 | Parent PID Spoofing | 1 | Parent PID Spoofing using PowerShell | 069258f4-2162-46e9-9a25-c9c6c56150d2 | powershell |
| 249 | defense-evasion | T1134.004 | Parent PID Spoofing | 2 | Parent PID Spoofing - Spawn from Current Process | 14920ebd-1d61-491a-85e0-fe98efe37f25 | powershell |
| 250 | defense-evasion | T1134.004 | Parent PID Spoofing | 3 | Parent PID Spoofing - Spawn from Specified Process | cbbff285-9051-444a-9d17-c07cd2d230eb | powershell |
| 251 | defense-evasion | T1134.004 | Parent PID Spoofing | 4 | Parent PID Spoofing - Spawn from svchost.exe | e9f2b777-3123-430b-805d-5cedc66ab591 | powershell |
| 252 | defense-evasion | T1134.004 | Parent PID Spoofing | 5 | Parent PID Spoofing - Spawn from New Process | 2988133e-561c-4e42-a15f-6281e6a9b2db | powershell |
| 253 | defense-evasion | T1550.002 | Pass the Hash | 1 | Mimikatz Pass the Hash | ec23cef9-27d9-46e4-a68d-6f75f7b86908 | command_prompt |
| 254 | defense-evasion | T1550.002 | Pass the Hash | 2 | crackmapexec Pass the Hash | eb05b028-16c8-4ad8-adea-6f5b219da9a9 | command_prompt |
| 255 | defense-evasion | T1550.003 | Pass the Ticket | 1 | Mimikatz Kerberos Ticket Attack | dbf38128-7ba7-4776-bedf-cc2eed432098 | command_prompt |
| 256 | defense-evasion | T1556.002 | Password Filter DLL | 1 | Install and Register Password Filter DLL | a7961770-beb5-4134-9674-83d7e1fa865c | powershell |
| 257 | defense-evasion | T1574.009 | Path Interception by Unquoted Path | 1 | Execution of program.exe as service with unquoted service path | 2770dea7-c50f-457b-84c4-c40a47460d9f | command_prompt |
| 258 | defense-evasion | T1055.012 | Process Hollowing | 1 | Process Hollowing using PowerShell | 562427b4-39ef-4e8c-af88-463a78e70b9c | powershell |
| 259 | defense-evasion | T1055.012 | Process Hollowing | 2 | RunPE via VBA | 3ad4a037-1598-4136-837c-4027e4fa319b | powershell |
| 260 | defense-evasion | T1055 | Process Injection | 1 | Process Injection via mavinject.exe | 74496461-11a1-4982-b439-4d87a550d254 | powershell |
| 261 | defense-evasion | T1055 | Process Injection | 2 | Shellcode execution via VBA | 1c91e740-1729-4329-b779-feba6e71d048 | powershell |
| 262 | defense-evasion | T1216.001 | PubPrn | 1 | PubPrn.vbs Signed Script Bypass | 9dd29a1f-1e16-4862-be83-913b10a88f6c | command_prompt |
| 263 | defense-evasion | T1218.009 | Regsvcs/Regasm | 1 | Regasm Uninstall Method Call Test | 71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112 | command_prompt |
| 264 | defense-evasion | T1218.009 | Regsvcs/Regasm | 2 | Regsvcs Uninstall Method Call Test | fd3c1c6a-02d2-4b72-82d9-71c527abb126 | powershell |
| 265 | defense-evasion | T1218.010 | Regsvr32 | 1 | Regsvr32 local COM scriptlet execution | 449aa403-6aba-47ce-8a37-247d21ef0306 | command_prompt |
| 266 | defense-evasion | T1218.010 | Regsvr32 | 2 | Regsvr32 remote COM scriptlet execution | c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36 | command_prompt |
| 267 | defense-evasion | T1218.010 | Regsvr32 | 3 | Regsvr32 local DLL execution | 08ffca73-9a3d-471a-aeb0-68b4aa3ab37b | command_prompt |
| 268 | defense-evasion | T1218.010 | Regsvr32 | 4 | Regsvr32 Registering Non DLL | 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421 | command_prompt |
| 269 | defense-evasion | T1036.003 | Rename System Utilities | 1 | Masquerading as Windows LSASS process | 5ba5a3d1-cf3c-4499-968a-a93155d1f717 | command_prompt |
| 270 | defense-evasion | T1036.003 | Rename System Utilities | 3 | Masquerading - cscript.exe running as notepad.exe | 3a2a578b-0a01-46e4-92e3-62e2859b42f0 | command_prompt |
| 271 | defense-evasion | T1036.003 | Rename System Utilities | 4 | Masquerading - wscript.exe running as svchost.exe | 24136435-c91a-4ede-9da1-8b284a1c1a23 | command_prompt |
| 272 | defense-evasion | T1036.003 | Rename System Utilities | 5 | Masquerading - powershell.exe running as taskhostw.exe | ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa | command_prompt |
| 273 | defense-evasion | T1036.003 | Rename System Utilities | 6 | Masquerading - non-windows exe running as windows exe | bc15c13f-d121-4b1f-8c7d-28d95854d086 | powershell |
| 274 | defense-evasion | T1036.003 | Rename System Utilities | 7 | Masquerading - windows exe running as different windows exe | c3d24a39-2bfe-4c6a-b064-90cd73896cb0 | powershell |
| 275 | defense-evasion | T1036.003 | Rename System Utilities | 8 | Malicious process Masquerading as LSM.exe | 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f | command_prompt |
| 276 | defense-evasion | T1036.003 | Rename System Utilities | 9 | File Extension Masquerading | c7fa0c3b-b57f-4cba-9118-863bf4e653fc | command_prompt |
| 277 | defense-evasion | T1207 | Rogue Domain Controller | 1 | DCShadow - Mimikatz | 0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6 | manual |
| 278 | defense-evasion | T1014 | Rootkit | 3 | Windows Signed Driver Rootkit Test | 8e4e1985-9a19-4529-b4b8-b7a49ff87fae | command_prompt |
| 279 | defense-evasion | T1218.011 | Rundll32 | 1 | Rundll32 execute JavaScript Remote Payload With GetObject | cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be | command_prompt |
| 280 | defense-evasion | T1218.011 | Rundll32 | 2 | Rundll32 execute VBscript command | 638730e7-7aed-43dc-bf8c-8117f805f5bb | command_prompt |
| 281 | defense-evasion | T1218.011 | Rundll32 | 3 | Rundll32 advpack.dll Execution | d91cae26-7fc1-457b-a854-34c8aad48c89 | command_prompt |
| 282 | defense-evasion | T1218.011 | Rundll32 | 4 | Rundll32 ieadvpack.dll Execution | 5e46a58e-cbf6-45ef-a289-ed7754603df9 | command_prompt |
| 283 | defense-evasion | T1218.011 | Rundll32 | 5 | Rundll32 syssetup.dll Execution | 41fa324a-3946-401e-bbdd-d7991c628125 | command_prompt |
| 284 | defense-evasion | T1218.011 | Rundll32 | 6 | Rundll32 setupapi.dll Execution | 71d771cd-d6b3-4f34-bc76-a63d47a10b19 | command_prompt |
| 285 | defense-evasion | T1218.011 | Rundll32 | 7 | Execution of HTA and VBS Files using Rundll32 and URL.dll | 22cfde89-befe-4e15-9753-47306b37a6e3 | command_prompt |
| 286 | defense-evasion | T1574.011 | Services Registry Permissions Weakness | 1 | Service Registry Permissions Weakness | f7536d63-7fd4-466f-89da-7e48d550752a | powershell |
| 287 | defense-evasion | T1574.011 | Services Registry Permissions Weakness | 2 | Service ImagePath Change with reg.exe | f38e9eea-e1d7-4ba6-b716-584791963827 | command_prompt |
| 288 | defense-evasion | T1218 | Signed Binary Proxy Execution | 1 | mavinject - Inject DLL into running process | c426dacf-575d-4937-8611-a148a86a5e61 | command_prompt |
| 289 | defense-evasion | T1218 | Signed Binary Proxy Execution | 2 | SyncAppvPublishingServer - Execute arbitrary PowerShell code | d590097e-d402-44e2-ad72-2c6aa1ce78b1 | command_prompt |
| 290 | defense-evasion | T1218 | Signed Binary Proxy Execution | 3 | Register-CimProvider - Execute evil dll | ad2c17ed-f626-4061-b21e-b9804a6f3655 | command_prompt |
| 291 | defense-evasion | T1218 | Signed Binary Proxy Execution | 4 | InfDefaultInstall.exe .inf Execution | 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef | command_prompt |
| 292 | defense-evasion | T1218 | Signed Binary Proxy Execution | 5 | ProtocolHandler.exe Downloaded a Suspicious File | db020456-125b-4c8b-a4a7-487df8afb5a2 | command_prompt |
| 293 | defense-evasion | T1218 | Signed Binary Proxy Execution | 6 | Microsoft.Workflow.Compiler.exe Payload Execution | 7cbb0f26-a4c1-4f77-b180-a009aa05637e | powershell |
| 294 | defense-evasion | T1218 | Signed Binary Proxy Execution | 7 | Renamed Microsoft.Workflow.Compiler.exe Payload Executions | 4cc40fd7-87b8-4b16-b2d7-57534b86b911 | powershell |
| 295 | defense-evasion | T1216 | Signed Script Proxy Execution | 1 | SyncAppvPublishingServer Signed Script PowerShell Command Execution | 275d963d-3f36-476c-8bef-a2a3960ee6eb | command_prompt |
| 296 | defense-evasion | T1216 | Signed Script Proxy Execution | 2 | manage-bde.wsf Signed Script Command Execution | 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a | command_prompt |
| 297 | defense-evasion | T1497.001 | System Checks | 2 | Detect Virtualization Environment (Windows) | 502a7dc4-9d6f-4d28-abf2-f0e84692562d | powershell |
| 298 | defense-evasion | T1070.006 | Timestomp | 5 | Windows - Modify file creation timestamp with PowerShell | b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c | powershell |
| 299 | defense-evasion | T1070.006 | Timestomp | 6 | Windows - Modify file last modified timestamp with PowerShell | f8f6634d-93e1-4238-8510-f8a90a20dcf2 | powershell |
| 300 | defense-evasion | T1070.006 | Timestomp | 7 | Windows - Modify file last access timestamp with PowerShell | da627f63-b9bd-4431-b6f8-c5b44d061a62 | powershell |
| 301 | defense-evasion | T1070.006 | Timestomp | 8 | Windows - Timestomp a File | d7512c33-3a75-4806-9893-69abc3ccdd43 | powershell |
| 302 | defense-evasion | T1134.001 | Token Impersonation/Theft | 1 | Named pipe client impersonation | 90db9e27-8e7c-4c04-b602-a45927884966 | powershell |
| 303 | defense-evasion | T1134.001 | Token Impersonation/Theft | 2 | `SeDebugPrivilege` token duplication | 34f0a430-9d04-4d98-bcb5-1989f14719f0 | powershell |
| 304 | defense-evasion | T1222.001 | Windows File and Directory Permissions Modification | 1 | Take ownership using takeown utility | 98d34bb4-6e75-42ad-9c41-1dae7dc6a001 | command_prompt |
| 305 | defense-evasion | T1222.001 | Windows File and Directory Permissions Modification | 2 | cacls - Grant permission to specified user or group recursively | a8206bcc-f282-40a9-a389-05d9c0263485 | command_prompt |
| 306 | defense-evasion | T1222.001 | Windows File and Directory Permissions Modification | 3 | attrib - Remove read-only attribute | bec1e95c-83aa-492e-ab77-60c71bbd21b0 | command_prompt |
| 307 | defense-evasion | T1222.001 | Windows File and Directory Permissions Modification | 4 | attrib - hide file | 32b979da-7b68-42c9-9a99-0e39900fc36c | command_prompt |
| 308 | defense-evasion | T1222.001 | Windows File and Directory Permissions Modification | 5 | Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style | ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 | powershell |
| 309 | defense-evasion | T1220 | XSL Script Processing | 1 | MSXSL Bypass using local files | ca23bfb2-023f-49c5-8802-e66997de462d | command_prompt |
| 310 | defense-evasion | T1220 | XSL Script Processing | 2 | MSXSL Bypass using remote files | a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985 | command_prompt |
| 311 | defense-evasion | T1220 | XSL Script Processing | 3 | WMIC bypass using local XSL file | 1b237334-3e21-4a0c-8178-b8c996124988 | command_prompt |
| 312 | defense-evasion | T1220 | XSL Script Processing | 4 | WMIC bypass using remote XSL file | 7f5be499-33be-4129-a560-66021f379b9b | command_prompt |
| 313 | persistence | T1546.008 | Accessibility Features | 1 | Attaches Command Prompt as a Debugger to a List of Target Processes | 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 | powershell |
| 314 | persistence | T1546.008 | Accessibility Features | 2 | Replace binary of sticky keys | 934e90cf-29ca-48b3-863c-411737ad44e3 | command_prompt |
| 315 | persistence | T1098 | Account Manipulation | 1 | Admin Account Manipulate | 5598f7cb-cf43-455e-883a-f6008c5d46af | powershell |
| 316 | persistence | T1098 | Account Manipulation | 2 | Domain Account and Group Manipulate | a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 | powershell |
| 317 | persistence | T1546.010 | AppInit DLLs | 1 | Install AppInit Shim | a58d9386-3080-4242-ab5f-454c16503d18 | command_prompt |
| 318 | persistence | T1546.011 | Application Shimming | 1 | Application Shim Installation | 9ab27e22-ee62-4211-962b-d36d9a0e6a18 | command_prompt |
| 319 | persistence | T1546.011 | Application Shimming | 2 | New shim database files created in the default shim database directory | aefd6866-d753-431f-a7a4-215ca7e3f13d | powershell |
| 320 | persistence | T1546.011 | Application Shimming | 3 | Registry key creation and/or modification events for SDB | 9b6a06f9-ab5e-4e8d-8289-1df4289db02f | powershell |
| 321 | persistence | T1053.002 | At (Windows) | 1 | At.exe Scheduled task | 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 | command_prompt |
| 322 | persistence | T1197 | BITS Jobs | 1 | Bitsadmin Download (cmd) | 3c73d728-75fb-4180-a12f-6712864d7421 | command_prompt |
| 323 | persistence | T1197 | BITS Jobs | 2 | Bitsadmin Download (PowerShell) | f63b8bc4-07e5-4112-acba-56f646f3f0bc | powershell |
| 324 | persistence | T1197 | BITS Jobs | 3 | Persist, Download, & Execute | 62a06ec5-5754-47d2-bcfc-123d8314c6ae | command_prompt |
| 325 | persistence | T1197 | BITS Jobs | 4 | Bits download using destktopimgdownldr.exe (cmd) | afb5e09e-e385-4dee-9a94-6ee60979d114 | command_prompt |
| 326 | persistence | T1176 | Browser Extensions | 1 | Chrome (Developer Mode) | 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 | manual |
| 327 | persistence | T1176 | Browser Extensions | 2 | Chrome (Chrome Web Store) | 4c83940d-8ca5-4bb2-8100-f46dc914bc3f | manual |
| 328 | persistence | T1176 | Browser Extensions | 3 | Firefox | cb790029-17e6-4c43-b96f-002ce5f10938 | manual |
| 329 | persistence | T1176 | Browser Extensions | 4 | Edge Chromium Addon - VPN | 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 | manual |
| 330 | persistence | T1574.012 | COR_PROFILER | 1 | User scope COR_PROFILER | 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a | powershell |
| 331 | persistence | T1574.012 | COR_PROFILER | 2 | System Scope COR_PROFILER | f373b482-48c8-4ce4-85ed-d40c8b3f7310 | powershell |
| 332 | persistence | T1574.012 | COR_PROFILER | 3 | Registry-free process scope COR_PROFILER | 79d57242-bbef-41db-b301-9d01d9f6e817 | powershell |
| 333 | persistence | T1546.001 | Change Default File Association | 1 | Change Default File Association | 10a08978-2045-4d62-8c42-1957bbbea102 | command_prompt |
| 334 | persistence | T1574.001 | DLL Search Order Hijacking | 1 | DLL Search Order Hijacking - amsi.dll | 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 | command_prompt |
| 335 | persistence | T1574.002 | DLL Side-Loading | 1 | DLL Side-Loading using the Notepad++ GUP.exe binary | 65526037-7079-44a9-bda1-2cb624838040 | command_prompt |
| 336 | persistence | T1078.001 | Default Accounts | 1 | Enable Guest account with RDP capability and admin priviliges | 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 | command_prompt |
| 337 | persistence | T1136.002 | Domain Account | 1 | Create a new Windows domain admin user | fcec2963-9951-4173-9bfa-98d8b7834e62 | command_prompt |
| 338 | persistence | T1136.002 | Domain Account | 2 | Create a new account similar to ANONYMOUS LOGON | dc7726d2-8ccb-4cc6-af22-0d5afb53a548 | command_prompt |
| 339 | persistence | T1133 | External Remote Services | 1 | Running Chrome VPN Extensions via the Registry 2 vpn extension | 4c8db261-a58b-42a6-a866-0a294deedde4 | powershell |
| 340 | persistence | T1546.012 | Image File Execution Options Injection | 1 | IFEO Add Debugger | fdda2626-5234-4c90-b163-60849a24c0b8 | command_prompt |
| 341 | persistence | T1546.012 | Image File Execution Options Injection | 2 | IFEO Global Flags | 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 | command_prompt |
| 342 | persistence | T1136.001 | Local Account | 3 | Create a new user in a command prompt | 6657864e-0323-4206-9344-ac9cd7265a4f | command_prompt |
| 343 | persistence | T1136.001 | Local Account | 4 | Create a new user in PowerShell | bc8be0ac-475c-4fbf-9b1d-9fffd77afbde | powershell |
| 344 | persistence | T1136.001 | Local Account | 6 | Create a new Windows admin user | fda74566-a604-4581-a4cc-fbbe21d66559 | command_prompt |
| 345 | persistence | T1078.003 | Local Accounts | 1 | Create local account with admin priviliges | a524ce99-86de-4db6-b4f9-e08f35a47a15 | command_prompt |
| 346 | persistence | T1037.001 | Logon Script (Windows) | 1 | Logon Scripts | d6042746-07d4-4c92-9ad8-e644c114a231 | command_prompt |
| 347 | persistence | T1546.007 | Netsh Helper DLL | 1 | Netsh Helper DLL Registration | 3244697d-5a3a-4dfc-941c-550f69f91a4d | command_prompt |
| 348 | persistence | T1137.002 | Office Test | 1 | Office Apllication Startup Test Persistence | c3e35b58-fe1c-480b-b540-7600fb612563 | command_prompt |
| 349 | persistence | T1574.009 | Path Interception by Unquoted Path | 1 | Execution of program.exe as service with unquoted service path | 2770dea7-c50f-457b-84c4-c40a47460d9f | command_prompt |
| 350 | persistence | T1546.013 | PowerShell Profile | 1 | Append malicious start-process cmdlet | 090e5aa5-32b6-473b-a49b-21e843a56896 | powershell |
| 351 | persistence | T1547.001 | Registry Run Keys / Startup Folder | 1 | Reg Key Run | e55be3fd-3521-4610-9d1a-e210e42dcf05 | command_prompt |
| 352 | persistence | T1547.001 | Registry Run Keys / Startup Folder | 2 | Reg Key RunOnce | 554cbd88-cde1-4b56-8168-0be552eed9eb | command_prompt |
| 353 | persistence | T1547.001 | Registry Run Keys / Startup Folder | 3 | PowerShell Registry RunOnce | eb44f842-0457-4ddc-9b92-c4caa144ac42 | powershell |
| 354 | persistence | T1547.001 | Registry Run Keys / Startup Folder | 4 | Suspicious vbs file run from startup Folder | 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 | powershell |
| 355 | persistence | T1547.001 | Registry Run Keys / Startup Folder | 5 | Suspicious jse file run from startup Folder | dade9447-791e-4c8f-b04b-3a35855dfa06 | powershell |
| 356 | persistence | T1547.001 | Registry Run Keys / Startup Folder | 6 | Suspicious bat file run from startup Folder | 5b6768e4-44d2-44f0-89da-a01d1430fd5e | powershell |
| 357 | persistence | T1547.001 | Registry Run Keys / Startup Folder | 7 | Add Executable Shortcut Link to User Startup Folder | 24e55612-85f6-4bd6-ae74-a73d02e3441d | powershell |
| 358 | persistence | T1053.005 | Scheduled Task | 1 | Scheduled Task Startup Script | fec27f65-db86-4c2d-b66c-61945aee87c2 | command_prompt |
| 359 | persistence | T1053.005 | Scheduled Task | 2 | Scheduled task Local | 42f53695-ad4a-4546-abb6-7d837f644a71 | command_prompt |
| 360 | persistence | T1053.005 | Scheduled Task | 3 | Scheduled task Remote | 2e5eac3e-327b-4a88-a0c0-c4057039a8dd | command_prompt |
| 361 | persistence | T1053.005 | Scheduled Task | 4 | Powershell Cmdlet Scheduled Task | af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd | powershell |
| 362 | persistence | T1053.005 | Scheduled Task | 5 | Task Scheduler via VBA | ecd3fa21-7792-41a2-8726-2c5c673414d3 | powershell |
| 363 | persistence | T1546.002 | Screensaver | 1 | Set Arbitrary Binary as Screensaver | 281201e7-de41-4dc9-b73d-f288938cbb64 | command_prompt |
| 364 | persistence | T1547.005 | Security Support Provider | 1 | Modify SSP configuration in registry | afdfd7e3-8a0b-409f-85f7-886fdf249c9e | powershell |
| 365 | persistence | T1574.011 | Services Registry Permissions Weakness | 1 | Service Registry Permissions Weakness | f7536d63-7fd4-466f-89da-7e48d550752a | powershell |
| 366 | persistence | T1574.011 | Services Registry Permissions Weakness | 2 | Service ImagePath Change with reg.exe | f38e9eea-e1d7-4ba6-b716-584791963827 | command_prompt |
| 367 | persistence | T1547.009 | Shortcut Modification | 1 | Shortcut Modification | ce4fc678-364f-4282-af16-2fb4c78005ce | command_prompt |
| 368 | persistence | T1547.009 | Shortcut Modification | 2 | Create shortcut to cmd in startup folders | cfdc954d-4bb0-4027-875b-a1893ce406f2 | powershell |
| 369 | persistence | T1505.002 | Transport Agent | 1 | Install MS Exchange Transport Agent Persistence | 43e92449-ff60-46e9-83a3-1a38089df94d | powershell |
| 370 | persistence | T1505.003 | Web Shell | 1 | Web Shell Written to Disk | 0a2ce662-1efa-496f-a472-2fe7b080db16 | command_prompt |
| 371 | persistence | T1546.003 | Windows Management Instrumentation Event Subscription | 1 | Persistence via WMI Event Subscription | 3c64f177-28e2-49eb-a799-d767b24dd1e0 | powershell |
| 372 | persistence | T1543.003 | Windows Service | 1 | Modify Fax service to run PowerShell | ed366cde-7d12-49df-a833-671904770b9f | command_prompt |
| 373 | persistence | T1543.003 | Windows Service | 2 | Service Installation CMD | 981e2942-e433-44e9-afc1-8c957a1496b6 | command_prompt |
| 374 | persistence | T1543.003 | Windows Service | 3 | Service Installation PowerShell | 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 | powershell |
| 375 | persistence | T1547.004 | Winlogon Helper DLL | 1 | Winlogon Shell Key Persistence - PowerShell | bf9f9d65-ee4d-4c3e-a843-777d04f19c38 | powershell |
| 376 | persistence | T1547.004 | Winlogon Helper DLL | 2 | Winlogon Userinit Key Persistence - PowerShell | fb32c935-ee2e-454b-8fa3-1c46b42e8dfb | powershell |
| 377 | persistence | T1547.004 | Winlogon Helper DLL | 3 | Winlogon Notify Key Logon Persistence - PowerShell | d40da266-e073-4e5a-bb8b-2b385023e5f9 | powershell |
| 378 | impact | T1531 | Account Access Removal | 1 | Change User Password - Windows | 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2 | command_prompt |
| 379 | impact | T1531 | Account Access Removal | 2 | Delete User - Windows | f21a1d7d-a62f-442a-8c3a-2440d43b19e5 | command_prompt |
| 380 | impact | T1531 | Account Access Removal | 3 | Remove Account From Domain Admin Group | 43f71395-6c37-498e-ab17-897d814a0947 | powershell |
| 381 | impact | T1485 | Data Destruction | 1 | Windows - Overwrite file with Sysinternals SDelete | 476419b5-aebf-4366-a131-ae3e8dae5fc2 | powershell |
| 382 | impact | T1490 | Inhibit System Recovery | 1 | Windows - Delete Volume Shadow Copies | 43819286-91a9-4369-90ed-d31fb4da2c01 | command_prompt |
| 383 | impact | T1490 | Inhibit System Recovery | 2 | Windows - Delete Volume Shadow Copies via WMI | 6a3ff8dd-f49c-4272-a658-11c2fe58bd88 | command_prompt |
| 384 | impact | T1490 | Inhibit System Recovery | 3 | Windows - Delete Windows Backup Catalog | 263ba6cb-ea2b-41c9-9d4e-b652dadd002c | command_prompt |
| 385 | impact | T1490 | Inhibit System Recovery | 4 | Windows - Disable Windows Recovery Console Repair | cf21060a-80b3-4238-a595-22525de4ab81 | command_prompt |
| 386 | impact | T1490 | Inhibit System Recovery | 5 | Windows - Delete Volume Shadow Copies via WMI with PowerShell | 39a295ca-7059-4a88-86f6-09556c1211e7 | powershell |
| 387 | impact | T1490 | Inhibit System Recovery | 6 | Windows - Delete Backup Files | 6b1dbaf6-cc8a-4ea6-891f-6058569653bf | command_prompt |
| 388 | impact | T1489 | Service Stop | 1 | Windows - Stop service using Service Controller | 21dfb440-830d-4c86-a3e5-2a491d5a8d04 | command_prompt |
| 389 | impact | T1489 | Service Stop | 2 | Windows - Stop service using net.exe | 41274289-ec9c-4213-bea4-e43c4aa57954 | command_prompt |
| 390 | impact | T1489 | Service Stop | 3 | Windows - Stop service by killing process | f3191b84-c38b-400b-867e-3a217a27795f | command_prompt |
| 391 | impact | T1529 | System Shutdown/Reboot | 1 | Shutdown System - Windows | ad254fa8-45c0-403b-8c77-e00b3d3e7a64 | command_prompt |
| 392 | impact | T1529 | System Shutdown/Reboot | 2 | Restart System - Windows | f4648f0d-bf78-483c-bafc-3ec99cd1c302 | command_prompt |
| 393 | discovery | T1010 | Application Window Discovery | 1 | List Process Main Windows - C# .NET | fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4 | command_prompt |
| 394 | discovery | T1217 | Browser Bookmark Discovery | 4 | List Google Chrome Bookmarks on Windows with powershell | faab755e-4299-48ec-8202-fc7885eb6545 | powershell |
| 395 | discovery | T1217 | Browser Bookmark Discovery | 5 | List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt | 76f71e2f-480e-4bed-b61e-398fe17499d5 | command_prompt |
| 396 | discovery | T1217 | Browser Bookmark Discovery | 6 | List Mozilla Firefox bookmarks on Windows with command prompt | 4312cdbc-79fc-4a9c-becc-53d49c734bc5 | command_prompt |
| 397 | discovery | T1217 | Browser Bookmark Discovery | 7 | List Internet Explorer Bookmarks using the command prompt | 727dbcdb-e495-4ab1-a6c4-80c7f77aef85 | command_prompt |
| 398 | discovery | T1087.002 | Domain Account | 1 | Enumerate all accounts (Domain) | 6fbc9e68-5ad7-444a-bd11-8bf3136c477e | command_prompt |
| 399 | discovery | T1087.002 | Domain Account | 2 | Enumerate all accounts via PowerShell (Domain) | 8b8a6449-be98-4f42-afd2-dedddc7453b2 | powershell |
| 400 | discovery | T1087.002 | Domain Account | 3 | Enumerate logged on users via CMD (Domain) | 161dcd85-d014-4f5e-900c-d3eaae82a0f7 | command_prompt |
| 401 | discovery | T1087.002 | Domain Account | 4 | Automated AD Recon (ADRecon) | 95018438-454a-468c-a0fa-59c800149b59 | powershell |
| 402 | discovery | T1087.002 | Domain Account | 5 | Adfind -Listing password policy | 736b4f53-f400-4c22-855d-1a6b5a551600 | command_prompt |
| 403 | discovery | T1087.002 | Domain Account | 6 | Adfind - Enumerate Active Directory Admins | b95fd967-4e62-4109-b48d-265edfd28c3a | command_prompt |
| 404 | discovery | T1087.002 | Domain Account | 7 | Adfind - Enumerate Active Directory User Objects | e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 | command_prompt |
| 405 | discovery | T1087.002 | Domain Account | 8 | Adfind - Enumerate Active Directory Exchange AD Objects | 5e2938fb-f919-47b6-8b29-2f6a1f718e99 | command_prompt |
| 406 | discovery | T1087.002 | Domain Account | 9 | Enumerate Default Domain Admin Details (Domain) | c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef | command_prompt |
| 407 | discovery | T1069.002 | Domain Groups | 1 | Basic Permission Groups Discovery Windows (Domain) | dd66d77d-8998-48c0-8024-df263dc2ce5d | command_prompt |
| 408 | discovery | T1069.002 | Domain Groups | 2 | Permission Groups Discovery PowerShell (Domain) | 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7 | powershell |
| 409 | discovery | T1069.002 | Domain Groups | 3 | Elevated group enumeration using net group (Domain) | 0afb5163-8181-432e-9405-4322710c0c37 | command_prompt |
| 410 | discovery | T1069.002 | Domain Groups | 4 | Find machines where user has local admin access (PowerView) | a2d71eee-a353-4232-9f86-54f4288dd8c1 | powershell |
| 411 | discovery | T1069.002 | Domain Groups | 5 | Find local admins on all machines in domain (PowerView) | a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd | powershell |
| 412 | discovery | T1069.002 | Domain Groups | 6 | Find Local Admins via Group Policy (PowerView) | 64fdb43b-5259-467a-b000-1b02c00e510a | powershell |
| 413 | discovery | T1069.002 | Domain Groups | 7 | Enumerate Users Not Requiring Pre Auth (ASRepRoast) | 870ba71e-6858-4f6d-895c-bb6237f6121b | powershell |
| 414 | discovery | T1069.002 | Domain Groups | 8 | Adfind - Query Active Directory Groups | 48ddc687-82af-40b7-8472-ff1e742e8274 | command_prompt |
| 415 | discovery | T1482 | Domain Trust Discovery | 1 | Windows - Discover domain trusts with dsquery | 4700a710-c821-4e17-a3ec-9e4c81d6845f | command_prompt |
| 416 | discovery | T1482 | Domain Trust Discovery | 2 | Windows - Discover domain trusts with nltest | 2e22641d-0498-48d2-b9ff-c71e496ccdbe | command_prompt |
| 417 | discovery | T1482 | Domain Trust Discovery | 3 | Powershell enumerate domains and forests | c58fbc62-8a62-489e-8f2d-3565d7d96f30 | powershell |
| 418 | discovery | T1482 | Domain Trust Discovery | 4 | Adfind - Enumerate Active Directory OUs | d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec | command_prompt |
| 419 | discovery | T1482 | Domain Trust Discovery | 5 | Adfind - Enumerate Active Directory Trusts | 15fe436d-e771-4ff3-b655-2dca9ba52834 | command_prompt |
| 420 | discovery | T1083 | File and Directory Discovery | 1 | File and Directory Discovery (cmd.exe) | 0e36303b-6762-4500-b003-127743b80ba6 | command_prompt |
| 421 | discovery | T1083 | File and Directory Discovery | 2 | File and Directory Discovery (PowerShell) | 2158908e-b7ef-4c21-8a83-3ce4dd05a924 | powershell |
| 422 | discovery | T1087.001 | Local Account | 8 | Enumerate all accounts on Windows (Local) | 80887bec-5a9b-4efc-a81d-f83eb2eb32ab | command_prompt |
| 423 | discovery | T1087.001 | Local Account | 9 | Enumerate all accounts via PowerShell (Local) | ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b | powershell |
| 424 | discovery | T1087.001 | Local Account | 10 | Enumerate logged on users via CMD (Local) | a138085e-bfe5-46ba-a242-74a6fb884af3 | command_prompt |
| 425 | discovery | T1087.001 | Local Account | 11 | Enumerate logged on users via PowerShell | 2bdc42c7-8907-40c2-9c2b-42919a00fe03 | powershell |
| 426 | discovery | T1069.001 | Local Groups | 2 | Basic Permission Groups Discovery Windows (Local) | 1f454dd6-e134-44df-bebb-67de70fb6cd8 | command_prompt |
| 427 | discovery | T1069.001 | Local Groups | 3 | Permission Groups Discovery PowerShell (Local) | a580462d-2c19-4bc7-8b9a-57a41b7d3ba4 | powershell |
| 428 | discovery | T1046 | Network Service Scanning | 3 | Port Scan NMap for Windows | d696a3cb-d7a8-4976-8eb5-5af4abf2e3df | powershell |
| 429 | discovery | T1135 | Network Share Discovery | 2 | Network Share Discovery command prompt | 20f1097d-81c1-405c-8380-32174d493bbb | command_prompt |
| 430 | discovery | T1135 | Network Share Discovery | 3 | Network Share Discovery PowerShell | 1b0814d1-bb24-402d-9615-1b20c50733fb | powershell |
| 431 | discovery | T1135 | Network Share Discovery | 4 | View available share drives | ab39a04f-0c93-4540-9ff2-83f862c385ae | command_prompt |
| 432 | discovery | T1135 | Network Share Discovery | 5 | Share Discovery with PowerView | b1636f0a-ba82-435c-b699-0d78794d8bfd | powershell |
| 433 | discovery | T1040 | Network Sniffing | 3 | Packet Capture Windows Command Prompt | a5b2f6a0-24b4-493e-9590-c699f75723ca | command_prompt |
| 434 | discovery | T1040 | Network Sniffing | 4 | Windows Internal Packet Capture | b5656f67-d67f-4de8-8e62-b5581630f528 | command_prompt |
| 435 | discovery | T1201 | Password Policy Discovery | 5 | Examine local password policy - Windows | 4588d243-f24e-4549-b2e3-e627acc089f6 | command_prompt |
| 436 | discovery | T1201 | Password Policy Discovery | 6 | Examine domain password policy - Windows | 46c2c362-2679-4ef5-aec9-0e958e135be4 | command_prompt |
| 437 | discovery | T1057 | Process Discovery | 2 | Process Discovery - tasklist | c5806a4f-62b8-4900-980b-c7ec004e9908 | command_prompt |
| 438 | discovery | T1012 | Query Registry | 1 | Query Registry | 8f7578c4-9863-4d83-875c-a565573bbdf0 | command_prompt |
| 439 | discovery | T1018 | Remote System Discovery | 1 | Remote System Discovery - net | 85321a9c-897f-4a60-9f20-29788e50bccd | command_prompt |
| 440 | discovery | T1018 | Remote System Discovery | 2 | Remote System Discovery - net group Domain Computers | f1bf6c8f-9016-4edf-aff9-80b65f5d711f | command_prompt |
| 441 | discovery | T1018 | Remote System Discovery | 3 | Remote System Discovery - nltest | 52ab5108-3f6f-42fb-8ba3-73bc054f22c8 | command_prompt |
| 442 | discovery | T1018 | Remote System Discovery | 4 | Remote System Discovery - ping sweep | 6db1f57f-d1d5-4223-8a66-55c9c65a9592 | command_prompt |
| 443 | discovery | T1018 | Remote System Discovery | 5 | Remote System Discovery - arp | 2d5a61f5-0447-4be4-944a-1f8530ed6574 | command_prompt |
| 444 | discovery | T1018 | Remote System Discovery | 8 | Remote System Discovery - nslookup | baa01aaa-5e13-45ec-8a0d-e46c93c9760f | powershell |
| 445 | discovery | T1018 | Remote System Discovery | 9 | Remote System Discovery - adidnsdump | 95e19466-469e-4316-86d2-1dc401b5a959 | command_prompt |
| 446 | discovery | T1018 | Remote System Discovery | 10 | Adfind - Enumerate Active Directory Computer Objects | a889f5be-2d54-4050-bd05-884578748bb4 | command_prompt |
| 447 | discovery | T1018 | Remote System Discovery | 11 | Adfind - Enumerate Active Directory Domain Controller Objects | 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e | command_prompt |
| 448 | discovery | T1518.001 | Security Software Discovery | 1 | Security Software Discovery | f92a380f-ced9-491f-b338-95a991418ce2 | command_prompt |
| 449 | discovery | T1518.001 | Security Software Discovery | 2 | Security Software Discovery - powershell | 7f566051-f033-49fb-89de-b6bacab730f0 | powershell |
| 450 | discovery | T1518.001 | Security Software Discovery | 4 | Security Software Discovery - Sysmon Service | fe613cf3-8009-4446-9a0f-bc78a15b66c9 | command_prompt |
| 451 | discovery | T1518.001 | Security Software Discovery | 5 | Security Software Discovery - AV Discovery via WMI | 1553252f-14ea-4d3b-8a08-d7a4211aa945 | command_prompt |
| 452 | discovery | T1518 | Software Discovery | 1 | Find and Display Internet Explorer Browser Version | 68981660-6670-47ee-a5fa-7e74806420a4 | command_prompt |
| 453 | discovery | T1518 | Software Discovery | 2 | Applications Installed | c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b | powershell |
| 454 | discovery | T1497.001 | System Checks | 2 | Detect Virtualization Environment (Windows) | 502a7dc4-9d6f-4d28-abf2-f0e84692562d | powershell |
| 455 | discovery | T1082 | System Information Discovery | 1 | System Information Discovery | 66703791-c902-4560-8770-42b8a91f7667 | command_prompt |
| 456 | discovery | T1082 | System Information Discovery | 6 | Hostname Discovery (Windows) | 85cfbf23-4a1e-4342-8792-007e004b975f | command_prompt |
| 457 | discovery | T1082 | System Information Discovery | 8 | Windows MachineGUID Discovery | 224b4daf-db44-404e-b6b2-f4d1f0126ef8 | command_prompt |
| 458 | discovery | T1082 | System Information Discovery | 9 | Griffon Recon | 69bd4abe-8759-49a6-8d21-0f15822d6370 | powershell |
| 459 | discovery | T1016 | System Network Configuration Discovery | 1 | System Network Configuration Discovery on Windows | 970ab6a1-0157-4f3f-9a73-ec4166754b23 | command_prompt |
| 460 | discovery | T1016 | System Network Configuration Discovery | 2 | List Windows Firewall Rules | 038263cb-00f4-4b0a-98ae-0696c67e1752 | command_prompt |
| 461 | discovery | T1016 | System Network Configuration Discovery | 4 | System Network Configuration Discovery (TrickBot Style) | dafaf052-5508-402d-bf77-51e0700c02e2 | command_prompt |
| 462 | discovery | T1016 | System Network Configuration Discovery | 5 | List Open Egress Ports | 4b467538-f102-491d-ace7-ed487b853bf5 | powershell |
| 463 | discovery | T1016 | System Network Configuration Discovery | 6 | Adfind - Enumerate Active Directory Subnet Objects | 9bb45dd7-c466-4f93-83a1-be30e56033ee | command_prompt |
| 464 | discovery | T1016 | System Network Configuration Discovery | 7 | Qakbot Recon | 121de5c6-5818-4868-b8a7-8fd07c455c1b | command_prompt |
| 465 | discovery | T1049 | System Network Connections Discovery | 1 | System Network Connections Discovery | 0940a971-809a-48f1-9c4d-b1d785e96ee5 | command_prompt |
| 466 | discovery | T1049 | System Network Connections Discovery | 2 | System Network Connections Discovery with PowerShell | f069f0f1-baad-4831-aa2b-eddac4baac4a | powershell |
| 467 | discovery | T1033 | System Owner/User Discovery | 1 | System Owner/User Discovery | 4c4959bf-addf-4b4a-be86-8d09cc1857aa | command_prompt |
| 468 | discovery | T1033 | System Owner/User Discovery | 3 | Find computers where user has session - Stealth mode (PowerView) | 29857f27-a36f-4f7e-8084-4557cd6207ca | powershell |
| 469 | discovery | T1007 | System Service Discovery | 1 | System Service Discovery | 89676ba1-b1f8-47ee-b940-2e1a113ebc71 | command_prompt |
| 470 | discovery | T1007 | System Service Discovery | 2 | System Service Discovery - net.exe | 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3 | command_prompt |
| 471 | discovery | T1124 | System Time Discovery | 1 | System Time Discovery | 20aba24b-e61f-4b26-b4ce-4784f763ca20 | command_prompt |
| 472 | discovery | T1124 | System Time Discovery | 2 | System Time Discovery - PowerShell | 1d5711d6-655c-4a47-ae9c-6503c74fa877 | powershell |
| 473 | command-and-control | T1071.004 | DNS | 1 | DNS Large Query Volume | 1700f5d6-5a44-487b-84de-bc66f507b0a6 | powershell |
| 474 | command-and-control | T1071.004 | DNS | 2 | DNS Regular Beaconing | 3efc144e-1af8-46bb-8ca2-1376bb6db8b6 | powershell |
| 475 | command-and-control | T1071.004 | DNS | 3 | DNS Long Domain Query | fef31710-223a-40ee-8462-a396d6b66978 | powershell |
| 476 | command-and-control | T1071.004 | DNS | 4 | DNS C2 | e7bf9802-2e78-4db9-93b5-181b7bcd37d7 | powershell |
| 477 | command-and-control | T1573 | Encrypted Channel | 1 | OpenSSL C2 | 21caf58e-87ad-440c-a6b8-3ac259964003 | powershell |
| 478 | command-and-control | T1105 | Ingress Tool Transfer | 7 | certutil download (urlcache) | dd3b61dd-7bbc-48cd-ab51-49ad1a776df0 | command_prompt |
| 479 | command-and-control | T1105 | Ingress Tool Transfer | 8 | certutil download (verifyctl) | ffd492e3-0455-4518-9fb1-46527c9f241b | powershell |
| 480 | command-and-control | T1105 | Ingress Tool Transfer | 9 | Windows - BITSAdmin BITS Download | a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b | command_prompt |
| 481 | command-and-control | T1105 | Ingress Tool Transfer | 10 | Windows - PowerShell Download | 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8 | powershell |
| 482 | command-and-control | T1105 | Ingress Tool Transfer | 11 | OSTAP Worming Activity | 2ca61766-b456-4fcf-a35a-1233685e1cad | command_prompt |
| 483 | command-and-control | T1105 | Ingress Tool Transfer | 12 | svchost writing a file to a UNC path | fa5a2759-41d7-4e13-a19c-e8f28a53566f | command_prompt |
| 484 | command-and-control | T1105 | Ingress Tool Transfer | 13 | Download a File with Windows Defender MpCmdRun.exe | 815bef8b-bf91-4b67-be4c-abe4c2a94ccc | command_prompt |
| 485 | command-and-control | T1090.001 | Internal Proxy | 3 | portproxy reg key | b8223ea9-4be2-44a6-b50a-9657a3d4e72a | powershell |
| 486 | command-and-control | T1095 | Non-Application Layer Protocol | 1 | ICMP C2 | 0268e63c-e244-42db-bef7-72a9e59fc1fc | powershell |
| 487 | command-and-control | T1095 | Non-Application Layer Protocol | 2 | Netcat C2 | bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37 | powershell |
| 488 | command-and-control | T1095 | Non-Application Layer Protocol | 3 | Powercat C2 | 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e | powershell |
| 489 | command-and-control | T1571 | Non-Standard Port | 1 | Testing usage of uncommonly used port with PowerShell | 21fe622f-8e53-4b31-ba83-6d333c2583f4 | powershell |
| 490 | command-and-control | T1219 | Remote Access Software | 1 | TeamViewer Files Detected Test on Windows | 8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0 | powershell |
| 491 | command-and-control | T1219 | Remote Access Software | 2 | AnyDesk Files Detected Test on Windows | 6b8b7391-5c0a-4f8c-baee-78d8ce0ce330 | powershell |
| 492 | command-and-control | T1219 | Remote Access Software | 3 | LogMeIn Files Detected Test on Windows | d03683ec-aae0-42f9-9b4c-534780e0f8e1 | powershell |
| 493 | command-and-control | T1071.001 | Web Protocols | 1 | Malicious User Agents - Powershell | 81c13829-f6c9-45b8-85a6-053366d55297 | powershell |
| 494 | command-and-control | T1071.001 | Web Protocols | 2 | Malicious User Agents - CMD | dc3488b0-08c7-4fea-b585-905c83b48180 | command_prompt |
| 495 | execution | T1053.002 | At (Windows) | 1 | At.exe Scheduled task | 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 | command_prompt |
| 496 | execution | T1559.002 | Dynamic Data Exchange | 1 | Execute Commands | f592ba2a-e9e8-4d62-a459-ef63abd819fd | manual |
| 497 | execution | T1559.002 | Dynamic Data Exchange | 2 | Execute PowerShell script via Word DDE | 47c21fb6-085e-4b0d-b4d2-26d72c3830b3 | command_prompt |
| 498 | execution | T1559.002 | Dynamic Data Exchange | 3 | DDEAUTO | cf91174c-4e74-414e-bec0-8d60a104d181 | manual |
| 499 | execution | T1204.002 | Malicious File | 1 | OSTap Style Macro Execution | 8bebc690-18c7-4549-bc98-210f7019efff | powershell |
| 500 | execution | T1204.002 | Malicious File | 2 | OSTap Payload Download | 3f3af983-118a-4fa1-85d3-ba4daa739d80 | command_prompt |
| 501 | execution | T1204.002 | Malicious File | 3 | Maldoc choice flags command execution | 0330a5d2-a45a-4272-a9ee-e364411c4b18 | powershell |
| 502 | execution | T1204.002 | Malicious File | 4 | OSTAP JS version | add560ef-20d6-4011-a937-2c340f930911 | powershell |
| 503 | execution | T1204.002 | Malicious File | 5 | Office launching .bat file from AppData | 9215ea92-1ded-41b7-9cd6-79f9a78397aa | powershell |
| 504 | execution | T1204.002 | Malicious File | 6 | Excel 4 Macro | 4ea1fc97-8a46-4b4e-ba48-af43d2a98052 | powershell |
| 505 | execution | T1106 | Native API | 1 | Execution through API - CreateProcess | 99be2089-c52d-4a4a-b5c3-261ee42c8b62 | command_prompt |
| 506 | execution | T1059.001 | PowerShell | 1 | Mimikatz | f3132740-55bc-48c4-bcc0-758a459cd027 | command_prompt |
| 507 | execution | T1059.001 | PowerShell | 2 | Run BloodHound from local disk | a21bb23e-e677-4ee7-af90-6931b57b6350 | powershell |
| 508 | execution | T1059.001 | PowerShell | 3 | Run Bloodhound from Memory using Download Cradle | bf8c1441-4674-4dab-8e4e-39d93d08f9b7 | powershell |
| 509 | execution | T1059.001 | PowerShell | 4 | Obfuscation Tests | 4297c41a-8168-4138-972d-01f3ee92c804 | powershell |
| 510 | execution | T1059.001 | PowerShell | 5 | Mimikatz - Cradlecraft PsSendKeys | af1800cf-9f9d-4fd1-a709-14b1e6de020d | powershell |
| 511 | execution | T1059.001 | PowerShell | 6 | Invoke-AppPathBypass | 06a220b6-7e29-4bd8-9d07-5b4d86742372 | command_prompt |
| 512 | execution | T1059.001 | PowerShell | 7 | Powershell MsXml COM object - with prompt | 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da | command_prompt |
| 513 | execution | T1059.001 | PowerShell | 8 | Powershell XML requests | 4396927f-e503-427b-b023-31049b9b09a6 | command_prompt |
| 514 | execution | T1059.001 | PowerShell | 9 | Powershell invoke mshta.exe download | 8a2ad40b-12c7-4b25-8521-2737b0a415af | command_prompt |
| 515 | execution | T1059.001 | PowerShell | 10 | Powershell Invoke-DownloadCradle | cc50fa2a-a4be-42af-a88f-e347ba0bf4d7 | manual |
| 516 | execution | T1059.001 | PowerShell | 11 | PowerShell Fileless Script Execution | fa050f5e-bc75-4230-af73-b6fd7852cd73 | powershell |
| 517 | execution | T1059.001 | PowerShell | 12 | PowerShell Downgrade Attack | 9148e7c4-9356-420e-a416-e896e9c0f73e | powershell |
| 518 | execution | T1059.001 | PowerShell | 13 | NTFS Alternate Data Stream Access | 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680 | powershell |
| 519 | execution | T1059.001 | PowerShell | 14 | PowerShell Session Creation and Use | 7c1acec2-78fa-4305-a3e0-db2a54cddecd | powershell |
| 520 | execution | T1059.001 | PowerShell | 15 | ATHPowerShellCommandLineParameter -Command parameter variations | 686a9785-f99b-41d4-90df-66ed515f81d7 | powershell |
| 521 | execution | T1059.001 | PowerShell | 16 | ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments | 1c0a870f-dc74-49cf-9afc-eccc45e58790 | powershell |
| 522 | execution | T1059.001 | PowerShell | 17 | ATHPowerShellCommandLineParameter -EncodedCommand parameter variations | 86a43bad-12e3-4e85-b97c-4d5cf25b95c3 | powershell |
| 523 | execution | T1059.001 | PowerShell | 18 | ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments | 0d181431-ddf3-4826-8055-2dbf63ae848b | powershell |
| 524 | execution | T1053.005 | Scheduled Task | 1 | Scheduled Task Startup Script | fec27f65-db86-4c2d-b66c-61945aee87c2 | command_prompt |
| 525 | execution | T1053.005 | Scheduled Task | 2 | Scheduled task Local | 42f53695-ad4a-4546-abb6-7d837f644a71 | command_prompt |
| 526 | execution | T1053.005 | Scheduled Task | 3 | Scheduled task Remote | 2e5eac3e-327b-4a88-a0c0-c4057039a8dd | command_prompt |
| 527 | execution | T1053.005 | Scheduled Task | 4 | Powershell Cmdlet Scheduled Task | af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd | powershell |
| 528 | execution | T1053.005 | Scheduled Task | 5 | Task Scheduler via VBA | ecd3fa21-7792-41a2-8726-2c5c673414d3 | powershell |
| 529 | execution | T1569.002 | Service Execution | 1 | Execute a Command as a Service | 2382dee2-a75f-49aa-9378-f52df6ed3fb1 | command_prompt |
| 530 | execution | T1569.002 | Service Execution | 2 | Use PsExec to execute a command on a remote host | 873106b7-cfed-454b-8680-fa9f6400431c | command_prompt |
| 531 | execution | T1059.005 | Visual Basic | 1 | Visual Basic script execution to gather local computer information | 1620de42-160a-4fe5-bbaf-d3fef0181ce9 | powershell |
| 532 | execution | T1059.005 | Visual Basic | 2 | Encoded VBS code execution | e8209d5f-e42d-45e6-9c2f-633ac4f1eefa | powershell |
| 533 | execution | T1059.005 | Visual Basic | 3 | Extract Memory via VBA | 8faff437-a114-4547-9a60-749652a03df6 | powershell |
| 534 | execution | T1059.003 | Windows Command Shell | 1 | Create and Execute Batch Script | 9e8894c0-50bd-4525-a96c-d4ac78ece388 | powershell |
| 535 | execution | T1047 | Windows Management Instrumentation | 1 | WMI Reconnaissance Users | c107778c-dcf5-47c5-af2e-1d058a3df3ea | command_prompt |
| 536 | execution | T1047 | Windows Management Instrumentation | 2 | WMI Reconnaissance Processes | 5750aa16-0e59-4410-8b9a-8a47ca2788e2 | command_prompt |
| 537 | execution | T1047 | Windows Management Instrumentation | 3 | WMI Reconnaissance Software | 718aebaa-d0e0-471a-8241-c5afa69c7414 | command_prompt |
| 538 | execution | T1047 | Windows Management Instrumentation | 4 | WMI Reconnaissance List Remote Services | 0fd48ef7-d890-4e93-a533-f7dedd5191d3 | command_prompt |
| 539 | execution | T1047 | Windows Management Instrumentation | 5 | WMI Execute Local Process | b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3 | command_prompt |
| 540 | execution | T1047 | Windows Management Instrumentation | 6 | WMI Execute Remote Process | 9c8ef159-c666-472f-9874-90c8d60d136b | command_prompt |
| 541 | exfiltration | T1020 | Automated Exfiltration | 1 | IcedID Botnet HTTP PUT | 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0 | powershell |
| 542 | exfiltration | T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | 2 | Exfiltration Over Alternative Protocol - ICMP | dd4b4421-2e25-4593-90ae-7021947ad12e | powershell |
| 543 | lateral-movement | T1021.003 | Distributed Component Object Model | 1 | PowerShell Lateral Movement using MMC20 | 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673 | powershell |
| 544 | lateral-movement | T1550.002 | Pass the Hash | 1 | Mimikatz Pass the Hash | ec23cef9-27d9-46e4-a68d-6f75f7b86908 | command_prompt |
| 545 | lateral-movement | T1550.002 | Pass the Hash | 2 | crackmapexec Pass the Hash | eb05b028-16c8-4ad8-adea-6f5b219da9a9 | command_prompt |
| 546 | lateral-movement | T1550.003 | Pass the Ticket | 1 | Mimikatz Kerberos Ticket Attack | dbf38128-7ba7-4776-bedf-cc2eed432098 | command_prompt |
| 547 | lateral-movement | T1563.002 | RDP Hijacking | 1 | RDP hijacking | a37ac520-b911-458e-8aed-c5f1576d9f46 | command_prompt |
| 548 | lateral-movement | T1021.001 | Remote Desktop Protocol | 1 | RDP to DomainController | 355d4632-8cb9-449d-91ce-b566d0253d3e | powershell |
| 549 | lateral-movement | T1021.001 | Remote Desktop Protocol | 2 | RDP to Server | 7382a43e-f19c-46be-8f09-5c63af7d3e2b | powershell |
| 550 | lateral-movement | T1021.002 | SMB/Windows Admin Shares | 1 | Map admin share | 3386975b-367a-4fbb-9d77-4dcf3639ffd3 | command_prompt |
| 551 | lateral-movement | T1021.002 | SMB/Windows Admin Shares | 2 | Map Admin Share PowerShell | 514e9cd7-9207-4882-98b1-c8f791bae3c5 | powershell |
| 552 | lateral-movement | T1021.002 | SMB/Windows Admin Shares | 3 | Copy and Execute File with PsExec | 0eb03d41-79e4-4393-8e57-6344856be1cf | command_prompt |
| 553 | lateral-movement | T1021.002 | SMB/Windows Admin Shares | 4 | Execute command writing output to local Admin Share | d41aaab5-bdfe-431d-a3d5-c29e9136ff46 | command_prompt |
| 554 | lateral-movement | T1021.006 | Windows Remote Management | 1 | Enable Windows Remote Management | 9059e8de-3d7d-4954-a322-46161880b9cf | powershell |
| 555 | lateral-movement | T1021.006 | Windows Remote Management | 2 | Invoke-Command | 5295bd61-bd7e-4744-9d52-85962a4cf2d6 | powershell |
| 556 | lateral-movement | T1021.006 | Windows Remote Management | 3 | WinRM Access with Evil-WinRM | efe86d95-44c4-4509-ae42-7bfd9d1f5b3d | powershell |
| 557 | initial-access | T1078.001 | Default Accounts | 1 | Enable Guest account with RDP capability and admin priviliges | 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 | command_prompt |
| 558 | initial-access | T1133 | External Remote Services | 1 | Running Chrome VPN Extensions via the Registry 2 vpn extension | 4c8db261-a58b-42a6-a866-0a294deedde4 | powershell |
| 559 | initial-access | T1078.003 | Local Accounts | 1 | Create local account with admin priviliges | a524ce99-86de-4db6-b4f9-e08f35a47a15 | command_prompt |
| 560 | initial-access | T1566.001 | Spearphishing Attachment | 1 | Download Phishing Attachment - VBScript | 114ccff9-ae6d-4547-9ead-4cd69f687306 | powershell |
| 561 | initial-access | T1566.001 | Spearphishing Attachment | 2 | Word spawned a command shell and used an IP address in the command line | cbb6799a-425c-4f83-9194-5447a909d67f | powershell |