atomic-red-team/atomics/Indexes/Indexes-CSV/index.csv at 985fc5a85a58edddfeacdc354ed856460a596cf9

Files

T

Atomic Red Team doc generator 985fc5a85a Generated docs from job=generate-docs branch=master [ci skip]

2022-05-10 14:38:48 +00:00

154 KiB

Raw Blame History

1	Tactic	Technique #	Technique Name	Test #	Test Name	Test GUID	Executor Name
2	credential-access	T1003.008	/etc/passwd and /etc/shadow	1	Access /etc/shadow (Local)	3723ab77-c546-403c-8fb4-bb577033b235	bash
3	credential-access	T1003.008	/etc/passwd and /etc/shadow	2	Access /etc/passwd (Local)	60e860b6-8ae6-49db-ad07-5e73edd88f5d	sh
4	credential-access	T1003.008	/etc/passwd and /etc/shadow	3	Access /etc/{shadow,passwd} with a standard bin that's not cat	df1a55ae-019d-4120-bc35-94f4bc5c4b0a	bash
5	credential-access	T1003.008	/etc/passwd and /etc/shadow	4	Access /etc/{shadow,passwd} with shell builtins	f5aa6543-6cb2-4fae-b9c2-b96e14721713	bash
6	credential-access	T1558.004	AS-REP Roasting	1	Rubeus asreproast	615bd568-2859-41b5-9aed-61f6a88e48dd	powershell
7	credential-access	T1558.004	AS-REP Roasting	2	Get-DomainUser with PowerView	d6139549-7b72-4e48-9ea1-324fc9bdf88a	powershell
8	credential-access	T1552.003	Bash History	1	Search Through Bash History	3cfde62b-7c33-4b26-a61e-755d6131c8ce	sh
9	credential-access	T1003.005	Cached Domain Credentials	1	Cached Credential Dump via Cmdkey	56506854-89d6-46a3-9804-b7fde90791f9	command_prompt
10	credential-access	T1552.007	Container API	1	ListSecrets	43c3a49d-d15c-45e6-b303-f6e177e44a9a	bash
11	credential-access	T1552.007	Container API	2	Cat the contents of a Kubernetes service account token file	788e0019-a483-45da-bcfe-96353d46820f	sh
12	credential-access	T1056.004	Credential API Hooking	1	Hook PowerShell TLS Encrypt/Decrypt Messages	de1934ea-1fbf-425b-8795-65fb27dd7e33	powershell
13	credential-access	T1110.004	Credential Stuffing	1	SSH Credential Stuffing From Linux	4f08197a-2a8a-472d-9589-cd2895ef22ad	bash
14	credential-access	T1110.004	Credential Stuffing	2	SSH Credential Stuffing From MacOS	d546a3d9-0be5-40c7-ad82-5a7d79e1b66b	bash
15	credential-access	T1552.001	Credentials In Files	1	Extract Browser and System credentials with LaZagne	9e507bb8-1d30-4e3b-a49b-cb5727d7ea79	bash
16	credential-access	T1552.001	Credentials In Files	2	Extract passwords with grep	bd4cf0d1-7646-474e-8610-78ccf5a097c4	sh
17	credential-access	T1552.001	Credentials In Files	3	Extracting passwords with findstr	0e56bf29-ff49-4ea5-9af4-3b81283fd513	powershell
18	credential-access	T1552.001	Credentials In Files	4	Access unattend.xml	367d4004-5fc0-446d-823f-960c74ae52c3	command_prompt
19	credential-access	T1552.001	Credentials In Files	5	Find and Access Github Credentials	da4f751a-020b-40d7-b9ff-d433b7799803	bash
20	credential-access	T1552.001	Credentials In Files	6	WinPwn - sensitivefiles	114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0	powershell
21	credential-access	T1552.001	Credentials In Files	7	WinPwn - Snaffler	fdd0c913-714b-4c13-b40f-1824d6c015f2	powershell
22	credential-access	T1552.001	Credentials In Files	8	WinPwn - powershellsensitive	75f66e03-37d3-4704-9520-3210efbe33ce	powershell
23	credential-access	T1552.001	Credentials In Files	9	WinPwn - passhunt	00e3e3c7-6c3c-455e-bd4b-461c7f0e7797	powershell
24	credential-access	T1552.001	Credentials In Files	10	WinPwn - SessionGopher	c9dc9de3-f961-4284-bd2d-f959c9f9fda5	powershell
25	credential-access	T1555	Credentials from Password Stores	1	Extract Windows Credential Manager via VBA	234f9b7c-b53d-4f32-897b-b880a6c9ea7b	powershell
26	credential-access	T1555	Credentials from Password Stores	2	Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]	c89becbe-1758-4e7d-a0f4-97d2188a23e3	powershell
27	credential-access	T1555	Credentials from Password Stores	3	Dump credentials from Windows Credential Manager With PowerShell [web Credentials]	8fd5a296-6772-4766-9991-ff4e92af7240	powershell
28	credential-access	T1555	Credentials from Password Stores	4	Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]	36753ded-e5c4-4eb5-bc3c-e8fba236878d	powershell
29	credential-access	T1555	Credentials from Password Stores	5	Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]	bc071188-459f-44d5-901a-f8f2625b2d2e	powershell
30	credential-access	T1555.003	Credentials from Web Browsers	1	Run Chrome-password Collector	8c05b133-d438-47ca-a630-19cc464c4622	powershell
31	credential-access	T1555.003	Credentials from Web Browsers	2	Search macOS Safari Cookies	c1402f7b-67ca-43a8-b5f3-3143abedc01b	sh
32	credential-access	T1555.003	Credentials from Web Browsers	3	LaZagne - Credentials from Browser	9a2915b3-3954-4cce-8c76-00fbf4dbd014	command_prompt
33	credential-access	T1555.003	Credentials from Web Browsers	4	Simulating access to Chrome Login Data	3d111226-d09a-4911-8715-fe11664f960d	powershell
34	credential-access	T1555.003	Credentials from Web Browsers	5	Simulating access to Opera Login Data	28498c17-57e4-495a-b0be-cc1e36de408b	powershell
35	credential-access	T1555.003	Credentials from Web Browsers	6	Simulating access to Windows Firefox Login Data	eb8da98a-2e16-4551-b3dd-83de49baa14c	powershell
36	credential-access	T1555.003	Credentials from Web Browsers	7	Simulating access to Windows Edge Login Data	a6a5ec26-a2d1-4109-9d35-58b867689329	powershell
37	credential-access	T1555.003	Credentials from Web Browsers	8	Decrypt Mozilla Passwords with Firepwd.py	dc9cd677-c70f-4df5-bd1c-f114af3c2381	powershell
38	credential-access	T1555.003	Credentials from Web Browsers	9	LaZagne.py - Dump Credentials from Firefox Browser	87e88698-621b-4c45-8a89-4eaebdeaabb1	sh
39	credential-access	T1552.002	Credentials in Registry	1	Enumeration for Credentials in Registry	b6ec082c-7384-46b3-a111-9a9b8b14e5e7	command_prompt
40	credential-access	T1552.002	Credentials in Registry	2	Enumeration for PuTTY Credentials in Registry	af197fd7-e868-448e-9bd5-05d1bcd9d9e5	command_prompt
41	credential-access	T1003.006	DCSync	1	DCSync (Active Directory)	129efd28-8497-4c87-a1b0-73b9a870ca3e	command_prompt
42	credential-access	T1003.006	DCSync	2	Run DSInternals Get-ADReplAccount	a0bced08-3fc5-4d8b-93b7-e8344739376e	powershell
43	credential-access	T1187	Forced Authentication	1	PetitPotam	485ce873-2e65-4706-9c7e-ae3ab9e14213	powershell
44	credential-access	T1056.002	GUI Input Capture	1	AppleScript - Prompt User for Password	76628574-0bc1-4646-8fe2-8f4427b47d15	bash
45	credential-access	T1056.002	GUI Input Capture	2	PowerShell - Prompt User for Password	2b162bfd-0928-4d4c-9ec3-4d9f88374b52	powershell
46	credential-access	T1558.001	Golden Ticket	1	Crafting Active Directory golden tickets with mimikatz	9726592a-dabc-4d4d-81cd-44070008b3af	powershell
47	credential-access	T1558.001	Golden Ticket	2	Crafting Active Directory golden tickets with Rubeus	e42d33cd-205c-4acf-ab59-a9f38f6bad9c	powershell
48	credential-access	T1552.006	Group Policy Preferences	1	GPP Passwords (findstr)	870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f	command_prompt
49	credential-access	T1552.006	Group Policy Preferences	2	GPP Passwords (Get-GPPPassword)	e9584f82-322c-474a-b831-940fd8b4455c	powershell
50	credential-access	T1558.003	Kerberoasting	1	Request for service tickets	3f987809-3681-43c8-bcd8-b3ff3a28533a	powershell
51	credential-access	T1558.003	Kerberoasting	2	Rubeus kerberoast	14625569-6def-4497-99ac-8e7817105b55	powershell
52	credential-access	T1558.003	Kerberoasting	3	Extract all accounts in use as SPN using setspn	e6f4affd-d826-4871-9a62-6c9004b8fe06	command_prompt
53	credential-access	T1558.003	Kerberoasting	4	Request A Single Ticket via PowerShell	988539bc-2ed7-4e62-aec6-7c5cf6680863	powershell
54	credential-access	T1558.003	Kerberoasting	5	Request All Tickets via PowerShell	902f4ed2-1aba-4133-90f2-cff6d299d6da	powershell
55	credential-access	T1555.001	Keychain	1	Keychain	1864fdec-ff86-4452-8c30-f12507582a93	sh
56	credential-access	T1056.001	Keylogging	1	Input Capture	d9b633ca-8efb-45e6-b838-70f595c6ae26	powershell
57	credential-access	T1056.001	Keylogging	2	Living off the land Terminal Input Capture on Linux with pam.d	9c6bdb34-a89f-4b90-acb1-5970614c711b	sh
58	credential-access	T1056.001	Keylogging	3	Logging bash history to syslog	0e59d59d-3265-4d35-bebd-bf5c1ec40db5	sh
59	credential-access	T1056.001	Keylogging	4	Bash session based keylogger	7f85a946-a0ea-48aa-b6ac-8ff539278258	sh
60	credential-access	T1056.001	Keylogging	5	SSHD PAM keylogger	81d7d2ad-d644-4b6a-bea7-28ffe43becca	sh
61	credential-access	T1056.001	Keylogging	6	Auditd keylogger	a668edb9-334e-48eb-8c2e-5413a40867af	sh
62	credential-access	T1557.001	LLMNR/NBT-NS Poisoning and SMB Relay	1	LLMNR Poisoning with Inveigh (PowerShell)	deecd55f-afe0-4a62-9fba-4d1ba2deb321	powershell
63	credential-access	T1003.004	LSA Secrets	1	Dumping LSA Secrets	55295ab0-a703-433b-9ca4-ae13807de12f	command_prompt
64	credential-access	T1003.001	LSASS Memory	1	Dump LSASS.exe Memory using ProcDump	0be2230c-9ab3-4ac2-8826-3199b9a0ebf8	command_prompt
65	credential-access	T1003.001	LSASS Memory	2	Dump LSASS.exe Memory using comsvcs.dll	2536dee2-12fb-459a-8c37-971844fa73be	powershell
66	credential-access	T1003.001	LSASS Memory	3	Dump LSASS.exe Memory using direct system calls and API unhooking	7ae7102c-a099-45c8-b985-4c7a2d05790d	command_prompt
67	credential-access	T1003.001	LSASS Memory	4	Dump LSASS.exe Memory using NanoDump	dddd4aca-bbed-46f0-984d-e4c5971c51ea	command_prompt
68	credential-access	T1003.001	LSASS Memory	5	Dump LSASS.exe Memory using Windows Task Manager	dea6c349-f1c6-44f3-87a1-1ed33a59a607	manual
69	credential-access	T1003.001	LSASS Memory	6	Offline Credential Theft With Mimikatz	453acf13-1dbd-47d7-b28a-172ce9228023	command_prompt
70	credential-access	T1003.001	LSASS Memory	7	LSASS read with pypykatz	c37bc535-5c62-4195-9cc3-0517673171d8	command_prompt
71	credential-access	T1003.001	LSASS Memory	8	Dump LSASS.exe Memory using Out-Minidump.ps1	6502c8f0-b775-4dbd-9193-1298f56b6781	powershell
72	credential-access	T1003.001	LSASS Memory	9	Create Mini Dump of LSASS.exe using ProcDump	7cede33f-0acd-44ef-9774-15511300b24b	command_prompt
73	credential-access	T1003.001	LSASS Memory	10	Powershell Mimikatz	66fb0bc1-3c3f-47e9-a298-550ecfefacbc	powershell
74	credential-access	T1003.001	LSASS Memory	11	Dump LSASS with .Net 5 createdump.exe	9d0072c8-7cca-45c4-bd14-f852cfa35cf0	powershell
75	credential-access	T1003.001	LSASS Memory	12	Dump LSASS.exe using imported Microsoft DLLs	86fc3f40-237f-4701-b155-81c01c48d697	powershell
76	credential-access	T1003.003	NTDS	1	Create Volume Shadow Copy with vssadmin	dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f	command_prompt
77	credential-access	T1003.003	NTDS	2	Copy NTDS.dit from Volume Shadow Copy	c6237146-9ea6-4711-85c9-c56d263a6b03	command_prompt
78	credential-access	T1003.003	NTDS	3	Dump Active Directory Database with NTDSUtil	2364e33d-ceab-4641-8468-bfb1d7cc2723	command_prompt
79	credential-access	T1003.003	NTDS	4	Create Volume Shadow Copy with WMI	224f7de0-8f0a-4a94-b5d8-989b036c86da	command_prompt
80	credential-access	T1003.003	NTDS	5	Create Volume Shadow Copy remotely with WMI	d893459f-71f0-484d-9808-ec83b2b64226	command_prompt
81	credential-access	T1003.003	NTDS	6	Create Volume Shadow Copy remotely (WMI) with esentutl	21c7bf80-3e8b-40fa-8f9d-f5b194ff2865	command_prompt
82	credential-access	T1003.003	NTDS	7	Create Volume Shadow Copy with Powershell	542bb97e-da53-436b-8e43-e0a7d31a6c24	powershell
83	credential-access	T1003.003	NTDS	8	Create Symlink to Volume Shadow Copy	21748c28-2793-4284-9e07-d6d028b66702	command_prompt
84	credential-access	T1040	Network Sniffing	1	Packet Capture Linux	7fe741f7-b265-4951-a7c7-320889083b3e	bash
85	credential-access	T1040	Network Sniffing	2	Packet Capture macOS	9d04efee-eff5-4240-b8d2-07792b873608	bash
86	credential-access	T1040	Network Sniffing	3	Packet Capture Windows Command Prompt	a5b2f6a0-24b4-493e-9590-c699f75723ca	command_prompt
87	credential-access	T1040	Network Sniffing	4	Windows Internal Packet Capture	b5656f67-d67f-4de8-8e62-b5581630f528	command_prompt
88	credential-access	T1003	OS Credential Dumping	1	Gsecdump	96345bfc-8ae7-4b6a-80b7-223200f24ef9	command_prompt
89	credential-access	T1003	OS Credential Dumping	2	Credential Dumping with NPPSpy	9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6	powershell
90	credential-access	T1003	OS Credential Dumping	3	Dump svchost.exe to gather RDP credentials	d400090a-d8ca-4be0-982e-c70598a23de9	powershell
91	credential-access	T1110.002	Password Cracking	1	Password Cracking with Hashcat	6d27df5d-69d4-4c91-bc33-5983ffe91692	command_prompt
92	credential-access	T1556.002	Password Filter DLL	1	Install and Register Password Filter DLL	a7961770-beb5-4134-9674-83d7e1fa865c	powershell
93	credential-access	T1110.001	Password Guessing	1	Brute Force Credentials of single Active Directory domain users via SMB	09480053-2f98-4854-be6e-71ae5f672224	command_prompt
94	credential-access	T1110.001	Password Guessing	2	Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)	c2969434-672b-4ec8-8df0-bbb91f40e250	powershell
95	credential-access	T1110.001	Password Guessing	3	Brute Force Credentials of single Azure AD user	5a51ef57-299e-4d62-8e11-2d440df55e69	powershell
96	credential-access	T1110.001	Password Guessing	4	SUDO brute force Debian	464b63e8-bf1f-422e-9e2c-2aa5080b6f9a	sh
97	credential-access	T1110.001	Password Guessing	5	SUDO brute force Redhat	b72958a7-53e3-4809-9ee1-58f6ecd99ade	sh
98	credential-access	T1110.003	Password Spraying	1	Password Spray all Domain Users	90bc2e54-6c84-47a5-9439-0a2a92b4b175	command_prompt
99	credential-access	T1110.003	Password Spraying	2	Password Spray (DomainPasswordSpray)	263ae743-515f-4786-ac7d-41ef3a0d4b2b	powershell
100	credential-access	T1110.003	Password Spraying	3	Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)	f14d956a-5b6e-4a93-847f-0c415142f07d	powershell
101	credential-access	T1110.003	Password Spraying	4	Password spray all Azure AD users with a single password	a8aa2d3e-1c52-4016-bc73-0f8854cfa80a	powershell
102	credential-access	T1556.003	Pluggable Authentication Modules	1	Malicious PAM rule	4b9dde80-ae22-44b1-a82a-644bf009eb9c	sh
103	credential-access	T1556.003	Pluggable Authentication Modules	2	Malicious PAM module	65208808-3125-4a2e-8389-a0a00e9ab326	sh
104	credential-access	T1552.004	Private Keys	1	Private Keys	520ce462-7ca7-441e-b5a5-f8347f632696	command_prompt
105	credential-access	T1552.004	Private Keys	2	Discover Private SSH Keys	46959285-906d-40fa-9437-5a439accd878	sh
106	credential-access	T1552.004	Private Keys	3	Copy Private SSH Keys with CP	7c247dc7-5128-4643-907b-73a76d9135c3	sh
107	credential-access	T1552.004	Private Keys	4	Copy Private SSH Keys with rsync	864bb0b2-6bb5-489a-b43b-a77b3a16d68a	sh
108	credential-access	T1552.004	Private Keys	5	Copy the users GnuPG directory with rsync	2a5a0601-f5fb-4e2e-aa09-73282ae6afca	sh
109	credential-access	T1552.004	Private Keys	6	ADFS token signing and encryption certificates theft - Local	78e95057-d429-4e66-8f82-0f060c1ac96f	powershell
110	credential-access	T1552.004	Private Keys	7	ADFS token signing and encryption certificates theft - Remote	cab413d8-9e4a-4b8d-9b84-c985bd73a442	powershell
111	credential-access	T1003.007	Proc Filesystem	1	Dump individual process memory with sh (Local)	7e91138a-8e74-456d-a007-973d67a0bb80	sh
112	credential-access	T1003.007	Proc Filesystem	2	Dump individual process memory with Python (Local)	437b2003-a20d-4ed8-834c-4964f24eec63	sh
113	credential-access	T1003.007	Proc Filesystem	3	Capture Passwords with MimiPenguin	a27418de-bdce-4ebd-b655-38f04842bf0c	bash
114	credential-access	T1606.002	SAML Tokens	1	Golden SAML	b16a03bc-1089-4dcc-ad98-30fe8f3a2b31	powershell
115	credential-access	T1003.002	Security Account Manager	1	Registry dump of SAM, creds, and secrets	5c2571d0-1572-416d-9676-812e64ca9f44	command_prompt
116	credential-access	T1003.002	Security Account Manager	2	Registry parse with pypykatz	a96872b2-cbf3-46cf-8eb4-27e8c0e85263	command_prompt
117	credential-access	T1003.002	Security Account Manager	3	esentutl.exe SAM copy	a90c2f4d-6726-444e-99d2-a00cd7c20480	command_prompt
118	credential-access	T1003.002	Security Account Manager	4	PowerDump Hashes and Usernames from Registry	804f28fc-68fc-40da-b5a2-e9d0bce5c193	powershell
119	credential-access	T1003.002	Security Account Manager	5	dump volume shadow copy hives with certutil	eeb9751a-d598-42d3-b11c-c122d9c3f6c7	powershell
120	credential-access	T1003.002	Security Account Manager	6	dump volume shadow copy hives with System.IO.File	9d77fed7-05f8-476e-a81b-8ff0472c64d0	powershell
121	credential-access	T1558.002	Silver Ticket	1	Crafting Active Directory silver tickets with mimikatz	385e59aa-113e-4711-84d9-f637aef01f2c	powershell
122	credential-access	T1539	Steal Web Session Cookie	1	Steal Firefox Cookies (Windows)	4b437357-f4e9-4c84-9fa6-9bcee6f826aa	powershell
123	credential-access	T1539	Steal Web Session Cookie	2	Steal Chrome Cookies (Windows)	26a6b840-4943-4965-8df5-ef1f9a282440	powershell
124	credential-access	T1555.004	Windows Credential Manager	1	Access Saved Credentials via VaultCmd	9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439	command_prompt
125	collection	T1560	Archive Collected Data	1	Compress Data for Exfiltration With PowerShell	41410c60-614d-4b9d-b66e-b0192dd9c597	powershell
126	collection	T1560.002	Archive via Library	1	Compressing data using GZip in Python (Linux)	391f5298-b12d-4636-8482-35d9c17d53a8	bash
127	collection	T1560.002	Archive via Library	2	Compressing data using bz2 in Python (Linux)	c75612b2-9de0-4d7c-879c-10d7b077072d	bash
128	collection	T1560.002	Archive via Library	3	Compressing data using zipfile in Python (Linux)	001a042b-859f-44d9-bf81-fd1c4e2200b0	bash
129	collection	T1560.002	Archive via Library	4	Compressing data using tarfile in Python (Linux)	e86f1b4b-fcc1-4a2a-ae10-b49da01458db	bash
130	collection	T1560.001	Archive via Utility	1	Compress Data for Exfiltration With Rar	02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0	command_prompt
131	collection	T1560.001	Archive via Utility	2	Compress Data and lock with password for Exfiltration with winrar	8dd61a55-44c6-43cc-af0c-8bdda276860c	command_prompt
132	collection	T1560.001	Archive via Utility	3	Compress Data and lock with password for Exfiltration with winzip	01df0353-d531-408d-a0c5-3161bf822134	command_prompt
133	collection	T1560.001	Archive via Utility	4	Compress Data and lock with password for Exfiltration with 7zip	d1334303-59cb-4a03-8313-b3e24d02c198	command_prompt
134	collection	T1560.001	Archive via Utility	5	Data Compressed - nix - zip	c51cec55-28dd-4ad2-9461-1eacbc82c3a0	sh
135	collection	T1560.001	Archive via Utility	6	Data Compressed - nix - gzip Single File	cde3c2af-3485-49eb-9c1f-0ed60e9cc0af	sh
136	collection	T1560.001	Archive via Utility	7	Data Compressed - nix - tar Folder or File	7af2b51e-ad1c-498c-aca8-d3290c19535a	sh
137	collection	T1560.001	Archive via Utility	8	Data Encrypted with zip and gpg symmetric	0286eb44-e7ce-41a0-b109-3da516e05a5f	sh
138	collection	T1123	Audio Capture	1	using device audio capture commandlet	9c3ad250-b185-4444-b5a9-d69218a10c95	powershell
139	collection	T1123	Audio Capture	2	Registry artefact when application use microphone	7a21cce2-6ada-4f7c-afd9-e1e9c481e44a	command_prompt
140	collection	T1119	Automated Collection	1	Automated Collection Command Prompt	cb379146-53f1-43e0-b884-7ce2c635ff5b	command_prompt
141	collection	T1119	Automated Collection	2	Automated Collection PowerShell	634bd9b9-dc83-4229-b19f-7f83ba9ad313	powershell
142	collection	T1119	Automated Collection	3	Recon information for export with PowerShell	c3f6d794-50dd-482f-b640-0384fbb7db26	powershell
143	collection	T1119	Automated Collection	4	Recon information for export with Command Prompt	aa1180e2-f329-4e1e-8625-2472ec0bfaf3	command_prompt
144	collection	T1115	Clipboard Data	1	Utilize Clipboard to store or execute commands from	0cd14633-58d4-4422-9ede-daa2c9474ae7	command_prompt
145	collection	T1115	Clipboard Data	2	Execute Commands from Clipboard using PowerShell	d6dc21af-bec9-4152-be86-326b6babd416	powershell
146	collection	T1115	Clipboard Data	3	Execute commands from clipboard	1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff	bash
147	collection	T1115	Clipboard Data	4	Collect Clipboard Data via VBA	9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52	powershell
148	collection	T1056.004	Credential API Hooking	1	Hook PowerShell TLS Encrypt/Decrypt Messages	de1934ea-1fbf-425b-8795-65fb27dd7e33	powershell
149	collection	T1039	Data from Network Shared Drive	1	Copy a sensitive File over Administive share with copy	6ed67921-1774-44ba-bac6-adb51ed60660	command_prompt
150	collection	T1039	Data from Network Shared Drive	2	Copy a sensitive File over Administive share with Powershell	7762e120-5879-44ff-97f8-008b401b9a98	powershell
151	collection	T1056.002	GUI Input Capture	1	AppleScript - Prompt User for Password	76628574-0bc1-4646-8fe2-8f4427b47d15	bash
152	collection	T1056.002	GUI Input Capture	2	PowerShell - Prompt User for Password	2b162bfd-0928-4d4c-9ec3-4d9f88374b52	powershell
153	collection	T1056.001	Keylogging	1	Input Capture	d9b633ca-8efb-45e6-b838-70f595c6ae26	powershell
154	collection	T1056.001	Keylogging	2	Living off the land Terminal Input Capture on Linux with pam.d	9c6bdb34-a89f-4b90-acb1-5970614c711b	sh
155	collection	T1056.001	Keylogging	3	Logging bash history to syslog	0e59d59d-3265-4d35-bebd-bf5c1ec40db5	sh
156	collection	T1056.001	Keylogging	4	Bash session based keylogger	7f85a946-a0ea-48aa-b6ac-8ff539278258	sh
157	collection	T1056.001	Keylogging	5	SSHD PAM keylogger	81d7d2ad-d644-4b6a-bea7-28ffe43becca	sh
158	collection	T1056.001	Keylogging	6	Auditd keylogger	a668edb9-334e-48eb-8c2e-5413a40867af	sh
159	collection	T1557.001	LLMNR/NBT-NS Poisoning and SMB Relay	1	LLMNR Poisoning with Inveigh (PowerShell)	deecd55f-afe0-4a62-9fba-4d1ba2deb321	powershell
160	collection	T1074.001	Local Data Staging	1	Stage data from Discovery.bat	107706a5-6f9f-451a-adae-bab8c667829f	powershell
161	collection	T1074.001	Local Data Staging	2	Stage data from Discovery.sh	39ce0303-ae16-4b9e-bb5b-4f53e8262066	bash
162	collection	T1074.001	Local Data Staging	3	Zip a Folder with PowerShell for Staging in Temp	a57fbe4b-3440-452a-88a7-943531ac872a	powershell
163	collection	T1114.001	Local Email Collection	1	Email Collection with PowerShell Get-Inbox	3f1b5096-0139-4736-9b78-19bcb02bb1cb	powershell
164	collection	T1113	Screen Capture	1	Screencapture	0f47ceb1-720f-4275-96b8-21f0562217ac	bash
165	collection	T1113	Screen Capture	2	Screencapture (silent)	deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4	bash
166	collection	T1113	Screen Capture	3	X Windows Capture	8206dd0c-faf6-4d74-ba13-7fbe13dce6ac	bash
167	collection	T1113	Screen Capture	4	Capture Linux Desktop using Import Tool	9cd1cccb-91e4-4550-9139-e20a586fcea1	bash
168	collection	T1113	Screen Capture	5	Windows Screencapture	3c898f62-626c-47d5-aad2-6de873d69153	powershell
169	collection	T1113	Screen Capture	6	Windows Screen Capture (CopyFromScreen)	e9313014-985a-48ef-80d9-cde604ffc187	powershell
170	collection	T1125	Video Capture	1	Registry artefact when application use webcam	6581e4a7-42e3-43c5-a0d2-5a0d62f9702a	command_prompt
171	privilege-escalation	T1546.008	Accessibility Features	1	Attaches Command Prompt as a Debugger to a List of Target Processes	3309f53e-b22b-4eb6-8fd2-a6cf58b355a9	powershell
172	privilege-escalation	T1546.008	Accessibility Features	2	Replace binary of sticky keys	934e90cf-29ca-48b3-863c-411737ad44e3	command_prompt
173	privilege-escalation	T1546.010	AppInit DLLs	1	Install AppInit Shim	a58d9386-3080-4242-ab5f-454c16503d18	command_prompt
174	privilege-escalation	T1546.011	Application Shimming	1	Application Shim Installation	9ab27e22-ee62-4211-962b-d36d9a0e6a18	command_prompt
175	privilege-escalation	T1546.011	Application Shimming	2	New shim database files created in the default shim database directory	aefd6866-d753-431f-a7a4-215ca7e3f13d	powershell
176	privilege-escalation	T1546.011	Application Shimming	3	Registry key creation and/or modification events for SDB	9b6a06f9-ab5e-4e8d-8289-1df4289db02f	powershell
177	privilege-escalation	T1055.004	Asynchronous Procedure Call	1	Process Injection via C#	611b39b7-e243-4c81-87a4-7145a90358b1	command_prompt
178	privilege-escalation	T1053.001	At (Linux)	1	At - Schedule a job	7266d898-ac82-4ec0-97c7-436075d0d08e	sh
179	privilege-escalation	T1053.002	At (Windows)	1	At.exe Scheduled task	4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8	command_prompt
180	privilege-escalation	T1547.002	Authentication Package	1	Authentication Package	be2590e8-4ac3-47ac-b4b5-945820f2fbe9	powershell
181	privilege-escalation	T1547	Boot or Logon Autostart Execution	1	Add a driver	cb01b3da-b0e7-4e24-bf6d-de5223526785	command_prompt
182	privilege-escalation	T1548.002	Bypass User Account Control	1	Bypass UAC using Event Viewer (cmd)	5073adf8-9a50-4bd9-b298-a9bd2ead8af9	command_prompt
183	privilege-escalation	T1548.002	Bypass User Account Control	2	Bypass UAC using Event Viewer (PowerShell)	a6ce9acf-842a-4af6-8f79-539be7608e2b	powershell
184	privilege-escalation	T1548.002	Bypass User Account Control	3	Bypass UAC using Fodhelper	58f641ea-12e3-499a-b684-44dee46bd182	command_prompt
185	privilege-escalation	T1548.002	Bypass User Account Control	4	Bypass UAC using Fodhelper - PowerShell	3f627297-6c38-4e7d-a278-fc2563eaaeaa	powershell
186	privilege-escalation	T1548.002	Bypass User Account Control	5	Bypass UAC using ComputerDefaults (PowerShell)	3c51abf2-44bf-42d8-9111-dc96ff66750f	powershell
187	privilege-escalation	T1548.002	Bypass User Account Control	6	Bypass UAC by Mocking Trusted Directories	f7a35090-6f7f-4f64-bb47-d657bf5b10c1	command_prompt
188	privilege-escalation	T1548.002	Bypass User Account Control	7	Bypass UAC using sdclt DelegateExecute	3be891eb-4608-4173-87e8-78b494c029b7	powershell
189	privilege-escalation	T1548.002	Bypass User Account Control	8	Disable UAC using reg.exe	9e8af564-53ec-407e-aaa8-3cb20c3af7f9	command_prompt
190	privilege-escalation	T1548.002	Bypass User Account Control	9	Bypass UAC using SilentCleanup task	28104f8a-4ff1-4582-bcf6-699dce156608	command_prompt
191	privilege-escalation	T1548.002	Bypass User Account Control	10	UACME Bypass Method 23	8ceab7a2-563a-47d2-b5ba-0995211128d7	command_prompt
192	privilege-escalation	T1548.002	Bypass User Account Control	11	UACME Bypass Method 31	b0f76240-9f33-4d34-90e8-3a7d501beb15	command_prompt
193	privilege-escalation	T1548.002	Bypass User Account Control	12	UACME Bypass Method 33	e514bb03-f71c-4b22-9092-9f961ec6fb03	command_prompt
194	privilege-escalation	T1548.002	Bypass User Account Control	13	UACME Bypass Method 34	695b2dac-423e-448e-b6ef-5b88e93011d6	command_prompt
195	privilege-escalation	T1548.002	Bypass User Account Control	14	UACME Bypass Method 39	56163687-081f-47da-bb9c-7b231c5585cf	command_prompt
196	privilege-escalation	T1548.002	Bypass User Account Control	15	UACME Bypass Method 56	235ec031-cd2d-465d-a7ae-68bab281e80e	command_prompt
197	privilege-escalation	T1548.002	Bypass User Account Control	16	UACME Bypass Method 59	dfb1b667-4bb8-4a63-a85e-29936ea75f29	command_prompt
198	privilege-escalation	T1548.002	Bypass User Account Control	17	UACME Bypass Method 61	7825b576-744c-4555-856d-caf3460dc236	command_prompt
199	privilege-escalation	T1574.012	COR_PROFILER	1	User scope COR_PROFILER	9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a	powershell
200	privilege-escalation	T1574.012	COR_PROFILER	2	System Scope COR_PROFILER	f373b482-48c8-4ce4-85ed-d40c8b3f7310	powershell
201	privilege-escalation	T1574.012	COR_PROFILER	3	Registry-free process scope COR_PROFILER	79d57242-bbef-41db-b301-9d01d9f6e817	powershell
202	privilege-escalation	T1546.001	Change Default File Association	1	Change Default File Association	10a08978-2045-4d62-8c42-1957bbbea102	command_prompt
203	privilege-escalation	T1078.004	Cloud Accounts	1	Creating GCP Service Account and Service Account Key	9fdd83fd-bd53-46e5-a716-9dec89c8ae8e	gcloud
204	privilege-escalation	T1546.015	Component Object Model Hijacking	1	COM Hijacking - InprocServer32	48117158-d7be-441b-bc6a-d9e36e47b52b	powershell
205	privilege-escalation	T1546.015	Component Object Model Hijacking	2	Powershell Execute COM Object	752191b1-7c71-445c-9dbe-21bb031b18eb	powershell
206	privilege-escalation	T1053.007	Container Orchestration Job	1	ListCronjobs	ddfb0bc1-3c3f-47e9-a298-550ecfefacbd	bash
207	privilege-escalation	T1053.007	Container Orchestration Job	2	CreateCronjob	f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3	bash
208	privilege-escalation	T1134.002	Create Process with Token	1	Access Token Manipulation	dbf4f5a9-b8e0-46a3-9841-9ad71247239e	powershell
209	privilege-escalation	T1053.003	Cron	1	Cron - Replace crontab with referenced file	435057fb-74b1-410e-9403-d81baf194f75	bash
210	privilege-escalation	T1053.003	Cron	2	Cron - Add script to all cron subfolders	b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0	bash
211	privilege-escalation	T1053.003	Cron	3	Cron - Add script to /var/spool/cron/crontabs/ folder	2d943c18-e74a-44bf-936f-25ade6cccab4	bash
212	privilege-escalation	T1574.001	DLL Search Order Hijacking	1	DLL Search Order Hijacking - amsi.dll	8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3	command_prompt
213	privilege-escalation	T1574.002	DLL Side-Loading	1	DLL Side-Loading using the Notepad++ GUP.exe binary	65526037-7079-44a9-bda1-2cb624838040	command_prompt
214	privilege-escalation	T1078.001	Default Accounts	1	Enable Guest account with RDP capability and admin privileges	99747561-ed8d-47f2-9c91-1e5fde1ed6e0	command_prompt
215	privilege-escalation	T1078.001	Default Accounts	2	Activate Guest Account	aa6cb8c4-b582-4f8e-b677-37733914abda	command_prompt
216	privilege-escalation	T1484.002	Domain Trust Modification	1	Add Federation to Azure AD	8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7	powershell
217	privilege-escalation	T1574.006	Dynamic Linker Hijacking	1	Shared Library Injection via /etc/ld.so.preload	39cb0e67-dd0d-4b74-a74b-c072db7ae991	bash
218	privilege-escalation	T1574.006	Dynamic Linker Hijacking	2	Shared Library Injection via LD_PRELOAD	bc219ff7-789f-4d51-9142-ecae3397deae	bash
219	privilege-escalation	T1055.001	Dynamic-link Library Injection	1	Process Injection via mavinject.exe	74496461-11a1-4982-b439-4d87a550d254	powershell
220	privilege-escalation	T1546.014	Emond	1	Persistance with Event Monitor - emond	23c9c127-322b-4c75-95ca-eff464906114	sh
221	privilege-escalation	T1611	Escape to Host	1	Deploy container using nsenter container escape	0b2f9520-a17a-4671-9dba-3bd034099fff	sh
222	privilege-escalation	T1546.012	Image File Execution Options Injection	1	IFEO Add Debugger	fdda2626-5234-4c90-b163-60849a24c0b8	command_prompt
223	privilege-escalation	T1546.012	Image File Execution Options Injection	2	IFEO Global Flags	46b1f278-c8ee-4aa5-acce-65e77b11f3c1	command_prompt
224	privilege-escalation	T1547.006	Kernel Modules and Extensions	1	Linux - Load Kernel Module via insmod	687dcb93-9656-4853-9c36-9977315e9d23	bash
225	privilege-escalation	T1543.001	Launch Agent	1	Launch Agent	a5983dee-bf6c-4eaf-951c-dbc1a7b90900	bash
226	privilege-escalation	T1543.004	Launch Daemon	1	Launch Daemon	03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf	bash
227	privilege-escalation	T1053.004	Launchd	1	Event Monitor Daemon Persistence	11979f23-9b9d-482a-9935-6fc9cd022c3e	bash
228	privilege-escalation	T1078.003	Local Accounts	1	Create local account with admin privileges	a524ce99-86de-4db6-b4f9-e08f35a47a15	command_prompt
229	privilege-escalation	T1078.003	Local Accounts	2	Create local account with admin privileges - MacOS	f1275566-1c26-4b66-83e3-7f9f7f964daa	bash
230	privilege-escalation	T1037.002	Logon Script (Mac)	1	Logon Scripts - Mac	f047c7de-a2d9-406e-a62b-12a09d9516f4	manual
231	privilege-escalation	T1037.001	Logon Script (Windows)	1	Logon Scripts	d6042746-07d4-4c92-9ad8-e644c114a231	command_prompt
232	privilege-escalation	T1546.007	Netsh Helper DLL	1	Netsh Helper DLL Registration	3244697d-5a3a-4dfc-941c-550f69f91a4d	command_prompt
233	privilege-escalation	T1134.004	Parent PID Spoofing	1	Parent PID Spoofing using PowerShell	069258f4-2162-46e9-9a25-c9c6c56150d2	powershell
234	privilege-escalation	T1134.004	Parent PID Spoofing	2	Parent PID Spoofing - Spawn from Current Process	14920ebd-1d61-491a-85e0-fe98efe37f25	powershell
235	privilege-escalation	T1134.004	Parent PID Spoofing	3	Parent PID Spoofing - Spawn from Specified Process	cbbff285-9051-444a-9d17-c07cd2d230eb	powershell
236	privilege-escalation	T1134.004	Parent PID Spoofing	4	Parent PID Spoofing - Spawn from svchost.exe	e9f2b777-3123-430b-805d-5cedc66ab591	powershell
237	privilege-escalation	T1134.004	Parent PID Spoofing	5	Parent PID Spoofing - Spawn from New Process	2988133e-561c-4e42-a15f-6281e6a9b2db	powershell
238	privilege-escalation	T1574.009	Path Interception by Unquoted Path	1	Execution of program.exe as service with unquoted service path	2770dea7-c50f-457b-84c4-c40a47460d9f	command_prompt
239	privilege-escalation	T1547.011	Plist Modification	1	Plist Modification	394a538e-09bb-4a4a-95d1-b93cf12682a8	manual
240	privilege-escalation	T1547.010	Port Monitors	1	Add Port Monitor persistence in Registry	d34ef297-f178-4462-871e-9ce618d44e50	command_prompt
241	privilege-escalation	T1546.013	PowerShell Profile	1	Append malicious start-process cmdlet	090e5aa5-32b6-473b-a49b-21e843a56896	powershell
242	privilege-escalation	T1055.012	Process Hollowing	1	Process Hollowing using PowerShell	562427b4-39ef-4e8c-af88-463a78e70b9c	powershell
243	privilege-escalation	T1055.012	Process Hollowing	2	RunPE via VBA	3ad4a037-1598-4136-837c-4027e4fa319b	powershell
244	privilege-escalation	T1055	Process Injection	1	Shellcode execution via VBA	1c91e740-1729-4329-b779-feba6e71d048	powershell
245	privilege-escalation	T1055	Process Injection	2	Remote Process Injection in LSASS via mimikatz	3203ad24-168e-4bec-be36-f79b13ef8a83	command_prompt
246	privilege-escalation	T1037.004	RC Scripts	1	rc.common	97a48daa-8bca-4bc0-b1a9-c1d163e762de	bash
247	privilege-escalation	T1037.004	RC Scripts	2	rc.common	c33f3d80-5f04-419b-a13a-854d1cbdbf3a	bash
248	privilege-escalation	T1037.004	RC Scripts	3	rc.local	126f71af-e1c9-405c-94ef-26a47b16c102	bash
249	privilege-escalation	T1547.007	Re-opened Applications	1	Re-Opened Applications	5fefd767-ef54-4ac6-84d3-751ab85e8aba	manual
250	privilege-escalation	T1547.007	Re-opened Applications	2	Re-Opened Applications	5f5b71da-e03f-42e7-ac98-d63f9e0465cb	sh
251	privilege-escalation	T1547.001	Registry Run Keys / Startup Folder	1	Reg Key Run	e55be3fd-3521-4610-9d1a-e210e42dcf05	command_prompt
252	privilege-escalation	T1547.001	Registry Run Keys / Startup Folder	2	Reg Key RunOnce	554cbd88-cde1-4b56-8168-0be552eed9eb	command_prompt
253	privilege-escalation	T1547.001	Registry Run Keys / Startup Folder	3	PowerShell Registry RunOnce	eb44f842-0457-4ddc-9b92-c4caa144ac42	powershell
254	privilege-escalation	T1547.001	Registry Run Keys / Startup Folder	4	Suspicious vbs file run from startup Folder	2cb98256-625e-4da9-9d44-f2e5f90b8bd5	powershell
255	privilege-escalation	T1547.001	Registry Run Keys / Startup Folder	5	Suspicious jse file run from startup Folder	dade9447-791e-4c8f-b04b-3a35855dfa06	powershell
256	privilege-escalation	T1547.001	Registry Run Keys / Startup Folder	6	Suspicious bat file run from startup Folder	5b6768e4-44d2-44f0-89da-a01d1430fd5e	powershell
257	privilege-escalation	T1547.001	Registry Run Keys / Startup Folder	7	Add Executable Shortcut Link to User Startup Folder	24e55612-85f6-4bd6-ae74-a73d02e3441d	powershell
258	privilege-escalation	T1547.001	Registry Run Keys / Startup Folder	8	Add persistance via Recycle bin	bda6a3d6-7aa7-4e89-908b-306772e9662f	command_prompt
259	privilege-escalation	T1547.001	Registry Run Keys / Startup Folder	9	SystemBC Malware-as-a-Service Registry	9dc7767b-30c1-4cc4-b999-50cab5e27891	powershell
260	privilege-escalation	T1134.005	SID-History Injection	1	Injection SID-History with mimikatz	6bef32e5-9456-4072-8f14-35566fb85401	command_prompt
261	privilege-escalation	T1053.005	Scheduled Task	1	Scheduled Task Startup Script	fec27f65-db86-4c2d-b66c-61945aee87c2	command_prompt
262	privilege-escalation	T1053.005	Scheduled Task	2	Scheduled task Local	42f53695-ad4a-4546-abb6-7d837f644a71	command_prompt
263	privilege-escalation	T1053.005	Scheduled Task	3	Scheduled task Remote	2e5eac3e-327b-4a88-a0c0-c4057039a8dd	command_prompt
264	privilege-escalation	T1053.005	Scheduled Task	4	Powershell Cmdlet Scheduled Task	af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd	powershell
265	privilege-escalation	T1053.005	Scheduled Task	5	Task Scheduler via VBA	ecd3fa21-7792-41a2-8726-2c5c673414d3	powershell
266	privilege-escalation	T1053.005	Scheduled Task	6	WMI Invoke-CimMethod Scheduled Task	e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b	powershell
267	privilege-escalation	T1053.005	Scheduled Task	7	Scheduled Task Executing Base64 Encoded Commands From Registry	e895677d-4f06-49ab-91b6-ae3742d0a2ba	command_prompt
268	privilege-escalation	T1546.002	Screensaver	1	Set Arbitrary Binary as Screensaver	281201e7-de41-4dc9-b73d-f288938cbb64	command_prompt
269	privilege-escalation	T1547.005	Security Support Provider	1	Modify SSP configuration in registry	afdfd7e3-8a0b-409f-85f7-886fdf249c9e	powershell
270	privilege-escalation	T1574.011	Services Registry Permissions Weakness	1	Service Registry Permissions Weakness	f7536d63-7fd4-466f-89da-7e48d550752a	powershell
271	privilege-escalation	T1574.011	Services Registry Permissions Weakness	2	Service ImagePath Change with reg.exe	f38e9eea-e1d7-4ba6-b716-584791963827	command_prompt
272	privilege-escalation	T1548.001	Setuid and Setgid	1	Make and modify binary from C source	896dfe97-ae43-4101-8e96-9a7996555d80	sh
273	privilege-escalation	T1548.001	Setuid and Setgid	2	Set a SetUID flag on file	759055b3-3885-4582-a8ec-c00c9d64dd79	sh
274	privilege-escalation	T1548.001	Setuid and Setgid	3	Set a SetGID flag on file	db55f666-7cba-46c6-9fe6-205a05c3242c	sh
275	privilege-escalation	T1548.001	Setuid and Setgid	4	Make and modify capabilities of a binary	db53959c-207d-4000-9e7a-cd8eb417e072	sh
276	privilege-escalation	T1548.001	Setuid and Setgid	5	Provide the SetUID capability to a file	1ac3272f-9bcf-443a-9888-4b1d3de785c1	sh
277	privilege-escalation	T1547.009	Shortcut Modification	1	Shortcut Modification	ce4fc678-364f-4282-af16-2fb4c78005ce	command_prompt
278	privilege-escalation	T1547.009	Shortcut Modification	2	Create shortcut to cmd in startup folders	cfdc954d-4bb0-4027-875b-a1893ce406f2	powershell
279	privilege-escalation	T1037.005	Startup Items	1	Add file to Local Library StartupItems	134627c3-75db-410e-bff8-7a920075f198	sh
280	privilege-escalation	T1548.003	Sudo and Sudo Caching	1	Sudo usage	150c3a08-ee6e-48a6-aeaf-3659d24ceb4e	sh
281	privilege-escalation	T1548.003	Sudo and Sudo Caching	2	Unlimited sudo cache timeout	a7b17659-dd5e-46f7-b7d1-e6792c91d0bc	sh
282	privilege-escalation	T1548.003	Sudo and Sudo Caching	3	Disable tty_tickets for sudo caching	91a60b03-fb75-4d24-a42e-2eb8956e8de1	sh
283	privilege-escalation	T1543.002	Systemd Service	1	Create Systemd Service	d9e4f24f-aa67-4c6e-bcbf-85622b697a7c	bash
284	privilege-escalation	T1543.002	Systemd Service	2	Create Systemd Service file, Enable the service , Modify and Reload the service.	c35ac4a8-19de-43af-b9f8-755da7e89c89	bash
285	privilege-escalation	T1053.006	Systemd Timers	1	Create Systemd Service and Timer	f4983098-bb13-44fb-9b2c-46149961807b	bash
286	privilege-escalation	T1053.006	Systemd Timers	2	Create a user level transient systemd service and timer	3de33f5b-62e5-4e63-a2a0-6fd8808c80ec	sh
287	privilege-escalation	T1053.006	Systemd Timers	3	Create a system level transient systemd service and timer	d3eda496-1fc0-49e9-aff5-3bec5da9fa22	sh
288	privilege-escalation	T1134.001	Token Impersonation/Theft	1	Named pipe client impersonation	90db9e27-8e7c-4c04-b602-a45927884966	powershell
289	privilege-escalation	T1134.001	Token Impersonation/Theft	2	`SeDebugPrivilege` token duplication	34f0a430-9d04-4d98-bcb5-1989f14719f0	powershell
290	privilege-escalation	T1546.005	Trap	1	Trap	a74b2e07-5952-4c03-8b56-56274b076b61	sh
291	privilege-escalation	T1546.004	Unix Shell Configuration Modification	1	Add command to .bash_profile	94500ae1-7e31-47e3-886b-c328da46872f	sh
292	privilege-escalation	T1546.004	Unix Shell Configuration Modification	2	Add command to .bashrc	0a898315-4cfa-4007-bafe-33a4646d115f	sh
293	privilege-escalation	T1546.003	Windows Management Instrumentation Event Subscription	1	Persistence via WMI Event Subscription	3c64f177-28e2-49eb-a799-d767b24dd1e0	powershell
294	privilege-escalation	T1543.003	Windows Service	1	Modify Fax service to run PowerShell	ed366cde-7d12-49df-a833-671904770b9f	command_prompt
295	privilege-escalation	T1543.003	Windows Service	2	Service Installation CMD	981e2942-e433-44e9-afc1-8c957a1496b6	command_prompt
296	privilege-escalation	T1543.003	Windows Service	3	Service Installation PowerShell	491a4af6-a521-4b74-b23b-f7b3f1ee9e77	powershell
297	privilege-escalation	T1543.003	Windows Service	4	TinyTurla backdoor service w64time	ef0581fd-528e-4662-87bc-4c2affb86940	command_prompt
298	privilege-escalation	T1547.004	Winlogon Helper DLL	1	Winlogon Shell Key Persistence - PowerShell	bf9f9d65-ee4d-4c3e-a843-777d04f19c38	powershell
299	privilege-escalation	T1547.004	Winlogon Helper DLL	2	Winlogon Userinit Key Persistence - PowerShell	fb32c935-ee2e-454b-8fa3-1c46b42e8dfb	powershell
300	privilege-escalation	T1547.004	Winlogon Helper DLL	3	Winlogon Notify Key Logon Persistence - PowerShell	d40da266-e073-4e5a-bb8b-2b385023e5f9	powershell
301	defense-evasion	T1055.004	Asynchronous Procedure Call	1	Process Injection via C#	611b39b7-e243-4c81-87a4-7145a90358b1	command_prompt
302	defense-evasion	T1197	BITS Jobs	1	Bitsadmin Download (cmd)	3c73d728-75fb-4180-a12f-6712864d7421	command_prompt
303	defense-evasion	T1197	BITS Jobs	2	Bitsadmin Download (PowerShell)	f63b8bc4-07e5-4112-acba-56f646f3f0bc	powershell
304	defense-evasion	T1197	BITS Jobs	3	Persist, Download, & Execute	62a06ec5-5754-47d2-bcfc-123d8314c6ae	command_prompt
305	defense-evasion	T1197	BITS Jobs	4	Bits download using desktopimgdownldr.exe (cmd)	afb5e09e-e385-4dee-9a94-6ee60979d114	command_prompt
306	defense-evasion	T1027.001	Binary Padding	1	Pad Binary to Change Hash - Linux/macOS dd	ffe2346c-abd5-4b45-a713-bf5f1ebd573a	sh
307	defense-evasion	T1548.002	Bypass User Account Control	1	Bypass UAC using Event Viewer (cmd)	5073adf8-9a50-4bd9-b298-a9bd2ead8af9	command_prompt
308	defense-evasion	T1548.002	Bypass User Account Control	2	Bypass UAC using Event Viewer (PowerShell)	a6ce9acf-842a-4af6-8f79-539be7608e2b	powershell
309	defense-evasion	T1548.002	Bypass User Account Control	3	Bypass UAC using Fodhelper	58f641ea-12e3-499a-b684-44dee46bd182	command_prompt
310	defense-evasion	T1548.002	Bypass User Account Control	4	Bypass UAC using Fodhelper - PowerShell	3f627297-6c38-4e7d-a278-fc2563eaaeaa	powershell
311	defense-evasion	T1548.002	Bypass User Account Control	5	Bypass UAC using ComputerDefaults (PowerShell)	3c51abf2-44bf-42d8-9111-dc96ff66750f	powershell
312	defense-evasion	T1548.002	Bypass User Account Control	6	Bypass UAC by Mocking Trusted Directories	f7a35090-6f7f-4f64-bb47-d657bf5b10c1	command_prompt
313	defense-evasion	T1548.002	Bypass User Account Control	7	Bypass UAC using sdclt DelegateExecute	3be891eb-4608-4173-87e8-78b494c029b7	powershell
314	defense-evasion	T1548.002	Bypass User Account Control	8	Disable UAC using reg.exe	9e8af564-53ec-407e-aaa8-3cb20c3af7f9	command_prompt
315	defense-evasion	T1548.002	Bypass User Account Control	9	Bypass UAC using SilentCleanup task	28104f8a-4ff1-4582-bcf6-699dce156608	command_prompt
316	defense-evasion	T1548.002	Bypass User Account Control	10	UACME Bypass Method 23	8ceab7a2-563a-47d2-b5ba-0995211128d7	command_prompt
317	defense-evasion	T1548.002	Bypass User Account Control	11	UACME Bypass Method 31	b0f76240-9f33-4d34-90e8-3a7d501beb15	command_prompt
318	defense-evasion	T1548.002	Bypass User Account Control	12	UACME Bypass Method 33	e514bb03-f71c-4b22-9092-9f961ec6fb03	command_prompt
319	defense-evasion	T1548.002	Bypass User Account Control	13	UACME Bypass Method 34	695b2dac-423e-448e-b6ef-5b88e93011d6	command_prompt
320	defense-evasion	T1548.002	Bypass User Account Control	14	UACME Bypass Method 39	56163687-081f-47da-bb9c-7b231c5585cf	command_prompt
321	defense-evasion	T1548.002	Bypass User Account Control	15	UACME Bypass Method 56	235ec031-cd2d-465d-a7ae-68bab281e80e	command_prompt
322	defense-evasion	T1548.002	Bypass User Account Control	16	UACME Bypass Method 59	dfb1b667-4bb8-4a63-a85e-29936ea75f29	command_prompt
323	defense-evasion	T1548.002	Bypass User Account Control	17	UACME Bypass Method 61	7825b576-744c-4555-856d-caf3460dc236	command_prompt
324	defense-evasion	T1218.003	CMSTP	1	CMSTP Executing Remote Scriptlet	34e63321-9683-496b-bbc1-7566bc55e624	command_prompt
325	defense-evasion	T1218.003	CMSTP	2	CMSTP Executing UAC Bypass	748cb4f6-2fb3-4e97-b7ad-b22635a09ab0	command_prompt
326	defense-evasion	T1574.012	COR_PROFILER	1	User scope COR_PROFILER	9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a	powershell
327	defense-evasion	T1574.012	COR_PROFILER	2	System Scope COR_PROFILER	f373b482-48c8-4ce4-85ed-d40c8b3f7310	powershell
328	defense-evasion	T1574.012	COR_PROFILER	3	Registry-free process scope COR_PROFILER	79d57242-bbef-41db-b301-9d01d9f6e817	powershell
329	defense-evasion	T1070.003	Clear Command History	1	Clear Bash history (rm)	a934276e-2be5-4a36-93fd-98adbb5bd4fc	sh
330	defense-evasion	T1070.003	Clear Command History	2	Clear Bash history (echo)	cbf506a5-dd78-43e5-be7e-a46b7c7a0a11	sh
331	defense-evasion	T1070.003	Clear Command History	3	Clear Bash history (cat dev/null)	b1251c35-dcd3-4ea1-86da-36d27b54f31f	sh
332	defense-evasion	T1070.003	Clear Command History	4	Clear Bash history (ln dev/null)	23d348f3-cc5c-4ba9-bd0a-ae09069f0914	sh
333	defense-evasion	T1070.003	Clear Command History	5	Clear Bash history (truncate)	47966a1d-df4f-4078-af65-db6d9aa20739	sh
334	defense-evasion	T1070.003	Clear Command History	6	Clear history of a bunch of shells	7e6721df-5f08-4370-9255-f06d8a77af4c	sh
335	defense-evasion	T1070.003	Clear Command History	7	Clear and Disable Bash History Logging	784e4011-bd1a-4ecd-a63a-8feb278512e6	sh
336	defense-evasion	T1070.003	Clear Command History	8	Use Space Before Command to Avoid Logging to History	53b03a54-4529-4992-852d-a00b4b7215a6	sh
337	defense-evasion	T1070.003	Clear Command History	9	Disable Bash History Logging with SSH -T	5f8abd62-f615-43c5-b6be-f780f25790a1	sh
338	defense-evasion	T1070.003	Clear Command History	10	Prevent Powershell History Logging	2f898b81-3e97-4abb-bc3f-a95138988370	powershell
339	defense-evasion	T1070.003	Clear Command History	11	Clear Powershell History by Deleting History File	da75ae8d-26d6-4483-b0fe-700e4df4f037	powershell
340	defense-evasion	T1070.002	Clear Linux or Mac System Logs	1	rm -rf	989cc1b1-3642-4260-a809-54f9dd559683	sh
341	defense-evasion	T1070.002	Clear Linux or Mac System Logs	2	Overwrite Linux Mail Spool	1602ff76-ed7f-4c94-b550-2f727b4782d4	bash
342	defense-evasion	T1070.002	Clear Linux or Mac System Logs	3	Overwrite Linux Log	d304b2dc-90b4-4465-a650-16ddd503f7b5	bash
343	defense-evasion	T1070.001	Clear Windows Event Logs	1	Clear Logs	e6abb60e-26b8-41da-8aae-0c35174b0967	command_prompt
344	defense-evasion	T1070.001	Clear Windows Event Logs	2	Delete System Logs Using Clear-EventLog	b13e9306-3351-4b4b-a6e8-477358b0b498	powershell
345	defense-evasion	T1070.001	Clear Windows Event Logs	3	Clear Event Logs via VBA	1b682d84-f075-4f93-9a89-8a8de19ffd6e	powershell
346	defense-evasion	T1078.004	Cloud Accounts	1	Creating GCP Service Account and Service Account Key	9fdd83fd-bd53-46e5-a716-9dec89c8ae8e	gcloud
347	defense-evasion	T1027.004	Compile After Delivery	1	Compile After Delivery using csc.exe	ffcdbd6a-b0e8-487d-927a-09127fe9a206	command_prompt
348	defense-evasion	T1027.004	Compile After Delivery	2	Dynamic C# Compile	453614d8-3ba6-4147-acc0-7ec4b3e1faef	powershell
349	defense-evasion	T1027.004	Compile After Delivery	3	C compile	d0377aa6-850a-42b2-95f0-de558d80be57	bash
350	defense-evasion	T1027.004	Compile After Delivery	4	CC compile	da97bb11-d6d0-4fc1-b445-e443d1346efe	bash
351	defense-evasion	T1027.004	Compile After Delivery	5	Go compile	78bd3fa7-773c-449e-a978-dc1f1500bc52	bash
352	defense-evasion	T1218.001	Compiled HTML File	1	Compiled HTML Help Local Payload	5cb87818-0d7c-4469-b7ef-9224107aebe8	command_prompt
353	defense-evasion	T1218.001	Compiled HTML File	2	Compiled HTML Help Remote Payload	0f8af516-9818-4172-922b-42986ef1e81d	command_prompt
354	defense-evasion	T1218.001	Compiled HTML File	3	Invoke CHM with default Shortcut Command Execution	29d6f0d7-be63-4482-8827-ea77126c1ef7	powershell
355	defense-evasion	T1218.001	Compiled HTML File	4	Invoke CHM with InfoTech Storage Protocol Handler	b4094750-5fc7-4e8e-af12-b4e36bf5e7f6	powershell
356	defense-evasion	T1218.001	Compiled HTML File	5	Invoke CHM Simulate Double click	5decef42-92b8-4a93-9eb2-877ddcb9401a	powershell
357	defense-evasion	T1218.001	Compiled HTML File	6	Invoke CHM with Script Engine and Help Topic	4f83adda-f5ec-406d-b318-9773c9ca92e5	powershell
358	defense-evasion	T1218.001	Compiled HTML File	7	Invoke CHM Shortcut Command with ITS and Help Topic	15756147-7470-4a83-87fb-bb5662526247	powershell
359	defense-evasion	T1218.002	Control Panel	1	Control Panel Items	037e9d8a-9e46-4255-8b33-2ae3b545ca6f	command_prompt
360	defense-evasion	T1134.002	Create Process with Token	1	Access Token Manipulation	dbf4f5a9-b8e0-46a3-9841-9ad71247239e	powershell
361	defense-evasion	T1574.001	DLL Search Order Hijacking	1	DLL Search Order Hijacking - amsi.dll	8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3	command_prompt
362	defense-evasion	T1574.002	DLL Side-Loading	1	DLL Side-Loading using the Notepad++ GUP.exe binary	65526037-7079-44a9-bda1-2cb624838040	command_prompt
363	defense-evasion	T1078.001	Default Accounts	1	Enable Guest account with RDP capability and admin privileges	99747561-ed8d-47f2-9c91-1e5fde1ed6e0	command_prompt
364	defense-evasion	T1078.001	Default Accounts	2	Activate Guest Account	aa6cb8c4-b582-4f8e-b677-37733914abda	command_prompt
365	defense-evasion	T1140	Deobfuscate/Decode Files or Information	1	Deobfuscate/Decode Files Or Information	dc6fe391-69e6-4506-bd06-ea5eeb4082f8	command_prompt
366	defense-evasion	T1140	Deobfuscate/Decode Files or Information	2	Certutil Rename and Decode	71abc534-3c05-4d0c-80f7-cbe93cb2aa94	command_prompt
367	defense-evasion	T1140	Deobfuscate/Decode Files or Information	3	Base64 decoding with Python	356dc0e8-684f-4428-bb94-9313998ad608	sh
368	defense-evasion	T1140	Deobfuscate/Decode Files or Information	4	Base64 decoding with Perl	6604d964-b9f6-4d4b-8ce8-499829a14d0a	sh
369	defense-evasion	T1140	Deobfuscate/Decode Files or Information	5	Base64 decoding with shell utilities	b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e	sh
370	defense-evasion	T1140	Deobfuscate/Decode Files or Information	6	Hex decoding with shell utilities	005943f9-8dd5-4349-8b46-0313c0a9f973	sh
371	defense-evasion	T1006	Direct Volume Access	1	Read volume boot sector via DOS device path (PowerShell)	88f6327e-51ec-4bbf-b2e8-3fea534eab8b	powershell
372	defense-evasion	T1562.008	Disable Cloud Logs	1	AWS CloudTrail Changes	9c10dc6b-20bd-403a-8e67-50ef7d07ed4e	sh
373	defense-evasion	T1562.008	Disable Cloud Logs	2	Azure - Eventhub Deletion	5e09bed0-7d33-453b-9bf3-caea32bff719	powershell
374	defense-evasion	T1562.008	Disable Cloud Logs	3	Office 365 - Exchange Audit Log Disabled	1ee572f3-056c-4632-a7fc-7e7c42b1543c	powershell
375	defense-evasion	T1562.002	Disable Windows Event Logging	1	Disable Windows IIS HTTP Logging	69435dcf-c66f-4ec0-a8b1-82beb76b34db	powershell
376	defense-evasion	T1562.002	Disable Windows Event Logging	2	Kill Event Log Service Threads	41ac52ba-5d5e-40c0-b267-573ed90489bd	powershell
377	defense-evasion	T1562.002	Disable Windows Event Logging	3	Impair Windows Audit Log Policy	5102a3a7-e2d7-4129-9e45-f483f2e0eea8	command_prompt
378	defense-evasion	T1562.002	Disable Windows Event Logging	4	Clear Windows Audit Policy Config	913c0e4e-4b37-4b78-ad0b-90e7b25010f6	command_prompt
379	defense-evasion	T1562.002	Disable Windows Event Logging	5	Disable Event Logging with wevtutil	b26a3340-dad7-4360-9176-706269c74103	command_prompt
380	defense-evasion	T1562.002	Disable Windows Event Logging	6	Makes Eventlog blind with Phant0m	3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741	command_prompt
381	defense-evasion	T1562.004	Disable or Modify System Firewall	1	Disable Microsoft Defender Firewall	88d05800-a5e4-407e-9b53-ece4174f197f	command_prompt
382	defense-evasion	T1562.004	Disable or Modify System Firewall	2	Disable Microsoft Defender Firewall via Registry	afedc8c4-038c-4d82-b3e5-623a95f8a612	command_prompt
383	defense-evasion	T1562.004	Disable or Modify System Firewall	3	Allow SMB and RDP on Microsoft Defender Firewall	d9841bf8-f161-4c73-81e9-fd773a5ff8c1	command_prompt
384	defense-evasion	T1562.004	Disable or Modify System Firewall	4	Opening ports for proxy - HARDRAIN	15e57006-79dd-46df-9bf9-31bc24fb5a80	command_prompt
385	defense-evasion	T1562.004	Disable or Modify System Firewall	5	Open a local port through Windows Firewall to any profile	9636dd6e-7599-40d2-8eee-ac16434f35ed	powershell
386	defense-evasion	T1562.004	Disable or Modify System Firewall	6	Allow Executable Through Firewall Located in Non-Standard Location	6f5822d2-d38d-4f48-9bfc-916607ff6b8c	powershell
387	defense-evasion	T1562.004	Disable or Modify System Firewall	7	Stop/Start UFW firewall	fe135572-edcd-49a2-afe6-1d39521c5a9a	sh
388	defense-evasion	T1562.004	Disable or Modify System Firewall	8	Stop/Start UFW firewall systemctl	9fd99609-1854-4f3c-b47b-97d9a5972bd1	sh
389	defense-evasion	T1562.004	Disable or Modify System Firewall	9	Turn off UFW logging	8a95b832-2c2a-494d-9cb0-dc9dd97c8bad	sh
390	defense-evasion	T1562.004	Disable or Modify System Firewall	10	Add and delete UFW firewall rules	b2563a4e-c4b8-429c-8d47-d5bcb227ba7a	sh
391	defense-evasion	T1562.004	Disable or Modify System Firewall	11	Edit UFW firewall user.rules file	beaf815a-c883-4194-97e9-fdbbb2bbdd7c	sh
392	defense-evasion	T1562.004	Disable or Modify System Firewall	12	Edit UFW firewall ufw.conf file	c1d8c4eb-88da-4927-ae97-c7c25893803b	sh
393	defense-evasion	T1562.004	Disable or Modify System Firewall	13	Edit UFW firewall sysctl.conf file	c4ae0701-88d3-4cd8-8bce-4801ed9f97e4	sh
394	defense-evasion	T1562.004	Disable or Modify System Firewall	14	Edit UFW firewall main configuration file	7b697ece-8270-46b5-bbc7-6b9e27081831	sh
395	defense-evasion	T1562.004	Disable or Modify System Firewall	15	Tail the UFW firewall log file	419cca0c-fa52-4572-b0d7-bc7c6f388a27	sh
396	defense-evasion	T1562.001	Disable or Modify Tools	1	Disable syslog	4ce786f8-e601-44b5-bfae-9ebb15a7d1c8	sh
397	defense-evasion	T1562.001	Disable or Modify Tools	2	Disable Cb Response	ae8943f7-0f8d-44de-962d-fbc2e2f03eb8	sh
398	defense-evasion	T1562.001	Disable or Modify Tools	3	Disable SELinux	fc225f36-9279-4c39-b3f9-5141ab74f8d8	sh
399	defense-evasion	T1562.001	Disable or Modify Tools	4	Stop Crowdstrike Falcon on Linux	828a1278-81cc-4802-96ab-188bf29ca77d	sh
400	defense-evasion	T1562.001	Disable or Modify Tools	5	Disable Carbon Black Response	8fba7766-2d11-4b4a-979a-1e3d9cc9a88c	sh
401	defense-evasion	T1562.001	Disable or Modify Tools	6	Disable LittleSnitch	62155dd8-bb3d-4f32-b31c-6532ff3ac6a3	sh
402	defense-evasion	T1562.001	Disable or Modify Tools	7	Disable OpenDNS Umbrella	07f43b33-1e15-4e99-be70-bc094157c849	sh
403	defense-evasion	T1562.001	Disable or Modify Tools	8	Disable macOS Gatekeeper	2a821573-fb3f-4e71-92c3-daac7432f053	sh
404	defense-evasion	T1562.001	Disable or Modify Tools	9	Stop and unload Crowdstrike Falcon on macOS	b3e7510c-2d4c-4249-a33f-591a2bc83eef	sh
405	defense-evasion	T1562.001	Disable or Modify Tools	10	Unload Sysmon Filter Driver	811b3e76-c41b-430c-ac0d-e2380bfaa164	command_prompt
406	defense-evasion	T1562.001	Disable or Modify Tools	11	Uninstall Sysmon	a316fb2e-5344-470d-91c1-23e15c374edc	command_prompt
407	defense-evasion	T1562.001	Disable or Modify Tools	12	AMSI Bypass - AMSI InitFailed	695eed40-e949-40e5-b306-b4031e4154bd	powershell
408	defense-evasion	T1562.001	Disable or Modify Tools	13	AMSI Bypass - Remove AMSI Provider Reg Key	13f09b91-c953-438e-845b-b585e51cac9b	powershell
409	defense-evasion	T1562.001	Disable or Modify Tools	14	Disable Arbitrary Security Windows Service	a1230893-56ac-4c81-b644-2108e982f8f5	command_prompt
410	defense-evasion	T1562.001	Disable or Modify Tools	15	Tamper with Windows Defender ATP PowerShell	6b8df440-51ec-4d53-bf83-899591c9b5d7	powershell
411	defense-evasion	T1562.001	Disable or Modify Tools	16	Tamper with Windows Defender Command Prompt	aa875ed4-8935-47e2-b2c5-6ec00ab220d2	command_prompt
412	defense-evasion	T1562.001	Disable or Modify Tools	17	Tamper with Windows Defender Registry	1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45	powershell
413	defense-evasion	T1562.001	Disable or Modify Tools	18	Disable Microsoft Office Security Features	6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7	powershell
414	defense-evasion	T1562.001	Disable or Modify Tools	19	Remove Windows Defender Definition Files	3d47daaa-2f56-43e0-94cc-caf5d8d52a68	command_prompt
415	defense-evasion	T1562.001	Disable or Modify Tools	20	Stop and Remove Arbitrary Security Windows Service	ae753dda-0f15-4af6-a168-b9ba16143143	powershell
416	defense-evasion	T1562.001	Disable or Modify Tools	21	Uninstall Crowdstrike Falcon on Windows	b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297	powershell
417	defense-evasion	T1562.001	Disable or Modify Tools	22	Tamper with Windows Defender Evade Scanning -Folder	0b19f4ee-de90-4059-88cb-63c800c683ed	powershell
418	defense-evasion	T1562.001	Disable or Modify Tools	23	Tamper with Windows Defender Evade Scanning -Extension	315f4be6-2240-4552-b3e1-d1047f5eecea	powershell
419	defense-evasion	T1562.001	Disable or Modify Tools	24	Tamper with Windows Defender Evade Scanning -Process	a123ce6a-3916-45d6-ba9c-7d4081315c27	powershell
420	defense-evasion	T1562.001	Disable or Modify Tools	25	office-365-Disable-AntiPhishRule	b9bbae2c-2ba6-4cf3-b452-8e8f908696f3	powershell
421	defense-evasion	T1562.001	Disable or Modify Tools	26	Disable Windows Defender with DISM	871438ac-7d6e-432a-b27d-3e7db69faf58	command_prompt
422	defense-evasion	T1562.001	Disable or Modify Tools	27	Disable Defender with Defender Control	178136d8-2778-4d7a-81f3-d517053a4fd6	powershell
423	defense-evasion	T1562.001	Disable or Modify Tools	28	Disable Defender Using NirSoft AdvancedRun	81ce22fd-9612-4154-918e-8a1f285d214d	powershell
424	defense-evasion	T1562.001	Disable or Modify Tools	29	Kill antimalware protected processes using Backstab	24a12b91-05a7-4deb-8d7f-035fa98591bc	powershell
425	defense-evasion	T1484.002	Domain Trust Modification	1	Add Federation to Azure AD	8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7	powershell
426	defense-evasion	T1574.006	Dynamic Linker Hijacking	1	Shared Library Injection via /etc/ld.so.preload	39cb0e67-dd0d-4b74-a74b-c072db7ae991	bash
427	defense-evasion	T1574.006	Dynamic Linker Hijacking	2	Shared Library Injection via LD_PRELOAD	bc219ff7-789f-4d51-9142-ecae3397deae	bash
428	defense-evasion	T1055.001	Dynamic-link Library Injection	1	Process Injection via mavinject.exe	74496461-11a1-4982-b439-4d87a550d254	powershell
429	defense-evasion	T1070.004	File Deletion	1	Delete a single file - Linux/macOS	562d737f-2fc6-4b09-8c2a-7f8ff0828480	sh
430	defense-evasion	T1070.004	File Deletion	2	Delete an entire folder - Linux/macOS	a415f17e-ce8d-4ce2-a8b4-83b674e7017e	sh
431	defense-evasion	T1070.004	File Deletion	3	Overwrite and delete a file with shred	039b4b10-2900-404b-b67f-4b6d49aa6499	sh
432	defense-evasion	T1070.004	File Deletion	4	Delete a single file - Windows cmd	861ea0b4-708a-4d17-848d-186c9c7f17e3	command_prompt
433	defense-evasion	T1070.004	File Deletion	5	Delete an entire folder - Windows cmd	ded937c4-2add-42f7-9c2c-c742b7a98698	command_prompt
434	defense-evasion	T1070.004	File Deletion	6	Delete a single file - Windows PowerShell	9dee89bd-9a98-4c4f-9e2d-4256690b0e72	powershell
435	defense-evasion	T1070.004	File Deletion	7	Delete an entire folder - Windows PowerShell	edd779e4-a509-4cba-8dfa-a112543dbfb1	powershell
436	defense-evasion	T1070.004	File Deletion	8	Delete Filesystem - Linux	f3aa95fe-4f10-4485-ad26-abf22a764c52	bash
437	defense-evasion	T1070.004	File Deletion	9	Delete Prefetch File	36f96049-0ad7-4a5f-8418-460acaeb92fb	powershell
438	defense-evasion	T1070.004	File Deletion	10	Delete TeamViewer Log Files	69f50a5f-967c-4327-a5bb-e1a9a9983785	powershell
439	defense-evasion	T1553.001	Gatekeeper Bypass	1	Gatekeeper Bypass	fb3d46c6-9480-4803-8d7d-ce676e1f1a9b	sh
440	defense-evasion	T1564.001	Hidden Files and Directories	1	Create a hidden file in a hidden directory	61a782e5-9a19-40b5-8ba4-69a4b9f3d7be	sh
441	defense-evasion	T1564.001	Hidden Files and Directories	2	Mac Hidden file	cddb9098-3b47-4e01-9d3b-6f5f323288a9	sh
442	defense-evasion	T1564.001	Hidden Files and Directories	3	Create Windows System File with Attrib	f70974c8-c094-4574-b542-2c545af95a32	command_prompt
443	defense-evasion	T1564.001	Hidden Files and Directories	4	Create Windows Hidden File with Attrib	dadb792e-4358-4d8d-9207-b771faa0daa5	command_prompt
444	defense-evasion	T1564.001	Hidden Files and Directories	5	Hidden files	3b7015f2-3144-4205-b799-b05580621379	sh
445	defense-evasion	T1564.001	Hidden Files and Directories	6	Hide a Directory	b115ecaf-3b24-4ed2-aefe-2fcb9db913d3	sh
446	defense-evasion	T1564.001	Hidden Files and Directories	7	Show all hidden files	9a1ec7da-b892-449f-ad68-67066d04380c	sh
447	defense-evasion	T1564.001	Hidden Files and Directories	8	Hide Files Through Registry	f650456b-bd49-4bc1-ae9d-271b5b9581e7	command_prompt
448	defense-evasion	T1564.002	Hidden Users	1	Create Hidden User using UniqueID < 500	4238a7f0-a980-4fff-98a2-dfc0a363d507	sh
449	defense-evasion	T1564.002	Hidden Users	2	Create Hidden User using IsHidden option	de87ed7b-52c3-43fd-9554-730f695e7f31	sh
450	defense-evasion	T1564.003	Hidden Window	1	Hidden Window	f151ee37-9e2b-47e6-80e4-550b9f999b7a	powershell
451	defense-evasion	T1564	Hide Artifacts	1	Extract binary files via VBA	6afe288a-8a8b-4d33-a629-8d03ba9dad3a	powershell
452	defense-evasion	T1564	Hide Artifacts	2	Create a Hidden User Called "$"	2ec63cc2-4975-41a6-bf09-dffdfb610778	command_prompt
453	defense-evasion	T1564	Hide Artifacts	3	Create an "Administrator " user (with a space on the end)	5bb20389-39a5-4e99-9264-aeb92a55a85c	powershell
454	defense-evasion	T1562.003	Impair Command History Logging	1	Disable history collection	4eafdb45-0f79-4d66-aa86-a3e2c08791f5	sh
455	defense-evasion	T1562.003	Impair Command History Logging	2	Mac HISTCONTROL	468566d5-83e5-40c1-b338-511e1659628d	manual
456	defense-evasion	T1562.006	Indicator Blocking	1	Auditing Configuration Changes on Linux Host	212cfbcf-4770-4980-bc21-303e37abd0e3	bash
457	defense-evasion	T1562.006	Indicator Blocking	2	Logging Configuration Changes on Linux Host	7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c	bash
458	defense-evasion	T1562.006	Indicator Blocking	3	Disable Powershell ETW Provider - Windows	6f118276-121d-4c09-bb58-a8fb4a72ee84	powershell
459	defense-evasion	T1562.006	Indicator Blocking	4	Disable .NET Event Tracing for Windows Via Registry (cmd)	8a4c33be-a0d3-434a-bee6-315405edbd5b	command_prompt
460	defense-evasion	T1562.006	Indicator Blocking	5	Disable .NET Event Tracing for Windows Via Registry (powershell)	19c07a45-452d-4620-90ed-4c34fffbe758	powershell
461	defense-evasion	T1070	Indicator Removal on Host	1	Indicator Removal using FSUtil	b4115c7a-0e92-47f0-a61e-17e7218b2435	command_prompt
462	defense-evasion	T1202	Indirect Command Execution	1	Indirect Command Execution - pcalua.exe	cecfea7a-5f03-4cdd-8bc8-6f7c22862440	command_prompt
463	defense-evasion	T1202	Indirect Command Execution	2	Indirect Command Execution - forfiles.exe	8b34a448-40d9-4fc3-a8c8-4bb286faf7dc	command_prompt
464	defense-evasion	T1202	Indirect Command Execution	3	Indirect Command Execution - conhost.exe	cf3391e0-b482-4b02-87fc-ca8362269b29	command_prompt
465	defense-evasion	T1553.004	Install Root Certificate	1	Install root CA on CentOS/RHEL	9c096ec4-fd42-419d-a762-d64cc950627e	sh
466	defense-evasion	T1553.004	Install Root Certificate	2	Install root CA on Debian/Ubuntu	53bcf8a0-1549-4b85-b919-010c56d724ff	sh
467	defense-evasion	T1553.004	Install Root Certificate	3	Install root CA on macOS	cc4a0b8c-426f-40ff-9426-4e10e5bf4c49	sh
468	defense-evasion	T1553.004	Install Root Certificate	4	Install root CA on Windows	76f49d86-5eb1-461a-a032-a480f86652f1	powershell
469	defense-evasion	T1553.004	Install Root Certificate	5	Install root CA on Windows with certutil	5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f	powershell
470	defense-evasion	T1553.004	Install Root Certificate	6	Add Root Certificate to CurrentUser Certificate Store	ca20a3f1-42b5-4e21-ad3f-1049199ec2e0	powershell
471	defense-evasion	T1218.004	InstallUtil	1	CheckIfInstallable method call	ffd9c807-d402-47d2-879d-f915cf2a3a94	powershell
472	defense-evasion	T1218.004	InstallUtil	2	InstallHelper method call	d43a5bde-ae28-4c55-a850-3f4c80573503	powershell
473	defense-evasion	T1218.004	InstallUtil	3	InstallUtil class constructor method call	9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93	powershell
474	defense-evasion	T1218.004	InstallUtil	4	InstallUtil Install method call	9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b	powershell
475	defense-evasion	T1218.004	InstallUtil	5	InstallUtil Uninstall method call - /U variant	34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b	powershell
476	defense-evasion	T1218.004	InstallUtil	6	InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant	06d9deba-f732-48a8-af8e-bdd6e4d98c1d	powershell
477	defense-evasion	T1218.004	InstallUtil	7	InstallUtil HelpText method call	5a683850-1145-4326-a0e5-e91ced3c6022	powershell
478	defense-evasion	T1218.004	InstallUtil	8	InstallUtil evasive invocation	559e6d06-bb42-4307-bff7-3b95a8254bad	powershell
479	defense-evasion	T1222.002	Linux and Mac File and Directory Permissions Modification	1	chmod - Change file or folder mode (numeric mode)	34ca1464-de9d-40c6-8c77-690adf36a135	bash
480	defense-evasion	T1222.002	Linux and Mac File and Directory Permissions Modification	2	chmod - Change file or folder mode (symbolic mode)	fc9d6695-d022-4a80-91b1-381f5c35aff3	bash
481	defense-evasion	T1222.002	Linux and Mac File and Directory Permissions Modification	3	chmod - Change file or folder mode (numeric mode) recursively	ea79f937-4a4d-4348-ace6-9916aec453a4	bash
482	defense-evasion	T1222.002	Linux and Mac File and Directory Permissions Modification	4	chmod - Change file or folder mode (symbolic mode) recursively	0451125c-b5f6-488f-993b-5a32b09f7d8f	bash
483	defense-evasion	T1222.002	Linux and Mac File and Directory Permissions Modification	5	chown - Change file or folder ownership and group	d169e71b-85f9-44ec-8343-27093ff3dfc0	bash
484	defense-evasion	T1222.002	Linux and Mac File and Directory Permissions Modification	6	chown - Change file or folder ownership and group recursively	b78598be-ff39-448f-a463-adbf2a5b7848	bash
485	defense-evasion	T1222.002	Linux and Mac File and Directory Permissions Modification	7	chown - Change file or folder mode ownership only	967ba79d-f184-4e0e-8d09-6362b3162e99	bash
486	defense-evasion	T1222.002	Linux and Mac File and Directory Permissions Modification	8	chown - Change file or folder ownership recursively	3b015515-b3d8-44e9-b8cd-6fa84faf30b2	bash
487	defense-evasion	T1222.002	Linux and Mac File and Directory Permissions Modification	9	chattr - Remove immutable file attribute	e7469fe2-ad41-4382-8965-99b94dd3c13f	sh
488	defense-evasion	T1078.003	Local Accounts	1	Create local account with admin privileges	a524ce99-86de-4db6-b4f9-e08f35a47a15	command_prompt
489	defense-evasion	T1078.003	Local Accounts	2	Create local account with admin privileges - MacOS	f1275566-1c26-4b66-83e3-7f9f7f964daa	bash
490	defense-evasion	T1127.001	MSBuild	1	MSBuild Bypass Using Inline Tasks (C#)	58742c0f-cb01-44cd-a60b-fb26e8871c93	command_prompt
491	defense-evasion	T1127.001	MSBuild	2	MSBuild Bypass Using Inline Tasks (VB)	ab042179-c0c5-402f-9bc8-42741f5ce359	command_prompt
492	defense-evasion	T1553.005	Mark-of-the-Web Bypass	1	Mount ISO image	002cca30-4778-4891-878a-aaffcfa502fa	powershell
493	defense-evasion	T1553.005	Mark-of-the-Web Bypass	2	Mount an ISO image and run executable from the ISO	42f22b00-0242-4afc-a61b-0da05041f9cc	powershell
494	defense-evasion	T1553.005	Mark-of-the-Web Bypass	3	Remove the Zone.Identifier alternate data stream	64b12afc-18b8-4d3f-9eab-7f6cae7c73f9	powershell
495	defense-evasion	T1036.004	Masquerade Task or Service	1	Creating W32Time similar named service using schtasks	f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9	command_prompt
496	defense-evasion	T1036.004	Masquerade Task or Service	2	Creating W32Time similar named service using sc	b721c6ef-472c-4263-a0d9-37f1f4ecff66	command_prompt
497	defense-evasion	T1036	Masquerading	1	System File Copied to Unusual Location	51005ac7-52e2-45e0-bdab-d17c6d4916cd	powershell
498	defense-evasion	T1036	Masquerading	2	Malware Masquerading and Execution from Zip File	4449c89b-ec82-43a4-89c1-91e2f1abeecc	powershell
499	defense-evasion	T1036.005	Match Legitimate Name or Location	1	Execute a process from a directory masquerading as the current parent directory.	812c3ab8-94b0-4698-a9bf-9420af23ce24	sh
500	defense-evasion	T1036.005	Match Legitimate Name or Location	2	Masquerade as a built-in system executable	35eb8d16-9820-4423-a2a1-90c4f5edd9ca	powershell
501	defense-evasion	T1112	Modify Registry	1	Modify Registry of Current User Profile - cmd	1324796b-d0f6-455a-b4ae-21ffee6aa6b9	command_prompt
502	defense-evasion	T1112	Modify Registry	2	Modify Registry of Local Machine - cmd	282f929a-6bc5-42b8-bd93-960c3ba35afe	command_prompt
503	defense-evasion	T1112	Modify Registry	3	Modify registry to store logon credentials	c0413fb5-33e2-40b7-9b6f-60b29f4a7a18	command_prompt
504	defense-evasion	T1112	Modify Registry	4	Add domain to Trusted sites Zone	cf447677-5a4e-4937-a82c-e47d254afd57	powershell
505	defense-evasion	T1112	Modify Registry	5	Javascript in registry	15f44ea9-4571-4837-be9e-802431a7bfae	powershell
506	defense-evasion	T1112	Modify Registry	6	Change Powershell Execution Policy to Bypass	f3a6cceb-06c9-48e5-8df8-8867a6814245	powershell
507	defense-evasion	T1112	Modify Registry	7	BlackByte Ransomware Registry Changes - CMD	4f4e2f9f-6209-4fcf-9b15-3b7455706f5b	command_prompt
508	defense-evasion	T1112	Modify Registry	8	BlackByte Ransomware Registry Changes - Powershell	0b79c06f-c788-44a2-8630-d69051f1123d	powershell
509	defense-evasion	T1112	Modify Registry	9	Disable Windows Registry Tool	ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8	command_prompt
510	defense-evasion	T1112	Modify Registry	10	Disable Windows CMD application	d2561a6d-72bd-408c-b150-13efe1801c2a	powershell
511	defense-evasion	T1112	Modify Registry	11	Disable Windows Task Manager application	af254e70-dd0e-4de6-9afe-a994d9ea8b62	command_prompt
512	defense-evasion	T1112	Modify Registry	12	Disable Windows Notification Center	c0d6d67f-1f63-42cc-95c0-5fd6b20082ad	command_prompt
513	defense-evasion	T1112	Modify Registry	13	Disable Windows Shutdown Button	6e0d1131-2d7e-4905-8ca5-d6172f05d03d	command_prompt
514	defense-evasion	T1112	Modify Registry	14	Disable Windows LogOff Button	e246578a-c24d-46a7-9237-0213ff86fb0c	command_prompt
515	defense-evasion	T1112	Modify Registry	15	Disable Windows Change Password Feature	d4a6da40-618f-454d-9a9e-26af552aaeb0	command_prompt
516	defense-evasion	T1112	Modify Registry	16	Disable Windows Lock Workstation Feature	3dacb0d2-46ee-4c27-ac1b-f9886bf91a56	command_prompt
517	defense-evasion	T1112	Modify Registry	17	Activate Windows NoDesktop Group Policy Feature	93386d41-525c-4a1b-8235-134a628dee17	command_prompt
518	defense-evasion	T1112	Modify Registry	18	Activate Windows NoRun Group Policy Feature	d49ff3cc-8168-4123-b5b3-f057d9abbd55	command_prompt
519	defense-evasion	T1112	Modify Registry	19	Activate Windows NoFind Group Policy Feature	ffbb407e-7f1d-4c95-b22e-548169db1fbd	command_prompt
520	defense-evasion	T1112	Modify Registry	20	Activate Windows NoControlPanel Group Policy Feature	a450e469-ba54-4de1-9deb-9023a6111690	command_prompt
521	defense-evasion	T1112	Modify Registry	21	Activate Windows NoFileMenu Group Policy Feature	5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4	command_prompt
522	defense-evasion	T1112	Modify Registry	22	Activate Windows NoClose Group Policy Feature	12f50e15-dbc6-478b-a801-a746e8ba1723	command_prompt
523	defense-evasion	T1112	Modify Registry	23	Activate Windows NoSetTaskbar Group Policy Feature	d29b7faf-7355-4036-9ed3-719bd17951ed	command_prompt
524	defense-evasion	T1112	Modify Registry	24	Activate Windows NoTrayContextMenu Group Policy Feature	4d72d4b1-fa7b-4374-b423-0fe326da49d2	command_prompt
525	defense-evasion	T1112	Modify Registry	25	Activate Windows NoPropertiesMyDocuments Group Policy Feature	20fc9daa-bd48-4325-9aff-81b967a84b1d	command_prompt
526	defense-evasion	T1112	Modify Registry	26	Hide Windows Clock Group Policy Feature	8023db1e-ad06-4966-934b-b6a0ae52689e	command_prompt
527	defense-evasion	T1112	Modify Registry	27	Windows HideSCAHealth Group Policy Feature	a4637291-40b1-4a96-8c82-b28f1d73e54e	command_prompt
528	defense-evasion	T1112	Modify Registry	28	Windows HideSCANetwork Group Policy Feature	3e757ce7-eca0-411a-9583-1c33b8508d52	command_prompt
529	defense-evasion	T1112	Modify Registry	29	Windows HideSCAPower Group Policy Feature	8d85a5d8-702f-436f-bc78-fcd9119496fc	command_prompt
530	defense-evasion	T1112	Modify Registry	30	Windows HideSCAVolume Group Policy Feature	7f037590-b4c6-4f13-b3cc-e424c5ab8ade	command_prompt
531	defense-evasion	T1112	Modify Registry	31	Windows Modify Show Compress Color And Info Tip Registry	795d3248-0394-4d4d-8e86-4e8df2a2693f	command_prompt
532	defense-evasion	T1112	Modify Registry	32	Windows Powershell Logging Disabled	95b25212-91a7-42ff-9613-124aca6845a8	command_prompt
533	defense-evasion	T1112	Modify Registry	33	Windows Add Registry Value to Load Service in Safe Mode without Network	1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5	command_prompt
534	defense-evasion	T1112	Modify Registry	34	Windows Add Registry Value to Load Service in Safe Mode with Network	c173c948-65e5-499c-afbe-433722ed5bd4	command_prompt
535	defense-evasion	T1218.005	Mshta	1	Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject	1483fab9-4f52-4217-a9ce-daa9d7747cae	command_prompt
536	defense-evasion	T1218.005	Mshta	2	Mshta executes VBScript to execute malicious command	906865c3-e05f-4acc-85c4-fbc185455095	command_prompt
537	defense-evasion	T1218.005	Mshta	3	Mshta Executes Remote HTML Application (HTA)	c4b97eeb-5249-4455-a607-59f95485cb45	powershell
538	defense-evasion	T1218.005	Mshta	4	Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement	007e5672-2088-4853-a562-7490ddc19447	powershell
539	defense-evasion	T1218.005	Mshta	5	Invoke HTML Application - Jscript Engine Simulating Double Click	58a193ec-131b-404e-b1ca-b35cf0b18c33	powershell
540	defense-evasion	T1218.005	Mshta	6	Invoke HTML Application - Direct download from URI	39ceed55-f653-48ac-bd19-aceceaf525db	powershell
541	defense-evasion	T1218.005	Mshta	7	Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler	e7e3a525-7612-4d68-a5d3-c4649181b8af	powershell
542	defense-evasion	T1218.005	Mshta	8	Invoke HTML Application - JScript Engine with Inline Protocol Handler	d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840	powershell
543	defense-evasion	T1218.005	Mshta	9	Invoke HTML Application - Simulate Lateral Movement over UNC Path	b8a8bdb2-7eae-490d-8251-d5e0295b2362	powershell
544	defense-evasion	T1218.005	Mshta	10	Mshta used to Execute PowerShell	8707a805-2b76-4f32-b1c0-14e558205772	command_prompt
545	defense-evasion	T1218.007	Msiexec	1	Msiexec.exe - Execute Local MSI file with embedded JScript	a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04	command_prompt
546	defense-evasion	T1218.007	Msiexec	2	Msiexec.exe - Execute Local MSI file with embedded VBScript	8d73c7b0-c2b1-4ac1-881a-4aa644f76064	command_prompt
547	defense-evasion	T1218.007	Msiexec	3	Msiexec.exe - Execute Local MSI file with an embedded DLL	628fa796-76c5-44c3-93aa-b9d8214fd568	command_prompt
548	defense-evasion	T1218.007	Msiexec	4	Msiexec.exe - Execute Local MSI file with an embedded EXE	ed3fa08a-ca18-4009-973e-03d13014d0e8	command_prompt
549	defense-evasion	T1218.007	Msiexec	5	WMI Win32_Product Class - Execute Local MSI file with embedded JScript	882082f0-27c6-4eec-a43c-9aa80bccdb30	powershell
550	defense-evasion	T1218.007	Msiexec	6	WMI Win32_Product Class - Execute Local MSI file with embedded VBScript	cf470d9a-58e7-43e5-b0d2-805dffc05576	powershell
551	defense-evasion	T1218.007	Msiexec	7	WMI Win32_Product Class - Execute Local MSI file with an embedded DLL	32eb3861-30da-4993-897a-42737152f5f8	powershell
552	defense-evasion	T1218.007	Msiexec	8	WMI Win32_Product Class - Execute Local MSI file with an embedded EXE	55080eb0-49ae-4f55-a440-4167b7974f79	powershell
553	defense-evasion	T1218.007	Msiexec	9	Msiexec.exe - Execute the DllRegisterServer function of a DLL	0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d	command_prompt
554	defense-evasion	T1218.007	Msiexec	10	Msiexec.exe - Execute the DllUnregisterServer function of a DLL	ab09ec85-4955-4f9c-b8e0-6851baf4d47f	command_prompt
555	defense-evasion	T1218.007	Msiexec	11	Msiexec.exe - Execute Remote MSI file	44a4bedf-ffe3-452e-bee4-6925ab125662	command_prompt
556	defense-evasion	T1564.004	NTFS File Attributes	1	Alternate Data Streams (ADS)	8822c3b0-d9f9-4daf-a043-49f4602364f4	command_prompt
557	defense-evasion	T1564.004	NTFS File Attributes	2	Store file in Alternate Data Stream (ADS)	2ab75061-f5d5-4c1a-b666-ba2a50df5b02	powershell
558	defense-evasion	T1564.004	NTFS File Attributes	3	Create ADS command prompt	17e7637a-ddaf-4a82-8622-377e20de8fdb	command_prompt
559	defense-evasion	T1564.004	NTFS File Attributes	4	Create ADS PowerShell	0045ea16-ed3c-4d4c-a9ee-15e44d1560d1	powershell
560	defense-evasion	T1070.005	Network Share Connection Removal	1	Add Network Share	14c38f32-6509-46d8-ab43-d53e32d2b131	command_prompt
561	defense-evasion	T1070.005	Network Share Connection Removal	2	Remove Network Share	09210ad5-1ef2-4077-9ad3-7351e13e9222	command_prompt
562	defense-evasion	T1070.005	Network Share Connection Removal	3	Remove Network Share PowerShell	0512d214-9512-4d22-bde7-f37e058259b3	powershell
563	defense-evasion	T1070.005	Network Share Connection Removal	4	Disable Administrative Share Creation at Startup	99c657aa-ebeb-4179-a665-69288fdd12b8	command_prompt
564	defense-evasion	T1070.005	Network Share Connection Removal	5	Remove Administrative Shares	4299eff5-90f1-4446-b2f3-7f4f5cfd5d62	command_prompt
565	defense-evasion	T1027	Obfuscated Files or Information	1	Decode base64 Data into Script	f45df6be-2e1e-4136-a384-8f18ab3826fb	sh
566	defense-evasion	T1027	Obfuscated Files or Information	2	Execute base64-encoded PowerShell	a50d5a97-2531-499e-a1de-5544c74432c6	powershell
567	defense-evasion	T1027	Obfuscated Files or Information	3	Execute base64-encoded PowerShell from Windows Registry	450e7218-7915-4be4-8b9b-464a49eafcec	powershell
568	defense-evasion	T1027	Obfuscated Files or Information	4	Execution from Compressed File	f8c8a909-5f29-49ac-9244-413936ce6d1f	command_prompt
569	defense-evasion	T1027	Obfuscated Files or Information	5	DLP Evasion via Sensitive Data in VBA Macro over email	129edb75-d7b8-42cd-a8ba-1f3db64ec4ad	powershell
570	defense-evasion	T1027	Obfuscated Files or Information	6	DLP Evasion via Sensitive Data in VBA Macro over HTTP	e2d85e66-cb66-4ed7-93b1-833fc56c9319	powershell
571	defense-evasion	T1027	Obfuscated Files or Information	7	Obfuscated Command in PowerShell	8b3f4ed6-077b-4bdd-891c-2d237f19410f	powershell
572	defense-evasion	T1027	Obfuscated Files or Information	8	Obfuscated Command Line using special Unicode characters	e68b945c-52d0-4dd9-a5e8-d173d70c448f	manual
573	defense-evasion	T1218.008	Odbcconf	1	Odbcconf.exe - Execute Arbitrary DLL	2430498b-06c0-4b92-a448-8ad263c388e2	command_prompt
574	defense-evasion	T1134.004	Parent PID Spoofing	1	Parent PID Spoofing using PowerShell	069258f4-2162-46e9-9a25-c9c6c56150d2	powershell
575	defense-evasion	T1134.004	Parent PID Spoofing	2	Parent PID Spoofing - Spawn from Current Process	14920ebd-1d61-491a-85e0-fe98efe37f25	powershell
576	defense-evasion	T1134.004	Parent PID Spoofing	3	Parent PID Spoofing - Spawn from Specified Process	cbbff285-9051-444a-9d17-c07cd2d230eb	powershell
577	defense-evasion	T1134.004	Parent PID Spoofing	4	Parent PID Spoofing - Spawn from svchost.exe	e9f2b777-3123-430b-805d-5cedc66ab591	powershell
578	defense-evasion	T1134.004	Parent PID Spoofing	5	Parent PID Spoofing - Spawn from New Process	2988133e-561c-4e42-a15f-6281e6a9b2db	powershell
579	defense-evasion	T1550.002	Pass the Hash	1	Mimikatz Pass the Hash	ec23cef9-27d9-46e4-a68d-6f75f7b86908	command_prompt
580	defense-evasion	T1550.002	Pass the Hash	2	crackmapexec Pass the Hash	eb05b028-16c8-4ad8-adea-6f5b219da9a9	command_prompt
581	defense-evasion	T1550.002	Pass the Hash	3	Invoke-WMIExec Pass the Hash	f8757545-b00a-4e4e-8cfb-8cfb961ee713	powershell
582	defense-evasion	T1550.003	Pass the Ticket	1	Mimikatz Kerberos Ticket Attack	dbf38128-7ba7-4776-bedf-cc2eed432098	command_prompt
583	defense-evasion	T1550.003	Pass the Ticket	2	Rubeus Kerberos Pass The Ticket	a2fc4ec5-12c6-4fb4-b661-961f23f359cb	powershell
584	defense-evasion	T1556.002	Password Filter DLL	1	Install and Register Password Filter DLL	a7961770-beb5-4134-9674-83d7e1fa865c	powershell
585	defense-evasion	T1574.009	Path Interception by Unquoted Path	1	Execution of program.exe as service with unquoted service path	2770dea7-c50f-457b-84c4-c40a47460d9f	command_prompt
586	defense-evasion	T1556.003	Pluggable Authentication Modules	1	Malicious PAM rule	4b9dde80-ae22-44b1-a82a-644bf009eb9c	sh
587	defense-evasion	T1556.003	Pluggable Authentication Modules	2	Malicious PAM module	65208808-3125-4a2e-8389-a0a00e9ab326	sh
588	defense-evasion	T1055.012	Process Hollowing	1	Process Hollowing using PowerShell	562427b4-39ef-4e8c-af88-463a78e70b9c	powershell
589	defense-evasion	T1055.012	Process Hollowing	2	RunPE via VBA	3ad4a037-1598-4136-837c-4027e4fa319b	powershell
590	defense-evasion	T1055	Process Injection	1	Shellcode execution via VBA	1c91e740-1729-4329-b779-feba6e71d048	powershell
591	defense-evasion	T1055	Process Injection	2	Remote Process Injection in LSASS via mimikatz	3203ad24-168e-4bec-be36-f79b13ef8a83	command_prompt
592	defense-evasion	T1216.001	PubPrn	1	PubPrn.vbs Signed Script Bypass	9dd29a1f-1e16-4862-be83-913b10a88f6c	command_prompt
593	defense-evasion	T1218.009	Regsvcs/Regasm	1	Regasm Uninstall Method Call Test	71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112	command_prompt
594	defense-evasion	T1218.009	Regsvcs/Regasm	2	Regsvcs Uninstall Method Call Test	fd3c1c6a-02d2-4b72-82d9-71c527abb126	powershell
595	defense-evasion	T1218.010	Regsvr32	1	Regsvr32 local COM scriptlet execution	449aa403-6aba-47ce-8a37-247d21ef0306	command_prompt
596	defense-evasion	T1218.010	Regsvr32	2	Regsvr32 remote COM scriptlet execution	c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36	command_prompt
597	defense-evasion	T1218.010	Regsvr32	3	Regsvr32 local DLL execution	08ffca73-9a3d-471a-aeb0-68b4aa3ab37b	command_prompt
598	defense-evasion	T1218.010	Regsvr32	4	Regsvr32 Registering Non DLL	1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421	command_prompt
599	defense-evasion	T1218.010	Regsvr32	5	Regsvr32 Silent DLL Install Call DllRegisterServer	9d71c492-ea2e-4c08-af16-c6994cdf029f	command_prompt
600	defense-evasion	T1036.003	Rename System Utilities	1	Masquerading as Windows LSASS process	5ba5a3d1-cf3c-4499-968a-a93155d1f717	command_prompt
601	defense-evasion	T1036.003	Rename System Utilities	2	Masquerading as Linux crond process.	a315bfff-7a98-403b-b442-2ea1b255e556	sh
602	defense-evasion	T1036.003	Rename System Utilities	3	Masquerading - cscript.exe running as notepad.exe	3a2a578b-0a01-46e4-92e3-62e2859b42f0	command_prompt
603	defense-evasion	T1036.003	Rename System Utilities	4	Masquerading - wscript.exe running as svchost.exe	24136435-c91a-4ede-9da1-8b284a1c1a23	command_prompt
604	defense-evasion	T1036.003	Rename System Utilities	5	Masquerading - powershell.exe running as taskhostw.exe	ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa	command_prompt
605	defense-evasion	T1036.003	Rename System Utilities	6	Masquerading - non-windows exe running as windows exe	bc15c13f-d121-4b1f-8c7d-28d95854d086	powershell
606	defense-evasion	T1036.003	Rename System Utilities	7	Masquerading - windows exe running as different windows exe	c3d24a39-2bfe-4c6a-b064-90cd73896cb0	powershell
607	defense-evasion	T1036.003	Rename System Utilities	8	Malicious process Masquerading as LSM.exe	83810c46-f45e-4485-9ab6-8ed0e9e6ed7f	command_prompt
608	defense-evasion	T1036.003	Rename System Utilities	9	File Extension Masquerading	c7fa0c3b-b57f-4cba-9118-863bf4e653fc	command_prompt
609	defense-evasion	T1207	Rogue Domain Controller	1	DCShadow (Active Directory)	0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6	powershell
610	defense-evasion	T1014	Rootkit	1	Loadable Kernel Module based Rootkit	dfb50072-e45a-4c75-a17e-a484809c8553	sh
611	defense-evasion	T1014	Rootkit	2	Loadable Kernel Module based Rootkit	75483ef8-f10f-444a-bf02-62eb0e48db6f	sh
612	defense-evasion	T1564.006	Run Virtual Instance	1	Register Portable Virtualbox	c59f246a-34f8-4e4d-9276-c295ef9ba0dd	command_prompt
613	defense-evasion	T1564.006	Run Virtual Instance	2	Create and start VirtualBox virtual machine	88b81702-a1c0-49a9-95b2-2dd53d755767	command_prompt
614	defense-evasion	T1564.006	Run Virtual Instance	3	Create and start Hyper-V virtual machine	fb8d4d7e-f5a4-481c-8867-febf13f8b6d3	powershell
615	defense-evasion	T1218.011	Rundll32	1	Rundll32 execute JavaScript Remote Payload With GetObject	cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be	command_prompt
616	defense-evasion	T1218.011	Rundll32	2	Rundll32 execute VBscript command	638730e7-7aed-43dc-bf8c-8117f805f5bb	command_prompt
617	defense-evasion	T1218.011	Rundll32	3	Rundll32 advpack.dll Execution	d91cae26-7fc1-457b-a854-34c8aad48c89	command_prompt
618	defense-evasion	T1218.011	Rundll32	4	Rundll32 ieadvpack.dll Execution	5e46a58e-cbf6-45ef-a289-ed7754603df9	command_prompt
619	defense-evasion	T1218.011	Rundll32	5	Rundll32 syssetup.dll Execution	41fa324a-3946-401e-bbdd-d7991c628125	command_prompt
620	defense-evasion	T1218.011	Rundll32	6	Rundll32 setupapi.dll Execution	71d771cd-d6b3-4f34-bc76-a63d47a10b19	command_prompt
621	defense-evasion	T1218.011	Rundll32	7	Execution of HTA and VBS Files using Rundll32 and URL.dll	22cfde89-befe-4e15-9753-47306b37a6e3	command_prompt
622	defense-evasion	T1218.011	Rundll32	8	Launches an executable using Rundll32 and pcwutl.dll	9f5d081a-ee5a-42f9-a04e-b7bdc487e676	command_prompt
623	defense-evasion	T1218.011	Rundll32	9	Execution of non-dll using rundll32.exe	ae3a8605-b26e-457c-b6b3-2702fd335bac	powershell
624	defense-evasion	T1218.011	Rundll32	10	Rundll32 with Ordinal Value	9fd5a74b-ba89-482a-8a3e-a5feaa3697b0	command_prompt
625	defense-evasion	T1218.011	Rundll32	11	Rundll32 with Control_RunDLL	e4c04b6f-c492-4782-82c7-3bf75eb8077e	command_prompt
626	defense-evasion	T1218.011	Rundll32	12	Rundll32 with desk.cpl	83a95136-a496-423c-81d3-1c6750133917	command_prompt
627	defense-evasion	T1134.005	SID-History Injection	1	Injection SID-History with mimikatz	6bef32e5-9456-4072-8f14-35566fb85401	command_prompt
628	defense-evasion	T1574.011	Services Registry Permissions Weakness	1	Service Registry Permissions Weakness	f7536d63-7fd4-466f-89da-7e48d550752a	powershell
629	defense-evasion	T1574.011	Services Registry Permissions Weakness	2	Service ImagePath Change with reg.exe	f38e9eea-e1d7-4ba6-b716-584791963827	command_prompt
630	defense-evasion	T1548.001	Setuid and Setgid	1	Make and modify binary from C source	896dfe97-ae43-4101-8e96-9a7996555d80	sh
631	defense-evasion	T1548.001	Setuid and Setgid	2	Set a SetUID flag on file	759055b3-3885-4582-a8ec-c00c9d64dd79	sh
632	defense-evasion	T1548.001	Setuid and Setgid	3	Set a SetGID flag on file	db55f666-7cba-46c6-9fe6-205a05c3242c	sh
633	defense-evasion	T1548.001	Setuid and Setgid	4	Make and modify capabilities of a binary	db53959c-207d-4000-9e7a-cd8eb417e072	sh
634	defense-evasion	T1548.001	Setuid and Setgid	5	Provide the SetUID capability to a file	1ac3272f-9bcf-443a-9888-4b1d3de785c1	sh
635	defense-evasion	T1218	Signed Binary Proxy Execution	1	mavinject - Inject DLL into running process	c426dacf-575d-4937-8611-a148a86a5e61	command_prompt
636	defense-evasion	T1218	Signed Binary Proxy Execution	2	SyncAppvPublishingServer - Execute arbitrary PowerShell code	d590097e-d402-44e2-ad72-2c6aa1ce78b1	command_prompt
637	defense-evasion	T1218	Signed Binary Proxy Execution	3	Register-CimProvider - Execute evil dll	ad2c17ed-f626-4061-b21e-b9804a6f3655	command_prompt
638	defense-evasion	T1218	Signed Binary Proxy Execution	4	InfDefaultInstall.exe .inf Execution	54ad7d5a-a1b5-472c-b6c4-f8090fb2daef	command_prompt
639	defense-evasion	T1218	Signed Binary Proxy Execution	5	ProtocolHandler.exe Downloaded a Suspicious File	db020456-125b-4c8b-a4a7-487df8afb5a2	command_prompt
640	defense-evasion	T1218	Signed Binary Proxy Execution	6	Microsoft.Workflow.Compiler.exe Payload Execution	7cbb0f26-a4c1-4f77-b180-a009aa05637e	powershell
641	defense-evasion	T1218	Signed Binary Proxy Execution	7	Renamed Microsoft.Workflow.Compiler.exe Payload Executions	4cc40fd7-87b8-4b16-b2d7-57534b86b911	powershell
642	defense-evasion	T1218	Signed Binary Proxy Execution	8	Invoke-ATHRemoteFXvGPUDisablementCommand base test	9ebe7901-7edf-45c0-b5c7-8366300919db	powershell
643	defense-evasion	T1218	Signed Binary Proxy Execution	9	DiskShadow Command Execution	0e1483ba-8f0c-425d-b8c6-42736e058eaa	powershell
644	defense-evasion	T1218	Signed Binary Proxy Execution	10	Load Arbitrary DLL via Wuauclt (Windows Update Client)	49fbd548-49e9-4bb7-94a6-3769613912b8	command_prompt
645	defense-evasion	T1216	Signed Script Proxy Execution	1	SyncAppvPublishingServer Signed Script PowerShell Command Execution	275d963d-3f36-476c-8bef-a2a3960ee6eb	command_prompt
646	defense-evasion	T1216	Signed Script Proxy Execution	2	manage-bde.wsf Signed Script Command Execution	2a8f2d3c-3dec-4262-99dd-150cb2a4d63a	command_prompt
647	defense-evasion	T1027.002	Software Packing	1	Binary simply packed by UPX (linux)	11c46cd8-e471-450e-acb8-52a1216ae6a4	sh
648	defense-evasion	T1027.002	Software Packing	2	Binary packed by UPX, with modified headers (linux)	f06197f8-ff46-48c2-a0c6-afc1b50665e1	sh
649	defense-evasion	T1027.002	Software Packing	3	Binary simply packed by UPX	b16ef901-00bb-4dda-b4fc-a04db5067e20	sh
650	defense-evasion	T1027.002	Software Packing	4	Binary packed by UPX, with modified headers	4d46e16b-5765-4046-9f25-a600d3e65e4d	sh
651	defense-evasion	T1036.006	Space after Filename	1	Space After Filename (Manual)	89a7dd26-e510-4c9f-9b15-f3bae333360f	manual
652	defense-evasion	T1036.006	Space after Filename	2	Space After Filename	b95ce2eb-a093-4cd8-938d-5258cef656ea	bash
653	defense-evasion	T1548.003	Sudo and Sudo Caching	1	Sudo usage	150c3a08-ee6e-48a6-aeaf-3659d24ceb4e	sh
654	defense-evasion	T1548.003	Sudo and Sudo Caching	2	Unlimited sudo cache timeout	a7b17659-dd5e-46f7-b7d1-e6792c91d0bc	sh
655	defense-evasion	T1548.003	Sudo and Sudo Caching	3	Disable tty_tickets for sudo caching	91a60b03-fb75-4d24-a42e-2eb8956e8de1	sh
656	defense-evasion	T1497.001	System Checks	1	Detect Virtualization Environment (Linux)	dfbd1a21-540d-4574-9731-e852bd6fe840	sh
657	defense-evasion	T1497.001	System Checks	2	Detect Virtualization Environment (Windows)	502a7dc4-9d6f-4d28-abf2-f0e84692562d	powershell
658	defense-evasion	T1497.001	System Checks	3	Detect Virtualization Environment (MacOS)	a960185f-aef6-4547-8350-d1ce16680d09	sh
659	defense-evasion	T1497.001	System Checks	4	Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)	4a41089a-48e0-47aa-82cb-5b81a463bc78	powershell
660	defense-evasion	T1221	Template Injection	1	WINWORD Remote Template Injection	1489e08a-82c7-44ee-b769-51b72d03521d	command_prompt
661	defense-evasion	T1070.006	Timestomp	1	Set a file's access timestamp	5f9113d5-ed75-47ed-ba23-ea3573d05810	sh
662	defense-evasion	T1070.006	Timestomp	2	Set a file's modification timestamp	20ef1523-8758-4898-b5a2-d026cc3d2c52	sh
663	defense-evasion	T1070.006	Timestomp	3	Set a file's creation timestamp	8164a4a6-f99c-4661-ac4f-80f5e4e78d2b	sh
664	defense-evasion	T1070.006	Timestomp	4	Modify file timestamps using reference file	631ea661-d661-44b0-abdb-7a7f3fc08e50	sh
665	defense-evasion	T1070.006	Timestomp	5	Windows - Modify file creation timestamp with PowerShell	b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c	powershell
666	defense-evasion	T1070.006	Timestomp	6	Windows - Modify file last modified timestamp with PowerShell	f8f6634d-93e1-4238-8510-f8a90a20dcf2	powershell
667	defense-evasion	T1070.006	Timestomp	7	Windows - Modify file last access timestamp with PowerShell	da627f63-b9bd-4431-b6f8-c5b44d061a62	powershell
668	defense-evasion	T1070.006	Timestomp	8	Windows - Timestomp a File	d7512c33-3a75-4806-9893-69abc3ccdd43	powershell
669	defense-evasion	T1134.001	Token Impersonation/Theft	1	Named pipe client impersonation	90db9e27-8e7c-4c04-b602-a45927884966	powershell
670	defense-evasion	T1134.001	Token Impersonation/Theft	2	`SeDebugPrivilege` token duplication	34f0a430-9d04-4d98-bcb5-1989f14719f0	powershell
671	defense-evasion	T1222.001	Windows File and Directory Permissions Modification	1	Take ownership using takeown utility	98d34bb4-6e75-42ad-9c41-1dae7dc6a001	command_prompt
672	defense-evasion	T1222.001	Windows File and Directory Permissions Modification	2	cacls - Grant permission to specified user or group recursively	a8206bcc-f282-40a9-a389-05d9c0263485	command_prompt
673	defense-evasion	T1222.001	Windows File and Directory Permissions Modification	3	attrib - Remove read-only attribute	bec1e95c-83aa-492e-ab77-60c71bbd21b0	command_prompt
674	defense-evasion	T1222.001	Windows File and Directory Permissions Modification	4	attrib - hide file	32b979da-7b68-42c9-9a99-0e39900fc36c	command_prompt
675	defense-evasion	T1222.001	Windows File and Directory Permissions Modification	5	Grant Full Access to folder for Everyone - Ryuk Ransomware Style	ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6	command_prompt
676	defense-evasion	T1220	XSL Script Processing	1	MSXSL Bypass using local files	ca23bfb2-023f-49c5-8802-e66997de462d	command_prompt
677	defense-evasion	T1220	XSL Script Processing	2	MSXSL Bypass using remote files	a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985	command_prompt
678	defense-evasion	T1220	XSL Script Processing	3	WMIC bypass using local XSL file	1b237334-3e21-4a0c-8178-b8c996124988	command_prompt
679	defense-evasion	T1220	XSL Script Processing	4	WMIC bypass using remote XSL file	7f5be499-33be-4129-a560-66021f379b9b	command_prompt
680	persistence	T1546.008	Accessibility Features	1	Attaches Command Prompt as a Debugger to a List of Target Processes	3309f53e-b22b-4eb6-8fd2-a6cf58b355a9	powershell
681	persistence	T1546.008	Accessibility Features	2	Replace binary of sticky keys	934e90cf-29ca-48b3-863c-411737ad44e3	command_prompt
682	persistence	T1098	Account Manipulation	1	Admin Account Manipulate	5598f7cb-cf43-455e-883a-f6008c5d46af	powershell
683	persistence	T1098	Account Manipulation	2	Domain Account and Group Manipulate	a55a22e9-a3d3-42ce-bd48-2653adb8f7a9	powershell
684	persistence	T1098	Account Manipulation	3	AWS - Create a group and add a user to that group	8822c3b0-d9f9-4daf-a043-49f110a31122	sh
685	persistence	T1098	Account Manipulation	4	Azure - adding user to Azure AD role	0e65ae27-5385-46b4-98ac-607a8ee82261	powershell
686	persistence	T1098	Account Manipulation	5	Azure - adding service principal to Azure AD role	92c40b3f-c406-4d1f-8d2b-c039bf5009e4	powershell
687	persistence	T1098	Account Manipulation	6	Azure - adding user to Azure role in subscription	1a94b3fc-b080-450a-b3d8-6d9b57b472ea	powershell
688	persistence	T1098	Account Manipulation	7	Azure - adding service principal to Azure role in subscription	c8f4bc29-a151-48da-b3be-4680af56f404	powershell
689	persistence	T1098	Account Manipulation	8	AzureAD - adding permission to application	94ea9cc3-81f9-4111-8dde-3fb54f36af4b	powershell
690	persistence	T1098	Account Manipulation	9	Password Change on Directory Service Restore Mode (DSRM) Account	d5b886d9-d1c7-4b6e-a7b0-460041bf2823	command_prompt
691	persistence	T1137.006	Add-ins	1	Code Executed Via Excel Add-in File (Xll)	441b1a0f-a771-428a-8af0-e99e4698cda3	powershell
692	persistence	T1098.001	Additional Cloud Credentials	1	Azure AD Application Hijacking - Service Principal	b8e747c3-bdf7-4d71-bce2-f1df2a057406	powershell
693	persistence	T1098.001	Additional Cloud Credentials	2	Azure AD Application Hijacking - App Registration	a12b5531-acab-4618-a470-0dafb294a87a	powershell
694	persistence	T1098.001	Additional Cloud Credentials	3	AWS - Create Access Key and Secret Key	8822c3b0-d9f9-4daf-a043-491160a31122	sh
695	persistence	T1546.010	AppInit DLLs	1	Install AppInit Shim	a58d9386-3080-4242-ab5f-454c16503d18	command_prompt
696	persistence	T1546.011	Application Shimming	1	Application Shim Installation	9ab27e22-ee62-4211-962b-d36d9a0e6a18	command_prompt
697	persistence	T1546.011	Application Shimming	2	New shim database files created in the default shim database directory	aefd6866-d753-431f-a7a4-215ca7e3f13d	powershell
698	persistence	T1546.011	Application Shimming	3	Registry key creation and/or modification events for SDB	9b6a06f9-ab5e-4e8d-8289-1df4289db02f	powershell
699	persistence	T1053.001	At (Linux)	1	At - Schedule a job	7266d898-ac82-4ec0-97c7-436075d0d08e	sh
700	persistence	T1053.002	At (Windows)	1	At.exe Scheduled task	4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8	command_prompt
701	persistence	T1547.002	Authentication Package	1	Authentication Package	be2590e8-4ac3-47ac-b4b5-945820f2fbe9	powershell
702	persistence	T1197	BITS Jobs	1	Bitsadmin Download (cmd)	3c73d728-75fb-4180-a12f-6712864d7421	command_prompt
703	persistence	T1197	BITS Jobs	2	Bitsadmin Download (PowerShell)	f63b8bc4-07e5-4112-acba-56f646f3f0bc	powershell
704	persistence	T1197	BITS Jobs	3	Persist, Download, & Execute	62a06ec5-5754-47d2-bcfc-123d8314c6ae	command_prompt
705	persistence	T1197	BITS Jobs	4	Bits download using desktopimgdownldr.exe (cmd)	afb5e09e-e385-4dee-9a94-6ee60979d114	command_prompt
706	persistence	T1547	Boot or Logon Autostart Execution	1	Add a driver	cb01b3da-b0e7-4e24-bf6d-de5223526785	command_prompt
707	persistence	T1176	Browser Extensions	1	Chrome (Developer Mode)	3ecd790d-2617-4abf-9a8c-4e8d47da9ee1	manual
708	persistence	T1176	Browser Extensions	2	Chrome (Chrome Web Store)	4c83940d-8ca5-4bb2-8100-f46dc914bc3f	manual
709	persistence	T1176	Browser Extensions	3	Firefox	cb790029-17e6-4c43-b96f-002ce5f10938	manual
710	persistence	T1176	Browser Extensions	4	Edge Chromium Addon - VPN	3d456e2b-a7db-4af8-b5b3-720e7c4d9da5	manual
711	persistence	T1574.012	COR_PROFILER	1	User scope COR_PROFILER	9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a	powershell
712	persistence	T1574.012	COR_PROFILER	2	System Scope COR_PROFILER	f373b482-48c8-4ce4-85ed-d40c8b3f7310	powershell
713	persistence	T1574.012	COR_PROFILER	3	Registry-free process scope COR_PROFILER	79d57242-bbef-41db-b301-9d01d9f6e817	powershell
714	persistence	T1546.001	Change Default File Association	1	Change Default File Association	10a08978-2045-4d62-8c42-1957bbbea102	command_prompt
715	persistence	T1136.003	Cloud Account	1	AWS - Create a new IAM user	8d1c2368-b503-40c9-9057-8e42f21c58ad	sh
716	persistence	T1078.004	Cloud Accounts	1	Creating GCP Service Account and Service Account Key	9fdd83fd-bd53-46e5-a716-9dec89c8ae8e	gcloud
717	persistence	T1546.015	Component Object Model Hijacking	1	COM Hijacking - InprocServer32	48117158-d7be-441b-bc6a-d9e36e47b52b	powershell
718	persistence	T1546.015	Component Object Model Hijacking	2	Powershell Execute COM Object	752191b1-7c71-445c-9dbe-21bb031b18eb	powershell
719	persistence	T1053.007	Container Orchestration Job	1	ListCronjobs	ddfb0bc1-3c3f-47e9-a298-550ecfefacbd	bash
720	persistence	T1053.007	Container Orchestration Job	2	CreateCronjob	f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3	bash
721	persistence	T1053.003	Cron	1	Cron - Replace crontab with referenced file	435057fb-74b1-410e-9403-d81baf194f75	bash
722	persistence	T1053.003	Cron	2	Cron - Add script to all cron subfolders	b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0	bash
723	persistence	T1053.003	Cron	3	Cron - Add script to /var/spool/cron/crontabs/ folder	2d943c18-e74a-44bf-936f-25ade6cccab4	bash
724	persistence	T1574.001	DLL Search Order Hijacking	1	DLL Search Order Hijacking - amsi.dll	8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3	command_prompt
725	persistence	T1574.002	DLL Side-Loading	1	DLL Side-Loading using the Notepad++ GUP.exe binary	65526037-7079-44a9-bda1-2cb624838040	command_prompt
726	persistence	T1078.001	Default Accounts	1	Enable Guest account with RDP capability and admin privileges	99747561-ed8d-47f2-9c91-1e5fde1ed6e0	command_prompt
727	persistence	T1078.001	Default Accounts	2	Activate Guest Account	aa6cb8c4-b582-4f8e-b677-37733914abda	command_prompt
728	persistence	T1136.002	Domain Account	1	Create a new Windows domain admin user	fcec2963-9951-4173-9bfa-98d8b7834e62	command_prompt
729	persistence	T1136.002	Domain Account	2	Create a new account similar to ANONYMOUS LOGON	dc7726d2-8ccb-4cc6-af22-0d5afb53a548	command_prompt
730	persistence	T1136.002	Domain Account	3	Create a new Domain Account using PowerShell	5a3497a4-1568-4663-b12a-d4a5ed70c7d7	powershell
731	persistence	T1574.006	Dynamic Linker Hijacking	1	Shared Library Injection via /etc/ld.so.preload	39cb0e67-dd0d-4b74-a74b-c072db7ae991	bash
732	persistence	T1574.006	Dynamic Linker Hijacking	2	Shared Library Injection via LD_PRELOAD	bc219ff7-789f-4d51-9142-ecae3397deae	bash
733	persistence	T1546.014	Emond	1	Persistance with Event Monitor - emond	23c9c127-322b-4c75-95ca-eff464906114	sh
734	persistence	T1133	External Remote Services	1	Running Chrome VPN Extensions via the Registry 2 vpn extension	4c8db261-a58b-42a6-a866-0a294deedde4	powershell
735	persistence	T1546.012	Image File Execution Options Injection	1	IFEO Add Debugger	fdda2626-5234-4c90-b163-60849a24c0b8	command_prompt
736	persistence	T1546.012	Image File Execution Options Injection	2	IFEO Global Flags	46b1f278-c8ee-4aa5-acce-65e77b11f3c1	command_prompt
737	persistence	T1547.006	Kernel Modules and Extensions	1	Linux - Load Kernel Module via insmod	687dcb93-9656-4853-9c36-9977315e9d23	bash
738	persistence	T1543.001	Launch Agent	1	Launch Agent	a5983dee-bf6c-4eaf-951c-dbc1a7b90900	bash
739	persistence	T1543.004	Launch Daemon	1	Launch Daemon	03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf	bash
740	persistence	T1053.004	Launchd	1	Event Monitor Daemon Persistence	11979f23-9b9d-482a-9935-6fc9cd022c3e	bash
741	persistence	T1136.001	Local Account	1	Create a user account on a Linux system	40d8eabd-e394-46f6-8785-b9bfa1d011d2	bash
742	persistence	T1136.001	Local Account	2	Create a user account on a MacOS system	01993ba5-1da3-4e15-a719-b690d4f0f0b2	bash
743	persistence	T1136.001	Local Account	3	Create a new user in a command prompt	6657864e-0323-4206-9344-ac9cd7265a4f	command_prompt
744	persistence	T1136.001	Local Account	4	Create a new user in PowerShell	bc8be0ac-475c-4fbf-9b1d-9fffd77afbde	powershell
745	persistence	T1136.001	Local Account	5	Create a new user in Linux with `root` UID and GID.	a1040a30-d28b-4eda-bd99-bb2861a4616c	bash
746	persistence	T1136.001	Local Account	6	Create a new Windows admin user	fda74566-a604-4581-a4cc-fbbe21d66559	command_prompt
747	persistence	T1078.003	Local Accounts	1	Create local account with admin privileges	a524ce99-86de-4db6-b4f9-e08f35a47a15	command_prompt
748	persistence	T1078.003	Local Accounts	2	Create local account with admin privileges - MacOS	f1275566-1c26-4b66-83e3-7f9f7f964daa	bash
749	persistence	T1037.002	Logon Script (Mac)	1	Logon Scripts - Mac	f047c7de-a2d9-406e-a62b-12a09d9516f4	manual
750	persistence	T1037.001	Logon Script (Windows)	1	Logon Scripts	d6042746-07d4-4c92-9ad8-e644c114a231	command_prompt
751	persistence	T1546.007	Netsh Helper DLL	1	Netsh Helper DLL Registration	3244697d-5a3a-4dfc-941c-550f69f91a4d	command_prompt
752	persistence	T1137	Office Application Startup	1	Office Application Startup - Outlook as a C2	bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c	command_prompt
753	persistence	T1137.002	Office Test	1	Office Application Startup Test Persistence	c3e35b58-fe1c-480b-b540-7600fb612563	command_prompt
754	persistence	T1137.004	Outlook Home Page	1	Install Outlook Home Page Persistence	7a91ad51-e6d2-4d43-9471-f26362f5738e	command_prompt
755	persistence	T1556.002	Password Filter DLL	1	Install and Register Password Filter DLL	a7961770-beb5-4134-9674-83d7e1fa865c	powershell
756	persistence	T1574.009	Path Interception by Unquoted Path	1	Execution of program.exe as service with unquoted service path	2770dea7-c50f-457b-84c4-c40a47460d9f	command_prompt
757	persistence	T1547.011	Plist Modification	1	Plist Modification	394a538e-09bb-4a4a-95d1-b93cf12682a8	manual
758	persistence	T1556.003	Pluggable Authentication Modules	1	Malicious PAM rule	4b9dde80-ae22-44b1-a82a-644bf009eb9c	sh
759	persistence	T1556.003	Pluggable Authentication Modules	2	Malicious PAM module	65208808-3125-4a2e-8389-a0a00e9ab326	sh
760	persistence	T1547.010	Port Monitors	1	Add Port Monitor persistence in Registry	d34ef297-f178-4462-871e-9ce618d44e50	command_prompt
761	persistence	T1546.013	PowerShell Profile	1	Append malicious start-process cmdlet	090e5aa5-32b6-473b-a49b-21e843a56896	powershell
762	persistence	T1037.004	RC Scripts	1	rc.common	97a48daa-8bca-4bc0-b1a9-c1d163e762de	bash
763	persistence	T1037.004	RC Scripts	2	rc.common	c33f3d80-5f04-419b-a13a-854d1cbdbf3a	bash
764	persistence	T1037.004	RC Scripts	3	rc.local	126f71af-e1c9-405c-94ef-26a47b16c102	bash
765	persistence	T1547.007	Re-opened Applications	1	Re-Opened Applications	5fefd767-ef54-4ac6-84d3-751ab85e8aba	manual
766	persistence	T1547.007	Re-opened Applications	2	Re-Opened Applications	5f5b71da-e03f-42e7-ac98-d63f9e0465cb	sh
767	persistence	T1547.001	Registry Run Keys / Startup Folder	1	Reg Key Run	e55be3fd-3521-4610-9d1a-e210e42dcf05	command_prompt
768	persistence	T1547.001	Registry Run Keys / Startup Folder	2	Reg Key RunOnce	554cbd88-cde1-4b56-8168-0be552eed9eb	command_prompt
769	persistence	T1547.001	Registry Run Keys / Startup Folder	3	PowerShell Registry RunOnce	eb44f842-0457-4ddc-9b92-c4caa144ac42	powershell
770	persistence	T1547.001	Registry Run Keys / Startup Folder	4	Suspicious vbs file run from startup Folder	2cb98256-625e-4da9-9d44-f2e5f90b8bd5	powershell
771	persistence	T1547.001	Registry Run Keys / Startup Folder	5	Suspicious jse file run from startup Folder	dade9447-791e-4c8f-b04b-3a35855dfa06	powershell
772	persistence	T1547.001	Registry Run Keys / Startup Folder	6	Suspicious bat file run from startup Folder	5b6768e4-44d2-44f0-89da-a01d1430fd5e	powershell
773	persistence	T1547.001	Registry Run Keys / Startup Folder	7	Add Executable Shortcut Link to User Startup Folder	24e55612-85f6-4bd6-ae74-a73d02e3441d	powershell
774	persistence	T1547.001	Registry Run Keys / Startup Folder	8	Add persistance via Recycle bin	bda6a3d6-7aa7-4e89-908b-306772e9662f	command_prompt
775	persistence	T1547.001	Registry Run Keys / Startup Folder	9	SystemBC Malware-as-a-Service Registry	9dc7767b-30c1-4cc4-b999-50cab5e27891	powershell
776	persistence	T1098.004	SSH Authorized Keys	1	Modify SSH Authorized Keys	342cc723-127c-4d3a-8292-9c0c6b4ecadc	bash
777	persistence	T1053.005	Scheduled Task	1	Scheduled Task Startup Script	fec27f65-db86-4c2d-b66c-61945aee87c2	command_prompt
778	persistence	T1053.005	Scheduled Task	2	Scheduled task Local	42f53695-ad4a-4546-abb6-7d837f644a71	command_prompt
779	persistence	T1053.005	Scheduled Task	3	Scheduled task Remote	2e5eac3e-327b-4a88-a0c0-c4057039a8dd	command_prompt
780	persistence	T1053.005	Scheduled Task	4	Powershell Cmdlet Scheduled Task	af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd	powershell
781	persistence	T1053.005	Scheduled Task	5	Task Scheduler via VBA	ecd3fa21-7792-41a2-8726-2c5c673414d3	powershell
782	persistence	T1053.005	Scheduled Task	6	WMI Invoke-CimMethod Scheduled Task	e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b	powershell
783	persistence	T1053.005	Scheduled Task	7	Scheduled Task Executing Base64 Encoded Commands From Registry	e895677d-4f06-49ab-91b6-ae3742d0a2ba	command_prompt
784	persistence	T1546.002	Screensaver	1	Set Arbitrary Binary as Screensaver	281201e7-de41-4dc9-b73d-f288938cbb64	command_prompt
785	persistence	T1547.005	Security Support Provider	1	Modify SSP configuration in registry	afdfd7e3-8a0b-409f-85f7-886fdf249c9e	powershell
786	persistence	T1574.011	Services Registry Permissions Weakness	1	Service Registry Permissions Weakness	f7536d63-7fd4-466f-89da-7e48d550752a	powershell
787	persistence	T1574.011	Services Registry Permissions Weakness	2	Service ImagePath Change with reg.exe	f38e9eea-e1d7-4ba6-b716-584791963827	command_prompt
788	persistence	T1547.009	Shortcut Modification	1	Shortcut Modification	ce4fc678-364f-4282-af16-2fb4c78005ce	command_prompt
789	persistence	T1547.009	Shortcut Modification	2	Create shortcut to cmd in startup folders	cfdc954d-4bb0-4027-875b-a1893ce406f2	powershell
790	persistence	T1037.005	Startup Items	1	Add file to Local Library StartupItems	134627c3-75db-410e-bff8-7a920075f198	sh
791	persistence	T1543.002	Systemd Service	1	Create Systemd Service	d9e4f24f-aa67-4c6e-bcbf-85622b697a7c	bash
792	persistence	T1543.002	Systemd Service	2	Create Systemd Service file, Enable the service , Modify and Reload the service.	c35ac4a8-19de-43af-b9f8-755da7e89c89	bash
793	persistence	T1053.006	Systemd Timers	1	Create Systemd Service and Timer	f4983098-bb13-44fb-9b2c-46149961807b	bash
794	persistence	T1053.006	Systemd Timers	2	Create a user level transient systemd service and timer	3de33f5b-62e5-4e63-a2a0-6fd8808c80ec	sh
795	persistence	T1053.006	Systemd Timers	3	Create a system level transient systemd service and timer	d3eda496-1fc0-49e9-aff5-3bec5da9fa22	sh
796	persistence	T1505.002	Transport Agent	1	Install MS Exchange Transport Agent Persistence	43e92449-ff60-46e9-83a3-1a38089df94d	powershell
797	persistence	T1546.005	Trap	1	Trap	a74b2e07-5952-4c03-8b56-56274b076b61	sh
798	persistence	T1546.004	Unix Shell Configuration Modification	1	Add command to .bash_profile	94500ae1-7e31-47e3-886b-c328da46872f	sh
799	persistence	T1546.004	Unix Shell Configuration Modification	2	Add command to .bashrc	0a898315-4cfa-4007-bafe-33a4646d115f	sh
800	persistence	T1505.003	Web Shell	1	Web Shell Written to Disk	0a2ce662-1efa-496f-a472-2fe7b080db16	command_prompt
801	persistence	T1546.003	Windows Management Instrumentation Event Subscription	1	Persistence via WMI Event Subscription	3c64f177-28e2-49eb-a799-d767b24dd1e0	powershell
802	persistence	T1543.003	Windows Service	1	Modify Fax service to run PowerShell	ed366cde-7d12-49df-a833-671904770b9f	command_prompt
803	persistence	T1543.003	Windows Service	2	Service Installation CMD	981e2942-e433-44e9-afc1-8c957a1496b6	command_prompt
804	persistence	T1543.003	Windows Service	3	Service Installation PowerShell	491a4af6-a521-4b74-b23b-f7b3f1ee9e77	powershell
805	persistence	T1543.003	Windows Service	4	TinyTurla backdoor service w64time	ef0581fd-528e-4662-87bc-4c2affb86940	command_prompt
806	persistence	T1547.004	Winlogon Helper DLL	1	Winlogon Shell Key Persistence - PowerShell	bf9f9d65-ee4d-4c3e-a843-777d04f19c38	powershell
807	persistence	T1547.004	Winlogon Helper DLL	2	Winlogon Userinit Key Persistence - PowerShell	fb32c935-ee2e-454b-8fa3-1c46b42e8dfb	powershell
808	persistence	T1547.004	Winlogon Helper DLL	3	Winlogon Notify Key Logon Persistence - PowerShell	d40da266-e073-4e5a-bb8b-2b385023e5f9	powershell
809	impact	T1531	Account Access Removal	1	Change User Password - Windows	1b99ef28-f83c-4ec5-8a08-1a56263a5bb2	command_prompt
810	impact	T1531	Account Access Removal	2	Delete User - Windows	f21a1d7d-a62f-442a-8c3a-2440d43b19e5	command_prompt
811	impact	T1531	Account Access Removal	3	Remove Account From Domain Admin Group	43f71395-6c37-498e-ab17-897d814a0947	powershell
812	impact	T1485	Data Destruction	1	Windows - Overwrite file with Sysinternals SDelete	476419b5-aebf-4366-a131-ae3e8dae5fc2	powershell
813	impact	T1485	Data Destruction	2	macOS/Linux - Overwrite file with DD	38deee99-fd65-4031-bec8-bfa4f9f26146	bash
814	impact	T1485	Data Destruction	3	Overwrite deleted data on C drive	321fd25e-0007-417f-adec-33232252be19	command_prompt
815	impact	T1486	Data Encrypted for Impact	1	Encrypt files using gpg (Linux)	7b8ce084-3922-4618-8d22-95f996173765	bash
816	impact	T1486	Data Encrypted for Impact	2	Encrypt files using 7z (Linux)	53e6735a-4727-44cc-b35b-237682a151ad	bash
817	impact	T1486	Data Encrypted for Impact	3	Encrypt files using ccrypt (Linux)	08cbf59f-85da-4369-a5f4-049cffd7709f	bash
818	impact	T1486	Data Encrypted for Impact	4	Encrypt files using openssl (Linux)	142752dc-ca71-443b-9359-cf6f497315f1	bash
819	impact	T1486	Data Encrypted for Impact	5	PureLocker Ransom Note	649349c7-9abf-493b-a7a2-b1aa4d141528	command_prompt
820	impact	T1490	Inhibit System Recovery	1	Windows - Delete Volume Shadow Copies	43819286-91a9-4369-90ed-d31fb4da2c01	command_prompt
821	impact	T1490	Inhibit System Recovery	2	Windows - Delete Volume Shadow Copies via WMI	6a3ff8dd-f49c-4272-a658-11c2fe58bd88	command_prompt
822	impact	T1490	Inhibit System Recovery	3	Windows - wbadmin Delete Windows Backup Catalog	263ba6cb-ea2b-41c9-9d4e-b652dadd002c	command_prompt
823	impact	T1490	Inhibit System Recovery	4	Windows - Disable Windows Recovery Console Repair	cf21060a-80b3-4238-a595-22525de4ab81	command_prompt
824	impact	T1490	Inhibit System Recovery	5	Windows - Delete Volume Shadow Copies via WMI with PowerShell	39a295ca-7059-4a88-86f6-09556c1211e7	powershell
825	impact	T1490	Inhibit System Recovery	6	Windows - Delete Backup Files	6b1dbaf6-cc8a-4ea6-891f-6058569653bf	command_prompt
826	impact	T1490	Inhibit System Recovery	7	Windows - wbadmin Delete systemstatebackup	584331dd-75bc-4c02-9e0b-17f5fd81c748	command_prompt
827	impact	T1490	Inhibit System Recovery	8	Windows - Disable the SR scheduled task	1c68c68d-83a4-4981-974e-8993055fa034	command_prompt
828	impact	T1490	Inhibit System Recovery	9	Disable System Restore Through Registry	66e647d1-8741-4e43-b7c1-334760c2047f	command_prompt
829	impact	T1491.001	Internal Defacement	1	Replace Desktop Wallpaper	30558d53-9d76-41c4-9267-a7bd5184bed3	powershell
830	impact	T1496	Resource Hijacking	1	macOS/Linux - Simulate CPU Load with Yes	904a5a0e-fb02-490d-9f8d-0e256eb37549	bash
831	impact	T1489	Service Stop	1	Windows - Stop service using Service Controller	21dfb440-830d-4c86-a3e5-2a491d5a8d04	command_prompt
832	impact	T1489	Service Stop	2	Windows - Stop service using net.exe	41274289-ec9c-4213-bea4-e43c4aa57954	command_prompt
833	impact	T1489	Service Stop	3	Windows - Stop service by killing process	f3191b84-c38b-400b-867e-3a217a27795f	command_prompt
834	impact	T1529	System Shutdown/Reboot	1	Shutdown System - Windows	ad254fa8-45c0-403b-8c77-e00b3d3e7a64	command_prompt
835	impact	T1529	System Shutdown/Reboot	2	Restart System - Windows	f4648f0d-bf78-483c-bafc-3ec99cd1c302	command_prompt
836	impact	T1529	System Shutdown/Reboot	3	Restart System via `shutdown` - macOS/Linux	6326dbc4-444b-4c04-88f4-27e94d0327cb	bash
837	impact	T1529	System Shutdown/Reboot	4	Shutdown System via `shutdown` - macOS/Linux	4963a81e-a3ad-4f02-adda-812343b351de	bash
838	impact	T1529	System Shutdown/Reboot	5	Restart System via `reboot` - macOS/Linux	47d0b042-a918-40ab-8cf9-150ffe919027	bash
839	impact	T1529	System Shutdown/Reboot	6	Shutdown System via `halt` - Linux	918f70ab-e1ef-49ff-bc57-b27021df84dd	bash
840	impact	T1529	System Shutdown/Reboot	7	Reboot System via `halt` - Linux	78f92e14-f1e9-4446-b3e9-f1b921f2459e	bash
841	impact	T1529	System Shutdown/Reboot	8	Shutdown System via `poweroff` - Linux	73a90cd2-48a2-4ac5-8594-2af35fa909fa	bash
842	impact	T1529	System Shutdown/Reboot	9	Reboot System via `poweroff` - Linux	61303105-ff60-427b-999e-efb90b314e41	bash
843	discovery	T1010	Application Window Discovery	1	List Process Main Windows - C# .NET	fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4	command_prompt
844	discovery	T1217	Browser Bookmark Discovery	1	List Mozilla Firefox Bookmark Database Files on Linux	3a41f169-a5ab-407f-9269-abafdb5da6c2	sh
845	discovery	T1217	Browser Bookmark Discovery	2	List Mozilla Firefox Bookmark Database Files on macOS	1ca1f9c7-44bc-46bb-8c85-c50e2e94267b	sh
846	discovery	T1217	Browser Bookmark Discovery	3	List Google Chrome Bookmark JSON Files on macOS	b789d341-154b-4a42-a071-9111588be9bc	sh
847	discovery	T1217	Browser Bookmark Discovery	4	List Google Chrome / Opera Bookmarks on Windows with powershell	faab755e-4299-48ec-8202-fc7885eb6545	powershell
848	discovery	T1217	Browser Bookmark Discovery	5	List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt	76f71e2f-480e-4bed-b61e-398fe17499d5	command_prompt
849	discovery	T1217	Browser Bookmark Discovery	6	List Mozilla Firefox bookmarks on Windows with command prompt	4312cdbc-79fc-4a9c-becc-53d49c734bc5	command_prompt
850	discovery	T1217	Browser Bookmark Discovery	7	List Internet Explorer Bookmarks using the command prompt	727dbcdb-e495-4ab1-a6c4-80c7f77aef85	command_prompt
851	discovery	T1217	Browser Bookmark Discovery	8	List Safari Bookmarks on MacOS	5fc528dd-79de-47f5-8188-25572b7fafe0	sh
852	discovery	T1087.002	Domain Account	1	Enumerate all accounts (Domain)	6fbc9e68-5ad7-444a-bd11-8bf3136c477e	command_prompt
853	discovery	T1087.002	Domain Account	2	Enumerate all accounts via PowerShell (Domain)	8b8a6449-be98-4f42-afd2-dedddc7453b2	powershell
854	discovery	T1087.002	Domain Account	3	Enumerate logged on users via CMD (Domain)	161dcd85-d014-4f5e-900c-d3eaae82a0f7	command_prompt
855	discovery	T1087.002	Domain Account	4	Automated AD Recon (ADRecon)	95018438-454a-468c-a0fa-59c800149b59	powershell
856	discovery	T1087.002	Domain Account	5	Adfind -Listing password policy	736b4f53-f400-4c22-855d-1a6b5a551600	command_prompt
857	discovery	T1087.002	Domain Account	6	Adfind - Enumerate Active Directory Admins	b95fd967-4e62-4109-b48d-265edfd28c3a	command_prompt
858	discovery	T1087.002	Domain Account	7	Adfind - Enumerate Active Directory User Objects	e1ec8d20-509a-4b9a-b820-06c9b2da8eb7	command_prompt
859	discovery	T1087.002	Domain Account	8	Adfind - Enumerate Active Directory Exchange AD Objects	5e2938fb-f919-47b6-8b29-2f6a1f718e99	command_prompt
860	discovery	T1087.002	Domain Account	9	Enumerate Default Domain Admin Details (Domain)	c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef	command_prompt
861	discovery	T1087.002	Domain Account	10	Enumerate Active Directory for Unconstrained Delegation	46f8dbe9-22a5-4770-8513-66119c5be63b	powershell
862	discovery	T1087.002	Domain Account	11	Get-DomainUser with PowerView	93662494-5ed7-4454-a04c-8c8372808ac2	powershell
863	discovery	T1087.002	Domain Account	12	Enumerate Active Directory Users with ADSISearcher	02e8be5a-3065-4e54-8cc8-a14d138834d3	powershell
864	discovery	T1087.002	Domain Account	13	Enumerate Linked Policies In ADSISearcher Discovery	7ab0205a-34e4-4a44-9b04-e1541d1a57be	powershell
865	discovery	T1087.002	Domain Account	14	Enumerate Root Domain linked policies Discovery	00c652e2-0750-4ca6-82ff-0204684a6fe4	powershell
866	discovery	T1069.002	Domain Groups	1	Basic Permission Groups Discovery Windows (Domain)	dd66d77d-8998-48c0-8024-df263dc2ce5d	command_prompt
867	discovery	T1069.002	Domain Groups	2	Permission Groups Discovery PowerShell (Domain)	6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7	powershell
868	discovery	T1069.002	Domain Groups	3	Elevated group enumeration using net group (Domain)	0afb5163-8181-432e-9405-4322710c0c37	command_prompt
869	discovery	T1069.002	Domain Groups	4	Find machines where user has local admin access (PowerView)	a2d71eee-a353-4232-9f86-54f4288dd8c1	powershell
870	discovery	T1069.002	Domain Groups	5	Find local admins on all machines in domain (PowerView)	a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd	powershell
871	discovery	T1069.002	Domain Groups	6	Find Local Admins via Group Policy (PowerView)	64fdb43b-5259-467a-b000-1b02c00e510a	powershell
872	discovery	T1069.002	Domain Groups	7	Enumerate Users Not Requiring Pre Auth (ASRepRoast)	870ba71e-6858-4f6d-895c-bb6237f6121b	powershell
873	discovery	T1069.002	Domain Groups	8	Adfind - Query Active Directory Groups	48ddc687-82af-40b7-8472-ff1e742e8274	command_prompt
874	discovery	T1069.002	Domain Groups	9	Enumerate Active Directory Groups with Get-AdGroup	3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8	powershell
875	discovery	T1069.002	Domain Groups	10	Enumerate Active Directory Groups with ADSISearcher	9f4e344b-8434-41b3-85b1-d38f29d148d0	powershell
876	discovery	T1069.002	Domain Groups	11	Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)	43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8	powershell
877	discovery	T1069.002	Domain Groups	12	Get-DomainGroupMember with PowerView	46352f40-f283-4fe5-b56d-d9a71750e145	powershell
878	discovery	T1069.002	Domain Groups	13	Get-DomainGroup with PowerView	5a8a181c-2c8e-478d-a943-549305a01230	powershell
879	discovery	T1482	Domain Trust Discovery	1	Windows - Discover domain trusts with dsquery	4700a710-c821-4e17-a3ec-9e4c81d6845f	command_prompt
880	discovery	T1482	Domain Trust Discovery	2	Windows - Discover domain trusts with nltest	2e22641d-0498-48d2-b9ff-c71e496ccdbe	command_prompt
881	discovery	T1482	Domain Trust Discovery	3	Powershell enumerate domains and forests	c58fbc62-8a62-489e-8f2d-3565d7d96f30	powershell
882	discovery	T1482	Domain Trust Discovery	4	Adfind - Enumerate Active Directory OUs	d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec	command_prompt
883	discovery	T1482	Domain Trust Discovery	5	Adfind - Enumerate Active Directory Trusts	15fe436d-e771-4ff3-b655-2dca9ba52834	command_prompt
884	discovery	T1482	Domain Trust Discovery	6	Get-DomainTrust with PowerView	f974894c-5991-4b19-aaf5-7cc2fe298c5d	powershell
885	discovery	T1482	Domain Trust Discovery	7	Get-ForestTrust with PowerView	58ed10e8-0738-4651-8408-3a3e9a526279	powershell
886	discovery	T1083	File and Directory Discovery	1	File and Directory Discovery (cmd.exe)	0e36303b-6762-4500-b003-127743b80ba6	command_prompt
887	discovery	T1083	File and Directory Discovery	2	File and Directory Discovery (PowerShell)	2158908e-b7ef-4c21-8a83-3ce4dd05a924	powershell
888	discovery	T1083	File and Directory Discovery	3	Nix File and Directory Discovery	ffc8b249-372a-4b74-adcd-e4c0430842de	sh
889	discovery	T1083	File and Directory Discovery	4	Nix File and Directory Discovery 2	13c5e1ae-605b-46c4-a79f-db28c77ff24e	sh
890	discovery	T1083	File and Directory Discovery	5	Simulating MAZE Directory Enumeration	c6c34f61-1c3e-40fb-8a58-d017d88286d8	powershell
891	discovery	T1615	Group Policy Discovery	1	Display group policy information via gpresult	0976990f-53b1-4d3f-a185-6df5be429d3b	command_prompt
892	discovery	T1615	Group Policy Discovery	2	Get-DomainGPO to display group policy information via PowerView	4e524c4e-0e02-49aa-8df5-93f3f7959b9f	powershell
893	discovery	T1615	Group Policy Discovery	3	WinPwn - GPOAudit	bc25c04b-841e-4965-855f-d1f645d7ab73	powershell
894	discovery	T1615	Group Policy Discovery	4	WinPwn - GPORemoteAccessPolicy	7230d01a-0a72-4bd5-9d7f-c6d472bc6a59	powershell
895	discovery	T1087.001	Local Account	1	Enumerate all accounts (Local)	f8aab3dd-5990-4bf8-b8ab-2226c951696f	sh
896	discovery	T1087.001	Local Account	2	View sudoers access	fed9be70-0186-4bde-9f8a-20945f9370c2	sh
897	discovery	T1087.001	Local Account	3	View accounts with UID 0	c955a599-3653-4fe5-b631-f11c00eb0397	sh
898	discovery	T1087.001	Local Account	4	List opened files by user	7e46c7a5-0142-45be-a858-1a3ecb4fd3cb	sh
899	discovery	T1087.001	Local Account	5	Show if a user account has ever logged in remotely	0f0b6a29-08c3-44ad-a30b-47fd996b2110	sh
900	discovery	T1087.001	Local Account	6	Enumerate users and groups	e6f36545-dc1e-47f0-9f48-7f730f54a02e	sh
901	discovery	T1087.001	Local Account	7	Enumerate users and groups	319e9f6c-7a9e-432e-8c62-9385c803b6f2	sh
902	discovery	T1087.001	Local Account	8	Enumerate all accounts on Windows (Local)	80887bec-5a9b-4efc-a81d-f83eb2eb32ab	command_prompt
903	discovery	T1087.001	Local Account	9	Enumerate all accounts via PowerShell (Local)	ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b	powershell
904	discovery	T1087.001	Local Account	10	Enumerate logged on users via CMD (Local)	a138085e-bfe5-46ba-a242-74a6fb884af3	command_prompt
905	discovery	T1069.001	Local Groups	1	Permission Groups Discovery (Local)	952931a4-af0b-4335-bbbe-73c8c5b327ae	sh
906	discovery	T1069.001	Local Groups	2	Basic Permission Groups Discovery Windows (Local)	1f454dd6-e134-44df-bebb-67de70fb6cd8	command_prompt
907	discovery	T1069.001	Local Groups	3	Permission Groups Discovery PowerShell (Local)	a580462d-2c19-4bc7-8b9a-57a41b7d3ba4	powershell
908	discovery	T1069.001	Local Groups	4	SharpHound3 - LocalAdmin	e03ada14-0980-4107-aff1-7783b2b59bb1	powershell
909	discovery	T1069.001	Local Groups	5	Wmic Group Discovery	7413be50-be8e-430f-ad4d-07bf197884b2	powershell
910	discovery	T1069.001	Local Groups	6	WMIObject Group Discovery	69119e58-96db-4110-ad27-954e48f3bb13	powershell
911	discovery	T1046	Network Service Scanning	1	Port Scan	68e907da-2539-48f6-9fc9-257a78c05540	sh
912	discovery	T1046	Network Service Scanning	2	Port Scan Nmap	515942b0-a09f-4163-a7bb-22fefb6f185f	sh
913	discovery	T1046	Network Service Scanning	3	Port Scan NMap for Windows	d696a3cb-d7a8-4976-8eb5-5af4abf2e3df	powershell
914	discovery	T1046	Network Service Scanning	4	Port Scan using python	6ca45b04-9f15-4424-b9d3-84a217285a5c	powershell
915	discovery	T1046	Network Service Scanning	5	WinPwn - spoolvulnscan	54574908-f1de-4356-9021-8053dd57439a	powershell
916	discovery	T1046	Network Service Scanning	6	WinPwn - MS17-10	97585b04-5be2-40e9-8c31-82157b8af2d6	powershell
917	discovery	T1046	Network Service Scanning	7	WinPwn - bluekeep	1cca5640-32a9-46e6-b8e0-fabbe2384a73	powershell
918	discovery	T1046	Network Service Scanning	8	WinPwn - fruit	bb037826-cbe8-4a41-93ea-b94059d6bb98	powershell
919	discovery	T1135	Network Share Discovery	1	Network Share Discovery	f94b5ad9-911c-4eff-9718-fd21899db4f7	sh
920	discovery	T1135	Network Share Discovery	2	Network Share Discovery - linux	875805bc-9e86-4e87-be86-3a5527315cae	bash
921	discovery	T1135	Network Share Discovery	3	Network Share Discovery command prompt	20f1097d-81c1-405c-8380-32174d493bbb	command_prompt
922	discovery	T1135	Network Share Discovery	4	Network Share Discovery PowerShell	1b0814d1-bb24-402d-9615-1b20c50733fb	powershell
923	discovery	T1135	Network Share Discovery	5	View available share drives	ab39a04f-0c93-4540-9ff2-83f862c385ae	command_prompt
924	discovery	T1135	Network Share Discovery	6	Share Discovery with PowerView	b1636f0a-ba82-435c-b699-0d78794d8bfd	powershell
925	discovery	T1135	Network Share Discovery	7	PowerView ShareFinder	d07e4cc1-98ae-447e-9d31-36cb430d28c4	powershell
926	discovery	T1040	Network Sniffing	1	Packet Capture Linux	7fe741f7-b265-4951-a7c7-320889083b3e	bash
927	discovery	T1040	Network Sniffing	2	Packet Capture macOS	9d04efee-eff5-4240-b8d2-07792b873608	bash
928	discovery	T1040	Network Sniffing	3	Packet Capture Windows Command Prompt	a5b2f6a0-24b4-493e-9590-c699f75723ca	command_prompt
929	discovery	T1040	Network Sniffing	4	Windows Internal Packet Capture	b5656f67-d67f-4de8-8e62-b5581630f528	command_prompt
930	discovery	T1201	Password Policy Discovery	1	Examine password complexity policy - Ubuntu	085fe567-ac84-47c7-ac4c-2688ce28265b	bash
931	discovery	T1201	Password Policy Discovery	2	Examine password complexity policy - CentOS/RHEL 7.x	78a12e65-efff-4617-bc01-88f17d71315d	bash
932	discovery	T1201	Password Policy Discovery	3	Examine password complexity policy - CentOS/RHEL 6.x	6ce12552-0adb-4f56-89ff-95ce268f6358	bash
933	discovery	T1201	Password Policy Discovery	4	Examine password expiration policy - All Linux	7c86c55c-70fa-4a05-83c9-3aa19b145d1a	bash
934	discovery	T1201	Password Policy Discovery	5	Examine local password policy - Windows	4588d243-f24e-4549-b2e3-e627acc089f6	command_prompt
935	discovery	T1201	Password Policy Discovery	6	Examine domain password policy - Windows	46c2c362-2679-4ef5-aec9-0e958e135be4	command_prompt
936	discovery	T1201	Password Policy Discovery	7	Examine password policy - macOS	4b7fa042-9482-45e1-b348-4b756b2a0742	bash
937	discovery	T1201	Password Policy Discovery	8	Get-DomainPolicy with PowerView	3177f4da-3d4b-4592-8bdc-aa23d0b2e843	powershell
938	discovery	T1201	Password Policy Discovery	9	Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy	b2698b33-984c-4a1c-93bb-e4ba72a0babb	powershell
939	discovery	T1120	Peripheral Device Discovery	1	Win32_PnPEntity Hardware Inventory	2cb4dbf2-2dca-4597-8678-4d39d207a3a5	powershell
940	discovery	T1057	Process Discovery	1	Process Discovery - ps	4ff64f0b-aaf2-4866-b39d-38d9791407cc	sh
941	discovery	T1057	Process Discovery	2	Process Discovery - tasklist	c5806a4f-62b8-4900-980b-c7ec004e9908	command_prompt
942	discovery	T1057	Process Discovery	3	Process Discovery - Get-Process	3b3809b6-a54b-4f5b-8aff-cb51f2e97b34	powershell
943	discovery	T1057	Process Discovery	4	Process Discovery - get-wmiObject	b51239b4-0129-474f-a2b4-70f855b9f2c2	powershell
944	discovery	T1057	Process Discovery	5	Process Discovery - wmic process	640cbf6d-659b-498b-ba53-f6dd1a1cc02c	command_prompt
945	discovery	T1012	Query Registry	1	Query Registry	8f7578c4-9863-4d83-875c-a565573bbdf0	command_prompt
946	discovery	T1018	Remote System Discovery	1	Remote System Discovery - net	85321a9c-897f-4a60-9f20-29788e50bccd	command_prompt
947	discovery	T1018	Remote System Discovery	2	Remote System Discovery - net group Domain Computers	f1bf6c8f-9016-4edf-aff9-80b65f5d711f	command_prompt
948	discovery	T1018	Remote System Discovery	3	Remote System Discovery - nltest	52ab5108-3f6f-42fb-8ba3-73bc054f22c8	command_prompt
949	discovery	T1018	Remote System Discovery	4	Remote System Discovery - ping sweep	6db1f57f-d1d5-4223-8a66-55c9c65a9592	command_prompt
950	discovery	T1018	Remote System Discovery	5	Remote System Discovery - arp	2d5a61f5-0447-4be4-944a-1f8530ed6574	command_prompt
951	discovery	T1018	Remote System Discovery	6	Remote System Discovery - arp nix	acb6b1ff-e2ad-4d64-806c-6c35fe73b951	sh
952	discovery	T1018	Remote System Discovery	7	Remote System Discovery - sweep	96db2632-8417-4dbb-b8bb-a8b92ba391de	sh
953	discovery	T1018	Remote System Discovery	8	Remote System Discovery - nslookup	baa01aaa-5e13-45ec-8a0d-e46c93c9760f	powershell
954	discovery	T1018	Remote System Discovery	9	Remote System Discovery - adidnsdump	95e19466-469e-4316-86d2-1dc401b5a959	command_prompt
955	discovery	T1018	Remote System Discovery	10	Adfind - Enumerate Active Directory Computer Objects	a889f5be-2d54-4050-bd05-884578748bb4	command_prompt
956	discovery	T1018	Remote System Discovery	11	Adfind - Enumerate Active Directory Domain Controller Objects	5838c31e-a0e2-4b9f-b60a-d79d2cb7995e	command_prompt
957	discovery	T1018	Remote System Discovery	12	Remote System Discovery - ip neighbour	158bd4dd-6359-40ab-b13c-285b9ef6fa25	sh
958	discovery	T1018	Remote System Discovery	13	Remote System Discovery - ip route	1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1	sh
959	discovery	T1018	Remote System Discovery	14	Remote System Discovery - ip tcp_metrics	6c2da894-0b57-43cb-87af-46ea3b501388	sh
960	discovery	T1018	Remote System Discovery	15	Enumerate domain computers within Active Directory using DirectorySearcher	962a6017-1c09-45a6-880b-adc9c57cb22e	powershell
961	discovery	T1018	Remote System Discovery	16	Enumerate Active Directory Computers with Get-AdComputer	97e89d9e-e3f5-41b5-a90f-1e0825df0fdf	powershell
962	discovery	T1018	Remote System Discovery	17	Enumerate Active Directory Computers with ADSISearcher	64ede6ac-b57a-41c2-a7d1-32c6cd35397d	powershell
963	discovery	T1018	Remote System Discovery	18	Get-DomainController with PowerView	b9d2e8ca-5520-4737-8076-4f08913da2c4	powershell
964	discovery	T1018	Remote System Discovery	19	Get-wmiobject to Enumerate Domain Controllers	e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad	powershell
965	discovery	T1518.001	Security Software Discovery	1	Security Software Discovery	f92a380f-ced9-491f-b338-95a991418ce2	command_prompt
966	discovery	T1518.001	Security Software Discovery	2	Security Software Discovery - powershell	7f566051-f033-49fb-89de-b6bacab730f0	powershell
967	discovery	T1518.001	Security Software Discovery	3	Security Software Discovery - ps (macOS)	ba62ce11-e820-485f-9c17-6f3c857cd840	sh
968	discovery	T1518.001	Security Software Discovery	4	Security Software Discovery - ps (Linux)	23b91cd2-c99c-4002-9e41-317c63e024a2	sh
969	discovery	T1518.001	Security Software Discovery	5	Security Software Discovery - Sysmon Service	fe613cf3-8009-4446-9a0f-bc78a15b66c9	command_prompt
970	discovery	T1518.001	Security Software Discovery	6	Security Software Discovery - AV Discovery via WMI	1553252f-14ea-4d3b-8a08-d7a4211aa945	command_prompt
971	discovery	T1518	Software Discovery	1	Find and Display Internet Explorer Browser Version	68981660-6670-47ee-a5fa-7e74806420a4	command_prompt
972	discovery	T1518	Software Discovery	2	Applications Installed	c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b	powershell
973	discovery	T1518	Software Discovery	3	Find and Display Safari Browser Version	103d6533-fd2a-4d08-976a-4a598565280f	sh
974	discovery	T1518	Software Discovery	4	WinPwn - Dotnetsearch	7e79a1b6-519e-433c-ad55-3ff293667101	powershell
975	discovery	T1518	Software Discovery	5	WinPwn - DotNet	10ba02d0-ab76-4f80-940d-451633f24c5b	powershell
976	discovery	T1518	Software Discovery	6	WinPwn - powerSQL	0bb64470-582a-4155-bde2-d6003a95ed34	powershell
977	discovery	T1497.001	System Checks	1	Detect Virtualization Environment (Linux)	dfbd1a21-540d-4574-9731-e852bd6fe840	sh
978	discovery	T1497.001	System Checks	2	Detect Virtualization Environment (Windows)	502a7dc4-9d6f-4d28-abf2-f0e84692562d	powershell
979	discovery	T1497.001	System Checks	3	Detect Virtualization Environment (MacOS)	a960185f-aef6-4547-8350-d1ce16680d09	sh
980	discovery	T1497.001	System Checks	4	Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)	4a41089a-48e0-47aa-82cb-5b81a463bc78	powershell
981	discovery	T1082	System Information Discovery	1	System Information Discovery	66703791-c902-4560-8770-42b8a91f7667	command_prompt
982	discovery	T1082	System Information Discovery	2	System Information Discovery	edff98ec-0f73-4f63-9890-6b117092aff6	sh
983	discovery	T1082	System Information Discovery	3	List OS Information	cccb070c-df86-4216-a5bc-9fb60c74e27c	sh
984	discovery	T1082	System Information Discovery	4	Linux VM Check via Hardware	31dad7ad-2286-4c02-ae92-274418c85fec	bash
985	discovery	T1082	System Information Discovery	5	Linux VM Check via Kernel Modules	8057d484-0fae-49a4-8302-4812c4f1e64e	bash
986	discovery	T1082	System Information Discovery	6	Hostname Discovery (Windows)	85cfbf23-4a1e-4342-8792-007e004b975f	command_prompt
987	discovery	T1082	System Information Discovery	7	Hostname Discovery	486e88ea-4f56-470f-9b57-3f4d73f39133	bash
988	discovery	T1082	System Information Discovery	8	Windows MachineGUID Discovery	224b4daf-db44-404e-b6b2-f4d1f0126ef8	command_prompt
989	discovery	T1082	System Information Discovery	9	Griffon Recon	69bd4abe-8759-49a6-8d21-0f15822d6370	powershell
990	discovery	T1082	System Information Discovery	10	Environment variables discovery on windows	f400d1c0-1804-4ff8-b069-ef5ddd2adbf3	command_prompt
991	discovery	T1082	System Information Discovery	11	Environment variables discovery on macos and linux	fcbdd43f-f4ad-42d5-98f3-0218097e2720	sh
992	discovery	T1082	System Information Discovery	12	Show System Integrity Protection status (MacOS)	327cc050-9e99-4c8e-99b5-1d15f2fb6b96	sh
993	discovery	T1082	System Information Discovery	13	WinPwn - winPEAS	eea1d918-825e-47dd-acc2-814d6c58c0e1	powershell
994	discovery	T1082	System Information Discovery	14	WinPwn - itm4nprivesc	3d256a2f-5e57-4003-8eb6-64d91b1da7ce	powershell
995	discovery	T1082	System Information Discovery	15	WinPwn - Powersploits privesc checks	345cb8e4-d2de-4011-a580-619cf5a9e2d7	powershell
996	discovery	T1082	System Information Discovery	16	WinPwn - General privesc checks	5b6f39a2-6ec7-4783-a5fd-2c54a55409ed	powershell
997	discovery	T1082	System Information Discovery	17	WinPwn - GeneralRecon	7804659b-fdbf-4cf6-b06a-c03e758590e8	powershell
998	discovery	T1082	System Information Discovery	18	WinPwn - Morerecon	3278b2f6-f733-4875-9ef4-bfed34244f0a	powershell
999	discovery	T1082	System Information Discovery	19	WinPwn - RBCD-Check	dec6a0d8-bcaf-4c22-9d48-2aee59fb692b	powershell
1000	discovery	T1614.001	System Language Discovery	1	Discover System Language by Registry Query	631d4cf1-42c9-4209-8fe9-6bd4de9421be	command_prompt
1001	discovery	T1614.001	System Language Discovery	2	Discover System Language with chcp	d91473ca-944e-477a-b484-0e80217cd789	command_prompt
1002	discovery	T1016	System Network Configuration Discovery	1	System Network Configuration Discovery on Windows	970ab6a1-0157-4f3f-9a73-ec4166754b23	command_prompt
1003	discovery	T1016	System Network Configuration Discovery	2	List Windows Firewall Rules	038263cb-00f4-4b0a-98ae-0696c67e1752	command_prompt
1004	discovery	T1016	System Network Configuration Discovery	3	System Network Configuration Discovery	c141bbdb-7fca-4254-9fd6-f47e79447e17	sh
1005	discovery	T1016	System Network Configuration Discovery	4	System Network Configuration Discovery (TrickBot Style)	dafaf052-5508-402d-bf77-51e0700c02e2	command_prompt
1006	discovery	T1016	System Network Configuration Discovery	5	List Open Egress Ports	4b467538-f102-491d-ace7-ed487b853bf5	powershell
1007	discovery	T1016	System Network Configuration Discovery	6	Adfind - Enumerate Active Directory Subnet Objects	9bb45dd7-c466-4f93-83a1-be30e56033ee	command_prompt
1008	discovery	T1016	System Network Configuration Discovery	7	Qakbot Recon	121de5c6-5818-4868-b8a7-8fd07c455c1b	command_prompt
1009	discovery	T1016	System Network Configuration Discovery	8	List macOS Firewall Rules	ff1d8c25-2aa4-4f18-a425-fede4a41ee88	bash
1010	discovery	T1049	System Network Connections Discovery	1	System Network Connections Discovery	0940a971-809a-48f1-9c4d-b1d785e96ee5	command_prompt
1011	discovery	T1049	System Network Connections Discovery	2	System Network Connections Discovery with PowerShell	f069f0f1-baad-4831-aa2b-eddac4baac4a	powershell
1012	discovery	T1049	System Network Connections Discovery	3	System Network Connections Discovery Linux & MacOS	9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2	sh
1013	discovery	T1049	System Network Connections Discovery	4	System Discovery using SharpView	96f974bb-a0da-4d87-a744-ff33e73367e9	powershell
1014	discovery	T1033	System Owner/User Discovery	1	System Owner/User Discovery	4c4959bf-addf-4b4a-be86-8d09cc1857aa	command_prompt
1015	discovery	T1033	System Owner/User Discovery	2	System Owner/User Discovery	2a9b677d-a230-44f4-ad86-782df1ef108c	sh
1016	discovery	T1033	System Owner/User Discovery	3	Find computers where user has session - Stealth mode (PowerView)	29857f27-a36f-4f7e-8084-4557cd6207ca	powershell
1017	discovery	T1033	System Owner/User Discovery	4	User Discovery With Env Vars PowerShell Script	dcb6cdee-1fb0-4087-8bf8-88cfd136ba51	powershell
1018	discovery	T1033	System Owner/User Discovery	5	GetCurrent User with PowerShell Script	1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b	powershell
1019	discovery	T1007	System Service Discovery	1	System Service Discovery	89676ba1-b1f8-47ee-b940-2e1a113ebc71	command_prompt
1020	discovery	T1007	System Service Discovery	2	System Service Discovery - net.exe	5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3	command_prompt
1021	discovery	T1007	System Service Discovery	3	System Service Discovery - systemctl	f4b26bce-4c2c-46c0-bcc5-fce062d38bef	bash
1022	discovery	T1124	System Time Discovery	1	System Time Discovery	20aba24b-e61f-4b26-b4ce-4784f763ca20	command_prompt
1023	discovery	T1124	System Time Discovery	2	System Time Discovery - PowerShell	1d5711d6-655c-4a47-ae9c-6503c74fa877	powershell
1024	discovery	T1124	System Time Discovery	3	System Time Discovery in macOS	f449c933-0891-407f-821e-7916a21a1a6f	sh
1025	execution	T1059.002	AppleScript	1	AppleScript	3600d97d-81b9-4171-ab96-e4386506e2c2	sh
1026	execution	T1053.001	At (Linux)	1	At - Schedule a job	7266d898-ac82-4ec0-97c7-436075d0d08e	sh
1027	execution	T1053.002	At (Windows)	1	At.exe Scheduled task	4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8	command_prompt
1028	execution	T1609	Container Administration Command	1	ExecIntoContainer	d03bfcd3-ed87-49c8-8880-44bb772dea4b	bash
1029	execution	T1053.007	Container Orchestration Job	1	ListCronjobs	ddfb0bc1-3c3f-47e9-a298-550ecfefacbd	bash
1030	execution	T1053.007	Container Orchestration Job	2	CreateCronjob	f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3	bash
1031	execution	T1053.003	Cron	1	Cron - Replace crontab with referenced file	435057fb-74b1-410e-9403-d81baf194f75	bash
1032	execution	T1053.003	Cron	2	Cron - Add script to all cron subfolders	b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0	bash
1033	execution	T1053.003	Cron	3	Cron - Add script to /var/spool/cron/crontabs/ folder	2d943c18-e74a-44bf-936f-25ade6cccab4	bash
1034	execution	T1559.002	Dynamic Data Exchange	1	Execute Commands	f592ba2a-e9e8-4d62-a459-ef63abd819fd	manual
1035	execution	T1559.002	Dynamic Data Exchange	2	Execute PowerShell script via Word DDE	47c21fb6-085e-4b0d-b4d2-26d72c3830b3	command_prompt
1036	execution	T1559.002	Dynamic Data Exchange	3	DDEAUTO	cf91174c-4e74-414e-bec0-8d60a104d181	manual
1037	execution	T1569.001	Launchctl	1	Launchctl	6fb61988-724e-4755-a595-07743749d4e2	bash
1038	execution	T1053.004	Launchd	1	Event Monitor Daemon Persistence	11979f23-9b9d-482a-9935-6fc9cd022c3e	bash
1039	execution	T1204.002	Malicious File	1	OSTap Style Macro Execution	8bebc690-18c7-4549-bc98-210f7019efff	powershell
1040	execution	T1204.002	Malicious File	2	OSTap Payload Download	3f3af983-118a-4fa1-85d3-ba4daa739d80	command_prompt
1041	execution	T1204.002	Malicious File	3	Maldoc choice flags command execution	0330a5d2-a45a-4272-a9ee-e364411c4b18	powershell
1042	execution	T1204.002	Malicious File	4	OSTAP JS version	add560ef-20d6-4011-a937-2c340f930911	powershell
1043	execution	T1204.002	Malicious File	5	Office launching .bat file from AppData	9215ea92-1ded-41b7-9cd6-79f9a78397aa	powershell
1044	execution	T1204.002	Malicious File	6	Excel 4 Macro	4ea1fc97-8a46-4b4e-ba48-af43d2a98052	powershell
1045	execution	T1204.002	Malicious File	7	Headless Chrome code execution via VBA	a19ee671-ed98-4e9d-b19c-d1954a51585a	powershell
1046	execution	T1204.002	Malicious File	8	Potentially Unwanted Applications (PUA)	02f35d62-9fdc-4a97-b899-a5d9a876d295	powershell
1047	execution	T1204.002	Malicious File	9	Office Generic Payload Download	5202ee05-c420-4148-bf5e-fd7f7d24850c	powershell
1048	execution	T1204.002	Malicious File	10	LNK Payload Download	581d7521-9c4b-420e-9695-2aec5241167f	powershell
1049	execution	T1106	Native API	1	Execution through API - CreateProcess	99be2089-c52d-4a4a-b5c3-261ee42c8b62	command_prompt
1050	execution	T1059.001	PowerShell	1	Mimikatz	f3132740-55bc-48c4-bcc0-758a459cd027	command_prompt
1051	execution	T1059.001	PowerShell	2	Run BloodHound from local disk	a21bb23e-e677-4ee7-af90-6931b57b6350	powershell
1052	execution	T1059.001	PowerShell	3	Run Bloodhound from Memory using Download Cradle	bf8c1441-4674-4dab-8e4e-39d93d08f9b7	powershell
1053	execution	T1059.001	PowerShell	4	Obfuscation Tests	4297c41a-8168-4138-972d-01f3ee92c804	powershell
1054	execution	T1059.001	PowerShell	5	Mimikatz - Cradlecraft PsSendKeys	af1800cf-9f9d-4fd1-a709-14b1e6de020d	powershell
1055	execution	T1059.001	PowerShell	6	Invoke-AppPathBypass	06a220b6-7e29-4bd8-9d07-5b4d86742372	command_prompt
1056	execution	T1059.001	PowerShell	7	Powershell MsXml COM object - with prompt	388a7340-dbc1-4c9d-8e59-b75ad8c6d5da	command_prompt
1057	execution	T1059.001	PowerShell	8	Powershell XML requests	4396927f-e503-427b-b023-31049b9b09a6	command_prompt
1058	execution	T1059.001	PowerShell	9	Powershell invoke mshta.exe download	8a2ad40b-12c7-4b25-8521-2737b0a415af	command_prompt
1059	execution	T1059.001	PowerShell	10	Powershell Invoke-DownloadCradle	cc50fa2a-a4be-42af-a88f-e347ba0bf4d7	manual
1060	execution	T1059.001	PowerShell	11	PowerShell Fileless Script Execution	fa050f5e-bc75-4230-af73-b6fd7852cd73	powershell
1061	execution	T1059.001	PowerShell	12	PowerShell Downgrade Attack	9148e7c4-9356-420e-a416-e896e9c0f73e	powershell
1062	execution	T1059.001	PowerShell	13	NTFS Alternate Data Stream Access	8e5c5532-1181-4c1d-bb79-b3a9f5dbd680	powershell
1063	execution	T1059.001	PowerShell	14	PowerShell Session Creation and Use	7c1acec2-78fa-4305-a3e0-db2a54cddecd	powershell
1064	execution	T1059.001	PowerShell	15	ATHPowerShellCommandLineParameter -Command parameter variations	686a9785-f99b-41d4-90df-66ed515f81d7	powershell
1065	execution	T1059.001	PowerShell	16	ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments	1c0a870f-dc74-49cf-9afc-eccc45e58790	powershell
1066	execution	T1059.001	PowerShell	17	ATHPowerShellCommandLineParameter -EncodedCommand parameter variations	86a43bad-12e3-4e85-b97c-4d5cf25b95c3	powershell
1067	execution	T1059.001	PowerShell	18	ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments	0d181431-ddf3-4826-8055-2dbf63ae848b	powershell
1068	execution	T1059.001	PowerShell	19	PowerShell Command Execution	a538de64-1c74-46ed-aa60-b995ed302598	command_prompt
1069	execution	T1059.001	PowerShell	20	PowerShell Invoke Known Malicious Cmdlets	49eb9404-5e0f-4031-a179-b40f7be385e3	powershell
1070	execution	T1059.001	PowerShell	21	PowerUp Invoke-AllChecks	1289f78d-22d2-4590-ac76-166737e1811b	powershell
1071	execution	T1059.006	Python	1	Execute shell script via python's command mode arguement	3a95cdb2-c6ea-4761-b24e-02b71889b8bb	sh
1072	execution	T1059.006	Python	2	Execute Python via scripts (Linux)	6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8	sh
1073	execution	T1059.006	Python	3	Execute Python via Python executables (Linux)	0b44d79b-570a-4b27-a31f-3bf2156e5eaa	sh
1074	execution	T1053.005	Scheduled Task	1	Scheduled Task Startup Script	fec27f65-db86-4c2d-b66c-61945aee87c2	command_prompt
1075	execution	T1053.005	Scheduled Task	2	Scheduled task Local	42f53695-ad4a-4546-abb6-7d837f644a71	command_prompt
1076	execution	T1053.005	Scheduled Task	3	Scheduled task Remote	2e5eac3e-327b-4a88-a0c0-c4057039a8dd	command_prompt
1077	execution	T1053.005	Scheduled Task	4	Powershell Cmdlet Scheduled Task	af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd	powershell
1078	execution	T1053.005	Scheduled Task	5	Task Scheduler via VBA	ecd3fa21-7792-41a2-8726-2c5c673414d3	powershell
1079	execution	T1053.005	Scheduled Task	6	WMI Invoke-CimMethod Scheduled Task	e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b	powershell
1080	execution	T1053.005	Scheduled Task	7	Scheduled Task Executing Base64 Encoded Commands From Registry	e895677d-4f06-49ab-91b6-ae3742d0a2ba	command_prompt
1081	execution	T1569.002	Service Execution	1	Execute a Command as a Service	2382dee2-a75f-49aa-9378-f52df6ed3fb1	command_prompt
1082	execution	T1569.002	Service Execution	2	Use PsExec to execute a command on a remote host	873106b7-cfed-454b-8680-fa9f6400431c	command_prompt
1083	execution	T1569.002	Service Execution	3	psexec.py (Impacket)	edbcd8c9-3639-4844-afad-455c91e95a35	bash
1084	execution	T1072	Software Deployment Tools	1	Radmin Viewer Utility	b4988cad-6ed2-434d-ace5-ea2670782129	command_prompt
1085	execution	T1053.006	Systemd Timers	1	Create Systemd Service and Timer	f4983098-bb13-44fb-9b2c-46149961807b	bash
1086	execution	T1053.006	Systemd Timers	2	Create a user level transient systemd service and timer	3de33f5b-62e5-4e63-a2a0-6fd8808c80ec	sh
1087	execution	T1053.006	Systemd Timers	3	Create a system level transient systemd service and timer	d3eda496-1fc0-49e9-aff5-3bec5da9fa22	sh
1088	execution	T1059.004	Unix Shell	1	Create and Execute Bash Shell Script	7e7ac3ed-f795-4fa5-b711-09d6fbe9b873	sh
1089	execution	T1059.004	Unix Shell	2	Command-Line Interface	d0c88567-803d-4dca-99b4-7ce65e7b257c	sh
1090	execution	T1059.004	Unix Shell	3	Harvest SUID executable files	46274fc6-08a7-4956-861b-24cbbaa0503c	sh
1091	execution	T1059.004	Unix Shell	4	LinEnum tool execution	a2b35a63-9df1-4806-9a4d-5fe0500845f2	sh
1092	execution	T1059.005	Visual Basic	1	Visual Basic script execution to gather local computer information	1620de42-160a-4fe5-bbaf-d3fef0181ce9	powershell
1093	execution	T1059.005	Visual Basic	2	Encoded VBS code execution	e8209d5f-e42d-45e6-9c2f-633ac4f1eefa	powershell
1094	execution	T1059.005	Visual Basic	3	Extract Memory via VBA	8faff437-a114-4547-9a60-749652a03df6	powershell
1095	execution	T1059.003	Windows Command Shell	1	Create and Execute Batch Script	9e8894c0-50bd-4525-a96c-d4ac78ece388	powershell
1096	execution	T1059.003	Windows Command Shell	2	Writes text to a file and displays it.	127b4afe-2346-4192-815c-69042bec570e	command_prompt
1097	execution	T1059.003	Windows Command Shell	3	Suspicious Execution via Windows Command Shell	d0eb3597-a1b3-4d65-b33b-2cda8d397f20	command_prompt
1098	execution	T1059.003	Windows Command Shell	4	Simulate BlackByte Ransomware Print Bombing	6b2903ac-8f36-450d-9ad5-b220e8a2dcb9	powershell
1099	execution	T1047	Windows Management Instrumentation	1	WMI Reconnaissance Users	c107778c-dcf5-47c5-af2e-1d058a3df3ea	command_prompt
1100	execution	T1047	Windows Management Instrumentation	2	WMI Reconnaissance Processes	5750aa16-0e59-4410-8b9a-8a47ca2788e2	command_prompt
1101	execution	T1047	Windows Management Instrumentation	3	WMI Reconnaissance Software	718aebaa-d0e0-471a-8241-c5afa69c7414	command_prompt
1102	execution	T1047	Windows Management Instrumentation	4	WMI Reconnaissance List Remote Services	0fd48ef7-d890-4e93-a533-f7dedd5191d3	command_prompt
1103	execution	T1047	Windows Management Instrumentation	5	WMI Execute Local Process	b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3	command_prompt
1104	execution	T1047	Windows Management Instrumentation	6	WMI Execute Remote Process	9c8ef159-c666-472f-9874-90c8d60d136b	command_prompt
1105	execution	T1047	Windows Management Instrumentation	7	Create a Process using WMI Query and an Encoded Command	7db7a7f9-9531-4840-9b30-46220135441c	command_prompt
1106	execution	T1047	Windows Management Instrumentation	8	Create a Process using obfuscated Win32_Process	10447c83-fc38-462a-a936-5102363b1c43	powershell
1107	execution	T1047	Windows Management Instrumentation	9	WMI Execute rundll32	00738d2a-4651-4d76-adf2-c43a41dfb243	powershell
1108	execution	T1047	Windows Management Instrumentation	10	Application uninstall using WMIC	c510d25b-1667-467d-8331-a56d3e9bc4ff	command_prompt
1109	lateral-movement	T1021.003	Distributed Component Object Model	1	PowerShell Lateral Movement using MMC20	6dc74eb1-c9d6-4c53-b3b5-6f50ae339673	powershell
1110	lateral-movement	T1550.002	Pass the Hash	1	Mimikatz Pass the Hash	ec23cef9-27d9-46e4-a68d-6f75f7b86908	command_prompt
1111	lateral-movement	T1550.002	Pass the Hash	2	crackmapexec Pass the Hash	eb05b028-16c8-4ad8-adea-6f5b219da9a9	command_prompt
1112	lateral-movement	T1550.002	Pass the Hash	3	Invoke-WMIExec Pass the Hash	f8757545-b00a-4e4e-8cfb-8cfb961ee713	powershell
1113	lateral-movement	T1550.003	Pass the Ticket	1	Mimikatz Kerberos Ticket Attack	dbf38128-7ba7-4776-bedf-cc2eed432098	command_prompt
1114	lateral-movement	T1550.003	Pass the Ticket	2	Rubeus Kerberos Pass The Ticket	a2fc4ec5-12c6-4fb4-b661-961f23f359cb	powershell
1115	lateral-movement	T1563.002	RDP Hijacking	1	RDP hijacking	a37ac520-b911-458e-8aed-c5f1576d9f46	command_prompt
1116	lateral-movement	T1021.001	Remote Desktop Protocol	1	RDP to DomainController	355d4632-8cb9-449d-91ce-b566d0253d3e	powershell
1117	lateral-movement	T1021.001	Remote Desktop Protocol	2	RDP to Server	7382a43e-f19c-46be-8f09-5c63af7d3e2b	powershell
1118	lateral-movement	T1021.001	Remote Desktop Protocol	3	Changing RDP Port to Non Standard Port via Powershell	2f840dd4-8a2e-4f44-beb3-6b2399ea3771	powershell
1119	lateral-movement	T1021.001	Remote Desktop Protocol	4	Changing RDP Port to Non Standard Port via Command_Prompt	74ace21e-a31c-4f7d-b540-53e4eb6d1f73	command_prompt
1120	lateral-movement	T1091	Replication Through Removable Media	1	USB Malware Spread Simulation	d44b7297-622c-4be8-ad88-ec40d7563c75	powershell
1121	lateral-movement	T1021.002	SMB/Windows Admin Shares	1	Map admin share	3386975b-367a-4fbb-9d77-4dcf3639ffd3	command_prompt
1122	lateral-movement	T1021.002	SMB/Windows Admin Shares	2	Map Admin Share PowerShell	514e9cd7-9207-4882-98b1-c8f791bae3c5	powershell
1123	lateral-movement	T1021.002	SMB/Windows Admin Shares	3	Copy and Execute File with PsExec	0eb03d41-79e4-4393-8e57-6344856be1cf	command_prompt
1124	lateral-movement	T1021.002	SMB/Windows Admin Shares	4	Execute command writing output to local Admin Share	d41aaab5-bdfe-431d-a3d5-c29e9136ff46	command_prompt
1125	lateral-movement	T1072	Software Deployment Tools	1	Radmin Viewer Utility	b4988cad-6ed2-434d-ace5-ea2670782129	command_prompt
1126	lateral-movement	T1021.006	Windows Remote Management	1	Enable Windows Remote Management	9059e8de-3d7d-4954-a322-46161880b9cf	powershell
1127	lateral-movement	T1021.006	Windows Remote Management	2	Invoke-Command	5295bd61-bd7e-4744-9d52-85962a4cf2d6	powershell
1128	lateral-movement	T1021.006	Windows Remote Management	3	WinRM Access with Evil-WinRM	efe86d95-44c4-4509-ae42-7bfd9d1f5b3d	powershell
1129	command-and-control	T1071.004	DNS	1	DNS Large Query Volume	1700f5d6-5a44-487b-84de-bc66f507b0a6	powershell
1130	command-and-control	T1071.004	DNS	2	DNS Regular Beaconing	3efc144e-1af8-46bb-8ca2-1376bb6db8b6	powershell
1131	command-and-control	T1071.004	DNS	3	DNS Long Domain Query	fef31710-223a-40ee-8462-a396d6b66978	powershell
1132	command-and-control	T1071.004	DNS	4	DNS C2	e7bf9802-2e78-4db9-93b5-181b7bcd37d7	powershell
1133	command-and-control	T1573	Encrypted Channel	1	OpenSSL C2	21caf58e-87ad-440c-a6b8-3ac259964003	powershell
1134	command-and-control	T1105	Ingress Tool Transfer	1	rsync remote file copy (push)	0fc6e977-cb12-44f6-b263-2824ba917409	bash
1135	command-and-control	T1105	Ingress Tool Transfer	2	rsync remote file copy (pull)	3180f7d5-52c0-4493-9ea0-e3431a84773f	bash
1136	command-and-control	T1105	Ingress Tool Transfer	3	scp remote file copy (push)	83a49600-222b-4866-80a0-37736ad29344	bash
1137	command-and-control	T1105	Ingress Tool Transfer	4	scp remote file copy (pull)	b9d22b9a-9778-4426-abf0-568ea64e9c33	bash
1138	command-and-control	T1105	Ingress Tool Transfer	5	sftp remote file copy (push)	f564c297-7978-4aa9-b37a-d90477feea4e	bash
1139	command-and-control	T1105	Ingress Tool Transfer	6	sftp remote file copy (pull)	0139dba1-f391-405e-a4f5-f3989f2c88ef	bash
1140	command-and-control	T1105	Ingress Tool Transfer	7	certutil download (urlcache)	dd3b61dd-7bbc-48cd-ab51-49ad1a776df0	command_prompt
1141	command-and-control	T1105	Ingress Tool Transfer	8	certutil download (verifyctl)	ffd492e3-0455-4518-9fb1-46527c9f241b	powershell
1142	command-and-control	T1105	Ingress Tool Transfer	9	Windows - BITSAdmin BITS Download	a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b	command_prompt
1143	command-and-control	T1105	Ingress Tool Transfer	10	Windows - PowerShell Download	42dc4460-9aa6-45d3-b1a6-3955d34e1fe8	powershell
1144	command-and-control	T1105	Ingress Tool Transfer	11	OSTAP Worming Activity	2ca61766-b456-4fcf-a35a-1233685e1cad	command_prompt
1145	command-and-control	T1105	Ingress Tool Transfer	12	svchost writing a file to a UNC path	fa5a2759-41d7-4e13-a19c-e8f28a53566f	command_prompt
1146	command-and-control	T1105	Ingress Tool Transfer	13	Download a File with Windows Defender MpCmdRun.exe	815bef8b-bf91-4b67-be4c-abe4c2a94ccc	command_prompt
1147	command-and-control	T1105	Ingress Tool Transfer	14	whois file download	c99a829f-0bb8-4187-b2c6-d47d1df74cab	sh
1148	command-and-control	T1105	Ingress Tool Transfer	15	File Download via PowerShell	54a4daf1-71df-4383-9ba7-f1a295d8b6d2	powershell
1149	command-and-control	T1105	Ingress Tool Transfer	16	File download with finger.exe on Windows	5f507e45-8411-4f99-84e7-e38530c45d01	command_prompt
1150	command-and-control	T1105	Ingress Tool Transfer	17	Download a file with IMEWDBLD.exe	1a02df58-09af-4064-a765-0babe1a0d1e2	powershell
1151	command-and-control	T1105	Ingress Tool Transfer	18	Curl Download File	2b080b99-0deb-4d51-af0f-833d37c4ca6a	command_prompt
1152	command-and-control	T1105	Ingress Tool Transfer	19	Curl Upload File	635c9a38-6cbf-47dc-8615-3810bc1167cf	command_prompt
1153	command-and-control	T1105	Ingress Tool Transfer	20	Download a file with Microsoft Connection Manager Auto-Download	d239772b-88e2-4a2e-8473-897503401bcc	command_prompt
1154	command-and-control	T1105	Ingress Tool Transfer	21	MAZE Propagation Script	70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf	powershell
1155	command-and-control	T1090.001	Internal Proxy	1	Connection Proxy	0ac21132-4485-4212-a681-349e8a6637cd	sh
1156	command-and-control	T1090.001	Internal Proxy	2	Connection Proxy for macOS UI	648d68c1-8bcd-4486-9abe-71c6655b6a2c	sh
1157	command-and-control	T1090.001	Internal Proxy	3	portproxy reg key	b8223ea9-4be2-44a6-b50a-9657a3d4e72a	powershell
1158	command-and-control	T1090.003	Multi-hop Proxy	1	Psiphon	14d55ca0-920e-4b44-8425-37eedd72b173	powershell
1159	command-and-control	T1090.003	Multi-hop Proxy	2	Tor Proxy Usage - Windows	7b9d85e5-c4ce-4434-8060-d3de83595e69	powershell
1160	command-and-control	T1090.003	Multi-hop Proxy	3	Tor Proxy Usage - Debian/Ubuntu	5ff9d047-6e9c-4357-b39b-5cf89d9b59c7	sh
1161	command-and-control	T1090.003	Multi-hop Proxy	4	Tor Proxy Usage - MacOS	12631354-fdbc-4164-92be-402527e748da	sh
1162	command-and-control	T1095	Non-Application Layer Protocol	1	ICMP C2	0268e63c-e244-42db-bef7-72a9e59fc1fc	powershell
1163	command-and-control	T1095	Non-Application Layer Protocol	2	Netcat C2	bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37	powershell
1164	command-and-control	T1095	Non-Application Layer Protocol	3	Powercat C2	3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e	powershell
1165	command-and-control	T1571	Non-Standard Port	1	Testing usage of uncommonly used port with PowerShell	21fe622f-8e53-4b31-ba83-6d333c2583f4	powershell
1166	command-and-control	T1571	Non-Standard Port	2	Testing usage of uncommonly used port	5db21e1d-dd9c-4a50-b885-b1e748912767	sh
1167	command-and-control	T1572	Protocol Tunneling	1	DNS over HTTPS Large Query Volume	ae9ef4b0-d8c1-49d4-8758-06206f19af0a	powershell
1168	command-and-control	T1572	Protocol Tunneling	2	DNS over HTTPS Regular Beaconing	0c5f9705-c575-42a6-9609-cbbff4b2fc9b	powershell
1169	command-and-control	T1572	Protocol Tunneling	3	DNS over HTTPS Long Domain Query	748a73d5-cea4-4f34-84d8-839da5baa99c	powershell
1170	command-and-control	T1219	Remote Access Software	1	TeamViewer Files Detected Test on Windows	8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0	powershell
1171	command-and-control	T1219	Remote Access Software	2	AnyDesk Files Detected Test on Windows	6b8b7391-5c0a-4f8c-baee-78d8ce0ce330	powershell
1172	command-and-control	T1219	Remote Access Software	3	LogMeIn Files Detected Test on Windows	d03683ec-aae0-42f9-9b4c-534780e0f8e1	powershell
1173	command-and-control	T1219	Remote Access Software	4	GoToAssist Files Detected Test on Windows	1b72b3bd-72f8-4b63-a30b-84e91b9c3578	powershell
1174	command-and-control	T1219	Remote Access Software	5	ScreenConnect Application Download and Install on Windows	4a18cc4e-416f-4966-9a9d-75731c4684c0	powershell
1175	command-and-control	T1219	Remote Access Software	6	Ammyy Admin Software Execution	0ae9e327-3251-465a-a53b-485d4e3f58fa	powershell
1176	command-and-control	T1219	Remote Access Software	7	RemotePC Software Execution	fbff3f1f-b0bf-448e-840f-7e1687affdce	powershell
1177	command-and-control	T1132.001	Standard Encoding	1	Base64 Encoded data.	1164f70f-9a88-4dff-b9ff-dc70e7bf0c25	sh
1178	command-and-control	T1132.001	Standard Encoding	2	XOR Encoded data.	c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08	powershell
1179	command-and-control	T1071.001	Web Protocols	1	Malicious User Agents - Powershell	81c13829-f6c9-45b8-85a6-053366d55297	powershell
1180	command-and-control	T1071.001	Web Protocols	2	Malicious User Agents - CMD	dc3488b0-08c7-4fea-b585-905c83b48180	command_prompt
1181	command-and-control	T1071.001	Web Protocols	3	Malicious User Agents - Nix	2d7c471a-e887-4b78-b0dc-b0df1f2e0658	sh
1182	exfiltration	T1020	Automated Exfiltration	1	IcedID Botnet HTTP PUT	9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0	powershell
1183	exfiltration	T1030	Data Transfer Size Limits	1	Data Transfer Size Limits	ab936c51-10f4-46ce-9144-e02137b2016a	sh
1184	exfiltration	T1048	Exfiltration Over Alternative Protocol	1	Exfiltration Over Alternative Protocol - SSH	f6786cc8-beda-4915-a4d6-ac2f193bb988	sh
1185	exfiltration	T1048	Exfiltration Over Alternative Protocol	2	Exfiltration Over Alternative Protocol - SSH	7c3cb337-35ae-4d06-bf03-3032ed2ec268	sh
1186	exfiltration	T1048	Exfiltration Over Alternative Protocol	3	DNSExfiltration (doh)	c943d285-ada3-45ca-b3aa-7cd6500c6a48	powershell
1187	exfiltration	T1048.002	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	1	Exfiltrate data HTTPS using curl windows	1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0	command_prompt
1188	exfiltration	T1048.002	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	2	Exfiltrate data HTTPS using curl linux	4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01	bash
1189	exfiltration	T1041	Exfiltration Over C2 Channel	1	C2 Data Exfiltration	d1253f6e-c29b-49dc-b466-2147a6191932	powershell
1190	exfiltration	T1048.003	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	1	Exfiltration Over Alternative Protocol - HTTP	1d1abbd6-a3d3-4b2e-bef5-c59293f46eff	manual
1191	exfiltration	T1048.003	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	2	Exfiltration Over Alternative Protocol - ICMP	dd4b4421-2e25-4593-90ae-7021947ad12e	powershell
1192	exfiltration	T1048.003	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	3	Exfiltration Over Alternative Protocol - DNS	c403b5a4-b5fc-49f2-b181-d1c80d27db45	manual
1193	exfiltration	T1048.003	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4	Exfiltration Over Alternative Protocol - HTTP	6aa58451-1121-4490-a8e9-1dada3f1c68c	powershell
1194	exfiltration	T1048.003	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	5	Exfiltration Over Alternative Protocol - SMTP	ec3a835e-adca-4c7c-88d2-853b69c11bb9	powershell
1195	exfiltration	T1567	Exfiltration Over Web Service	1	Data Exfiltration with ConfigSecurityPolicy	5568a8f4-a8b1-4c40-9399-4969b642f122	powershell
1196	initial-access	T1078.004	Cloud Accounts	1	Creating GCP Service Account and Service Account Key	9fdd83fd-bd53-46e5-a716-9dec89c8ae8e	gcloud
1197	initial-access	T1078.001	Default Accounts	1	Enable Guest account with RDP capability and admin privileges	99747561-ed8d-47f2-9c91-1e5fde1ed6e0	command_prompt
1198	initial-access	T1078.001	Default Accounts	2	Activate Guest Account	aa6cb8c4-b582-4f8e-b677-37733914abda	command_prompt
1199	initial-access	T1133	External Remote Services	1	Running Chrome VPN Extensions via the Registry 2 vpn extension	4c8db261-a58b-42a6-a866-0a294deedde4	powershell
1200	initial-access	T1078.003	Local Accounts	1	Create local account with admin privileges	a524ce99-86de-4db6-b4f9-e08f35a47a15	command_prompt
1201	initial-access	T1078.003	Local Accounts	2	Create local account with admin privileges - MacOS	f1275566-1c26-4b66-83e3-7f9f7f964daa	bash
1202	initial-access	T1091	Replication Through Removable Media	1	USB Malware Spread Simulation	d44b7297-622c-4be8-ad88-ec40d7563c75	powershell
1203	initial-access	T1566.001	Spearphishing Attachment	1	Download Macro-Enabled Phishing Attachment	114ccff9-ae6d-4547-9ead-4cd69f687306	powershell
1204	initial-access	T1566.001	Spearphishing Attachment	2	Word spawned a command shell and used an IP address in the command line	cbb6799a-425c-4f83-9194-5447a909d67f	powershell

154 KiB Raw Blame History

154 KiB

Raw Blame History