atomic-red-team/atomics/Indexes/Indexes-CSV/index.csv at e136a49db2497ffdf91fa0d32826dc1816637554

Files

T

CircleCI Atomic Red Team doc generator e136a49db2 Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2021-02-11 14:06:01 +00:00

102 KiB

Raw Blame History

1	Tactic	Technique #	Technique Name	Test #	Test Name	Test GUID	Executor Name
2	privilege-escalation	T1546.004	.bash_profile and .bashrc	1	Add command to .bash_profile	94500ae1-7e31-47e3-886b-c328da46872f	sh
3	privilege-escalation	T1546.004	.bash_profile and .bashrc	2	Add command to .bashrc	0a898315-4cfa-4007-bafe-33a4646d115f	sh
4	privilege-escalation	T1546.008	Accessibility Features	1	Attaches Command Prompt as a Debugger to a List of Target Processes	3309f53e-b22b-4eb6-8fd2-a6cf58b355a9	powershell
5	privilege-escalation	T1546.008	Accessibility Features	2	Replace binary of sticky keys	934e90cf-29ca-48b3-863c-411737ad44e3	command_prompt
6	privilege-escalation	T1546.010	AppInit DLLs	1	Install AppInit Shim	a58d9386-3080-4242-ab5f-454c16503d18	command_prompt
7	privilege-escalation	T1546.011	Application Shimming	1	Application Shim Installation	9ab27e22-ee62-4211-962b-d36d9a0e6a18	command_prompt
8	privilege-escalation	T1546.011	Application Shimming	2	New shim database files created in the default shim database directory	aefd6866-d753-431f-a7a4-215ca7e3f13d	powershell
9	privilege-escalation	T1546.011	Application Shimming	3	Registry key creation and/or modification events for SDB	9b6a06f9-ab5e-4e8d-8289-1df4289db02f	powershell
10	privilege-escalation	T1055.004	Asynchronous Procedure Call	1	Process Injection via C#	611b39b7-e243-4c81-87a4-7145a90358b1	command_prompt
11	privilege-escalation	T1053.001	At (Linux)	1	At - Schedule a job	7266d898-ac82-4ec0-97c7-436075d0d08e	sh
12	privilege-escalation	T1053.002	At (Windows)	1	At.exe Scheduled task	4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8	command_prompt
13	privilege-escalation	T1548.002	Bypass User Account Control	1	Bypass UAC using Event Viewer (cmd)	5073adf8-9a50-4bd9-b298-a9bd2ead8af9	command_prompt
14	privilege-escalation	T1548.002	Bypass User Account Control	2	Bypass UAC using Event Viewer (PowerShell)	a6ce9acf-842a-4af6-8f79-539be7608e2b	powershell
15	privilege-escalation	T1548.002	Bypass User Account Control	3	Bypass UAC using Fodhelper	58f641ea-12e3-499a-b684-44dee46bd182	command_prompt
16	privilege-escalation	T1548.002	Bypass User Account Control	4	Bypass UAC using Fodhelper - PowerShell	3f627297-6c38-4e7d-a278-fc2563eaaeaa	powershell
17	privilege-escalation	T1548.002	Bypass User Account Control	5	Bypass UAC using ComputerDefaults (PowerShell)	3c51abf2-44bf-42d8-9111-dc96ff66750f	powershell
18	privilege-escalation	T1548.002	Bypass User Account Control	6	Bypass UAC by Mocking Trusted Directories	f7a35090-6f7f-4f64-bb47-d657bf5b10c1	command_prompt
19	privilege-escalation	T1548.002	Bypass User Account Control	7	Bypass UAC using sdclt DelegateExecute	3be891eb-4608-4173-87e8-78b494c029b7	powershell
20	privilege-escalation	T1548.002	Bypass User Account Control	8	Disable UAC using reg.exe	9e8af564-53ec-407e-aaa8-3cb20c3af7f9	command_prompt
21	privilege-escalation	T1574.012	COR_PROFILER	1	User scope COR_PROFILER	9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a	powershell
22	privilege-escalation	T1574.012	COR_PROFILER	2	System Scope COR_PROFILER	f373b482-48c8-4ce4-85ed-d40c8b3f7310	powershell
23	privilege-escalation	T1574.012	COR_PROFILER	3	Registry-free process scope COR_PROFILER	79d57242-bbef-41db-b301-9d01d9f6e817	powershell
24	privilege-escalation	T1546.001	Change Default File Association	1	Change Default File Association	10a08978-2045-4d62-8c42-1957bbbea102	command_prompt
25	privilege-escalation	T1053.003	Cron	1	Cron - Replace crontab with referenced file	435057fb-74b1-410e-9403-d81baf194f75	bash
26	privilege-escalation	T1053.003	Cron	2	Cron - Add script to all cron subfolders	b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0	bash
27	privilege-escalation	T1053.003	Cron	3	Cron - Add script to /var/spool/cron/crontabs/ folder	2d943c18-e74a-44bf-936f-25ade6cccab4	bash
28	privilege-escalation	T1574.001	DLL Search Order Hijacking	1	DLL Search Order Hijacking - amsi.dll	8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3	command_prompt
29	privilege-escalation	T1574.002	DLL Side-Loading	1	DLL Side-Loading using the Notepad++ GUP.exe binary	65526037-7079-44a9-bda1-2cb624838040	command_prompt
30	privilege-escalation	T1078.001	Default Accounts	1	Enable Guest account with RDP capability and admin priviliges	99747561-ed8d-47f2-9c91-1e5fde1ed6e0	command_prompt
31	privilege-escalation	T1546.014	Emond	1	Persistance with Event Monitor - emond	23c9c127-322b-4c75-95ca-eff464906114	sh
32	privilege-escalation	T1546.012	Image File Execution Options Injection	1	IFEO Add Debugger	fdda2626-5234-4c90-b163-60849a24c0b8	command_prompt
33	privilege-escalation	T1546.012	Image File Execution Options Injection	2	IFEO Global Flags	46b1f278-c8ee-4aa5-acce-65e77b11f3c1	command_prompt
34	privilege-escalation	T1547.006	Kernel Modules and Extensions	1	Linux - Load Kernel Module via insmod	687dcb93-9656-4853-9c36-9977315e9d23	bash
35	privilege-escalation	T1574.006	LD_PRELOAD	1	Shared Library Injection via /etc/ld.so.preload	39cb0e67-dd0d-4b74-a74b-c072db7ae991	bash
36	privilege-escalation	T1574.006	LD_PRELOAD	2	Shared Library Injection via LD_PRELOAD	bc219ff7-789f-4d51-9142-ecae3397deae	bash
37	privilege-escalation	T1543.001	Launch Agent	1	Launch Agent	a5983dee-bf6c-4eaf-951c-dbc1a7b90900	bash
38	privilege-escalation	T1543.004	Launch Daemon	1	Launch Daemon	03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf	bash
39	privilege-escalation	T1053.004	Launchd	1	Event Monitor Daemon Persistence	11979f23-9b9d-482a-9935-6fc9cd022c3e	bash
40	privilege-escalation	T1078.003	Local Accounts	1	Create local account with admin priviliges	a524ce99-86de-4db6-b4f9-e08f35a47a15	command_prompt
41	privilege-escalation	T1037.002	Logon Script (Mac)	1	Logon Scripts - Mac	f047c7de-a2d9-406e-a62b-12a09d9516f4	manual
42	privilege-escalation	T1037.001	Logon Script (Windows)	1	Logon Scripts	d6042746-07d4-4c92-9ad8-e644c114a231	command_prompt
43	privilege-escalation	T1546.007	Netsh Helper DLL	1	Netsh Helper DLL Registration	3244697d-5a3a-4dfc-941c-550f69f91a4d	command_prompt
44	privilege-escalation	T1134.004	Parent PID Spoofing	1	Parent PID Spoofing using PowerShell	069258f4-2162-46e9-9a25-c9c6c56150d2	powershell
45	privilege-escalation	T1134.004	Parent PID Spoofing	2	Parent PID Spoofing - Spawn from Current Process	14920ebd-1d61-491a-85e0-fe98efe37f25	powershell
46	privilege-escalation	T1134.004	Parent PID Spoofing	3	Parent PID Spoofing - Spawn from Specified Process	cbbff285-9051-444a-9d17-c07cd2d230eb	powershell
47	privilege-escalation	T1134.004	Parent PID Spoofing	4	Parent PID Spoofing - Spawn from svchost.exe	e9f2b777-3123-430b-805d-5cedc66ab591	powershell
48	privilege-escalation	T1134.004	Parent PID Spoofing	5	Parent PID Spoofing - Spawn from New Process	2988133e-561c-4e42-a15f-6281e6a9b2db	powershell
49	privilege-escalation	T1574.009	Path Interception by Unquoted Path	1	Execution of program.exe as service with unquoted service path	2770dea7-c50f-457b-84c4-c40a47460d9f	command_prompt
50	privilege-escalation	T1547.011	Plist Modification	1	Plist Modification	394a538e-09bb-4a4a-95d1-b93cf12682a8	manual
51	privilege-escalation	T1546.013	PowerShell Profile	1	Append malicious start-process cmdlet	090e5aa5-32b6-473b-a49b-21e843a56896	powershell
52	privilege-escalation	T1055.012	Process Hollowing	1	Process Hollowing using PowerShell	562427b4-39ef-4e8c-af88-463a78e70b9c	powershell
53	privilege-escalation	T1055.012	Process Hollowing	2	RunPE via VBA	3ad4a037-1598-4136-837c-4027e4fa319b	powershell
54	privilege-escalation	T1055	Process Injection	1	Process Injection via mavinject.exe	74496461-11a1-4982-b439-4d87a550d254	powershell
55	privilege-escalation	T1055	Process Injection	2	Shellcode execution via VBA	1c91e740-1729-4329-b779-feba6e71d048	powershell
56	privilege-escalation	T1055	Process Injection	3	Remote Process Injection in LSASS via mimikatz	3203ad24-168e-4bec-be36-f79b13ef8a83	command_prompt
57	privilege-escalation	T1037.004	Rc.common	1	rc.common	97a48daa-8bca-4bc0-b1a9-c1d163e762de	bash
58	privilege-escalation	T1547.007	Re-opened Applications	1	Re-Opened Applications	5fefd767-ef54-4ac6-84d3-751ab85e8aba	manual
59	privilege-escalation	T1547.007	Re-opened Applications	2	Re-Opened Applications	5f5b71da-e03f-42e7-ac98-d63f9e0465cb	sh
60	privilege-escalation	T1547.001	Registry Run Keys / Startup Folder	1	Reg Key Run	e55be3fd-3521-4610-9d1a-e210e42dcf05	command_prompt
61	privilege-escalation	T1547.001	Registry Run Keys / Startup Folder	2	Reg Key RunOnce	554cbd88-cde1-4b56-8168-0be552eed9eb	command_prompt
62	privilege-escalation	T1547.001	Registry Run Keys / Startup Folder	3	PowerShell Registry RunOnce	eb44f842-0457-4ddc-9b92-c4caa144ac42	powershell
63	privilege-escalation	T1547.001	Registry Run Keys / Startup Folder	4	Suspicious vbs file run from startup Folder	2cb98256-625e-4da9-9d44-f2e5f90b8bd5	powershell
64	privilege-escalation	T1547.001	Registry Run Keys / Startup Folder	5	Suspicious jse file run from startup Folder	dade9447-791e-4c8f-b04b-3a35855dfa06	powershell
65	privilege-escalation	T1547.001	Registry Run Keys / Startup Folder	6	Suspicious bat file run from startup Folder	5b6768e4-44d2-44f0-89da-a01d1430fd5e	powershell
66	privilege-escalation	T1547.001	Registry Run Keys / Startup Folder	7	Add Executable Shortcut Link to User Startup Folder	24e55612-85f6-4bd6-ae74-a73d02e3441d	powershell
67	privilege-escalation	T1053.005	Scheduled Task	1	Scheduled Task Startup Script	fec27f65-db86-4c2d-b66c-61945aee87c2	command_prompt
68	privilege-escalation	T1053.005	Scheduled Task	2	Scheduled task Local	42f53695-ad4a-4546-abb6-7d837f644a71	command_prompt
69	privilege-escalation	T1053.005	Scheduled Task	3	Scheduled task Remote	2e5eac3e-327b-4a88-a0c0-c4057039a8dd	command_prompt
70	privilege-escalation	T1053.005	Scheduled Task	4	Powershell Cmdlet Scheduled Task	af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd	powershell
71	privilege-escalation	T1053.005	Scheduled Task	5	Task Scheduler via VBA	ecd3fa21-7792-41a2-8726-2c5c673414d3	powershell
72	privilege-escalation	T1546.002	Screensaver	1	Set Arbitrary Binary as Screensaver	281201e7-de41-4dc9-b73d-f288938cbb64	command_prompt
73	privilege-escalation	T1547.005	Security Support Provider	1	Modify SSP configuration in registry	afdfd7e3-8a0b-409f-85f7-886fdf249c9e	powershell
74	privilege-escalation	T1574.011	Services Registry Permissions Weakness	1	Service Registry Permissions Weakness	f7536d63-7fd4-466f-89da-7e48d550752a	powershell
75	privilege-escalation	T1574.011	Services Registry Permissions Weakness	2	Service ImagePath Change with reg.exe	f38e9eea-e1d7-4ba6-b716-584791963827	command_prompt
76	privilege-escalation	T1548.001	Setuid and Setgid	1	Make and modify binary from C source	896dfe97-ae43-4101-8e96-9a7996555d80	sh
77	privilege-escalation	T1548.001	Setuid and Setgid	2	Set a SetUID flag on file	759055b3-3885-4582-a8ec-c00c9d64dd79	sh
78	privilege-escalation	T1548.001	Setuid and Setgid	3	Set a SetGID flag on file	db55f666-7cba-46c6-9fe6-205a05c3242c	sh
79	privilege-escalation	T1547.009	Shortcut Modification	1	Shortcut Modification	ce4fc678-364f-4282-af16-2fb4c78005ce	command_prompt
80	privilege-escalation	T1547.009	Shortcut Modification	2	Create shortcut to cmd in startup folders	cfdc954d-4bb0-4027-875b-a1893ce406f2	powershell
81	privilege-escalation	T1037.005	Startup Items	1	Add file to Local Library StartupItems	134627c3-75db-410e-bff8-7a920075f198	sh
82	privilege-escalation	T1548.003	Sudo and Sudo Caching	1	Sudo usage	150c3a08-ee6e-48a6-aeaf-3659d24ceb4e	sh
83	privilege-escalation	T1548.003	Sudo and Sudo Caching	2	Unlimited sudo cache timeout	a7b17659-dd5e-46f7-b7d1-e6792c91d0bc	sh
84	privilege-escalation	T1548.003	Sudo and Sudo Caching	3	Disable tty_tickets for sudo caching	91a60b03-fb75-4d24-a42e-2eb8956e8de1	sh
85	privilege-escalation	T1543.002	Systemd Service	1	Create Systemd Service	d9e4f24f-aa67-4c6e-bcbf-85622b697a7c	bash
86	privilege-escalation	T1134.001	Token Impersonation/Theft	1	Named pipe client impersonation	90db9e27-8e7c-4c04-b602-a45927884966	powershell
87	privilege-escalation	T1134.001	Token Impersonation/Theft	2	`SeDebugPrivilege` token duplication	34f0a430-9d04-4d98-bcb5-1989f14719f0	powershell
88	privilege-escalation	T1546.005	Trap	1	Trap	a74b2e07-5952-4c03-8b56-56274b076b61	sh
89	privilege-escalation	T1546.003	Windows Management Instrumentation Event Subscription	1	Persistence via WMI Event Subscription	3c64f177-28e2-49eb-a799-d767b24dd1e0	powershell
90	privilege-escalation	T1543.003	Windows Service	1	Modify Fax service to run PowerShell	ed366cde-7d12-49df-a833-671904770b9f	command_prompt
91	privilege-escalation	T1543.003	Windows Service	2	Service Installation CMD	981e2942-e433-44e9-afc1-8c957a1496b6	command_prompt
92	privilege-escalation	T1543.003	Windows Service	3	Service Installation PowerShell	491a4af6-a521-4b74-b23b-f7b3f1ee9e77	powershell
93	privilege-escalation	T1547.004	Winlogon Helper DLL	1	Winlogon Shell Key Persistence - PowerShell	bf9f9d65-ee4d-4c3e-a843-777d04f19c38	powershell
94	privilege-escalation	T1547.004	Winlogon Helper DLL	2	Winlogon Userinit Key Persistence - PowerShell	fb32c935-ee2e-454b-8fa3-1c46b42e8dfb	powershell
95	privilege-escalation	T1547.004	Winlogon Helper DLL	3	Winlogon Notify Key Logon Persistence - PowerShell	d40da266-e073-4e5a-bb8b-2b385023e5f9	powershell
96	persistence	T1546.004	.bash_profile and .bashrc	1	Add command to .bash_profile	94500ae1-7e31-47e3-886b-c328da46872f	sh
97	persistence	T1546.004	.bash_profile and .bashrc	2	Add command to .bashrc	0a898315-4cfa-4007-bafe-33a4646d115f	sh
98	persistence	T1546.008	Accessibility Features	1	Attaches Command Prompt as a Debugger to a List of Target Processes	3309f53e-b22b-4eb6-8fd2-a6cf58b355a9	powershell
99	persistence	T1546.008	Accessibility Features	2	Replace binary of sticky keys	934e90cf-29ca-48b3-863c-411737ad44e3	command_prompt
100	persistence	T1098	Account Manipulation	1	Admin Account Manipulate	5598f7cb-cf43-455e-883a-f6008c5d46af	powershell
101	persistence	T1098	Account Manipulation	2	Domain Account and Group Manipulate	a55a22e9-a3d3-42ce-bd48-2653adb8f7a9	powershell
102	persistence	T1546.010	AppInit DLLs	1	Install AppInit Shim	a58d9386-3080-4242-ab5f-454c16503d18	command_prompt
103	persistence	T1546.011	Application Shimming	1	Application Shim Installation	9ab27e22-ee62-4211-962b-d36d9a0e6a18	command_prompt
104	persistence	T1546.011	Application Shimming	2	New shim database files created in the default shim database directory	aefd6866-d753-431f-a7a4-215ca7e3f13d	powershell
105	persistence	T1546.011	Application Shimming	3	Registry key creation and/or modification events for SDB	9b6a06f9-ab5e-4e8d-8289-1df4289db02f	powershell
106	persistence	T1053.001	At (Linux)	1	At - Schedule a job	7266d898-ac82-4ec0-97c7-436075d0d08e	sh
107	persistence	T1053.002	At (Windows)	1	At.exe Scheduled task	4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8	command_prompt
108	persistence	T1197	BITS Jobs	1	Bitsadmin Download (cmd)	3c73d728-75fb-4180-a12f-6712864d7421	command_prompt
109	persistence	T1197	BITS Jobs	2	Bitsadmin Download (PowerShell)	f63b8bc4-07e5-4112-acba-56f646f3f0bc	powershell
110	persistence	T1197	BITS Jobs	3	Persist, Download, & Execute	62a06ec5-5754-47d2-bcfc-123d8314c6ae	command_prompt
111	persistence	T1197	BITS Jobs	4	Bits download using desktopimgdownldr.exe (cmd)	afb5e09e-e385-4dee-9a94-6ee60979d114	command_prompt
112	persistence	T1176	Browser Extensions	1	Chrome (Developer Mode)	3ecd790d-2617-4abf-9a8c-4e8d47da9ee1	manual
113	persistence	T1176	Browser Extensions	2	Chrome (Chrome Web Store)	4c83940d-8ca5-4bb2-8100-f46dc914bc3f	manual
114	persistence	T1176	Browser Extensions	3	Firefox	cb790029-17e6-4c43-b96f-002ce5f10938	manual
115	persistence	T1176	Browser Extensions	4	Edge Chromium Addon - VPN	3d456e2b-a7db-4af8-b5b3-720e7c4d9da5	manual
116	persistence	T1574.012	COR_PROFILER	1	User scope COR_PROFILER	9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a	powershell
117	persistence	T1574.012	COR_PROFILER	2	System Scope COR_PROFILER	f373b482-48c8-4ce4-85ed-d40c8b3f7310	powershell
118	persistence	T1574.012	COR_PROFILER	3	Registry-free process scope COR_PROFILER	79d57242-bbef-41db-b301-9d01d9f6e817	powershell
119	persistence	T1546.001	Change Default File Association	1	Change Default File Association	10a08978-2045-4d62-8c42-1957bbbea102	command_prompt
120	persistence	T1053.003	Cron	1	Cron - Replace crontab with referenced file	435057fb-74b1-410e-9403-d81baf194f75	bash
121	persistence	T1053.003	Cron	2	Cron - Add script to all cron subfolders	b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0	bash
122	persistence	T1053.003	Cron	3	Cron - Add script to /var/spool/cron/crontabs/ folder	2d943c18-e74a-44bf-936f-25ade6cccab4	bash
123	persistence	T1574.001	DLL Search Order Hijacking	1	DLL Search Order Hijacking - amsi.dll	8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3	command_prompt
124	persistence	T1574.002	DLL Side-Loading	1	DLL Side-Loading using the Notepad++ GUP.exe binary	65526037-7079-44a9-bda1-2cb624838040	command_prompt
125	persistence	T1078.001	Default Accounts	1	Enable Guest account with RDP capability and admin priviliges	99747561-ed8d-47f2-9c91-1e5fde1ed6e0	command_prompt
126	persistence	T1136.002	Domain Account	1	Create a new Windows domain admin user	fcec2963-9951-4173-9bfa-98d8b7834e62	command_prompt
127	persistence	T1136.002	Domain Account	2	Create a new account similar to ANONYMOUS LOGON	dc7726d2-8ccb-4cc6-af22-0d5afb53a548	command_prompt
128	persistence	T1546.014	Emond	1	Persistance with Event Monitor - emond	23c9c127-322b-4c75-95ca-eff464906114	sh
129	persistence	T1133	External Remote Services	1	Running Chrome VPN Extensions via the Registry 2 vpn extension	4c8db261-a58b-42a6-a866-0a294deedde4	powershell
130	persistence	T1546.012	Image File Execution Options Injection	1	IFEO Add Debugger	fdda2626-5234-4c90-b163-60849a24c0b8	command_prompt
131	persistence	T1546.012	Image File Execution Options Injection	2	IFEO Global Flags	46b1f278-c8ee-4aa5-acce-65e77b11f3c1	command_prompt
132	persistence	T1547.006	Kernel Modules and Extensions	1	Linux - Load Kernel Module via insmod	687dcb93-9656-4853-9c36-9977315e9d23	bash
133	persistence	T1574.006	LD_PRELOAD	1	Shared Library Injection via /etc/ld.so.preload	39cb0e67-dd0d-4b74-a74b-c072db7ae991	bash
134	persistence	T1574.006	LD_PRELOAD	2	Shared Library Injection via LD_PRELOAD	bc219ff7-789f-4d51-9142-ecae3397deae	bash
135	persistence	T1543.001	Launch Agent	1	Launch Agent	a5983dee-bf6c-4eaf-951c-dbc1a7b90900	bash
136	persistence	T1543.004	Launch Daemon	1	Launch Daemon	03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf	bash
137	persistence	T1053.004	Launchd	1	Event Monitor Daemon Persistence	11979f23-9b9d-482a-9935-6fc9cd022c3e	bash
138	persistence	T1136.001	Local Account	1	Create a user account on a Linux system	40d8eabd-e394-46f6-8785-b9bfa1d011d2	bash
139	persistence	T1136.001	Local Account	2	Create a user account on a MacOS system	01993ba5-1da3-4e15-a719-b690d4f0f0b2	bash
140	persistence	T1136.001	Local Account	3	Create a new user in a command prompt	6657864e-0323-4206-9344-ac9cd7265a4f	command_prompt
141	persistence	T1136.001	Local Account	4	Create a new user in PowerShell	bc8be0ac-475c-4fbf-9b1d-9fffd77afbde	powershell
142	persistence	T1136.001	Local Account	5	Create a new user in Linux with `root` UID and GID.	a1040a30-d28b-4eda-bd99-bb2861a4616c	bash
143	persistence	T1136.001	Local Account	6	Create a new Windows admin user	fda74566-a604-4581-a4cc-fbbe21d66559	command_prompt
144	persistence	T1078.003	Local Accounts	1	Create local account with admin priviliges	a524ce99-86de-4db6-b4f9-e08f35a47a15	command_prompt
145	persistence	T1037.002	Logon Script (Mac)	1	Logon Scripts - Mac	f047c7de-a2d9-406e-a62b-12a09d9516f4	manual
146	persistence	T1037.001	Logon Script (Windows)	1	Logon Scripts	d6042746-07d4-4c92-9ad8-e644c114a231	command_prompt
147	persistence	T1546.007	Netsh Helper DLL	1	Netsh Helper DLL Registration	3244697d-5a3a-4dfc-941c-550f69f91a4d	command_prompt
148	persistence	T1137.002	Office Test	1	Office Apllication Startup Test Persistence	c3e35b58-fe1c-480b-b540-7600fb612563	command_prompt
149	persistence	T1574.009	Path Interception by Unquoted Path	1	Execution of program.exe as service with unquoted service path	2770dea7-c50f-457b-84c4-c40a47460d9f	command_prompt
150	persistence	T1547.011	Plist Modification	1	Plist Modification	394a538e-09bb-4a4a-95d1-b93cf12682a8	manual
151	persistence	T1546.013	PowerShell Profile	1	Append malicious start-process cmdlet	090e5aa5-32b6-473b-a49b-21e843a56896	powershell
152	persistence	T1037.004	Rc.common	1	rc.common	97a48daa-8bca-4bc0-b1a9-c1d163e762de	bash
153	persistence	T1547.007	Re-opened Applications	1	Re-Opened Applications	5fefd767-ef54-4ac6-84d3-751ab85e8aba	manual
154	persistence	T1547.007	Re-opened Applications	2	Re-Opened Applications	5f5b71da-e03f-42e7-ac98-d63f9e0465cb	sh
155	persistence	T1547.001	Registry Run Keys / Startup Folder	1	Reg Key Run	e55be3fd-3521-4610-9d1a-e210e42dcf05	command_prompt
156	persistence	T1547.001	Registry Run Keys / Startup Folder	2	Reg Key RunOnce	554cbd88-cde1-4b56-8168-0be552eed9eb	command_prompt
157	persistence	T1547.001	Registry Run Keys / Startup Folder	3	PowerShell Registry RunOnce	eb44f842-0457-4ddc-9b92-c4caa144ac42	powershell
158	persistence	T1547.001	Registry Run Keys / Startup Folder	4	Suspicious vbs file run from startup Folder	2cb98256-625e-4da9-9d44-f2e5f90b8bd5	powershell
159	persistence	T1547.001	Registry Run Keys / Startup Folder	5	Suspicious jse file run from startup Folder	dade9447-791e-4c8f-b04b-3a35855dfa06	powershell
160	persistence	T1547.001	Registry Run Keys / Startup Folder	6	Suspicious bat file run from startup Folder	5b6768e4-44d2-44f0-89da-a01d1430fd5e	powershell
161	persistence	T1547.001	Registry Run Keys / Startup Folder	7	Add Executable Shortcut Link to User Startup Folder	24e55612-85f6-4bd6-ae74-a73d02e3441d	powershell
162	persistence	T1098.004	SSH Authorized Keys	1	Modify SSH Authorized Keys	342cc723-127c-4d3a-8292-9c0c6b4ecadc	bash
163	persistence	T1053.005	Scheduled Task	1	Scheduled Task Startup Script	fec27f65-db86-4c2d-b66c-61945aee87c2	command_prompt
164	persistence	T1053.005	Scheduled Task	2	Scheduled task Local	42f53695-ad4a-4546-abb6-7d837f644a71	command_prompt
165	persistence	T1053.005	Scheduled Task	3	Scheduled task Remote	2e5eac3e-327b-4a88-a0c0-c4057039a8dd	command_prompt
166	persistence	T1053.005	Scheduled Task	4	Powershell Cmdlet Scheduled Task	af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd	powershell
167	persistence	T1053.005	Scheduled Task	5	Task Scheduler via VBA	ecd3fa21-7792-41a2-8726-2c5c673414d3	powershell
168	persistence	T1546.002	Screensaver	1	Set Arbitrary Binary as Screensaver	281201e7-de41-4dc9-b73d-f288938cbb64	command_prompt
169	persistence	T1547.005	Security Support Provider	1	Modify SSP configuration in registry	afdfd7e3-8a0b-409f-85f7-886fdf249c9e	powershell
170	persistence	T1574.011	Services Registry Permissions Weakness	1	Service Registry Permissions Weakness	f7536d63-7fd4-466f-89da-7e48d550752a	powershell
171	persistence	T1574.011	Services Registry Permissions Weakness	2	Service ImagePath Change with reg.exe	f38e9eea-e1d7-4ba6-b716-584791963827	command_prompt
172	persistence	T1547.009	Shortcut Modification	1	Shortcut Modification	ce4fc678-364f-4282-af16-2fb4c78005ce	command_prompt
173	persistence	T1547.009	Shortcut Modification	2	Create shortcut to cmd in startup folders	cfdc954d-4bb0-4027-875b-a1893ce406f2	powershell
174	persistence	T1037.005	Startup Items	1	Add file to Local Library StartupItems	134627c3-75db-410e-bff8-7a920075f198	sh
175	persistence	T1543.002	Systemd Service	1	Create Systemd Service	d9e4f24f-aa67-4c6e-bcbf-85622b697a7c	bash
176	persistence	T1505.002	Transport Agent	1	Install MS Exchange Transport Agent Persistence	43e92449-ff60-46e9-83a3-1a38089df94d	powershell
177	persistence	T1546.005	Trap	1	Trap	a74b2e07-5952-4c03-8b56-56274b076b61	sh
178	persistence	T1505.003	Web Shell	1	Web Shell Written to Disk	0a2ce662-1efa-496f-a472-2fe7b080db16	command_prompt
179	persistence	T1546.003	Windows Management Instrumentation Event Subscription	1	Persistence via WMI Event Subscription	3c64f177-28e2-49eb-a799-d767b24dd1e0	powershell
180	persistence	T1543.003	Windows Service	1	Modify Fax service to run PowerShell	ed366cde-7d12-49df-a833-671904770b9f	command_prompt
181	persistence	T1543.003	Windows Service	2	Service Installation CMD	981e2942-e433-44e9-afc1-8c957a1496b6	command_prompt
182	persistence	T1543.003	Windows Service	3	Service Installation PowerShell	491a4af6-a521-4b74-b23b-f7b3f1ee9e77	powershell
183	persistence	T1547.004	Winlogon Helper DLL	1	Winlogon Shell Key Persistence - PowerShell	bf9f9d65-ee4d-4c3e-a843-777d04f19c38	powershell
184	persistence	T1547.004	Winlogon Helper DLL	2	Winlogon Userinit Key Persistence - PowerShell	fb32c935-ee2e-454b-8fa3-1c46b42e8dfb	powershell
185	persistence	T1547.004	Winlogon Helper DLL	3	Winlogon Notify Key Logon Persistence - PowerShell	d40da266-e073-4e5a-bb8b-2b385023e5f9	powershell
186	credential-access	T1003.008	/etc/passwd and /etc/shadow	1	Access /etc/shadow (Local)	3723ab77-c546-403c-8fb4-bb577033b235	bash
187	credential-access	T1003.008	/etc/passwd and /etc/shadow	2	Access /etc/passwd (Local)	60e860b6-8ae6-49db-ad07-5e73edd88f5d	sh
188	credential-access	T1552.003	Bash History	1	Search Through Bash History	3cfde62b-7c33-4b26-a61e-755d6131c8ce	sh
189	credential-access	T1056.004	Credential API Hooking	1	Hook PowerShell TLS Encrypt/Decrypt Messages	de1934ea-1fbf-425b-8795-65fb27dd7e33	powershell
190	credential-access	T1552.001	Credentials In Files	1	Extract Browser and System credentials with LaZagne	9e507bb8-1d30-4e3b-a49b-cb5727d7ea79	bash
191	credential-access	T1552.001	Credentials In Files	2	Extract passwords with grep	bd4cf0d1-7646-474e-8610-78ccf5a097c4	sh
192	credential-access	T1552.001	Credentials In Files	3	Extracting passwords with findstr	0e56bf29-ff49-4ea5-9af4-3b81283fd513	powershell
193	credential-access	T1552.001	Credentials In Files	4	Access unattend.xml	367d4004-5fc0-446d-823f-960c74ae52c3	command_prompt
194	credential-access	T1555	Credentials from Password Stores	1	Extract Windows Credential Manager via VBA	234f9b7c-b53d-4f32-897b-b880a6c9ea7b	powershell
195	credential-access	T1555.003	Credentials from Web Browsers	1	Run Chrome-password Collector	8c05b133-d438-47ca-a630-19cc464c4622	powershell
196	credential-access	T1555.003	Credentials from Web Browsers	2	Search macOS Safari Cookies	c1402f7b-67ca-43a8-b5f3-3143abedc01b	sh
197	credential-access	T1555.003	Credentials from Web Browsers	3	LaZagne - Credentials from Browser	9a2915b3-3954-4cce-8c76-00fbf4dbd014	command_prompt
198	credential-access	T1552.002	Credentials in Registry	1	Enumeration for Credentials in Registry	b6ec082c-7384-46b3-a111-9a9b8b14e5e7	command_prompt
199	credential-access	T1552.002	Credentials in Registry	2	Enumeration for PuTTY Credentials in Registry	af197fd7-e868-448e-9bd5-05d1bcd9d9e5	command_prompt
200	credential-access	T1003.006	DCSync	1	DCSync	129efd28-8497-4c87-a1b0-73b9a870ca3e	command_prompt
201	credential-access	T1056.002	GUI Input Capture	1	AppleScript - Prompt User for Password	76628574-0bc1-4646-8fe2-8f4427b47d15	bash
202	credential-access	T1056.002	GUI Input Capture	2	PowerShell - Prompt User for Password	2b162bfd-0928-4d4c-9ec3-4d9f88374b52	powershell
203	credential-access	T1558.001	Golden Ticket	1	Crafting golden tickets with mimikatz	9726592a-dabc-4d4d-81cd-44070008b3af	powershell
204	credential-access	T1552.006	Group Policy Preferences	1	GPP Passwords (findstr)	870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f	command_prompt
205	credential-access	T1552.006	Group Policy Preferences	2	GPP Passwords (Get-GPPPassword)	e9584f82-322c-474a-b831-940fd8b4455c	powershell
206	credential-access	T1558.003	Kerberoasting	1	Request for service tickets	3f987809-3681-43c8-bcd8-b3ff3a28533a	powershell
207	credential-access	T1555.001	Keychain	1	Keychain	1864fdec-ff86-4452-8c30-f12507582a93	sh
208	credential-access	T1056.001	Keylogging	1	Input Capture	d9b633ca-8efb-45e6-b838-70f595c6ae26	powershell
209	credential-access	T1003.004	LSA Secrets	1	Dumping LSA Secrets	55295ab0-a703-433b-9ca4-ae13807de12f	command_prompt
210	credential-access	T1003.001	LSASS Memory	1	Windows Credential Editor	0f7c5301-6859-45ba-8b4d-1fac30fc31ed	command_prompt
211	credential-access	T1003.001	LSASS Memory	2	Dump LSASS.exe Memory using ProcDump	0be2230c-9ab3-4ac2-8826-3199b9a0ebf8	command_prompt
212	credential-access	T1003.001	LSASS Memory	3	Dump LSASS.exe Memory using comsvcs.dll	2536dee2-12fb-459a-8c37-971844fa73be	powershell
213	credential-access	T1003.001	LSASS Memory	4	Dump LSASS.exe Memory using direct system calls and API unhooking	7ae7102c-a099-45c8-b985-4c7a2d05790d	command_prompt
214	credential-access	T1003.001	LSASS Memory	5	Dump LSASS.exe Memory using Windows Task Manager	dea6c349-f1c6-44f3-87a1-1ed33a59a607	manual
215	credential-access	T1003.001	LSASS Memory	6	Offline Credential Theft With Mimikatz	453acf13-1dbd-47d7-b28a-172ce9228023	command_prompt
216	credential-access	T1003.001	LSASS Memory	7	LSASS read with pypykatz	c37bc535-5c62-4195-9cc3-0517673171d8	command_prompt
217	credential-access	T1003.001	LSASS Memory	8	Dump LSASS.exe Memory using Out-Minidump.ps1	6502c8f0-b775-4dbd-9193-1298f56b6781	powershell
218	credential-access	T1003.001	LSASS Memory	9	Create Mini Dump of LSASS.exe using ProcDump	7cede33f-0acd-44ef-9774-15511300b24b	command_prompt
219	credential-access	T1003.003	NTDS	1	Create Volume Shadow Copy with vssadmin	dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f	command_prompt
220	credential-access	T1003.003	NTDS	2	Copy NTDS.dit from Volume Shadow Copy	c6237146-9ea6-4711-85c9-c56d263a6b03	command_prompt
221	credential-access	T1003.003	NTDS	3	Dump Active Directory Database with NTDSUtil	2364e33d-ceab-4641-8468-bfb1d7cc2723	command_prompt
222	credential-access	T1003.003	NTDS	4	Create Volume Shadow Copy with WMI	224f7de0-8f0a-4a94-b5d8-989b036c86da	command_prompt
223	credential-access	T1003.003	NTDS	5	Create Volume Shadow Copy with Powershell	542bb97e-da53-436b-8e43-e0a7d31a6c24	powershell
224	credential-access	T1003.003	NTDS	6	Create Symlink to Volume Shadow Copy	21748c28-2793-4284-9e07-d6d028b66702	command_prompt
225	credential-access	T1040	Network Sniffing	1	Packet Capture Linux	7fe741f7-b265-4951-a7c7-320889083b3e	bash
226	credential-access	T1040	Network Sniffing	2	Packet Capture macOS	9d04efee-eff5-4240-b8d2-07792b873608	bash
227	credential-access	T1040	Network Sniffing	3	Packet Capture Windows Command Prompt	a5b2f6a0-24b4-493e-9590-c699f75723ca	command_prompt
228	credential-access	T1040	Network Sniffing	4	Windows Internal Packet Capture	b5656f67-d67f-4de8-8e62-b5581630f528	command_prompt
229	credential-access	T1003	OS Credential Dumping	1	Powershell Mimikatz	66fb0bc1-3c3f-47e9-a298-550ecfefacbc	powershell
230	credential-access	T1003	OS Credential Dumping	2	Gsecdump	96345bfc-8ae7-4b6a-80b7-223200f24ef9	command_prompt
231	credential-access	T1003	OS Credential Dumping	3	Credential Dumping with NPPSpy	9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6	powershell
232	credential-access	T1110.002	Password Cracking	1	Password Cracking with Hashcat	6d27df5d-69d4-4c91-bc33-5983ffe91692	command_prompt
233	credential-access	T1556.002	Password Filter DLL	1	Install and Register Password Filter DLL	a7961770-beb5-4134-9674-83d7e1fa865c	powershell
234	credential-access	T1110.001	Password Guessing	1	Brute Force Credentials of all domain users via SMB	09480053-2f98-4854-be6e-71ae5f672224	command_prompt
235	credential-access	T1110.001	Password Guessing	2	Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos)	c2969434-672b-4ec8-8df0-bbb91f40e250	powershell
236	credential-access	T1110.003	Password Spraying	1	Password Spray all Domain Users	90bc2e54-6c84-47a5-9439-0a2a92b4b175	command_prompt
237	credential-access	T1110.003	Password Spraying	2	Password Spray (DomainPasswordSpray)	263ae743-515f-4786-ac7d-41ef3a0d4b2b	powershell
238	credential-access	T1110.003	Password Spraying	3	Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos)	f14d956a-5b6e-4a93-847f-0c415142f07d	powershell
239	credential-access	T1552.004	Private Keys	1	Private Keys	520ce462-7ca7-441e-b5a5-f8347f632696	command_prompt
240	credential-access	T1552.004	Private Keys	2	Discover Private SSH Keys	46959285-906d-40fa-9437-5a439accd878	sh
241	credential-access	T1552.004	Private Keys	3	Copy Private SSH Keys with CP	7c247dc7-5128-4643-907b-73a76d9135c3	sh
242	credential-access	T1552.004	Private Keys	4	Copy Private SSH Keys with rsync	864bb0b2-6bb5-489a-b43b-a77b3a16d68a	sh
243	credential-access	T1003.002	Security Account Manager	1	Registry dump of SAM, creds, and secrets	5c2571d0-1572-416d-9676-812e64ca9f44	command_prompt
244	credential-access	T1003.002	Security Account Manager	2	Registry parse with pypykatz	a96872b2-cbf3-46cf-8eb4-27e8c0e85263	command_prompt
245	credential-access	T1003.002	Security Account Manager	3	esentutl.exe SAM copy	a90c2f4d-6726-444e-99d2-a00cd7c20480	command_prompt
246	credential-access	T1003.002	Security Account Manager	4	PowerDump Registry dump of SAM for hashes and usernames	804f28fc-68fc-40da-b5a2-e9d0bce5c193	powershell
247	collection	T1560	Archive Collected Data	1	Compress Data for Exfiltration With PowerShell	41410c60-614d-4b9d-b66e-b0192dd9c597	powershell
248	collection	T1560.001	Archive via Utility	1	Compress Data for Exfiltration With Rar	02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0	command_prompt
249	collection	T1560.001	Archive via Utility	2	Compress Data and lock with password for Exfiltration with winrar	8dd61a55-44c6-43cc-af0c-8bdda276860c	command_prompt
250	collection	T1560.001	Archive via Utility	3	Compress Data and lock with password for Exfiltration with winzip	01df0353-d531-408d-a0c5-3161bf822134	command_prompt
251	collection	T1560.001	Archive via Utility	4	Compress Data and lock with password for Exfiltration with 7zip	d1334303-59cb-4a03-8313-b3e24d02c198	command_prompt
252	collection	T1560.001	Archive via Utility	5	Data Compressed - nix - zip	c51cec55-28dd-4ad2-9461-1eacbc82c3a0	sh
253	collection	T1560.001	Archive via Utility	6	Data Compressed - nix - gzip Single File	cde3c2af-3485-49eb-9c1f-0ed60e9cc0af	sh
254	collection	T1560.001	Archive via Utility	7	Data Compressed - nix - tar Folder or File	7af2b51e-ad1c-498c-aca8-d3290c19535a	sh
255	collection	T1560.001	Archive via Utility	8	Data Encrypted with zip and gpg symmetric	0286eb44-e7ce-41a0-b109-3da516e05a5f	sh
256	collection	T1123	Audio Capture	1	using device audio capture commandlet	9c3ad250-b185-4444-b5a9-d69218a10c95	powershell
257	collection	T1119	Automated Collection	1	Automated Collection Command Prompt	cb379146-53f1-43e0-b884-7ce2c635ff5b	command_prompt
258	collection	T1119	Automated Collection	2	Automated Collection PowerShell	634bd9b9-dc83-4229-b19f-7f83ba9ad313	powershell
259	collection	T1119	Automated Collection	3	Recon information for export with PowerShell	c3f6d794-50dd-482f-b640-0384fbb7db26	powershell
260	collection	T1119	Automated Collection	4	Recon information for export with Command Prompt	aa1180e2-f329-4e1e-8625-2472ec0bfaf3	command_prompt
261	collection	T1115	Clipboard Data	1	Utilize Clipboard to store or execute commands from	0cd14633-58d4-4422-9ede-daa2c9474ae7	command_prompt
262	collection	T1115	Clipboard Data	2	Execute Commands from Clipboard using PowerShell	d6dc21af-bec9-4152-be86-326b6babd416	powershell
263	collection	T1115	Clipboard Data	3	Execute commands from clipboard	1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff	bash
264	collection	T1115	Clipboard Data	4	Collect Clipboard Data via VBA	9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52	powershell
265	collection	T1056.004	Credential API Hooking	1	Hook PowerShell TLS Encrypt/Decrypt Messages	de1934ea-1fbf-425b-8795-65fb27dd7e33	powershell
266	collection	T1056.002	GUI Input Capture	1	AppleScript - Prompt User for Password	76628574-0bc1-4646-8fe2-8f4427b47d15	bash
267	collection	T1056.002	GUI Input Capture	2	PowerShell - Prompt User for Password	2b162bfd-0928-4d4c-9ec3-4d9f88374b52	powershell
268	collection	T1056.001	Keylogging	1	Input Capture	d9b633ca-8efb-45e6-b838-70f595c6ae26	powershell
269	collection	T1074.001	Local Data Staging	1	Stage data from Discovery.bat	107706a5-6f9f-451a-adae-bab8c667829f	powershell
270	collection	T1074.001	Local Data Staging	2	Stage data from Discovery.sh	39ce0303-ae16-4b9e-bb5b-4f53e8262066	bash
271	collection	T1074.001	Local Data Staging	3	Zip a Folder with PowerShell for Staging in Temp	a57fbe4b-3440-452a-88a7-943531ac872a	powershell
272	collection	T1114.001	Local Email Collection	1	Email Collection with PowerShell Get-Inbox	3f1b5096-0139-4736-9b78-19bcb02bb1cb	powershell
273	collection	T1113	Screen Capture	1	Screencapture	0f47ceb1-720f-4275-96b8-21f0562217ac	bash
274	collection	T1113	Screen Capture	2	Screencapture (silent)	deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4	bash
275	collection	T1113	Screen Capture	3	X Windows Capture	8206dd0c-faf6-4d74-ba13-7fbe13dce6ac	bash
276	collection	T1113	Screen Capture	4	Capture Linux Desktop using Import Tool	9cd1cccb-91e4-4550-9139-e20a586fcea1	bash
277	collection	T1113	Screen Capture	5	Windows Screencapture	3c898f62-626c-47d5-aad2-6de873d69153	powershell
278	defense-evasion	T1055.004	Asynchronous Procedure Call	1	Process Injection via C#	611b39b7-e243-4c81-87a4-7145a90358b1	command_prompt
279	defense-evasion	T1197	BITS Jobs	1	Bitsadmin Download (cmd)	3c73d728-75fb-4180-a12f-6712864d7421	command_prompt
280	defense-evasion	T1197	BITS Jobs	2	Bitsadmin Download (PowerShell)	f63b8bc4-07e5-4112-acba-56f646f3f0bc	powershell
281	defense-evasion	T1197	BITS Jobs	3	Persist, Download, & Execute	62a06ec5-5754-47d2-bcfc-123d8314c6ae	command_prompt
282	defense-evasion	T1197	BITS Jobs	4	Bits download using desktopimgdownldr.exe (cmd)	afb5e09e-e385-4dee-9a94-6ee60979d114	command_prompt
283	defense-evasion	T1027.001	Binary Padding	1	Pad Binary to Change Hash - Linux/macOS dd	ffe2346c-abd5-4b45-a713-bf5f1ebd573a	sh
284	defense-evasion	T1548.002	Bypass User Account Control	1	Bypass UAC using Event Viewer (cmd)	5073adf8-9a50-4bd9-b298-a9bd2ead8af9	command_prompt
285	defense-evasion	T1548.002	Bypass User Account Control	2	Bypass UAC using Event Viewer (PowerShell)	a6ce9acf-842a-4af6-8f79-539be7608e2b	powershell
286	defense-evasion	T1548.002	Bypass User Account Control	3	Bypass UAC using Fodhelper	58f641ea-12e3-499a-b684-44dee46bd182	command_prompt
287	defense-evasion	T1548.002	Bypass User Account Control	4	Bypass UAC using Fodhelper - PowerShell	3f627297-6c38-4e7d-a278-fc2563eaaeaa	powershell
288	defense-evasion	T1548.002	Bypass User Account Control	5	Bypass UAC using ComputerDefaults (PowerShell)	3c51abf2-44bf-42d8-9111-dc96ff66750f	powershell
289	defense-evasion	T1548.002	Bypass User Account Control	6	Bypass UAC by Mocking Trusted Directories	f7a35090-6f7f-4f64-bb47-d657bf5b10c1	command_prompt
290	defense-evasion	T1548.002	Bypass User Account Control	7	Bypass UAC using sdclt DelegateExecute	3be891eb-4608-4173-87e8-78b494c029b7	powershell
291	defense-evasion	T1548.002	Bypass User Account Control	8	Disable UAC using reg.exe	9e8af564-53ec-407e-aaa8-3cb20c3af7f9	command_prompt
292	defense-evasion	T1218.003	CMSTP	1	CMSTP Executing Remote Scriptlet	34e63321-9683-496b-bbc1-7566bc55e624	command_prompt
293	defense-evasion	T1218.003	CMSTP	2	CMSTP Executing UAC Bypass	748cb4f6-2fb3-4e97-b7ad-b22635a09ab0	command_prompt
294	defense-evasion	T1574.012	COR_PROFILER	1	User scope COR_PROFILER	9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a	powershell
295	defense-evasion	T1574.012	COR_PROFILER	2	System Scope COR_PROFILER	f373b482-48c8-4ce4-85ed-d40c8b3f7310	powershell
296	defense-evasion	T1574.012	COR_PROFILER	3	Registry-free process scope COR_PROFILER	79d57242-bbef-41db-b301-9d01d9f6e817	powershell
297	defense-evasion	T1070.003	Clear Command History	1	Clear Bash history (rm)	a934276e-2be5-4a36-93fd-98adbb5bd4fc	sh
298	defense-evasion	T1070.003	Clear Command History	2	Clear Bash history (echo)	cbf506a5-dd78-43e5-be7e-a46b7c7a0a11	sh
299	defense-evasion	T1070.003	Clear Command History	3	Clear Bash history (cat dev/null)	b1251c35-dcd3-4ea1-86da-36d27b54f31f	sh
300	defense-evasion	T1070.003	Clear Command History	4	Clear Bash history (ln dev/null)	23d348f3-cc5c-4ba9-bd0a-ae09069f0914	sh
301	defense-evasion	T1070.003	Clear Command History	5	Clear Bash history (truncate)	47966a1d-df4f-4078-af65-db6d9aa20739	sh
302	defense-evasion	T1070.003	Clear Command History	6	Clear history of a bunch of shells	7e6721df-5f08-4370-9255-f06d8a77af4c	sh
303	defense-evasion	T1070.003	Clear Command History	7	Clear and Disable Bash History Logging	784e4011-bd1a-4ecd-a63a-8feb278512e6	sh
304	defense-evasion	T1070.003	Clear Command History	8	Use Space Before Command to Avoid Logging to History	53b03a54-4529-4992-852d-a00b4b7215a6	sh
305	defense-evasion	T1070.003	Clear Command History	9	Prevent Powershell History Logging	2f898b81-3e97-4abb-bc3f-a95138988370	powershell
306	defense-evasion	T1070.003	Clear Command History	10	Clear Powershell History by Deleting History File	da75ae8d-26d6-4483-b0fe-700e4df4f037	powershell
307	defense-evasion	T1070.002	Clear Linux or Mac System Logs	1	rm -rf	989cc1b1-3642-4260-a809-54f9dd559683	sh
308	defense-evasion	T1070.002	Clear Linux or Mac System Logs	2	Overwrite Linux Mail Spool	1602ff76-ed7f-4c94-b550-2f727b4782d4	bash
309	defense-evasion	T1070.002	Clear Linux or Mac System Logs	3	Overwrite Linux Log	d304b2dc-90b4-4465-a650-16ddd503f7b5	bash
310	defense-evasion	T1070.001	Clear Windows Event Logs	1	Clear Logs	e6abb60e-26b8-41da-8aae-0c35174b0967	command_prompt
311	defense-evasion	T1070.001	Clear Windows Event Logs	2	Delete System Logs Using Clear-EventLog	b13e9306-3351-4b4b-a6e8-477358b0b498	powershell
312	defense-evasion	T1070.001	Clear Windows Event Logs	3	Clear Event Logs via VBA	1b682d84-f075-4f93-9a89-8a8de19ffd6e	powershell
313	defense-evasion	T1027.004	Compile After Delivery	1	Compile After Delivery using csc.exe	ffcdbd6a-b0e8-487d-927a-09127fe9a206	command_prompt
314	defense-evasion	T1027.004	Compile After Delivery	2	Dynamic C# Compile	453614d8-3ba6-4147-acc0-7ec4b3e1faef	powershell
315	defense-evasion	T1218.001	Compiled HTML File	1	Compiled HTML Help Local Payload	5cb87818-0d7c-4469-b7ef-9224107aebe8	command_prompt
316	defense-evasion	T1218.001	Compiled HTML File	2	Compiled HTML Help Remote Payload	0f8af516-9818-4172-922b-42986ef1e81d	command_prompt
317	defense-evasion	T1218.001	Compiled HTML File	3	Invoke CHM with default Shortcut Command Execution	29d6f0d7-be63-4482-8827-ea77126c1ef7	powershell
318	defense-evasion	T1218.001	Compiled HTML File	4	Invoke CHM with InfoTech Storage Protocol Handler	b4094750-5fc7-4e8e-af12-b4e36bf5e7f6	powershell
319	defense-evasion	T1218.001	Compiled HTML File	5	Invoke CHM Simulate Double click	5decef42-92b8-4a93-9eb2-877ddcb9401a	powershell
320	defense-evasion	T1218.001	Compiled HTML File	6	Invoke CHM with Script Engine and Help Topic	4f83adda-f5ec-406d-b318-9773c9ca92e5	powershell
321	defense-evasion	T1218.001	Compiled HTML File	7	Invoke CHM Shortcut Command with ITS and Help Topic	15756147-7470-4a83-87fb-bb5662526247	powershell
322	defense-evasion	T1218.002	Control Panel	1	Control Panel Items	037e9d8a-9e46-4255-8b33-2ae3b545ca6f	command_prompt
323	defense-evasion	T1574.001	DLL Search Order Hijacking	1	DLL Search Order Hijacking - amsi.dll	8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3	command_prompt
324	defense-evasion	T1574.002	DLL Side-Loading	1	DLL Side-Loading using the Notepad++ GUP.exe binary	65526037-7079-44a9-bda1-2cb624838040	command_prompt
325	defense-evasion	T1078.001	Default Accounts	1	Enable Guest account with RDP capability and admin priviliges	99747561-ed8d-47f2-9c91-1e5fde1ed6e0	command_prompt
326	defense-evasion	T1140	Deobfuscate/Decode Files or Information	1	Deobfuscate/Decode Files Or Information	dc6fe391-69e6-4506-bd06-ea5eeb4082f8	command_prompt
327	defense-evasion	T1140	Deobfuscate/Decode Files or Information	2	Certutil Rename and Decode	71abc534-3c05-4d0c-80f7-cbe93cb2aa94	command_prompt
328	defense-evasion	T1006	Direct Volume Access	1	Read volume boot sector via DOS device path (PowerShell)	88f6327e-51ec-4bbf-b2e8-3fea534eab8b	powershell
329	defense-evasion	T1562.002	Disable Windows Event Logging	1	Disable Windows IIS HTTP Logging	69435dcf-c66f-4ec0-a8b1-82beb76b34db	powershell
330	defense-evasion	T1562.002	Disable Windows Event Logging	2	Kill Event Log Service Threads	41ac52ba-5d5e-40c0-b267-573ed90489bd	powershell
331	defense-evasion	T1562.002	Disable Windows Event Logging	3	Impair Windows Audit Log Policy	5102a3a7-e2d7-4129-9e45-f483f2e0eea8	command_prompt
332	defense-evasion	T1562.004	Disable or Modify System Firewall	1	Disable iptables firewall	80f5e701-f7a4-4d06-b140-26c8efd1b6b4	sh
333	defense-evasion	T1562.004	Disable or Modify System Firewall	2	Disable Microsoft Defender Firewall	88d05800-a5e4-407e-9b53-ece4174f197f	command_prompt
334	defense-evasion	T1562.004	Disable or Modify System Firewall	3	Allow SMB and RDP on Microsoft Defender Firewall	d9841bf8-f161-4c73-81e9-fd773a5ff8c1	command_prompt
335	defense-evasion	T1562.004	Disable or Modify System Firewall	4	Opening ports for proxy - HARDRAIN	15e57006-79dd-46df-9bf9-31bc24fb5a80	command_prompt
336	defense-evasion	T1562.004	Disable or Modify System Firewall	5	Open a local port through Windows Firewall to any profile	9636dd6e-7599-40d2-8eee-ac16434f35ed	powershell
337	defense-evasion	T1562.004	Disable or Modify System Firewall	6	Allow Executable Through Firewall Located in Non-Standard Location	6f5822d2-d38d-4f48-9bfc-916607ff6b8c	powershell
338	defense-evasion	T1562.001	Disable or Modify Tools	1	Disable syslog	4ce786f8-e601-44b5-bfae-9ebb15a7d1c8	sh
339	defense-evasion	T1562.001	Disable or Modify Tools	2	Disable Cb Response	ae8943f7-0f8d-44de-962d-fbc2e2f03eb8	sh
340	defense-evasion	T1562.001	Disable or Modify Tools	3	Disable SELinux	fc225f36-9279-4c39-b3f9-5141ab74f8d8	sh
341	defense-evasion	T1562.001	Disable or Modify Tools	4	Stop Crowdstrike Falcon on Linux	828a1278-81cc-4802-96ab-188bf29ca77d	sh
342	defense-evasion	T1562.001	Disable or Modify Tools	5	Disable Carbon Black Response	8fba7766-2d11-4b4a-979a-1e3d9cc9a88c	sh
343	defense-evasion	T1562.001	Disable or Modify Tools	6	Disable LittleSnitch	62155dd8-bb3d-4f32-b31c-6532ff3ac6a3	sh
344	defense-evasion	T1562.001	Disable or Modify Tools	7	Disable OpenDNS Umbrella	07f43b33-1e15-4e99-be70-bc094157c849	sh
345	defense-evasion	T1562.001	Disable or Modify Tools	8	Disable macOS Gatekeeper	2a821573-fb3f-4e71-92c3-daac7432f053	sh
346	defense-evasion	T1562.001	Disable or Modify Tools	9	Stop and unload Crowdstrike Falcon on macOS	b3e7510c-2d4c-4249-a33f-591a2bc83eef	sh
347	defense-evasion	T1562.001	Disable or Modify Tools	10	Unload Sysmon Filter Driver	811b3e76-c41b-430c-ac0d-e2380bfaa164	command_prompt
348	defense-evasion	T1562.001	Disable or Modify Tools	11	Uninstall Sysmon	a316fb2e-5344-470d-91c1-23e15c374edc	command_prompt
349	defense-evasion	T1562.001	Disable or Modify Tools	12	AMSI Bypass - AMSI InitFailed	695eed40-e949-40e5-b306-b4031e4154bd	powershell
350	defense-evasion	T1562.001	Disable or Modify Tools	13	AMSI Bypass - Remove AMSI Provider Reg Key	13f09b91-c953-438e-845b-b585e51cac9b	powershell
351	defense-evasion	T1562.001	Disable or Modify Tools	14	Disable Arbitrary Security Windows Service	a1230893-56ac-4c81-b644-2108e982f8f5	command_prompt
352	defense-evasion	T1562.001	Disable or Modify Tools	15	Tamper with Windows Defender ATP PowerShell	6b8df440-51ec-4d53-bf83-899591c9b5d7	powershell
353	defense-evasion	T1562.001	Disable or Modify Tools	16	Tamper with Windows Defender Command Prompt	aa875ed4-8935-47e2-b2c5-6ec00ab220d2	command_prompt
354	defense-evasion	T1562.001	Disable or Modify Tools	17	Tamper with Windows Defender Registry	1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45	powershell
355	defense-evasion	T1562.001	Disable or Modify Tools	18	Disable Microsoft Office Security Features	6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7	powershell
356	defense-evasion	T1562.001	Disable or Modify Tools	19	Remove Windows Defender Definition Files	3d47daaa-2f56-43e0-94cc-caf5d8d52a68	command_prompt
357	defense-evasion	T1562.001	Disable or Modify Tools	20	Stop and Remove Arbitrary Security Windows Service	ae753dda-0f15-4af6-a168-b9ba16143143	powershell
358	defense-evasion	T1562.001	Disable or Modify Tools	21	Uninstall Crowdstrike Falcon on Windows	b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297	powershell
359	defense-evasion	T1562.001	Disable or Modify Tools	22	Tamper with Windows Defender Evade Scanning -Folder	0b19f4ee-de90-4059-88cb-63c800c683ed	powershell
360	defense-evasion	T1562.001	Disable or Modify Tools	23	Tamper with Windows Defender Evade Scanning -Extension	315f4be6-2240-4552-b3e1-d1047f5eecea	powershell
361	defense-evasion	T1562.001	Disable or Modify Tools	24	Tamper with Windows Defender Evade Scanning -Process	a123ce6a-3916-45d6-ba9c-7d4081315c27	powershell
362	defense-evasion	T1070.004	File Deletion	1	Delete a single file - Linux/macOS	562d737f-2fc6-4b09-8c2a-7f8ff0828480	sh
363	defense-evasion	T1070.004	File Deletion	2	Delete an entire folder - Linux/macOS	a415f17e-ce8d-4ce2-a8b4-83b674e7017e	sh
364	defense-evasion	T1070.004	File Deletion	3	Overwrite and delete a file with shred	039b4b10-2900-404b-b67f-4b6d49aa6499	sh
365	defense-evasion	T1070.004	File Deletion	4	Delete a single file - Windows cmd	861ea0b4-708a-4d17-848d-186c9c7f17e3	command_prompt
366	defense-evasion	T1070.004	File Deletion	5	Delete an entire folder - Windows cmd	ded937c4-2add-42f7-9c2c-c742b7a98698	command_prompt
367	defense-evasion	T1070.004	File Deletion	6	Delete a single file - Windows PowerShell	9dee89bd-9a98-4c4f-9e2d-4256690b0e72	powershell
368	defense-evasion	T1070.004	File Deletion	7	Delete an entire folder - Windows PowerShell	edd779e4-a509-4cba-8dfa-a112543dbfb1	powershell
369	defense-evasion	T1070.004	File Deletion	8	Delete Filesystem - Linux	f3aa95fe-4f10-4485-ad26-abf22a764c52	bash
370	defense-evasion	T1070.004	File Deletion	9	Delete Prefetch File	36f96049-0ad7-4a5f-8418-460acaeb92fb	powershell
371	defense-evasion	T1070.004	File Deletion	10	Delete TeamViewer Log Files	69f50a5f-967c-4327-a5bb-e1a9a9983785	powershell
372	defense-evasion	T1553.001	Gatekeeper Bypass	1	Gatekeeper Bypass	fb3d46c6-9480-4803-8d7d-ce676e1f1a9b	sh
373	defense-evasion	T1564.001	Hidden Files and Directories	1	Create a hidden file in a hidden directory	61a782e5-9a19-40b5-8ba4-69a4b9f3d7be	sh
374	defense-evasion	T1564.001	Hidden Files and Directories	2	Mac Hidden file	cddb9098-3b47-4e01-9d3b-6f5f323288a9	sh
375	defense-evasion	T1564.001	Hidden Files and Directories	3	Create Windows System File with Attrib	f70974c8-c094-4574-b542-2c545af95a32	command_prompt
376	defense-evasion	T1564.001	Hidden Files and Directories	4	Create Windows Hidden File with Attrib	dadb792e-4358-4d8d-9207-b771faa0daa5	command_prompt
377	defense-evasion	T1564.001	Hidden Files and Directories	5	Hidden files	3b7015f2-3144-4205-b799-b05580621379	sh
378	defense-evasion	T1564.001	Hidden Files and Directories	6	Hide a Directory	b115ecaf-3b24-4ed2-aefe-2fcb9db913d3	sh
379	defense-evasion	T1564.001	Hidden Files and Directories	7	Show all hidden files	9a1ec7da-b892-449f-ad68-67066d04380c	sh
380	defense-evasion	T1564.002	Hidden Users	1	Create Hidden User using UniqueID < 500	4238a7f0-a980-4fff-98a2-dfc0a363d507	sh
381	defense-evasion	T1564.002	Hidden Users	2	Create Hidden User using IsHidden option	de87ed7b-52c3-43fd-9554-730f695e7f31	sh
382	defense-evasion	T1564.003	Hidden Window	1	Hidden Window	f151ee37-9e2b-47e6-80e4-550b9f999b7a	powershell
383	defense-evasion	T1564	Hide Artifacts	1	Extract binary files via VBA	6afe288a-8a8b-4d33-a629-8d03ba9dad3a	powershell
384	defense-evasion	T1562.003	Impair Command History Logging	1	Disable history collection	4eafdb45-0f79-4d66-aa86-a3e2c08791f5	sh
385	defense-evasion	T1562.003	Impair Command History Logging	2	Mac HISTCONTROL	468566d5-83e5-40c1-b338-511e1659628d	manual
386	defense-evasion	T1562.006	Indicator Blocking	1	Auditing Configuration Changes on Linux Host	212cfbcf-4770-4980-bc21-303e37abd0e3	bash
387	defense-evasion	T1562.006	Indicator Blocking	2	Lgging Configuration Changes on Linux Host	7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c	bash
388	defense-evasion	T1070	Indicator Removal on Host	1	Indicator Removal using FSUtil	b4115c7a-0e92-47f0-a61e-17e7218b2435	command_prompt
389	defense-evasion	T1202	Indirect Command Execution	1	Indirect Command Execution - pcalua.exe	cecfea7a-5f03-4cdd-8bc8-6f7c22862440	command_prompt
390	defense-evasion	T1202	Indirect Command Execution	2	Indirect Command Execution - forfiles.exe	8b34a448-40d9-4fc3-a8c8-4bb286faf7dc	command_prompt
391	defense-evasion	T1202	Indirect Command Execution	3	Indirect Command Execution - conhost.exe	cf3391e0-b482-4b02-87fc-ca8362269b29	command_prompt
392	defense-evasion	T1553.004	Install Root Certificate	1	Install root CA on CentOS/RHEL	9c096ec4-fd42-419d-a762-d64cc950627e	sh
393	defense-evasion	T1553.004	Install Root Certificate	2	Install root CA on Debian/Ubuntu	53bcf8a0-1549-4b85-b919-010c56d724ff	sh
394	defense-evasion	T1553.004	Install Root Certificate	3	Install root CA on macOS	cc4a0b8c-426f-40ff-9426-4e10e5bf4c49	command_prompt
395	defense-evasion	T1553.004	Install Root Certificate	4	Install root CA on Windows	76f49d86-5eb1-461a-a032-a480f86652f1	powershell
396	defense-evasion	T1553.004	Install Root Certificate	5	Install root CA on Windows with certutil	5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f	powershell
397	defense-evasion	T1218.004	InstallUtil	1	CheckIfInstallable method call	ffd9c807-d402-47d2-879d-f915cf2a3a94	powershell
398	defense-evasion	T1218.004	InstallUtil	2	InstallHelper method call	d43a5bde-ae28-4c55-a850-3f4c80573503	powershell
399	defense-evasion	T1218.004	InstallUtil	3	InstallUtil class constructor method call	9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93	powershell
400	defense-evasion	T1218.004	InstallUtil	4	InstallUtil Install method call	9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b	powershell
401	defense-evasion	T1218.004	InstallUtil	5	InstallUtil Uninstall method call - /U variant	34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b	powershell
402	defense-evasion	T1218.004	InstallUtil	6	InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant	06d9deba-f732-48a8-af8e-bdd6e4d98c1d	powershell
403	defense-evasion	T1218.004	InstallUtil	7	InstallUtil HelpText method call	5a683850-1145-4326-a0e5-e91ced3c6022	powershell
404	defense-evasion	T1218.004	InstallUtil	8	InstallUtil evasive invocation	559e6d06-bb42-4307-bff7-3b95a8254bad	powershell
405	defense-evasion	T1574.006	LD_PRELOAD	1	Shared Library Injection via /etc/ld.so.preload	39cb0e67-dd0d-4b74-a74b-c072db7ae991	bash
406	defense-evasion	T1574.006	LD_PRELOAD	2	Shared Library Injection via LD_PRELOAD	bc219ff7-789f-4d51-9142-ecae3397deae	bash
407	defense-evasion	T1222.002	Linux and Mac File and Directory Permissions Modification	1	chmod - Change file or folder mode (numeric mode)	34ca1464-de9d-40c6-8c77-690adf36a135	bash
408	defense-evasion	T1222.002	Linux and Mac File and Directory Permissions Modification	2	chmod - Change file or folder mode (symbolic mode)	fc9d6695-d022-4a80-91b1-381f5c35aff3	bash
409	defense-evasion	T1222.002	Linux and Mac File and Directory Permissions Modification	3	chmod - Change file or folder mode (numeric mode) recursively	ea79f937-4a4d-4348-ace6-9916aec453a4	bash
410	defense-evasion	T1222.002	Linux and Mac File and Directory Permissions Modification	4	chmod - Change file or folder mode (symbolic mode) recursively	0451125c-b5f6-488f-993b-5a32b09f7d8f	bash
411	defense-evasion	T1222.002	Linux and Mac File and Directory Permissions Modification	5	chown - Change file or folder ownership and group	d169e71b-85f9-44ec-8343-27093ff3dfc0	bash
412	defense-evasion	T1222.002	Linux and Mac File and Directory Permissions Modification	6	chown - Change file or folder ownership and group recursively	b78598be-ff39-448f-a463-adbf2a5b7848	bash
413	defense-evasion	T1222.002	Linux and Mac File and Directory Permissions Modification	7	chown - Change file or folder mode ownership only	967ba79d-f184-4e0e-8d09-6362b3162e99	bash
414	defense-evasion	T1222.002	Linux and Mac File and Directory Permissions Modification	8	chown - Change file or folder ownership recursively	3b015515-b3d8-44e9-b8cd-6fa84faf30b2	bash
415	defense-evasion	T1222.002	Linux and Mac File and Directory Permissions Modification	9	chattr - Remove immutable file attribute	e7469fe2-ad41-4382-8965-99b94dd3c13f	sh
416	defense-evasion	T1078.003	Local Accounts	1	Create local account with admin priviliges	a524ce99-86de-4db6-b4f9-e08f35a47a15	command_prompt
417	defense-evasion	T1127.001	MSBuild	1	MSBuild Bypass Using Inline Tasks (C#)	58742c0f-cb01-44cd-a60b-fb26e8871c93	command_prompt
418	defense-evasion	T1127.001	MSBuild	2	MSBuild Bypass Using Inline Tasks (VB)	ab042179-c0c5-402f-9bc8-42741f5ce359	command_prompt
419	defense-evasion	T1036.004	Masquerade Task or Service	1	Creating W32Time similar named service using schtasks	f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9	command_prompt
420	defense-evasion	T1036.004	Masquerade Task or Service	2	Creating W32Time similar named service using sc	b721c6ef-472c-4263-a0d9-37f1f4ecff66	command_prompt
421	defense-evasion	T1112	Modify Registry	1	Modify Registry of Current User Profile - cmd	1324796b-d0f6-455a-b4ae-21ffee6aa6b9	command_prompt
422	defense-evasion	T1112	Modify Registry	2	Modify Registry of Local Machine - cmd	282f929a-6bc5-42b8-bd93-960c3ba35afe	command_prompt
423	defense-evasion	T1112	Modify Registry	3	Modify registry to store logon credentials	c0413fb5-33e2-40b7-9b6f-60b29f4a7a18	command_prompt
424	defense-evasion	T1112	Modify Registry	4	Add domain to Trusted sites Zone	cf447677-5a4e-4937-a82c-e47d254afd57	powershell
425	defense-evasion	T1112	Modify Registry	5	Javascript in registry	15f44ea9-4571-4837-be9e-802431a7bfae	powershell
426	defense-evasion	T1112	Modify Registry	6	Change Powershell Execution Policy to Bypass	f3a6cceb-06c9-48e5-8df8-8867a6814245	powershell
427	defense-evasion	T1218.005	Mshta	1	Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject	1483fab9-4f52-4217-a9ce-daa9d7747cae	command_prompt
428	defense-evasion	T1218.005	Mshta	2	Mshta executes VBScript to execute malicious command	906865c3-e05f-4acc-85c4-fbc185455095	command_prompt
429	defense-evasion	T1218.005	Mshta	3	Mshta Executes Remote HTML Application (HTA)	c4b97eeb-5249-4455-a607-59f95485cb45	powershell
430	defense-evasion	T1218.005	Mshta	4	Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement	007e5672-2088-4853-a562-7490ddc19447	powershell
431	defense-evasion	T1218.005	Mshta	5	Invoke HTML Application - Jscript Engine Simulating Double Click	58a193ec-131b-404e-b1ca-b35cf0b18c33	powershell
432	defense-evasion	T1218.005	Mshta	6	Invoke HTML Application - Direct download from URI	39ceed55-f653-48ac-bd19-aceceaf525db	powershell
433	defense-evasion	T1218.005	Mshta	7	Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler	e7e3a525-7612-4d68-a5d3-c4649181b8af	powershell
434	defense-evasion	T1218.005	Mshta	8	Invoke HTML Application - JScript Engine with Inline Protocol Handler	d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840	powershell
435	defense-evasion	T1218.005	Mshta	9	Invoke HTML Application - Simulate Lateral Movement over UNC Path	b8a8bdb2-7eae-490d-8251-d5e0295b2362	powershell
436	defense-evasion	T1218.007	Msiexec	1	Msiexec.exe - Execute Local MSI file	0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8	command_prompt
437	defense-evasion	T1218.007	Msiexec	2	Msiexec.exe - Execute Remote MSI file	bde7d2fe-d049-458d-a362-abda32a7e649	command_prompt
438	defense-evasion	T1218.007	Msiexec	3	Msiexec.exe - Execute Arbitrary DLL	66f64bd5-7c35-4c24-953a-04ca30a0a0ec	command_prompt
439	defense-evasion	T1564.004	NTFS File Attributes	1	Alternate Data Streams (ADS)	8822c3b0-d9f9-4daf-a043-49f4602364f4	command_prompt
440	defense-evasion	T1564.004	NTFS File Attributes	2	Store file in Alternate Data Stream (ADS)	2ab75061-f5d5-4c1a-b666-ba2a50df5b02	powershell
441	defense-evasion	T1564.004	NTFS File Attributes	3	Create ADS command prompt	17e7637a-ddaf-4a82-8622-377e20de8fdb	command_prompt
442	defense-evasion	T1564.004	NTFS File Attributes	4	Create ADS PowerShell	0045ea16-ed3c-4d4c-a9ee-15e44d1560d1	powershell
443	defense-evasion	T1070.005	Network Share Connection Removal	1	Add Network Share	14c38f32-6509-46d8-ab43-d53e32d2b131	command_prompt
444	defense-evasion	T1070.005	Network Share Connection Removal	2	Remove Network Share	09210ad5-1ef2-4077-9ad3-7351e13e9222	command_prompt
445	defense-evasion	T1070.005	Network Share Connection Removal	3	Remove Network Share PowerShell	0512d214-9512-4d22-bde7-f37e058259b3	powershell
446	defense-evasion	T1027	Obfuscated Files or Information	1	Decode base64 Data into Script	f45df6be-2e1e-4136-a384-8f18ab3826fb	sh
447	defense-evasion	T1027	Obfuscated Files or Information	2	Execute base64-encoded PowerShell	a50d5a97-2531-499e-a1de-5544c74432c6	powershell
448	defense-evasion	T1027	Obfuscated Files or Information	3	Execute base64-encoded PowerShell from Windows Registry	450e7218-7915-4be4-8b9b-464a49eafcec	powershell
449	defense-evasion	T1027	Obfuscated Files or Information	4	Execution from Compressed File	f8c8a909-5f29-49ac-9244-413936ce6d1f	command_prompt
450	defense-evasion	T1218.008	Odbcconf	1	Odbcconf.exe - Execute Arbitrary DLL	2430498b-06c0-4b92-a448-8ad263c388e2	command_prompt
451	defense-evasion	T1134.004	Parent PID Spoofing	1	Parent PID Spoofing using PowerShell	069258f4-2162-46e9-9a25-c9c6c56150d2	powershell
452	defense-evasion	T1134.004	Parent PID Spoofing	2	Parent PID Spoofing - Spawn from Current Process	14920ebd-1d61-491a-85e0-fe98efe37f25	powershell
453	defense-evasion	T1134.004	Parent PID Spoofing	3	Parent PID Spoofing - Spawn from Specified Process	cbbff285-9051-444a-9d17-c07cd2d230eb	powershell
454	defense-evasion	T1134.004	Parent PID Spoofing	4	Parent PID Spoofing - Spawn from svchost.exe	e9f2b777-3123-430b-805d-5cedc66ab591	powershell
455	defense-evasion	T1134.004	Parent PID Spoofing	5	Parent PID Spoofing - Spawn from New Process	2988133e-561c-4e42-a15f-6281e6a9b2db	powershell
456	defense-evasion	T1550.002	Pass the Hash	1	Mimikatz Pass the Hash	ec23cef9-27d9-46e4-a68d-6f75f7b86908	command_prompt
457	defense-evasion	T1550.002	Pass the Hash	2	crackmapexec Pass the Hash	eb05b028-16c8-4ad8-adea-6f5b219da9a9	command_prompt
458	defense-evasion	T1550.003	Pass the Ticket	1	Mimikatz Kerberos Ticket Attack	dbf38128-7ba7-4776-bedf-cc2eed432098	command_prompt
459	defense-evasion	T1556.002	Password Filter DLL	1	Install and Register Password Filter DLL	a7961770-beb5-4134-9674-83d7e1fa865c	powershell
460	defense-evasion	T1574.009	Path Interception by Unquoted Path	1	Execution of program.exe as service with unquoted service path	2770dea7-c50f-457b-84c4-c40a47460d9f	command_prompt
461	defense-evasion	T1055.012	Process Hollowing	1	Process Hollowing using PowerShell	562427b4-39ef-4e8c-af88-463a78e70b9c	powershell
462	defense-evasion	T1055.012	Process Hollowing	2	RunPE via VBA	3ad4a037-1598-4136-837c-4027e4fa319b	powershell
463	defense-evasion	T1055	Process Injection	1	Process Injection via mavinject.exe	74496461-11a1-4982-b439-4d87a550d254	powershell
464	defense-evasion	T1055	Process Injection	2	Shellcode execution via VBA	1c91e740-1729-4329-b779-feba6e71d048	powershell
465	defense-evasion	T1055	Process Injection	3	Remote Process Injection in LSASS via mimikatz	3203ad24-168e-4bec-be36-f79b13ef8a83	command_prompt
466	defense-evasion	T1216.001	PubPrn	1	PubPrn.vbs Signed Script Bypass	9dd29a1f-1e16-4862-be83-913b10a88f6c	command_prompt
467	defense-evasion	T1218.009	Regsvcs/Regasm	1	Regasm Uninstall Method Call Test	71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112	command_prompt
468	defense-evasion	T1218.009	Regsvcs/Regasm	2	Regsvcs Uninstall Method Call Test	fd3c1c6a-02d2-4b72-82d9-71c527abb126	powershell
469	defense-evasion	T1218.010	Regsvr32	1	Regsvr32 local COM scriptlet execution	449aa403-6aba-47ce-8a37-247d21ef0306	command_prompt
470	defense-evasion	T1218.010	Regsvr32	2	Regsvr32 remote COM scriptlet execution	c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36	command_prompt
471	defense-evasion	T1218.010	Regsvr32	3	Regsvr32 local DLL execution	08ffca73-9a3d-471a-aeb0-68b4aa3ab37b	command_prompt
472	defense-evasion	T1218.010	Regsvr32	4	Regsvr32 Registering Non DLL	1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421	command_prompt
473	defense-evasion	T1218.010	Regsvr32	5	Regsvr32 Silent DLL Install Call DllRegisterServer	9d71c492-ea2e-4c08-af16-c6994cdf029f	command_prompt
474	defense-evasion	T1036.003	Rename System Utilities	1	Masquerading as Windows LSASS process	5ba5a3d1-cf3c-4499-968a-a93155d1f717	command_prompt
475	defense-evasion	T1036.003	Rename System Utilities	2	Masquerading as Linux crond process.	a315bfff-7a98-403b-b442-2ea1b255e556	sh
476	defense-evasion	T1036.003	Rename System Utilities	3	Masquerading - cscript.exe running as notepad.exe	3a2a578b-0a01-46e4-92e3-62e2859b42f0	command_prompt
477	defense-evasion	T1036.003	Rename System Utilities	4	Masquerading - wscript.exe running as svchost.exe	24136435-c91a-4ede-9da1-8b284a1c1a23	command_prompt
478	defense-evasion	T1036.003	Rename System Utilities	5	Masquerading - powershell.exe running as taskhostw.exe	ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa	command_prompt
479	defense-evasion	T1036.003	Rename System Utilities	6	Masquerading - non-windows exe running as windows exe	bc15c13f-d121-4b1f-8c7d-28d95854d086	powershell
480	defense-evasion	T1036.003	Rename System Utilities	7	Masquerading - windows exe running as different windows exe	c3d24a39-2bfe-4c6a-b064-90cd73896cb0	powershell
481	defense-evasion	T1036.003	Rename System Utilities	8	Malicious process Masquerading as LSM.exe	83810c46-f45e-4485-9ab6-8ed0e9e6ed7f	command_prompt
482	defense-evasion	T1036.003	Rename System Utilities	9	File Extension Masquerading	c7fa0c3b-b57f-4cba-9118-863bf4e653fc	command_prompt
483	defense-evasion	T1207	Rogue Domain Controller	1	DCShadow - Mimikatz	0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6	powershell
484	defense-evasion	T1014	Rootkit	1	Loadable Kernel Module based Rootkit	dfb50072-e45a-4c75-a17e-a484809c8553	sh
485	defense-evasion	T1014	Rootkit	2	Loadable Kernel Module based Rootkit	75483ef8-f10f-444a-bf02-62eb0e48db6f	sh
486	defense-evasion	T1014	Rootkit	3	Windows Signed Driver Rootkit Test	8e4e1985-9a19-4529-b4b8-b7a49ff87fae	command_prompt
487	defense-evasion	T1218.011	Rundll32	1	Rundll32 execute JavaScript Remote Payload With GetObject	cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be	command_prompt
488	defense-evasion	T1218.011	Rundll32	2	Rundll32 execute VBscript command	638730e7-7aed-43dc-bf8c-8117f805f5bb	command_prompt
489	defense-evasion	T1218.011	Rundll32	3	Rundll32 advpack.dll Execution	d91cae26-7fc1-457b-a854-34c8aad48c89	command_prompt
490	defense-evasion	T1218.011	Rundll32	4	Rundll32 ieadvpack.dll Execution	5e46a58e-cbf6-45ef-a289-ed7754603df9	command_prompt
491	defense-evasion	T1218.011	Rundll32	5	Rundll32 syssetup.dll Execution	41fa324a-3946-401e-bbdd-d7991c628125	command_prompt
492	defense-evasion	T1218.011	Rundll32	6	Rundll32 setupapi.dll Execution	71d771cd-d6b3-4f34-bc76-a63d47a10b19	command_prompt
493	defense-evasion	T1218.011	Rundll32	7	Execution of HTA and VBS Files using Rundll32 and URL.dll	22cfde89-befe-4e15-9753-47306b37a6e3	command_prompt
494	defense-evasion	T1574.011	Services Registry Permissions Weakness	1	Service Registry Permissions Weakness	f7536d63-7fd4-466f-89da-7e48d550752a	powershell
495	defense-evasion	T1574.011	Services Registry Permissions Weakness	2	Service ImagePath Change with reg.exe	f38e9eea-e1d7-4ba6-b716-584791963827	command_prompt
496	defense-evasion	T1548.001	Setuid and Setgid	1	Make and modify binary from C source	896dfe97-ae43-4101-8e96-9a7996555d80	sh
497	defense-evasion	T1548.001	Setuid and Setgid	2	Set a SetUID flag on file	759055b3-3885-4582-a8ec-c00c9d64dd79	sh
498	defense-evasion	T1548.001	Setuid and Setgid	3	Set a SetGID flag on file	db55f666-7cba-46c6-9fe6-205a05c3242c	sh
499	defense-evasion	T1218	Signed Binary Proxy Execution	1	mavinject - Inject DLL into running process	c426dacf-575d-4937-8611-a148a86a5e61	command_prompt
500	defense-evasion	T1218	Signed Binary Proxy Execution	2	SyncAppvPublishingServer - Execute arbitrary PowerShell code	d590097e-d402-44e2-ad72-2c6aa1ce78b1	command_prompt
501	defense-evasion	T1218	Signed Binary Proxy Execution	3	Register-CimProvider - Execute evil dll	ad2c17ed-f626-4061-b21e-b9804a6f3655	command_prompt
502	defense-evasion	T1218	Signed Binary Proxy Execution	4	InfDefaultInstall.exe .inf Execution	54ad7d5a-a1b5-472c-b6c4-f8090fb2daef	command_prompt
503	defense-evasion	T1218	Signed Binary Proxy Execution	5	ProtocolHandler.exe Downloaded a Suspicious File	db020456-125b-4c8b-a4a7-487df8afb5a2	command_prompt
504	defense-evasion	T1218	Signed Binary Proxy Execution	6	Microsoft.Workflow.Compiler.exe Payload Execution	7cbb0f26-a4c1-4f77-b180-a009aa05637e	powershell
505	defense-evasion	T1218	Signed Binary Proxy Execution	7	Renamed Microsoft.Workflow.Compiler.exe Payload Executions	4cc40fd7-87b8-4b16-b2d7-57534b86b911	powershell
506	defense-evasion	T1218	Signed Binary Proxy Execution	8	Invoke-ATHRemoteFXvGPUDisablementCommand base test	9ebe7901-7edf-45c0-b5c7-8366300919db	powershell
507	defense-evasion	T1216	Signed Script Proxy Execution	1	SyncAppvPublishingServer Signed Script PowerShell Command Execution	275d963d-3f36-476c-8bef-a2a3960ee6eb	command_prompt
508	defense-evasion	T1216	Signed Script Proxy Execution	2	manage-bde.wsf Signed Script Command Execution	2a8f2d3c-3dec-4262-99dd-150cb2a4d63a	command_prompt
509	defense-evasion	T1027.002	Software Packing	1	Binary simply packed by UPX (linux)	11c46cd8-e471-450e-acb8-52a1216ae6a4	sh
510	defense-evasion	T1027.002	Software Packing	2	Binary packed by UPX, with modified headers (linux)	f06197f8-ff46-48c2-a0c6-afc1b50665e1	sh
511	defense-evasion	T1027.002	Software Packing	3	Binary simply packed by UPX	b16ef901-00bb-4dda-b4fc-a04db5067e20	sh
512	defense-evasion	T1027.002	Software Packing	4	Binary packed by UPX, with modified headers	4d46e16b-5765-4046-9f25-a600d3e65e4d	sh
513	defense-evasion	T1036.006	Space after Filename	1	Space After Filename	89a7dd26-e510-4c9f-9b15-f3bae333360f	manual
514	defense-evasion	T1548.003	Sudo and Sudo Caching	1	Sudo usage	150c3a08-ee6e-48a6-aeaf-3659d24ceb4e	sh
515	defense-evasion	T1548.003	Sudo and Sudo Caching	2	Unlimited sudo cache timeout	a7b17659-dd5e-46f7-b7d1-e6792c91d0bc	sh
516	defense-evasion	T1548.003	Sudo and Sudo Caching	3	Disable tty_tickets for sudo caching	91a60b03-fb75-4d24-a42e-2eb8956e8de1	sh
517	defense-evasion	T1497.001	System Checks	1	Detect Virtualization Environment (Linux)	dfbd1a21-540d-4574-9731-e852bd6fe840	sh
518	defense-evasion	T1497.001	System Checks	2	Detect Virtualization Environment (Windows)	502a7dc4-9d6f-4d28-abf2-f0e84692562d	powershell
519	defense-evasion	T1497.001	System Checks	3	Detect Virtualization Environment (MacOS)	a960185f-aef6-4547-8350-d1ce16680d09	sh
520	defense-evasion	T1070.006	Timestomp	1	Set a file's access timestamp	5f9113d5-ed75-47ed-ba23-ea3573d05810	sh
521	defense-evasion	T1070.006	Timestomp	2	Set a file's modification timestamp	20ef1523-8758-4898-b5a2-d026cc3d2c52	sh
522	defense-evasion	T1070.006	Timestomp	3	Set a file's creation timestamp	8164a4a6-f99c-4661-ac4f-80f5e4e78d2b	sh
523	defense-evasion	T1070.006	Timestomp	4	Modify file timestamps using reference file	631ea661-d661-44b0-abdb-7a7f3fc08e50	sh
524	defense-evasion	T1070.006	Timestomp	5	Windows - Modify file creation timestamp with PowerShell	b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c	powershell
525	defense-evasion	T1070.006	Timestomp	6	Windows - Modify file last modified timestamp with PowerShell	f8f6634d-93e1-4238-8510-f8a90a20dcf2	powershell
526	defense-evasion	T1070.006	Timestomp	7	Windows - Modify file last access timestamp with PowerShell	da627f63-b9bd-4431-b6f8-c5b44d061a62	powershell
527	defense-evasion	T1070.006	Timestomp	8	Windows - Timestomp a File	d7512c33-3a75-4806-9893-69abc3ccdd43	powershell
528	defense-evasion	T1134.001	Token Impersonation/Theft	1	Named pipe client impersonation	90db9e27-8e7c-4c04-b602-a45927884966	powershell
529	defense-evasion	T1134.001	Token Impersonation/Theft	2	`SeDebugPrivilege` token duplication	34f0a430-9d04-4d98-bcb5-1989f14719f0	powershell
530	defense-evasion	T1222.001	Windows File and Directory Permissions Modification	1	Take ownership using takeown utility	98d34bb4-6e75-42ad-9c41-1dae7dc6a001	command_prompt
531	defense-evasion	T1222.001	Windows File and Directory Permissions Modification	2	cacls - Grant permission to specified user or group recursively	a8206bcc-f282-40a9-a389-05d9c0263485	command_prompt
532	defense-evasion	T1222.001	Windows File and Directory Permissions Modification	3	attrib - Remove read-only attribute	bec1e95c-83aa-492e-ab77-60c71bbd21b0	command_prompt
533	defense-evasion	T1222.001	Windows File and Directory Permissions Modification	4	attrib - hide file	32b979da-7b68-42c9-9a99-0e39900fc36c	command_prompt
534	defense-evasion	T1222.001	Windows File and Directory Permissions Modification	5	Grant Full Access to folder for Everyone - Ryuk Ransomware Style	ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6	command_prompt
535	defense-evasion	T1220	XSL Script Processing	1	MSXSL Bypass using local files	ca23bfb2-023f-49c5-8802-e66997de462d	command_prompt
536	defense-evasion	T1220	XSL Script Processing	2	MSXSL Bypass using remote files	a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985	command_prompt
537	defense-evasion	T1220	XSL Script Processing	3	WMIC bypass using local XSL file	1b237334-3e21-4a0c-8178-b8c996124988	command_prompt
538	defense-evasion	T1220	XSL Script Processing	4	WMIC bypass using remote XSL file	7f5be499-33be-4129-a560-66021f379b9b	command_prompt
539	impact	T1531	Account Access Removal	1	Change User Password - Windows	1b99ef28-f83c-4ec5-8a08-1a56263a5bb2	command_prompt
540	impact	T1531	Account Access Removal	2	Delete User - Windows	f21a1d7d-a62f-442a-8c3a-2440d43b19e5	command_prompt
541	impact	T1531	Account Access Removal	3	Remove Account From Domain Admin Group	43f71395-6c37-498e-ab17-897d814a0947	powershell
542	impact	T1485	Data Destruction	1	Windows - Overwrite file with Sysinternals SDelete	476419b5-aebf-4366-a131-ae3e8dae5fc2	powershell
543	impact	T1485	Data Destruction	2	macOS/Linux - Overwrite file with DD	38deee99-fd65-4031-bec8-bfa4f9f26146	bash
544	impact	T1490	Inhibit System Recovery	1	Windows - Delete Volume Shadow Copies	43819286-91a9-4369-90ed-d31fb4da2c01	command_prompt
545	impact	T1490	Inhibit System Recovery	2	Windows - Delete Volume Shadow Copies via WMI	6a3ff8dd-f49c-4272-a658-11c2fe58bd88	command_prompt
546	impact	T1490	Inhibit System Recovery	3	Windows - wbadmin Delete Windows Backup Catalog	263ba6cb-ea2b-41c9-9d4e-b652dadd002c	command_prompt
547	impact	T1490	Inhibit System Recovery	4	Windows - Disable Windows Recovery Console Repair	cf21060a-80b3-4238-a595-22525de4ab81	command_prompt
548	impact	T1490	Inhibit System Recovery	5	Windows - Delete Volume Shadow Copies via WMI with PowerShell	39a295ca-7059-4a88-86f6-09556c1211e7	powershell
549	impact	T1490	Inhibit System Recovery	6	Windows - Delete Backup Files	6b1dbaf6-cc8a-4ea6-891f-6058569653bf	command_prompt
550	impact	T1490	Inhibit System Recovery	7	Windows - wbadmin Delete systemstatebackup	584331dd-75bc-4c02-9e0b-17f5fd81c748	command_prompt
551	impact	T1496	Resource Hijacking	1	macOS/Linux - Simulate CPU Load with Yes	904a5a0e-fb02-490d-9f8d-0e256eb37549	bash
552	impact	T1489	Service Stop	1	Windows - Stop service using Service Controller	21dfb440-830d-4c86-a3e5-2a491d5a8d04	command_prompt
553	impact	T1489	Service Stop	2	Windows - Stop service using net.exe	41274289-ec9c-4213-bea4-e43c4aa57954	command_prompt
554	impact	T1489	Service Stop	3	Windows - Stop service by killing process	f3191b84-c38b-400b-867e-3a217a27795f	command_prompt
555	impact	T1529	System Shutdown/Reboot	1	Shutdown System - Windows	ad254fa8-45c0-403b-8c77-e00b3d3e7a64	command_prompt
556	impact	T1529	System Shutdown/Reboot	2	Restart System - Windows	f4648f0d-bf78-483c-bafc-3ec99cd1c302	command_prompt
557	impact	T1529	System Shutdown/Reboot	3	Restart System via `shutdown` - macOS/Linux	6326dbc4-444b-4c04-88f4-27e94d0327cb	bash
558	impact	T1529	System Shutdown/Reboot	4	Shutdown System via `shutdown` - macOS/Linux	4963a81e-a3ad-4f02-adda-812343b351de	bash
559	impact	T1529	System Shutdown/Reboot	5	Restart System via `reboot` - macOS/Linux	47d0b042-a918-40ab-8cf9-150ffe919027	bash
560	impact	T1529	System Shutdown/Reboot	6	Shutdown System via `halt` - Linux	918f70ab-e1ef-49ff-bc57-b27021df84dd	bash
561	impact	T1529	System Shutdown/Reboot	7	Reboot System via `halt` - Linux	78f92e14-f1e9-4446-b3e9-f1b921f2459e	bash
562	impact	T1529	System Shutdown/Reboot	8	Shutdown System via `poweroff` - Linux	73a90cd2-48a2-4ac5-8594-2af35fa909fa	bash
563	impact	T1529	System Shutdown/Reboot	9	Reboot System via `poweroff` - Linux	61303105-ff60-427b-999e-efb90b314e41	bash
564	discovery	T1010	Application Window Discovery	1	List Process Main Windows - C# .NET	fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4	command_prompt
565	discovery	T1217	Browser Bookmark Discovery	1	List Mozilla Firefox Bookmark Database Files on Linux	3a41f169-a5ab-407f-9269-abafdb5da6c2	sh
566	discovery	T1217	Browser Bookmark Discovery	2	List Mozilla Firefox Bookmark Database Files on macOS	1ca1f9c7-44bc-46bb-8c85-c50e2e94267b	sh
567	discovery	T1217	Browser Bookmark Discovery	3	List Google Chrome Bookmark JSON Files on macOS	b789d341-154b-4a42-a071-9111588be9bc	sh
568	discovery	T1217	Browser Bookmark Discovery	4	List Google Chrome Bookmarks on Windows with powershell	faab755e-4299-48ec-8202-fc7885eb6545	powershell
569	discovery	T1217	Browser Bookmark Discovery	5	List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt	76f71e2f-480e-4bed-b61e-398fe17499d5	command_prompt
570	discovery	T1217	Browser Bookmark Discovery	6	List Mozilla Firefox bookmarks on Windows with command prompt	4312cdbc-79fc-4a9c-becc-53d49c734bc5	command_prompt
571	discovery	T1217	Browser Bookmark Discovery	7	List Internet Explorer Bookmarks using the command prompt	727dbcdb-e495-4ab1-a6c4-80c7f77aef85	command_prompt
572	discovery	T1087.002	Domain Account	1	Enumerate all accounts (Domain)	6fbc9e68-5ad7-444a-bd11-8bf3136c477e	command_prompt
573	discovery	T1087.002	Domain Account	2	Enumerate all accounts via PowerShell (Domain)	8b8a6449-be98-4f42-afd2-dedddc7453b2	powershell
574	discovery	T1087.002	Domain Account	3	Enumerate logged on users via CMD (Domain)	161dcd85-d014-4f5e-900c-d3eaae82a0f7	command_prompt
575	discovery	T1087.002	Domain Account	4	Automated AD Recon (ADRecon)	95018438-454a-468c-a0fa-59c800149b59	powershell
576	discovery	T1087.002	Domain Account	5	Adfind -Listing password policy	736b4f53-f400-4c22-855d-1a6b5a551600	command_prompt
577	discovery	T1087.002	Domain Account	6	Adfind - Enumerate Active Directory Admins	b95fd967-4e62-4109-b48d-265edfd28c3a	command_prompt
578	discovery	T1087.002	Domain Account	7	Adfind - Enumerate Active Directory User Objects	e1ec8d20-509a-4b9a-b820-06c9b2da8eb7	command_prompt
579	discovery	T1087.002	Domain Account	8	Adfind - Enumerate Active Directory Exchange AD Objects	5e2938fb-f919-47b6-8b29-2f6a1f718e99	command_prompt
580	discovery	T1087.002	Domain Account	9	Enumerate Default Domain Admin Details (Domain)	c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef	command_prompt
581	discovery	T1069.002	Domain Groups	1	Basic Permission Groups Discovery Windows (Domain)	dd66d77d-8998-48c0-8024-df263dc2ce5d	command_prompt
582	discovery	T1069.002	Domain Groups	2	Permission Groups Discovery PowerShell (Domain)	6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7	powershell
583	discovery	T1069.002	Domain Groups	3	Elevated group enumeration using net group (Domain)	0afb5163-8181-432e-9405-4322710c0c37	command_prompt
584	discovery	T1069.002	Domain Groups	4	Find machines where user has local admin access (PowerView)	a2d71eee-a353-4232-9f86-54f4288dd8c1	powershell
585	discovery	T1069.002	Domain Groups	5	Find local admins on all machines in domain (PowerView)	a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd	powershell
586	discovery	T1069.002	Domain Groups	6	Find Local Admins via Group Policy (PowerView)	64fdb43b-5259-467a-b000-1b02c00e510a	powershell
587	discovery	T1069.002	Domain Groups	7	Enumerate Users Not Requiring Pre Auth (ASRepRoast)	870ba71e-6858-4f6d-895c-bb6237f6121b	powershell
588	discovery	T1069.002	Domain Groups	8	Adfind - Query Active Directory Groups	48ddc687-82af-40b7-8472-ff1e742e8274	command_prompt
589	discovery	T1482	Domain Trust Discovery	1	Windows - Discover domain trusts with dsquery	4700a710-c821-4e17-a3ec-9e4c81d6845f	command_prompt
590	discovery	T1482	Domain Trust Discovery	2	Windows - Discover domain trusts with nltest	2e22641d-0498-48d2-b9ff-c71e496ccdbe	command_prompt
591	discovery	T1482	Domain Trust Discovery	3	Powershell enumerate domains and forests	c58fbc62-8a62-489e-8f2d-3565d7d96f30	powershell
592	discovery	T1482	Domain Trust Discovery	4	Adfind - Enumerate Active Directory OUs	d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec	command_prompt
593	discovery	T1482	Domain Trust Discovery	5	Adfind - Enumerate Active Directory Trusts	15fe436d-e771-4ff3-b655-2dca9ba52834	command_prompt
594	discovery	T1083	File and Directory Discovery	1	File and Directory Discovery (cmd.exe)	0e36303b-6762-4500-b003-127743b80ba6	command_prompt
595	discovery	T1083	File and Directory Discovery	2	File and Directory Discovery (PowerShell)	2158908e-b7ef-4c21-8a83-3ce4dd05a924	powershell
596	discovery	T1083	File and Directory Discovery	3	Nix File and Diectory Discovery	ffc8b249-372a-4b74-adcd-e4c0430842de	sh
597	discovery	T1083	File and Directory Discovery	4	Nix File and Directory Discovery 2	13c5e1ae-605b-46c4-a79f-db28c77ff24e	sh
598	discovery	T1087.001	Local Account	1	Enumerate all accounts (Local)	f8aab3dd-5990-4bf8-b8ab-2226c951696f	sh
599	discovery	T1087.001	Local Account	2	View sudoers access	fed9be70-0186-4bde-9f8a-20945f9370c2	sh
600	discovery	T1087.001	Local Account	3	View accounts with UID 0	c955a599-3653-4fe5-b631-f11c00eb0397	sh
601	discovery	T1087.001	Local Account	4	List opened files by user	7e46c7a5-0142-45be-a858-1a3ecb4fd3cb	sh
602	discovery	T1087.001	Local Account	5	Show if a user account has ever logged in remotely	0f0b6a29-08c3-44ad-a30b-47fd996b2110	sh
603	discovery	T1087.001	Local Account	6	Enumerate users and groups	e6f36545-dc1e-47f0-9f48-7f730f54a02e	sh
604	discovery	T1087.001	Local Account	7	Enumerate users and groups	319e9f6c-7a9e-432e-8c62-9385c803b6f2	sh
605	discovery	T1087.001	Local Account	8	Enumerate all accounts on Windows (Local)	80887bec-5a9b-4efc-a81d-f83eb2eb32ab	command_prompt
606	discovery	T1087.001	Local Account	9	Enumerate all accounts via PowerShell (Local)	ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b	powershell
607	discovery	T1087.001	Local Account	10	Enumerate logged on users via CMD (Local)	a138085e-bfe5-46ba-a242-74a6fb884af3	command_prompt
608	discovery	T1087.001	Local Account	11	Enumerate logged on users via PowerShell	2bdc42c7-8907-40c2-9c2b-42919a00fe03	powershell
609	discovery	T1069.001	Local Groups	1	Permission Groups Discovery (Local)	952931a4-af0b-4335-bbbe-73c8c5b327ae	sh
610	discovery	T1069.001	Local Groups	2	Basic Permission Groups Discovery Windows (Local)	1f454dd6-e134-44df-bebb-67de70fb6cd8	command_prompt
611	discovery	T1069.001	Local Groups	3	Permission Groups Discovery PowerShell (Local)	a580462d-2c19-4bc7-8b9a-57a41b7d3ba4	powershell
612	discovery	T1046	Network Service Scanning	1	Port Scan	68e907da-2539-48f6-9fc9-257a78c05540	sh
613	discovery	T1046	Network Service Scanning	2	Port Scan Nmap	515942b0-a09f-4163-a7bb-22fefb6f185f	sh
614	discovery	T1046	Network Service Scanning	3	Port Scan NMap for Windows	d696a3cb-d7a8-4976-8eb5-5af4abf2e3df	powershell
615	discovery	T1135	Network Share Discovery	1	Network Share Discovery	f94b5ad9-911c-4eff-9718-fd21899db4f7	sh
616	discovery	T1135	Network Share Discovery	2	Network Share Discovery command prompt	20f1097d-81c1-405c-8380-32174d493bbb	command_prompt
617	discovery	T1135	Network Share Discovery	3	Network Share Discovery PowerShell	1b0814d1-bb24-402d-9615-1b20c50733fb	powershell
618	discovery	T1135	Network Share Discovery	4	View available share drives	ab39a04f-0c93-4540-9ff2-83f862c385ae	command_prompt
619	discovery	T1135	Network Share Discovery	5	Share Discovery with PowerView	b1636f0a-ba82-435c-b699-0d78794d8bfd	powershell
620	discovery	T1040	Network Sniffing	1	Packet Capture Linux	7fe741f7-b265-4951-a7c7-320889083b3e	bash
621	discovery	T1040	Network Sniffing	2	Packet Capture macOS	9d04efee-eff5-4240-b8d2-07792b873608	bash
622	discovery	T1040	Network Sniffing	3	Packet Capture Windows Command Prompt	a5b2f6a0-24b4-493e-9590-c699f75723ca	command_prompt
623	discovery	T1040	Network Sniffing	4	Windows Internal Packet Capture	b5656f67-d67f-4de8-8e62-b5581630f528	command_prompt
624	discovery	T1201	Password Policy Discovery	1	Examine password complexity policy - Ubuntu	085fe567-ac84-47c7-ac4c-2688ce28265b	bash
625	discovery	T1201	Password Policy Discovery	2	Examine password complexity policy - CentOS/RHEL 7.x	78a12e65-efff-4617-bc01-88f17d71315d	bash
626	discovery	T1201	Password Policy Discovery	3	Examine password complexity policy - CentOS/RHEL 6.x	6ce12552-0adb-4f56-89ff-95ce268f6358	bash
627	discovery	T1201	Password Policy Discovery	4	Examine password expiration policy - All Linux	7c86c55c-70fa-4a05-83c9-3aa19b145d1a	bash
628	discovery	T1201	Password Policy Discovery	5	Examine local password policy - Windows	4588d243-f24e-4549-b2e3-e627acc089f6	command_prompt
629	discovery	T1201	Password Policy Discovery	6	Examine domain password policy - Windows	46c2c362-2679-4ef5-aec9-0e958e135be4	command_prompt
630	discovery	T1201	Password Policy Discovery	7	Examine password policy - macOS	4b7fa042-9482-45e1-b348-4b756b2a0742	bash
631	discovery	T1120	Peripheral Device Discovery	1	Win32_PnPEntity Hardware Inventory	2cb4dbf2-2dca-4597-8678-4d39d207a3a5	powershell
632	discovery	T1057	Process Discovery	1	Process Discovery - ps	4ff64f0b-aaf2-4866-b39d-38d9791407cc	sh
633	discovery	T1057	Process Discovery	2	Process Discovery - tasklist	c5806a4f-62b8-4900-980b-c7ec004e9908	command_prompt
634	discovery	T1012	Query Registry	1	Query Registry	8f7578c4-9863-4d83-875c-a565573bbdf0	command_prompt
635	discovery	T1018	Remote System Discovery	1	Remote System Discovery - net	85321a9c-897f-4a60-9f20-29788e50bccd	command_prompt
636	discovery	T1018	Remote System Discovery	2	Remote System Discovery - net group Domain Computers	f1bf6c8f-9016-4edf-aff9-80b65f5d711f	command_prompt
637	discovery	T1018	Remote System Discovery	3	Remote System Discovery - nltest	52ab5108-3f6f-42fb-8ba3-73bc054f22c8	command_prompt
638	discovery	T1018	Remote System Discovery	4	Remote System Discovery - ping sweep	6db1f57f-d1d5-4223-8a66-55c9c65a9592	command_prompt
639	discovery	T1018	Remote System Discovery	5	Remote System Discovery - arp	2d5a61f5-0447-4be4-944a-1f8530ed6574	command_prompt
640	discovery	T1018	Remote System Discovery	6	Remote System Discovery - arp nix	acb6b1ff-e2ad-4d64-806c-6c35fe73b951	sh
641	discovery	T1018	Remote System Discovery	7	Remote System Discovery - sweep	96db2632-8417-4dbb-b8bb-a8b92ba391de	sh
642	discovery	T1018	Remote System Discovery	8	Remote System Discovery - nslookup	baa01aaa-5e13-45ec-8a0d-e46c93c9760f	powershell
643	discovery	T1018	Remote System Discovery	9	Remote System Discovery - adidnsdump	95e19466-469e-4316-86d2-1dc401b5a959	command_prompt
644	discovery	T1018	Remote System Discovery	10	Adfind - Enumerate Active Directory Computer Objects	a889f5be-2d54-4050-bd05-884578748bb4	command_prompt
645	discovery	T1018	Remote System Discovery	11	Adfind - Enumerate Active Directory Domain Controller Objects	5838c31e-a0e2-4b9f-b60a-d79d2cb7995e	command_prompt
646	discovery	T1518.001	Security Software Discovery	1	Security Software Discovery	f92a380f-ced9-491f-b338-95a991418ce2	command_prompt
647	discovery	T1518.001	Security Software Discovery	2	Security Software Discovery - powershell	7f566051-f033-49fb-89de-b6bacab730f0	powershell
648	discovery	T1518.001	Security Software Discovery	3	Security Software Discovery - ps	ba62ce11-e820-485f-9c17-6f3c857cd840	sh
649	discovery	T1518.001	Security Software Discovery	4	Security Software Discovery - Sysmon Service	fe613cf3-8009-4446-9a0f-bc78a15b66c9	command_prompt
650	discovery	T1518.001	Security Software Discovery	5	Security Software Discovery - AV Discovery via WMI	1553252f-14ea-4d3b-8a08-d7a4211aa945	command_prompt
651	discovery	T1518	Software Discovery	1	Find and Display Internet Explorer Browser Version	68981660-6670-47ee-a5fa-7e74806420a4	command_prompt
652	discovery	T1518	Software Discovery	2	Applications Installed	c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b	powershell
653	discovery	T1518	Software Discovery	3	Find and Display Safari Browser Version	103d6533-fd2a-4d08-976a-4a598565280f	command_prompt
654	discovery	T1497.001	System Checks	1	Detect Virtualization Environment (Linux)	dfbd1a21-540d-4574-9731-e852bd6fe840	sh
655	discovery	T1497.001	System Checks	2	Detect Virtualization Environment (Windows)	502a7dc4-9d6f-4d28-abf2-f0e84692562d	powershell
656	discovery	T1497.001	System Checks	3	Detect Virtualization Environment (MacOS)	a960185f-aef6-4547-8350-d1ce16680d09	sh
657	discovery	T1082	System Information Discovery	1	System Information Discovery	66703791-c902-4560-8770-42b8a91f7667	command_prompt
658	discovery	T1082	System Information Discovery	2	System Information Discovery	edff98ec-0f73-4f63-9890-6b117092aff6	sh
659	discovery	T1082	System Information Discovery	3	List OS Information	cccb070c-df86-4216-a5bc-9fb60c74e27c	sh
660	discovery	T1082	System Information Discovery	4	Linux VM Check via Hardware	31dad7ad-2286-4c02-ae92-274418c85fec	bash
661	discovery	T1082	System Information Discovery	5	Linux VM Check via Kernel Modules	8057d484-0fae-49a4-8302-4812c4f1e64e	bash
662	discovery	T1082	System Information Discovery	6	Hostname Discovery (Windows)	85cfbf23-4a1e-4342-8792-007e004b975f	command_prompt
663	discovery	T1082	System Information Discovery	7	Hostname Discovery	486e88ea-4f56-470f-9b57-3f4d73f39133	bash
664	discovery	T1082	System Information Discovery	8	Windows MachineGUID Discovery	224b4daf-db44-404e-b6b2-f4d1f0126ef8	command_prompt
665	discovery	T1082	System Information Discovery	9	Griffon Recon	69bd4abe-8759-49a6-8d21-0f15822d6370	powershell
666	discovery	T1016	System Network Configuration Discovery	1	System Network Configuration Discovery on Windows	970ab6a1-0157-4f3f-9a73-ec4166754b23	command_prompt
667	discovery	T1016	System Network Configuration Discovery	2	List Windows Firewall Rules	038263cb-00f4-4b0a-98ae-0696c67e1752	command_prompt
668	discovery	T1016	System Network Configuration Discovery	3	System Network Configuration Discovery	c141bbdb-7fca-4254-9fd6-f47e79447e17	sh
669	discovery	T1016	System Network Configuration Discovery	4	System Network Configuration Discovery (TrickBot Style)	dafaf052-5508-402d-bf77-51e0700c02e2	command_prompt
670	discovery	T1016	System Network Configuration Discovery	5	List Open Egress Ports	4b467538-f102-491d-ace7-ed487b853bf5	powershell
671	discovery	T1016	System Network Configuration Discovery	6	Adfind - Enumerate Active Directory Subnet Objects	9bb45dd7-c466-4f93-83a1-be30e56033ee	command_prompt
672	discovery	T1016	System Network Configuration Discovery	7	Qakbot Recon	121de5c6-5818-4868-b8a7-8fd07c455c1b	command_prompt
673	discovery	T1049	System Network Connections Discovery	1	System Network Connections Discovery	0940a971-809a-48f1-9c4d-b1d785e96ee5	command_prompt
674	discovery	T1049	System Network Connections Discovery	2	System Network Connections Discovery with PowerShell	f069f0f1-baad-4831-aa2b-eddac4baac4a	powershell
675	discovery	T1049	System Network Connections Discovery	3	System Network Connections Discovery Linux & MacOS	9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2	sh
676	discovery	T1049	System Network Connections Discovery	4	System Discovery using SharpView	96f974bb-a0da-4d87-a744-ff33e73367e9	powershell
677	discovery	T1033	System Owner/User Discovery	1	System Owner/User Discovery	4c4959bf-addf-4b4a-be86-8d09cc1857aa	command_prompt
678	discovery	T1033	System Owner/User Discovery	2	System Owner/User Discovery	2a9b677d-a230-44f4-ad86-782df1ef108c	sh
679	discovery	T1033	System Owner/User Discovery	3	Find computers where user has session - Stealth mode (PowerView)	29857f27-a36f-4f7e-8084-4557cd6207ca	powershell
680	discovery	T1007	System Service Discovery	1	System Service Discovery	89676ba1-b1f8-47ee-b940-2e1a113ebc71	command_prompt
681	discovery	T1007	System Service Discovery	2	System Service Discovery - net.exe	5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3	command_prompt
682	discovery	T1124	System Time Discovery	1	System Time Discovery	20aba24b-e61f-4b26-b4ce-4784f763ca20	command_prompt
683	discovery	T1124	System Time Discovery	2	System Time Discovery - PowerShell	1d5711d6-655c-4a47-ae9c-6503c74fa877	powershell
684	execution	T1059.002	AppleScript	1	AppleScript	3600d97d-81b9-4171-ab96-e4386506e2c2	sh
685	execution	T1053.001	At (Linux)	1	At - Schedule a job	7266d898-ac82-4ec0-97c7-436075d0d08e	sh
686	execution	T1053.002	At (Windows)	1	At.exe Scheduled task	4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8	command_prompt
687	execution	T1053.003	Cron	1	Cron - Replace crontab with referenced file	435057fb-74b1-410e-9403-d81baf194f75	bash
688	execution	T1053.003	Cron	2	Cron - Add script to all cron subfolders	b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0	bash
689	execution	T1053.003	Cron	3	Cron - Add script to /var/spool/cron/crontabs/ folder	2d943c18-e74a-44bf-936f-25ade6cccab4	bash
690	execution	T1559.002	Dynamic Data Exchange	1	Execute Commands	f592ba2a-e9e8-4d62-a459-ef63abd819fd	manual
691	execution	T1559.002	Dynamic Data Exchange	2	Execute PowerShell script via Word DDE	47c21fb6-085e-4b0d-b4d2-26d72c3830b3	command_prompt
692	execution	T1559.002	Dynamic Data Exchange	3	DDEAUTO	cf91174c-4e74-414e-bec0-8d60a104d181	manual
693	execution	T1569.001	Launchctl	1	Launchctl	6fb61988-724e-4755-a595-07743749d4e2	bash
694	execution	T1053.004	Launchd	1	Event Monitor Daemon Persistence	11979f23-9b9d-482a-9935-6fc9cd022c3e	bash
695	execution	T1204.002	Malicious File	1	OSTap Style Macro Execution	8bebc690-18c7-4549-bc98-210f7019efff	powershell
696	execution	T1204.002	Malicious File	2	OSTap Payload Download	3f3af983-118a-4fa1-85d3-ba4daa739d80	command_prompt
697	execution	T1204.002	Malicious File	3	Maldoc choice flags command execution	0330a5d2-a45a-4272-a9ee-e364411c4b18	powershell
698	execution	T1204.002	Malicious File	4	OSTAP JS version	add560ef-20d6-4011-a937-2c340f930911	powershell
699	execution	T1204.002	Malicious File	5	Office launching .bat file from AppData	9215ea92-1ded-41b7-9cd6-79f9a78397aa	powershell
700	execution	T1204.002	Malicious File	6	Excel 4 Macro	4ea1fc97-8a46-4b4e-ba48-af43d2a98052	powershell
701	execution	T1204.002	Malicious File	7	Headless Chrome code execution via VBA	a19ee671-ed98-4e9d-b19c-d1954a51585a	powershell
702	execution	T1106	Native API	1	Execution through API - CreateProcess	99be2089-c52d-4a4a-b5c3-261ee42c8b62	command_prompt
703	execution	T1059.001	PowerShell	1	Mimikatz	f3132740-55bc-48c4-bcc0-758a459cd027	command_prompt
704	execution	T1059.001	PowerShell	2	Run BloodHound from local disk	a21bb23e-e677-4ee7-af90-6931b57b6350	powershell
705	execution	T1059.001	PowerShell	3	Run Bloodhound from Memory using Download Cradle	bf8c1441-4674-4dab-8e4e-39d93d08f9b7	powershell
706	execution	T1059.001	PowerShell	4	Obfuscation Tests	4297c41a-8168-4138-972d-01f3ee92c804	powershell
707	execution	T1059.001	PowerShell	5	Mimikatz - Cradlecraft PsSendKeys	af1800cf-9f9d-4fd1-a709-14b1e6de020d	powershell
708	execution	T1059.001	PowerShell	6	Invoke-AppPathBypass	06a220b6-7e29-4bd8-9d07-5b4d86742372	command_prompt
709	execution	T1059.001	PowerShell	7	Powershell MsXml COM object - with prompt	388a7340-dbc1-4c9d-8e59-b75ad8c6d5da	command_prompt
710	execution	T1059.001	PowerShell	8	Powershell XML requests	4396927f-e503-427b-b023-31049b9b09a6	command_prompt
711	execution	T1059.001	PowerShell	9	Powershell invoke mshta.exe download	8a2ad40b-12c7-4b25-8521-2737b0a415af	command_prompt
712	execution	T1059.001	PowerShell	10	Powershell Invoke-DownloadCradle	cc50fa2a-a4be-42af-a88f-e347ba0bf4d7	manual
713	execution	T1059.001	PowerShell	11	PowerShell Fileless Script Execution	fa050f5e-bc75-4230-af73-b6fd7852cd73	powershell
714	execution	T1059.001	PowerShell	12	PowerShell Downgrade Attack	9148e7c4-9356-420e-a416-e896e9c0f73e	powershell
715	execution	T1059.001	PowerShell	13	NTFS Alternate Data Stream Access	8e5c5532-1181-4c1d-bb79-b3a9f5dbd680	powershell
716	execution	T1059.001	PowerShell	14	PowerShell Session Creation and Use	7c1acec2-78fa-4305-a3e0-db2a54cddecd	powershell
717	execution	T1059.001	PowerShell	15	ATHPowerShellCommandLineParameter -Command parameter variations	686a9785-f99b-41d4-90df-66ed515f81d7	powershell
718	execution	T1059.001	PowerShell	16	ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments	1c0a870f-dc74-49cf-9afc-eccc45e58790	powershell
719	execution	T1059.001	PowerShell	17	ATHPowerShellCommandLineParameter -EncodedCommand parameter variations	86a43bad-12e3-4e85-b97c-4d5cf25b95c3	powershell
720	execution	T1059.001	PowerShell	18	ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments	0d181431-ddf3-4826-8055-2dbf63ae848b	powershell
721	execution	T1053.005	Scheduled Task	1	Scheduled Task Startup Script	fec27f65-db86-4c2d-b66c-61945aee87c2	command_prompt
722	execution	T1053.005	Scheduled Task	2	Scheduled task Local	42f53695-ad4a-4546-abb6-7d837f644a71	command_prompt
723	execution	T1053.005	Scheduled Task	3	Scheduled task Remote	2e5eac3e-327b-4a88-a0c0-c4057039a8dd	command_prompt
724	execution	T1053.005	Scheduled Task	4	Powershell Cmdlet Scheduled Task	af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd	powershell
725	execution	T1053.005	Scheduled Task	5	Task Scheduler via VBA	ecd3fa21-7792-41a2-8726-2c5c673414d3	powershell
726	execution	T1569.002	Service Execution	1	Execute a Command as a Service	2382dee2-a75f-49aa-9378-f52df6ed3fb1	command_prompt
727	execution	T1569.002	Service Execution	2	Use PsExec to execute a command on a remote host	873106b7-cfed-454b-8680-fa9f6400431c	command_prompt
728	execution	T1059.004	Unix Shell	1	Create and Execute Bash Shell Script	7e7ac3ed-f795-4fa5-b711-09d6fbe9b873	sh
729	execution	T1059.004	Unix Shell	2	Command-Line Interface	d0c88567-803d-4dca-99b4-7ce65e7b257c	sh
730	execution	T1059.005	Visual Basic	1	Visual Basic script execution to gather local computer information	1620de42-160a-4fe5-bbaf-d3fef0181ce9	powershell
731	execution	T1059.005	Visual Basic	2	Encoded VBS code execution	e8209d5f-e42d-45e6-9c2f-633ac4f1eefa	powershell
732	execution	T1059.005	Visual Basic	3	Extract Memory via VBA	8faff437-a114-4547-9a60-749652a03df6	powershell
733	execution	T1059.003	Windows Command Shell	1	Create and Execute Batch Script	9e8894c0-50bd-4525-a96c-d4ac78ece388	powershell
734	execution	T1047	Windows Management Instrumentation	1	WMI Reconnaissance Users	c107778c-dcf5-47c5-af2e-1d058a3df3ea	command_prompt
735	execution	T1047	Windows Management Instrumentation	2	WMI Reconnaissance Processes	5750aa16-0e59-4410-8b9a-8a47ca2788e2	command_prompt
736	execution	T1047	Windows Management Instrumentation	3	WMI Reconnaissance Software	718aebaa-d0e0-471a-8241-c5afa69c7414	command_prompt
737	execution	T1047	Windows Management Instrumentation	4	WMI Reconnaissance List Remote Services	0fd48ef7-d890-4e93-a533-f7dedd5191d3	command_prompt
738	execution	T1047	Windows Management Instrumentation	5	WMI Execute Local Process	b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3	command_prompt
739	execution	T1047	Windows Management Instrumentation	6	WMI Execute Remote Process	9c8ef159-c666-472f-9874-90c8d60d136b	command_prompt
740	execution	T1047	Windows Management Instrumentation	7	Create a Process using WMI Query and an Encoded Command	7db7a7f9-9531-4840-9b30-46220135441c	command_prompt
741	lateral-movement	T1021.003	Distributed Component Object Model	1	PowerShell Lateral Movement using MMC20	6dc74eb1-c9d6-4c53-b3b5-6f50ae339673	powershell
742	lateral-movement	T1550.002	Pass the Hash	1	Mimikatz Pass the Hash	ec23cef9-27d9-46e4-a68d-6f75f7b86908	command_prompt
743	lateral-movement	T1550.002	Pass the Hash	2	crackmapexec Pass the Hash	eb05b028-16c8-4ad8-adea-6f5b219da9a9	command_prompt
744	lateral-movement	T1550.003	Pass the Ticket	1	Mimikatz Kerberos Ticket Attack	dbf38128-7ba7-4776-bedf-cc2eed432098	command_prompt
745	lateral-movement	T1563.002	RDP Hijacking	1	RDP hijacking	a37ac520-b911-458e-8aed-c5f1576d9f46	command_prompt
746	lateral-movement	T1021.001	Remote Desktop Protocol	1	RDP to DomainController	355d4632-8cb9-449d-91ce-b566d0253d3e	powershell
747	lateral-movement	T1021.001	Remote Desktop Protocol	2	RDP to Server	7382a43e-f19c-46be-8f09-5c63af7d3e2b	powershell
748	lateral-movement	T1021.002	SMB/Windows Admin Shares	1	Map admin share	3386975b-367a-4fbb-9d77-4dcf3639ffd3	command_prompt
749	lateral-movement	T1021.002	SMB/Windows Admin Shares	2	Map Admin Share PowerShell	514e9cd7-9207-4882-98b1-c8f791bae3c5	powershell
750	lateral-movement	T1021.002	SMB/Windows Admin Shares	3	Copy and Execute File with PsExec	0eb03d41-79e4-4393-8e57-6344856be1cf	command_prompt
751	lateral-movement	T1021.002	SMB/Windows Admin Shares	4	Execute command writing output to local Admin Share	d41aaab5-bdfe-431d-a3d5-c29e9136ff46	command_prompt
752	lateral-movement	T1021.006	Windows Remote Management	1	Enable Windows Remote Management	9059e8de-3d7d-4954-a322-46161880b9cf	powershell
753	lateral-movement	T1021.006	Windows Remote Management	2	Invoke-Command	5295bd61-bd7e-4744-9d52-85962a4cf2d6	powershell
754	lateral-movement	T1021.006	Windows Remote Management	3	WinRM Access with Evil-WinRM	efe86d95-44c4-4509-ae42-7bfd9d1f5b3d	powershell
755	command-and-control	T1071.004	DNS	1	DNS Large Query Volume	1700f5d6-5a44-487b-84de-bc66f507b0a6	powershell
756	command-and-control	T1071.004	DNS	2	DNS Regular Beaconing	3efc144e-1af8-46bb-8ca2-1376bb6db8b6	powershell
757	command-and-control	T1071.004	DNS	3	DNS Long Domain Query	fef31710-223a-40ee-8462-a396d6b66978	powershell
758	command-and-control	T1071.004	DNS	4	DNS C2	e7bf9802-2e78-4db9-93b5-181b7bcd37d7	powershell
759	command-and-control	T1573	Encrypted Channel	1	OpenSSL C2	21caf58e-87ad-440c-a6b8-3ac259964003	powershell
760	command-and-control	T1105	Ingress Tool Transfer	1	rsync remote file copy (push)	0fc6e977-cb12-44f6-b263-2824ba917409	bash
761	command-and-control	T1105	Ingress Tool Transfer	2	rsync remote file copy (pull)	3180f7d5-52c0-4493-9ea0-e3431a84773f	bash
762	command-and-control	T1105	Ingress Tool Transfer	3	scp remote file copy (push)	83a49600-222b-4866-80a0-37736ad29344	bash
763	command-and-control	T1105	Ingress Tool Transfer	4	scp remote file copy (pull)	b9d22b9a-9778-4426-abf0-568ea64e9c33	bash
764	command-and-control	T1105	Ingress Tool Transfer	5	sftp remote file copy (push)	f564c297-7978-4aa9-b37a-d90477feea4e	bash
765	command-and-control	T1105	Ingress Tool Transfer	6	sftp remote file copy (pull)	0139dba1-f391-405e-a4f5-f3989f2c88ef	bash
766	command-and-control	T1105	Ingress Tool Transfer	7	certutil download (urlcache)	dd3b61dd-7bbc-48cd-ab51-49ad1a776df0	command_prompt
767	command-and-control	T1105	Ingress Tool Transfer	8	certutil download (verifyctl)	ffd492e3-0455-4518-9fb1-46527c9f241b	powershell
768	command-and-control	T1105	Ingress Tool Transfer	9	Windows - BITSAdmin BITS Download	a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b	command_prompt
769	command-and-control	T1105	Ingress Tool Transfer	10	Windows - PowerShell Download	42dc4460-9aa6-45d3-b1a6-3955d34e1fe8	powershell
770	command-and-control	T1105	Ingress Tool Transfer	11	OSTAP Worming Activity	2ca61766-b456-4fcf-a35a-1233685e1cad	command_prompt
771	command-and-control	T1105	Ingress Tool Transfer	12	svchost writing a file to a UNC path	fa5a2759-41d7-4e13-a19c-e8f28a53566f	command_prompt
772	command-and-control	T1105	Ingress Tool Transfer	13	Download a File with Windows Defender MpCmdRun.exe	815bef8b-bf91-4b67-be4c-abe4c2a94ccc	command_prompt
773	command-and-control	T1090.001	Internal Proxy	1	Connection Proxy	0ac21132-4485-4212-a681-349e8a6637cd	sh
774	command-and-control	T1090.001	Internal Proxy	2	Connection Proxy for macOS UI	648d68c1-8bcd-4486-9abe-71c6655b6a2c	sh
775	command-and-control	T1090.001	Internal Proxy	3	portproxy reg key	b8223ea9-4be2-44a6-b50a-9657a3d4e72a	powershell
776	command-and-control	T1095	Non-Application Layer Protocol	1	ICMP C2	0268e63c-e244-42db-bef7-72a9e59fc1fc	powershell
777	command-and-control	T1095	Non-Application Layer Protocol	2	Netcat C2	bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37	powershell
778	command-and-control	T1095	Non-Application Layer Protocol	3	Powercat C2	3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e	powershell
779	command-and-control	T1571	Non-Standard Port	1	Testing usage of uncommonly used port with PowerShell	21fe622f-8e53-4b31-ba83-6d333c2583f4	powershell
780	command-and-control	T1571	Non-Standard Port	2	Testing usage of uncommonly used port	5db21e1d-dd9c-4a50-b885-b1e748912767	sh
781	command-and-control	T1219	Remote Access Software	1	TeamViewer Files Detected Test on Windows	8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0	powershell
782	command-and-control	T1219	Remote Access Software	2	AnyDesk Files Detected Test on Windows	6b8b7391-5c0a-4f8c-baee-78d8ce0ce330	powershell
783	command-and-control	T1219	Remote Access Software	3	LogMeIn Files Detected Test on Windows	d03683ec-aae0-42f9-9b4c-534780e0f8e1	powershell
784	command-and-control	T1132.001	Standard Encoding	1	Base64 Encoded data.	1164f70f-9a88-4dff-b9ff-dc70e7bf0c25	sh
785	command-and-control	T1071.001	Web Protocols	1	Malicious User Agents - Powershell	81c13829-f6c9-45b8-85a6-053366d55297	powershell
786	command-and-control	T1071.001	Web Protocols	2	Malicious User Agents - CMD	dc3488b0-08c7-4fea-b585-905c83b48180	command_prompt
787	command-and-control	T1071.001	Web Protocols	3	Malicious User Agents - Nix	2d7c471a-e887-4b78-b0dc-b0df1f2e0658	sh
788	exfiltration	T1020	Automated Exfiltration	1	IcedID Botnet HTTP PUT	9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0	powershell
789	exfiltration	T1030	Data Transfer Size Limits	1	Data Transfer Size Limits	ab936c51-10f4-46ce-9144-e02137b2016a	sh
790	exfiltration	T1048	Exfiltration Over Alternative Protocol	1	Exfiltration Over Alternative Protocol - SSH	f6786cc8-beda-4915-a4d6-ac2f193bb988	sh
791	exfiltration	T1048	Exfiltration Over Alternative Protocol	2	Exfiltration Over Alternative Protocol - SSH	7c3cb337-35ae-4d06-bf03-3032ed2ec268	sh
792	exfiltration	T1048.003	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	1	Exfiltration Over Alternative Protocol - HTTP	1d1abbd6-a3d3-4b2e-bef5-c59293f46eff	manual
793	exfiltration	T1048.003	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	2	Exfiltration Over Alternative Protocol - ICMP	dd4b4421-2e25-4593-90ae-7021947ad12e	powershell
794	exfiltration	T1048.003	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	3	Exfiltration Over Alternative Protocol - DNS	c403b5a4-b5fc-49f2-b181-d1c80d27db45	manual
795	exfiltration	T1048.003	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4	Exfiltration Over Alternative Protocol - HTTP	6aa58451-1121-4490-a8e9-1dada3f1c68c	powershell
796	exfiltration	T1048.003	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	5	Exfiltration Over Alternative Protocol - SMTP	ec3a835e-adca-4c7c-88d2-853b69c11bb9	powershell
797	initial-access	T1078.001	Default Accounts	1	Enable Guest account with RDP capability and admin priviliges	99747561-ed8d-47f2-9c91-1e5fde1ed6e0	command_prompt
798	initial-access	T1133	External Remote Services	1	Running Chrome VPN Extensions via the Registry 2 vpn extension	4c8db261-a58b-42a6-a866-0a294deedde4	powershell
799	initial-access	T1078.003	Local Accounts	1	Create local account with admin priviliges	a524ce99-86de-4db6-b4f9-e08f35a47a15	command_prompt
800	initial-access	T1566.001	Spearphishing Attachment	1	Download Phishing Attachment - VBScript	114ccff9-ae6d-4547-9ead-4cd69f687306	powershell
801	initial-access	T1566.001	Spearphishing Attachment	2	Word spawned a command shell and used an IP address in the command line	cbb6799a-425c-4f83-9194-5447a909d67f	powershell

102 KiB Raw Blame History

102 KiB

Raw Blame History