| Test | ATT&CK Technique | Platforms |
|---|---|---|
| Detect Virtualization Environment (Linux) | T1497.001 | linux |
| Detect Virtualization Environment (FreeBSD) | T1497.001 | linux |
| Detect Virtualization Environment (Windows) | T1497.001 | windows |
| Detect Virtualization Environment (MacOS) | T1497.001 | macos |
| Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) | T1497.001 | windows |
| Odbcconf.exe - Execute Arbitrary DLL | T1218.008 | windows |
| Odbcconf.exe - Load Response File | T1218.008 | windows |
| At.exe Scheduled task | T1053.002 | windows |
| At - Schedule a job | T1053.002 | linux |
| Staging Local Certificates via Export-Certificate | T1649 | windows |
| Pad Binary to Change Hash - Linux/macOS dd | T1027.001 | linux, macos |
| Pad Binary to Change Hash using truncate command - Linux/macOS | T1027.001 | linux, macos |
| Execute a process from a directory masquerading as the current parent directory. | T1036.005 | macos, linux |
| Masquerade as a built-in system executable | T1036.005 | windows |
| Replace Desktop Wallpaper | T1491.001 | windows |
| Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message | T1491.001 | windows |
| Linux - Load Kernel Module via insmod | T1547.006 | linux |
| MacOS - Load Kernel Module via kextload and kmutil | T1547.006 | macos |
| MacOS - Load Kernel Module via KextManagerLoadKextWithURL() | T1547.006 | macos |
| Snake Malware Kernel Driver Comadmin | T1547.006 | windows |
| User scope COR_PROFILER | T1574.012 | windows |
| System Scope COR_PROFILER | T1574.012 | windows |
| Registry-free process scope COR_PROFILER | T1574.012 | windows |
| Trap EXIT | T1546.005 | macos, linux |
| Trap EXIT (freebsd) | T1546.005 | linux |
| Trap SIGINT | T1546.005 | macos, linux |
| Trap SIGINT (freebsd) | T1546.005 | linux |
| Register Portable Virtualbox | T1564.006 | windows |
| Create and start VirtualBox virtual machine | T1564.006 | windows |
| Create and start Hyper-V virtual machine | T1564.006 | windows |
| Make and modify binary from C source | T1548.001 | macos, linux |
| Make and modify binary from C source (freebsd) | T1548.001 | linux |
| Set a SetUID flag on file | T1548.001 | macos, linux |
| Set a SetUID flag on file (freebsd) | T1548.001 | linux |
| Set a SetGID flag on file | T1548.001 | macos, linux |
| Set a SetGID flag on file (freebsd) | T1548.001 | linux |
| Make and modify capabilities of a binary | T1548.001 | linux |
| Provide the SetUID capability to a file | T1548.001 | linux |
| Do reconnaissance for files that have the setuid bit set | T1548.001 | linux |
| Do reconnaissance for files that have the setgid bit set | T1548.001 | linux |
| Simulate Patching termsrv.dll | T1505.005 | windows |
| Modify Terminal Services DLL Path | T1505.005 | windows |
| SIP (Subject Interface Package) Hijacking via Custom DLL | T1553.003 | windows |
| Persistence with Event Monitor - emond | T1546.014 | macos |
| OpenSSL C2 | T1573 | windows |
| Decode base64 Data into Script | T1027 | macos, linux |
| Execute base64-encoded PowerShell | T1027 | windows |
| Execute base64-encoded PowerShell from Windows Registry | T1027 | windows |
| Execution from Compressed File | T1027 | windows |
| DLP Evasion via Sensitive Data in VBA Macro over email | T1027 | windows |
| DLP Evasion via Sensitive Data in VBA Macro over HTTP | T1027 | windows |
| Obfuscated Command in PowerShell | T1027 | windows |
| Obfuscated Command Line using special Unicode characters | T1027 | windows |
| Snake Malware Encrypted crmlog file | T1027 | windows |
| Execution from Compressed JScript File | T1027 | windows |
| Dump LSASS.exe Memory using ProcDump | T1003.001 | windows |
| Dump LSASS.exe Memory using comsvcs.dll | T1003.001 | windows |
| Dump LSASS.exe Memory using direct system calls and API unhooking | T1003.001 | windows |
| Dump LSASS.exe Memory using NanoDump | T1003.001 | windows |
| Dump LSASS.exe Memory using Windows Task Manager | T1003.001 | windows |
| Offline Credential Theft With Mimikatz | T1003.001 | windows |
| LSASS read with pypykatz | T1003.001 | windows |
| Dump LSASS.exe Memory using Out-Minidump.ps1 | T1003.001 | windows |
| Create Mini Dump of LSASS.exe using ProcDump | T1003.001 | windows |
| Powershell Mimikatz | T1003.001 | windows |
| Dump LSASS with createdump.exe from .Net v5 | T1003.001 | windows |
| Dump LSASS.exe using imported Microsoft DLLs | T1003.001 | windows |
| Dump LSASS.exe using lolbin rdrleakdiag.exe | T1003.001 | windows |
| Dump LSASS.exe Memory through Silent Process Exit | T1003.001 | windows |
| rsync remote file copy (push) | T1105 | linux, macos |
| rsync remote file copy (pull) | T1105 | linux, macos |
| scp remote file copy (push) | T1105 | linux, macos |
| scp remote file copy (pull) | T1105 | linux, macos |
| sftp remote file copy (push) | T1105 | linux, macos |
| sftp remote file copy (pull) | T1105 | linux, macos |
| certutil download (urlcache) | T1105 | windows |
| certutil download (verifyctl) | T1105 | windows |
| Windows - BITSAdmin BITS Download | T1105 | windows |
| Windows - PowerShell Download | T1105 | windows |
| OSTAP Worming Activity | T1105 | windows |
| svchost writing a file to a UNC path | T1105 | windows |
| Download a File with Windows Defender MpCmdRun.exe | T1105 | windows |
| whois file download | T1105 | linux, macos |
| File Download via PowerShell | T1105 | windows |
| File download with finger.exe on Windows | T1105 | windows |
| Download a file with IMEWDBLD.exe | T1105 | windows |
| Curl Download File | T1105 | windows |
| Curl Upload File | T1105 | windows |
| Download a file with Microsoft Connection Manager Auto-Download | T1105 | windows |
| MAZE Propagation Script | T1105 | windows |
| Printer Migration Command-Line Tool UNC share folder into a zip file | T1105 | windows |
| Lolbas replace.exe use to copy file | T1105 | windows |
| Lolbas replace.exe use to copy UNC file | T1105 | windows |
| certreq download | T1105 | windows |
| Download a file using wscript | T1105 | windows |
| Linux Download File and Run | T1105 | linux |
| Nimgrab - Transfer Files | T1105 | windows |
| iwr or Invoke Web-Request download | T1105 | windows |
| Arbitrary file download using the Notepad++ GUP.exe binary | T1105 | windows |
| Set a file's access timestamp | T1070.006 | linux, macos |
| Set a file's modification timestamp | T1070.006 | linux, macos |
| Set a file's creation timestamp | T1070.006 | linux, macos |
| Modify file timestamps using reference file | T1070.006 | linux, macos |
| Windows - Modify file creation timestamp with PowerShell | T1070.006 | windows |
| Windows - Modify file last modified timestamp with PowerShell | T1070.006 | windows |
| Windows - Modify file last access timestamp with PowerShell | T1070.006 | windows |
| Windows - Timestomp a File | T1070.006 | windows |
| MacOS - Timestomp Date Modified | T1070.006 | macos |
| Logon Scripts | T1037.001 | windows |
| Steal Firefox Cookies (Windows) | T1539 | windows |
| Steal Chrome Cookies (Windows) | T1539 | windows |
| Steal Chrome Cookies via Remote Debugging (Mac) | T1539 | macos |
| Azure - Enumerate Azure Blobs with MicroBurst | T1530 | iaas:azure |
| Azure - Scan for Anonymous Access to Azure Storage (Powershell) | T1530 | iaas:azure |
| AWS - Scan for Anonymous Access to S3 | T1530 | iaas:aws |
| Find AWS credentials | T1552.001 | macos, linux |
| Extract Browser and System credentials with LaZagne | T1552.001 | macos |
| Extract passwords with grep | T1552.001 | linux, macos |
| Extracting passwords with findstr | T1552.001 | windows |
| Access unattend.xml | T1552.001 | windows |
| Find and Access Github Credentials | T1552.001 | linux, macos |
| WinPwn - sensitivefiles | T1552.001 | windows |
| WinPwn - Snaffler | T1552.001 | windows |
| WinPwn - powershellsensitive | T1552.001 | windows |
| WinPwn - passhunt | T1552.001 | windows |
| WinPwn - SessionGopher | T1552.001 | windows |
| WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials | T1552.001 | windows |
| HTML Smuggling Remote Payload | T1027.006 | windows |
| Permission Groups Discovery (Local) | T1069.001 | linux, macos |
| Basic Permission Groups Discovery Windows (Local) | T1069.001 | windows |
| Permission Groups Discovery PowerShell (Local) | T1069.001 | windows |
| SharpHound3 - LocalAdmin | T1069.001 | windows |
| Wmic Group Discovery | T1069.001 | windows |
| WMIObject Group Discovery | T1069.001 | windows |
| Permission Groups Discovery for Containers- Local Groups | T1069.001 | containers |
| Admin Account Manipulate | T1098 | windows |
| Domain Account and Group Manipulate | T1098 | windows |
| AWS - Create a group and add a user to that group | T1098 | iaas:aws |
| Azure AD - adding user to Azure AD role | T1098 | azure-ad |
| Azure AD - adding service principal to Azure AD role | T1098 | azure-ad |
| Azure - adding user to Azure role in subscription | T1098 | iaas:azure |
| Azure - adding service principal to Azure role in subscription | T1098 | iaas:azure |
| Azure AD - adding permission to application | T1098 | azure-ad |
| Password Change on Directory Service Restore Mode (DSRM) Account | T1098 | windows |
| Domain Password Policy Check: Short Password | T1098 | windows |
| Domain Password Policy Check: No Number in Password | T1098 | windows |
| Domain Password Policy Check: No Special Character in Password | T1098 | windows |
| Domain Password Policy Check: No Uppercase Character in Password | T1098 | windows |
| Domain Password Policy Check: No Lowercase Character in Password | T1098 | windows |
| Domain Password Policy Check: Only Two Character Classes | T1098 | windows |
| Domain Password Policy Check: Common Password Use | T1098 | windows |
| GCP - Delete Service Account Key | T1098 | iaas:gcp |
| AWS - CloudTrail Changes | T1562.008 | iaas:aws |
| Azure - Eventhub Deletion | T1562.008 | iaas:azure |
| Office 365 - Exchange Audit Log Disabled | T1562.008 | office-365 |
| AWS - Disable CloudTrail Logging Through Event Selectors using Stratus | T1562.008 | linux, macos, iaas:aws |
| AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus | T1562.008 | linux, macos |
| AWS - Remove VPC Flow Logs using Stratus | T1562.008 | linux, macos, iaas:aws |
| AWS - CloudWatch Log Group Deletes | T1562.008 | iaas:aws |
| AWS CloudWatch Log Stream Deletes | T1562.008 | iaas:aws |
| Office 365 - Set Audit Bypass For a Mailbox | T1562.008 | office-365 |
| GCP - Delete Activity Event Log | T1562.008 | iaas:gcp |
| ExecIntoContainer | T1609 | containers |
| Docker Exec Into Container | T1609 | containers |
| Indirect Command Execution - pcalua.exe | T1202 | windows |
| Indirect Command Execution - forfiles.exe | T1202 | windows |
| Indirect Command Execution - conhost.exe | T1202 | windows |
| Indicator Removal using FSUtil | T1070 | windows |
| Indicator Manipulation using FSUtil | T1070 | windows |
| Disable syslog | T1562.001 | linux |
| Disable syslog (freebsd) | T1562.001 | linux |
| Disable Cb Response | T1562.001 | linux |
| Disable SELinux | T1562.001 | linux |
| Stop Crowdstrike Falcon on Linux | T1562.001 | linux |
| Disable Carbon Black Response | T1562.001 | macos |
| Disable LittleSnitch | T1562.001 | macos |
| Disable OpenDNS Umbrella | T1562.001 | macos |
| Disable macOS Gatekeeper | T1562.001 | macos |
| Stop and unload Crowdstrike Falcon on macOS | T1562.001 | macos |
| Unload Sysmon Filter Driver | T1562.001 | windows |
| Uninstall Sysmon | T1562.001 | windows |
| AMSI Bypass - AMSI InitFailed | T1562.001 | windows |
| AMSI Bypass - Remove AMSI Provider Reg Key | T1562.001 | windows |
| Disable Arbitrary Security Windows Service | T1562.001 | windows |
| Tamper with Windows Defender ATP PowerShell | T1562.001 | windows |
| Tamper with Windows Defender Command Prompt | T1562.001 | windows |
| Tamper with Windows Defender Registry | T1562.001 | windows |
| Disable Microsoft Office Security Features | T1562.001 | windows |
| Remove Windows Defender Definition Files | T1562.001 | windows |
| Stop and Remove Arbitrary Security Windows Service | T1562.001 | windows |
| Uninstall Crowdstrike Falcon on Windows | T1562.001 | windows |
| Tamper with Windows Defender Evade Scanning -Folder | T1562.001 | windows |
| Tamper with Windows Defender Evade Scanning -Extension | T1562.001 | windows |
| Tamper with Windows Defender Evade Scanning -Process | T1562.001 | windows |
| office-365-Disable-AntiPhishRule | T1562.001 | office-365 |
| Disable Windows Defender with DISM | T1562.001 | windows |
| Disable Defender Using NirSoft AdvancedRun | T1562.001 | windows |
| Kill antimalware protected processes using Backstab | T1562.001 | windows |
| WinPwn - Kill the event log services for stealth | T1562.001 | windows |
| Tamper with Windows Defender ATP using Aliases - PowerShell | T1562.001 | windows |
| LockBit Black - Disable Privacy Settings Experience Using Registry -cmd | T1562.001 | windows |
| LockBit Black - Use Registry Editor to turn on automatic logon -cmd | T1562.001 | windows |
| LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell | T1562.001 | windows |
| Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell | T1562.001 | windows |
| Disable Windows Defender with PwSh Disable-WindowsOptionalFeature | T1562.001 | windows |
| WMIC Tamper with Windows Defender Evade Scanning Folder | T1562.001 | windows |
| Delete Windows Defender Scheduled Tasks | T1562.001 | windows |
| Clear History | T1562.001 | linux |
| Suspend History | T1562.001 | linux |
| Reboot Linux Host via Kernel System Request | T1562.001 | linux |
| Clear Paging Cache | T1562.001 | linux |
| Disable Memory Swap | T1562.001 | linux |
| Disable Hypervisor-Enforced Code Integrity (HVCI) | T1562.001 | windows |
| AMSI Bypass - Override AMSI via COM | T1562.001 | windows |
| AWS - GuardDuty Suspension or Deletion | T1562.001 | iaas:aws |
| Tamper with Defender ATP on Linux/MacOS | T1562.001 | linux, macos |
| Tamper with Windows Defender Registry - Reg.exe | T1562.001 | windows |
| Tamper with Windows Defender Registry - Powershell | T1562.001 | windows |
| ESXi - Disable Account Lockout Policy via PowerCLI | T1562.001 | linux |
| Delete Microsoft Defender ASR Rules - InTune | T1562.001 | windows |
| Delete Microsoft Defender ASR Rules - GPO | T1562.001 | windows |
| Take ownership using takeown utility | T1222.001 | windows |
| cacls - Grant permission to specified user or group recursively | T1222.001 | windows |
| attrib - Remove read-only attribute | T1222.001 | windows |
| attrib - hide file | T1222.001 | windows |
| Grant Full Access to folder for Everyone - Ryuk Ransomware Style | T1222.001 | windows |
| Azure AD Application Hijacking - Service Principal | T1098.001 | azure-ad |
| Azure AD Application Hijacking - App Registration | T1098.001 | azure-ad |
| AWS - Create Access Key and Secret Key | T1098.001 | iaas:aws |
| Cached Credential Dump via Cmdkey | T1003.005 | windows |
| RDP hijacking | T1563.002 | windows |
| Clear Bash history (rm) | T1070.003 | linux, macos |
| Clear Bash history (echo) | T1070.003 | linux |
| Clear Bash history (cat dev/null) | T1070.003 | linux, macos |
| Clear Bash history (ln dev/null) | T1070.003 | linux, macos |
| Clear Bash history (truncate) | T1070.003 | linux |
| Clear history of a bunch of shells | T1070.003 | linux, macos |
| Clear and Disable Bash History Logging | T1070.003 | linux, macos |
| Use Space Before Command to Avoid Logging to History | T1070.003 | linux, macos |
| Disable Bash History Logging with SSH -T | T1070.003 | linux |
| Clear Docker Container Logs | T1070.003 | linux |
| Prevent Powershell History Logging | T1070.003 | windows |
| Clear Powershell History by Deleting History File | T1070.003 | windows |
| Set Custom AddToHistoryHandler to Avoid History File Logging | T1070.003 | windows |
| Read volume boot sector via DOS device path (PowerShell) | T1006 | windows |
| Gatekeeper Bypass | T1553.001 | macos |
| List Process Main Windows - C# .NET | T1010 | windows |
| Execute Commands | T1559.002 | windows |
| Execute PowerShell script via Word DDE | T1559.002 | windows |
| DDEAUTO | T1559.002 | windows |
| MSBuild Bypass Using Inline Tasks (C#) | T1127.001 | windows |
| MSBuild Bypass Using Inline Tasks (VB) | T1127.001 | windows |
| Disable history collection | T1562.003 | linux, macos |
| Disable history collection (freebsd) | T1562.003 | linux |
| Mac HISTCONTROL | T1562.003 | macos, linux |
| Clear bash history | T1562.003 | linux |
| Setting the HISTCONTROL environment variable | T1562.003 | linux |
| Setting the HISTFILESIZE environment variable | T1562.003 | linux |
| Setting the HISTSIZE environment variable | T1562.003 | linux |
| Setting the HISTFILE environment variable | T1562.003 | linux |
| Setting the HISTFILE environment variable (freebsd) | T1562.003 | linux |
| Setting the HISTIGNORE environment variable | T1562.003 | linux |
| Disable Windows Command Line Auditing using reg.exe | T1562.003 | windows |
| Disable Windows Command Line Auditing using Powershell Cmdlet | T1562.003 | windows |
| Email Collection with PowerShell Get-Inbox | T1114.001 | windows |
| DCShadow (Active Directory) | T1207 | windows |
| Netsh Helper DLL Registration | T1546.007 | windows |
| ESXi - Enable SSH via PowerCLI | T1021.004 | linux |
| rm -rf | T1070.002 | macos, linux |
| rm -rf | T1070.002 | linux |
| Delete log files using built-in log utility | T1070.002 | macos |
| Truncate system log files via truncate utility | T1070.002 | macos |
| Truncate system log files via truncate utility (freebsd) | T1070.002 | linux |
| Delete log files via cat utility by appending /dev/null or /dev/zero | T1070.002 | macos |
| Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd) | T1070.002 | linux |
| System log file deletion via find utility | T1070.002 | macos |
| Overwrite macOS system log via echo utility | T1070.002 | macos |
| Overwrite FreeBSD system log via echo utility | T1070.002 | linux |
| Real-time system log clearance/deletion | T1070.002 | macos |
| Delete system log files via unlink utility | T1070.002 | macos |
| Delete system log files via unlink utility (freebsd) | T1070.002 | linux |
| Delete system log files using shred utility | T1070.002 | macos |
| Delete system log files using srm utility | T1070.002 | macos |
| Delete system log files using OSAScript | T1070.002 | macos |
| Delete system log files using Applescript | T1070.002 | macos |
| Delete system journal logs via rm and journalctl utilities | T1070.002 | linux |
| Overwrite Linux Mail Spool | T1070.002 | linux |
| Overwrite Linux Log | T1070.002 | linux |
| Exfiltrate data HTTPS using curl windows | T1048.002 | windows |
| Exfiltrate data HTTPS using curl freebsd,linux or macos | T1048.002 | macos, linux |
| SSH Credential Stuffing From Linux | T1110.004 | linux |
| SSH Credential Stuffing From MacOS | T1110.004 | macos |
| SSH Credential Stuffing From FreeBSD | T1110.004 | linux |
| Brute Force:Credential Stuffing using Kerbrute Tool | T1110.004 | windows |
| Get-EventLog To Enumerate Windows Security Log | T1654 | windows |
| Enumerate Windows Security Log via WevtUtil | T1654 | windows |
| Enumerate all accounts (Domain) | T1087.002 | windows |
| Enumerate all accounts via PowerShell (Domain) | T1087.002 | windows |
| Enumerate logged on users via CMD (Domain) | T1087.002 | windows |
| Automated AD Recon (ADRecon) | T1087.002 | windows |
| Adfind -Listing password policy | T1087.002 | windows |
| Adfind - Enumerate Active Directory Admins | T1087.002 | windows |
| Adfind - Enumerate Active Directory User Objects | T1087.002 | windows |
| Adfind - Enumerate Active Directory Exchange AD Objects | T1087.002 | windows |
| Enumerate Default Domain Admin Details (Domain) | T1087.002 | windows |
| Enumerate Active Directory for Unconstrained Delegation | T1087.002 | windows |
| Get-DomainUser with PowerView | T1087.002 | windows |
| Enumerate Active Directory Users with ADSISearcher | T1087.002 | windows |
| Enumerate Linked Policies In ADSISearcher Discovery | T1087.002 | windows |
| Enumerate Root Domain linked policies Discovery | T1087.002 | windows |
| WinPwn - generaldomaininfo | T1087.002 | windows |
| Kerbrute - userenum | T1087.002 | windows |
| Wevtutil - Discover NTLM Users Remote | T1087.002 | windows |
| Suspicious LAPS Attributes Query with Get-ADComputer all properties | T1087.002 | windows |
| Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property | T1087.002 | windows |
| Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope | T1087.002 | windows |
| Suspicious LAPS Attributes Query with adfind all properties | T1087.002 | windows |
| Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd | T1087.002 | windows |
| Active Directory Domain Search | T1087.002 | linux |
| Account Enumeration with LDAPDomainDump | T1087.002 | linux |
| Download Macro-Enabled Phishing Attachment | T1566.001 | windows |
| Word spawned a command shell and used an IP address in the command line | T1566.001 | windows |
| USB Malware Spread Simulation | T1091 | windows |
| Testing usage of uncommonly used port with PowerShell | T1571 | windows |
| Testing usage of uncommonly used port | T1571 | linux, macos |
| Docker Container and Resource Discovery | T1613 | containers |
| Podman Container and Resource Discovery | T1613 | containers |
| Map admin share | T1021.002 | windows |
| Map Admin Share PowerShell | T1021.002 | windows |
| Copy and Execute File with PsExec | T1021.002 | windows |
| Execute command writing output to local Admin Share | T1021.002 | windows |
| Office Application Startup Test Persistence (HKCU) | T1137.002 | windows |
| Deploy Docker container | T1610 | containers |
| Change User Password - Windows | T1531 | windows |
| Delete User - Windows | T1531 | windows |
| Remove Account From Domain Admin Group | T1531 | windows |
| Change User Password via passwd | T1531 | macos, linux |
| Delete User via dscl utility | T1531 | macos |
| Delete User via sysadminctl utility | T1531 | macos |
| Azure AD - Delete user via Azure AD PowerShell | T1531 | azure-ad |
| Azure AD - Delete user via Azure CLI | T1531 | azure-ad |
| Compress Data for Exfiltration With PowerShell | T1560 | windows |
| Exfiltration Over Alternative Protocol - SSH | T1048 | macos, linux |
| Exfiltration Over Alternative Protocol - SSH | T1048 | macos, linux |
| DNSExfiltration (doh) | T1048 | windows |
| Disable Windows IIS HTTP Logging | T1562.002 | windows |
| Disable Windows IIS HTTP Logging via PowerShell | T1562.002 | windows |
| Kill Event Log Service Threads | T1562.002 | windows |
| Impair Windows Audit Log Policy | T1562.002 | windows |
| Clear Windows Audit Policy Config | T1562.002 | windows |
| Disable Event Logging with wevtutil | T1562.002 | windows |
| Makes Eventlog blind with Phant0m | T1562.002 | windows |
| Binary simply packed by UPX (linux) | T1027.002 | linux |
| Binary packed by UPX, with modified headers (linux) | T1027.002 | linux |
| Binary simply packed by UPX | T1027.002 | macos |
| Binary packed by UPX, with modified headers | T1027.002 | macos |
| Request for service tickets | T1558.003 | windows |
| Rubeus kerberoast | T1558.003 | windows |
| Extract all accounts in use as SPN using setspn | T1558.003 | windows |
| Request A Single Ticket via PowerShell | T1558.003 | windows |
| Request All Tickets via PowerShell | T1558.003 | windows |
| WinPwn - Kerberoasting | T1558.003 | windows |
| WinPwn - PowerSharpPack - Kerberoasting Using Rubeus | T1558.003 | windows |
| Named pipe client impersonation | T1134.001 | windows |
| `SeDebugPrivilege` token duplication | T1134.001 | windows |
| Launch NSudo Executable | T1134.001 | windows |
| Bad Potato | T1134.001 | windows |
| Juicy Potato | T1134.001 | windows |
| Execute shell script via python's command mode argument | T1059.006 | linux |
| Execute Python via scripts | T1059.006 | linux |
| Execute Python via Python executables | T1059.006 | linux |
| Python pty module and spawn function used to spawn sh or bash | T1059.006 | linux |
| Golden SAML | T1606.002 | azure-ad |
| Examine password complexity policy - Ubuntu | T1201 | linux |
| Examine password complexity policy - FreeBSD | T1201 | linux |
| Examine password complexity policy - CentOS/RHEL 7.x | T1201 | linux |
| Examine password complexity policy - CentOS/RHEL 6.x | T1201 | linux |
| Examine password expiration policy - All Linux | T1201 | linux |
| Examine local password policy - Windows | T1201 | windows |
| Examine domain password policy - Windows | T1201 | windows |
| Examine password policy - macOS | T1201 | macos |
| Get-DomainPolicy with PowerView | T1201 | windows |
| Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy | T1201 | windows |
| Use of SecEdit.exe to export the local security policy (including the password policy) | T1201 | windows |
| Examine AWS Password Policy | T1201 | iaas:aws |
| Utilize Clipboard to store or execute commands from | T1115 | windows |
| Execute Commands from Clipboard using PowerShell | T1115 | windows |
| Execute commands from clipboard | T1115 | macos |
| Collect Clipboard Data via VBA | T1115 | windows |
| Add or copy content to clipboard with xClip | T1115 | linux |
| Creating GCP Service Account and Service Account Key | T1078.004 | google-workspace, iaas:gcp |
| Azure Persistence Automation Runbook Created or Modified | T1078.004 | iaas:azure |
| GCP - Create Custom IAM Role | T1078.004 | iaas:gcp |
| Brute Force Credentials of single Active Directory domain users via SMB | T1110.001 | windows |
| Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) | T1110.001 | windows |
| Brute Force Credentials of single Azure AD user | T1110.001 | azure-ad |
| Password Brute User using Kerbrute Tool | T1110.001 | windows |
| SUDO Brute Force - Debian | T1110.001 | linux |
| SUDO Brute Force - Redhat | T1110.001 | linux |
| SUDO Brute Force - FreeBSD | T1110.001 | linux |
| ESXi - Brute Force Until Account Lockout | T1110.001 | windows |
| Security Software Discovery | T1518.001 | windows |
| Security Software Discovery - powershell | T1518.001 | windows |
| Security Software Discovery - ps (macOS) | T1518.001 | macos |
| Security Software Discovery - ps (Linux) | T1518.001 | linux |
| Security Software Discovery - pgrep (FreeBSD) | T1518.001 | linux |
| Security Software Discovery - Sysmon Service | T1518.001 | windows |
| Security Software Discovery - AV Discovery via WMI | T1518.001 | windows |
| Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets | T1518.001 | windows |
| Security Software Discovery - Windows Defender Enumeration | T1518.001 | windows |
| Security Software Discovery - Windows Firewall Enumeration | T1518.001 | windows |
| Exfiltration Over Alternative Protocol - HTTP | T1048.003 | macos, linux |
| Exfiltration Over Alternative Protocol - ICMP | T1048.003 | windows |
| Exfiltration Over Alternative Protocol - DNS | T1048.003 | linux |
| Exfiltration Over Alternative Protocol - HTTP | T1048.003 | windows |
| Exfiltration Over Alternative Protocol - SMTP | T1048.003 | windows |
| MAZE FTP Upload | T1048.003 | windows |
| Exfiltration Over Alternative Protocol - FTP - Rclone | T1048.003 | windows |
| Python3 http.server | T1048.003 | linux |
| Authentication Package | T1547.002 | windows |
| Win32_PnPEntity Hardware Inventory | T1120 | windows |
| WinPwn - printercheck | T1120 | windows |
| Peripheral Device Discovery via fsutil | T1120 | windows |
| Change Default File Association | T1546.001 | windows |
| Winlogon Shell Key Persistence - PowerShell | T1547.004 | windows |
| Winlogon Userinit Key Persistence - PowerShell | T1547.004 | windows |
| Winlogon Notify Key Logon Persistence - PowerShell | T1547.004 | windows |
| Winlogon HKLM Shell Key Persistence - PowerShell | T1547.004 | windows |
| Winlogon HKLM Userinit Key Persistence - PowerShell | T1547.004 | windows |
| mavinject - Inject DLL into running process | T1218 | windows |
| Register-CimProvider - Execute evil dll | T1218 | windows |
| InfDefaultInstall.exe .inf Execution | T1218 | windows |
| ProtocolHandler.exe Downloaded a Suspicious File | T1218 | windows |
| Microsoft.Workflow.Compiler.exe Payload Execution | T1218 | windows |
| Renamed Microsoft.Workflow.Compiler.exe Payload Executions | T1218 | windows |
| Invoke-ATHRemoteFXvGPUDisablementCommand base test | T1218 | windows |
| DiskShadow Command Execution | T1218 | windows |
| Load Arbitrary DLL via Wuauclt (Windows Update Client) | T1218 | windows |
| Lolbin Gpscript logon option | T1218 | windows |
| Lolbin Gpscript startup option | T1218 | windows |
| Lolbas ie4uinit.exe use as proxy | T1218 | windows |
| LOLBAS CustomShellHost to Spawn Process | T1218 | windows |
| Provlaunch.exe Executes Arbitrary Command via Registry Key | T1218 | windows |
| LOLBAS Msedge to Spawn Process | T1218 | windows |
| Bitsadmin Download (cmd) | T1197 | windows |
| Bitsadmin Download (PowerShell) | T1197 | windows |
| Persist, Download, & Execute | T1197 | windows |
| Bits download using desktopimgdownldr.exe (cmd) | T1197 | windows |
| Connection Proxy | T1090.001 | linux, macos |
| Connection Proxy for macOS UI | T1090.001 | macos |
| portproxy reg key | T1090.001 | windows |
| Attaches Command Prompt as a Debugger to a List of Target Processes | T1546.008 | windows |
| Replace binary of sticky keys | T1546.008 | windows |
| Create Symbolic Link From osk.exe to cmd.exe | T1546.008 | windows |
| Atbroker.exe (AT) Executes Arbitrary Command via Registry Key | T1546.008 | windows |
| Parent PID Spoofing using PowerShell | T1134.004 | windows |
| Parent PID Spoofing - Spawn from Current Process | T1134.004 | windows |
| Parent PID Spoofing - Spawn from Specified Process | T1134.004 | windows |
| Parent PID Spoofing - Spawn from svchost.exe | T1134.004 | windows |
| Parent PID Spoofing - Spawn from New Process | T1134.004 | windows |
| Create Systemd Service and Timer | T1053.006 | linux |
| Create a user level transient systemd service and timer | T1053.006 | linux |
| Create a system level transient systemd service and timer | T1053.006 | linux |
| Azure AD - Add Company Administrator Role to a user | T1098.003 | azure-ad |
| Simulate - Post BEC persistence via user password reset followed by user added to company administrator role | T1098.003 | azure-ad |
| Automated Collection Command Prompt | T1119 | windows |
| Automated Collection PowerShell | T1119 | windows |
| Recon information for export with PowerShell | T1119 | windows |
| Recon information for export with Command Prompt | T1119 | windows |
| Create and Execute Bash Shell Script | T1059.004 | linux, macos |
| Command-Line Interface | T1059.004 | linux, macos |
| Harvest SUID executable files | T1059.004 | linux |
| LinEnum tool execution | T1059.004 | linux |
| New script file in the tmp directory | T1059.004 | linux |
| What shell is running | T1059.004 | linux |
| What shells are available | T1059.004 | linux |
| Command line scripts | T1059.004 | linux |
| Obfuscated command line scripts | T1059.004 | linux |
| Change login shell | T1059.004 | linux |
| Environment variable scripts | T1059.004 | linux |
| Detecting pipe-to-shell | T1059.004 | linux |
| Current kernel information enumeration | T1059.004 | linux |
| IcedID Botnet HTTP PUT | T1020 | windows |
| Exfiltration via Encrypted FTP | T1020 | windows |
| Bypass UAC using Event Viewer (cmd) | T1548.002 | windows |
| Bypass UAC using Event Viewer (PowerShell) | T1548.002 | windows |
| Bypass UAC using Fodhelper | T1548.002 | windows |
| Bypass UAC using Fodhelper - PowerShell | T1548.002 | windows |
| Bypass UAC using ComputerDefaults (PowerShell) | T1548.002 | windows |
| Bypass UAC by Mocking Trusted Directories | T1548.002 | windows |
| Bypass UAC using sdclt DelegateExecute | T1548.002 | windows |
| Disable UAC using reg.exe | T1548.002 | windows |
| Bypass UAC using SilentCleanup task | T1548.002 | windows |
| UACME Bypass Method 23 | T1548.002 | windows |
| UACME Bypass Method 31 | T1548.002 | windows |
| UACME Bypass Method 33 | T1548.002 | windows |
| UACME Bypass Method 34 | T1548.002 | windows |
| UACME Bypass Method 39 | T1548.002 | windows |
| UACME Bypass Method 56 | T1548.002 | windows |
| UACME Bypass Method 59 | T1548.002 | windows |
| UACME Bypass Method 61 | T1548.002 | windows |
| WinPwn - UAC Magic | T1548.002 | windows |
| WinPwn - UAC Bypass ccmstp technique | T1548.002 | windows |
| WinPwn - UAC Bypass DiskCleanup technique | T1548.002 | windows |
| WinPwn - UAC Bypass DccwBypassUAC technique | T1548.002 | windows |
| Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key | T1548.002 | windows |
| UAC Bypass with WSReset Registry Modification | T1548.002 | windows |
| Disable UAC - Switch to the secure desktop when prompting for elevation via registry key | T1548.002 | windows |
| Disable UAC notification via registry keys | T1548.002 | windows |
| Disable ConsentPromptBehaviorAdmin via registry keys | T1548.002 | windows |
| Create local account with admin privileges | T1078.003 | windows |
| Create local account with admin privileges - MacOS | T1078.003 | macos |
| Create local account with admin privileges using sysadminctl utility - MacOS | T1078.003 | macos |
| Enable root account using dsenableroot utility - MacOS | T1078.003 | macos |
| Add a new/existing user to the admin group using dseditgroup utility - macOS | T1078.003 | macos |
| WinPwn - Loot local Credentials - powerhell kittie | T1078.003 | windows |
| WinPwn - Loot local Credentials - Safetykatz | T1078.003 | windows |
| Create local account (Linux) | T1078.003 | linux |
| Reactivate a locked/expired account (Linux) | T1078.003 | linux |
| Reactivate a locked/expired account (FreeBSD) | T1078.003 | linux |
| Login as nobody (Linux) | T1078.003 | linux |
| Login as nobody (freebsd) | T1078.003 | linux |
| Shared Library Injection via /etc/ld.so.preload | T1574.006 | linux |
| Shared Library Injection via LD_PRELOAD | T1574.006 | linux |
| Dylib Injection via DYLD_INSERT_LIBRARIES | T1574.006 | macos |
| Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows) | T1567.003 | windows |
| Loadable Kernel Module based Rootkit | T1014 | linux |
| Loadable Kernel Module based Rootkit | T1014 | linux |
| dynamic-linker based rootkit (libprocesshider) | T1014 | linux |
| Loadable Kernel Module based Rootkit (Diamorphine) | T1014 | linux |
| Cron - Replace crontab with referenced file | T1053.003 | linux, macos |
| Cron - Add script to all cron subfolders | T1053.003 | macos, linux |
| Cron - Add script to /etc/cron.d folder | T1053.003 | linux |
| Cron - Add script to /var/spool/cron/crontabs/ folder | T1053.003 | linux |
| Access Token Manipulation | T1134.002 | windows |
| WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique | T1134.002 | windows |
| WinPwn - Reflectively load Mimik@tz into memory | | |
|
T1620
|
windows
|
Create Hidden User using UniqueID < 500
|
T1564.002
|
macos
|
Create Hidden User using IsHidden option
|
T1564.002
|
macos
|
Create Hidden User in Registry
|
T1564.002
|
windows
|
Dump individual process memory with sh (Local)
|
T1003.007
|
linux
|
Dump individual process memory with sh on FreeBSD (Local)
|
T1003.007
|
linux
|
Dump individual process memory with Python (Local)
|
T1003.007
|
linux
|
Capture Passwords with MimiPenguin
|
T1003.007
|
linux
|
Enumerate all accounts (Local)
|
T1087.001
|
linux
|
View sudoers access
|
T1087.001
|
linux, macos
|
View accounts with UID 0
|
T1087.001
|
linux, macos
|
List opened files by user
|
T1087.001
|
linux, macos
|
Show if a user account has ever logged in remotely
|
T1087.001
|
linux
|
Enumerate users and groups
|
T1087.001
|
linux, macos
|
Enumerate users and groups
|
T1087.001
|
macos
|
Enumerate all accounts on Windows (Local)
|
T1087.001
|
windows
|
Enumerate all accounts via PowerShell (Local)
|
T1087.001
|
windows
|
Enumerate logged on users via CMD (Local)
|
T1087.001
|
windows
|
Input Capture
|
T1056.001
|
windows
|
Living off the land Terminal Input Capture on Linux with pam.d
|
T1056.001
|
linux
|
Logging bash history to syslog
|
T1056.001
|
linux
|
Logging sh history to syslog/messages
|
T1056.001
|
linux
|
Bash session based keylogger
|
T1056.001
|
linux
|
SSHD PAM keylogger
|
T1056.001
|
linux
|
Auditd keylogger
|
T1056.001
|
linux
|
MacOS Swift Keylogger
|
T1056.001
|
macos
|
Delete a single file - FreeBSD/Linux/macOS
|
T1070.004
|
linux, macos
|
Delete an entire folder - FreeBSD/Linux/macOS
|
T1070.004
|
linux, macos
|
Overwrite and delete a file with shred
|
T1070.004
|
linux
|
Delete a single file - Windows cmd
|
T1070.004
|
windows
|
Delete an entire folder - Windows cmd
|
T1070.004
|
windows
|
Delete a single file - Windows PowerShell
|
T1070.004
|
windows
|
Delete an entire folder - Windows PowerShell
|
T1070.004
|
windows
|
Delete Filesystem - Linux
|
T1070.004
|
linux
|
Delete Prefetch File
|
T1070.004
|
windows
|
Delete TeamViewer Log Files
|
T1070.004
|
windows
|
Modify Fax service to run PowerShell
|
T1543.003
|
windows
|
Service Installation CMD
|
T1543.003
|
windows
|
Service Installation PowerShell
|
T1543.003
|
windows
|
TinyTurla backdoor service w64time
|
T1543.003
|
windows
|
Remote Service Installation CMD
|
T1543.003
|
windows
|
Modify Service to Run Arbitrary Binary (Powershell)
|
T1543.003
|
windows
|
PowerShell Lateral Movement using MMC20
|
T1021.003
|
windows
|
PowerShell Lateral Movement Using Excel Application Object
|
T1021.003
|
windows
|
Windows - Stop service using Service Controller
|
T1489
|
windows
|
Windows - Stop service using net.exe
|
T1489
|
windows
|
Windows - Stop service by killing process
|
T1489
|
windows
|
UEFI Persistence via Wpbbin.exe File Creation
|
T1542.001
|
windows
|
Create Volume Shadow Copy with vssadmin
|
T1003.003
|
windows
|
Copy NTDS.dit from Volume Shadow Copy
|
T1003.003
|
windows
|
Dump Active Directory Database with NTDSUtil
|
T1003.003
|
windows
|
Create Volume Shadow Copy with WMI
|
T1003.003
|
windows
|
Create Volume Shadow Copy remotely with WMI
|
T1003.003
|
windows
|
Create Volume Shadow Copy remotely (WMI) with esentutl
|
T1003.003
|
windows
|
Create Volume Shadow Copy with Powershell
|
T1003.003
|
windows
|
Create Symlink to Volume Shadow Copy
|
T1003.003
|
windows
|
Create Volume Shadow Copy with diskshadow
|
T1003.003
|
windows
|
Install Outlook Home Page Persistence
|
T1137.004
|
windows
|
PetitPotam
|
T1187
|
windows
|
WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS
|
T1187
|
windows
|
Crafting Active Directory silver tickets with mimikatz
|
T1558.002
|
windows
|
LockBit Black - Modify Group policy settings -cmd
|
T1484.001
|
windows
|
LockBit Black - Modify Group policy settings -Powershell
|
T1484.001
|
windows
|
Execution through API - CreateProcess
|
T1106
|
windows
|
WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique
|
T1106
|
windows
|
WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
|
T1106
|
windows
|
WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
|
T1106
|
windows
|
Run Shellcode via Syscall in Go
|
T1106
|
windows
|
Process Injection via mavinject.exe
|
T1055.001
|
windows
|
WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique
|
T1055.001
|
windows
|
Radmin Viewer Utility
|
T1072
|
windows
|
PDQ Deploy RAT
|
T1072
|
windows
|
Deploy 7-Zip Using Chocolatey
|
T1072
|
windows
|
Running Chrome VPN Extensions via the Registry 2 vpn extension
|
T1133
|
windows
|
Regsvr32 local COM scriptlet execution
|
T1218.010
|
windows
|
Regsvr32 remote COM scriptlet execution
|
T1218.010
|
windows
|
Regsvr32 local DLL execution
|
T1218.010
|
windows
|
Regsvr32 Registering Non DLL
|
T1218.010
|
windows
|
Regsvr32 Silent DLL Install Call DllRegisterServer
|
T1218.010
|
windows
|
System Time Discovery
|
T1124
|
windows
|
System Time Discovery - PowerShell
|
T1124
|
windows
|
System Time Discovery in FreeBSD/macOS
|
T1124
|
linux, macos
|
System Time Discovery W32tm as a Delay
|
T1124
|
windows
|
System Time with Windows time Command
|
T1124
|
windows
|
ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI
|
T1562.010
|
linux
|
ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI
|
T1562.010
|
linux
|
PowerShell Version 2 Downgrade
|
T1562.010
|
windows
|
Access /etc/shadow (Local)
|
T1003.008
|
linux
|
Access /etc/master.passwd (Local)
|
T1003.008
|
linux
|
Access /etc/passwd (Local)
|
T1003.008
|
linux
|
Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat
|
T1003.008
|
linux
|
Access /etc/{shadow,passwd,master.passwd} with shell builtins
|
T1003.008
|
linux
|
Logon Scripts - Mac
|
T1037.002
|
macos
|
Modify Registry of Current User Profile - cmd
|
T1112
|
windows
|
Modify Registry of Local Machine - cmd
|
T1112
|
windows
|
Modify registry to store logon credentials
|
T1112
|
windows
|
Use Powershell to Modify registry to store logon credentials
|
T1112
|
windows
|
Add domain to Trusted sites Zone
|
T1112
|
windows
|
Javascript in registry
|
T1112
|
windows
|
Change Powershell Execution Policy to Bypass
|
T1112
|
windows
|
BlackByte Ransomware Registry Changes - CMD
|
T1112
|
windows
|
BlackByte Ransomware Registry Changes - Powershell
|
T1112
|
windows
|
Disable Windows Registry Tool
|
T1112
|
windows
|
Disable Windows CMD application
|
T1112
|
windows
|
Disable Windows Task Manager application
|
T1112
|
windows
|
Disable Windows Notification Center
|
T1112
|
windows
|
Disable Windows Shutdown Button
|
T1112
|
windows
|
Disable Windows LogOff Button
|
T1112
|
windows
|
Disable Windows Change Password Feature
|
T1112
|
windows
|
Disable Windows Lock Workstation Feature
|
T1112
|
windows
|
Activate Windows NoDesktop Group Policy Feature
|
T1112
|
windows
|
Activate Windows NoRun Group Policy Feature
|
T1112
|
windows
|
Activate Windows NoFind Group Policy Feature
|
T1112
|
windows
|
Activate Windows NoControlPanel Group Policy Feature
|
T1112
|
windows
|
Activate Windows NoFileMenu Group Policy Feature
|
T1112
|
windows
|
Activate Windows NoClose Group Policy Feature
|
T1112
|
windows
|
Activate Windows NoSetTaskbar Group Policy Feature
|
T1112
|
windows
|
Activate Windows NoTrayContextMenu Group Policy Feature
|
T1112
|
windows
|
Activate Windows NoPropertiesMyDocuments Group Policy Feature
|
T1112
|
windows
|
Hide Windows Clock Group Policy Feature
|
T1112
|
windows
|
Windows HideSCAHealth Group Policy Feature
|
T1112
|
windows
|
Windows HideSCANetwork Group Policy Feature
|
T1112
|
windows
|
Windows HideSCAPower Group Policy Feature
|
T1112
|
windows
|
Windows HideSCAVolume Group Policy Feature
|
T1112
|
windows
|
Windows Modify Show Compress Color And Info Tip Registry
|
T1112
|
windows
|
Windows Powershell Logging Disabled
|
T1112
|
windows
|
Windows Add Registry Value to Load Service in Safe Mode without Network
|
T1112
|
windows
|
Windows Add Registry Value to Load Service in Safe Mode with Network
|
T1112
|
windows
|
Disable Windows Toast Notifications
|
T1112
|
windows
|
Disable Windows Security Center Notifications
|
T1112
|
windows
|
Suppress Win Defender Notifications
|
T1112
|
windows
|
Allow RDP Remote Assistance Feature
|
T1112
|
windows
|
NetWire RAT Registry Key Creation
|
T1112
|
windows
|
Ursnif Malware Registry Key Creation
|
T1112
|
windows
|
Terminal Server Client Connection History Cleared
|
T1112
|
windows
|
Disable Windows Error Reporting Settings
|
T1112
|
windows
|
DisallowRun Execution Of Certain Applications
|
T1112
|
windows
|
Enabling Restricted Admin Mode via Command_Prompt
|
T1112
|
windows
|
Mimic Ransomware - Enable Multiple User Sessions
|
T1112
|
windows
|
Mimic Ransomware - Allow Multiple RDP Sessions per User
|
T1112
|
windows
|
Event Viewer Registry Modification - Redirection URL
|
T1112
|
windows
|
Event Viewer Registry Modification - Redirection Program
|
T1112
|
windows
|
Enabling Remote Desktop Protocol via Remote Registry
|
T1112
|
windows
|
Disable Win Defender Notification
|
T1112
|
windows
|
Disable Windows OS Auto Update
|
T1112
|
windows
|
Disable Windows Auto Reboot for current logon user
|
T1112
|
windows
|
Windows Auto Update Option to Notify before download
|
T1112
|
windows
|
Do Not Connect To Win Update
|
T1112
|
windows
|
Tamper Win Defender Protection
|
T1112
|
windows
|
Snake Malware Registry Blob
|
T1112
|
windows
|
Allow Simultaneous Download Registry
|
T1112
|
windows
|
Modify Internet Zone Protocol Defaults in Current User Registry - cmd
|
T1112
|
windows
|
Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell
|
T1112
|
windows
|
Activities To Disable Secondary Authentication Detected By Modified Registry Value.
|
T1112
|
windows
|
Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.
|
T1112
|
windows
|
Scarab Ransomware Defense Evasion Activities
|
T1112
|
windows
|
Disable Remote Desktop Anti-Alias Setting Through Registry
|
T1112
|
windows
|
Disable Remote Desktop Security Settings Through Registry
|
T1112
|
windows
|
Disabling ShowUI Settings of Windows Error Reporting (WER)
|
T1112
|
windows
|
Enable Proxy Settings
|
T1112
|
windows
|
Set-Up Proxy Server
|
T1112
|
windows
|
RDP Authentication Level Override
|
T1112
|
windows
|
AWS - Create a new IAM user
|
T1136.003
|
iaas:aws
|
Azure AD - Create a new user
|
T1136.003
|
azure-ad
|
Azure AD - Create a new user via Azure CLI
|
T1136.003
|
azure-ad
|
Find and Display Internet Explorer Browser Version
|
T1518
|
windows
|
Applications Installed
|
T1518
|
windows
|
Find and Display Safari Browser Version
|
T1518
|
macos
|
WinPwn - Dotnetsearch
|
T1518
|
windows
|
WinPwn - DotNet
|
T1518
|
windows
|
WinPwn - powerSQL
|
T1518
|
windows
|
Add a driver
|
T1547
|
windows
|
Append malicious start-process cmdlet
|
T1546.013
|
windows
|
DLL Side-Loading using the Notepad++ GUP.exe binary
|
T1574.002
|
windows
|
DLL Side-Loading using the dotnet startup hook environment variable
|
T1574.002
|
windows
|
Reg Key Run
|
T1547.001
|
windows
|
Reg Key RunOnce
|
T1547.001
|
windows
|
PowerShell Registry RunOnce
|
T1547.001
|
windows
|
Suspicious vbs file run from startup Folder
|
T1547.001
|
windows
|
Suspicious jse file run from startup Folder
|
T1547.001
|
windows
|
Suspicious bat file run from startup Folder
|
T1547.001
|
windows
|
Add Executable Shortcut Link to User Startup Folder
|
T1547.001
|
windows
|
Add persistance via Recycle bin
|
T1547.001
|
windows
|
SystemBC Malware-as-a-Service Registry
|
T1547.001
|
windows
|
Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value
|
T1547.001
|
windows
|
Change Startup Folder - HKCU Modify User Shell Folders Startup Value
|
T1547.001
|
windows
|
HKCU - Policy Settings Explorer Run Key
|
T1547.001
|
windows
|
HKLM - Policy Settings Explorer Run Key
|
T1547.001
|
windows
|
HKLM - Append Command to Winlogon Userinit KEY Value
|
T1547.001
|
windows
|
HKLM - Modify default System Shell - Winlogon Shell KEY Value
|
T1547.001
|
windows
|
secedit used to create a Run key in the HKLM Hive
|
T1547.001
|
windows
|
Modify BootExecute Value
|
T1547.001
|
windows
|
Control Panel Items
|
T1218.002
|
windows
|
Add file to Local Library StartupItems
|
T1037.005
|
macos
|
Auditing Configuration Changes on Linux Host
|
T1562.006
|
linux
|
Auditing Configuration Changes on FreeBSD Host
|
T1562.006
|
linux
|
Logging Configuration Changes on Linux Host
|
T1562.006
|
linux
|
Logging Configuration Changes on FreeBSD Host
|
T1562.006
|
linux
|
Disable Powershell ETW Provider - Windows
|
T1562.006
|
windows
|
Disable .NET Event Tracing for Windows Via Registry (cmd)
|
T1562.006
|
windows
|
Disable .NET Event Tracing for Windows Via Registry (powershell)
|
T1562.006
|
windows
|
LockBit Black - Disable the ETW Provider of Windows Defender -cmd
|
T1562.006
|
windows
|
LockBit Black - Disable the ETW Provider of Windows Defender -Powershell
|
T1562.006
|
windows
|
Portable Executable Injection
|
T1055.002
|
windows
|
Password Spray all Domain Users
|
T1110.003
|
windows
|
Password Spray (DomainPasswordSpray)
|
T1110.003
|
windows
|
Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)
|
T1110.003
|
windows
|
Password spray all Azure AD users with a single password
|
T1110.003
|
azure-ad
|
WinPwn - DomainPasswordSpray Attacks
|
T1110.003
|
windows
|
Password Spray Invoke-DomainPasswordSpray Light
|
T1110.003
|
windows
|
Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)
|
T1110.003
|
azure-ad
|
Password Spray using Kerbrute Tool
|
T1110.003
|
windows
|
AWS - Password Spray an AWS using GoAWSConsoleSpray
|
T1110.003
|
iaas:aws
|
AppleScript - Prompt User for Password
|
T1056.002
|
macos
|
PowerShell - Prompt User for Password
|
T1056.002
|
windows
|
AppleScript - Spoofing a credential prompt using osascript
|
T1056.002
|
macos
|
Install MS Exchange Transport Agent Persistence
|
T1505.002
|
windows
|
OSTap Style Macro Execution
|
T1204.002
|
windows
|
OSTap Payload Download
|
T1204.002
|
windows
|
Maldoc choice flags command execution
|
T1204.002
|
windows
|
OSTAP JS version
|
T1204.002
|
windows
|
Office launching .bat file from AppData
|
T1204.002
|
windows
|
Excel 4 Macro
|
T1204.002
|
windows
|
Headless Chrome code execution via VBA
|
T1204.002
|
windows
|
Potentially Unwanted Applications (PUA)
|
T1204.002
|
windows
|
Office Generic Payload Download
|
T1204.002
|
windows
|
LNK Payload Download
|
T1204.002
|
windows
|
Mirror Blast Emulation
|
T1204.002
|
windows
|
Install root CA on CentOS/RHEL
|
T1553.004
|
linux
|
Install root CA on FreeBSD
|
T1553.004
|
linux
|
Install root CA on Debian/Ubuntu
|
T1553.004
|
linux
|
Install root CA on macOS
|
T1553.004
|
macos
|
Install root CA on Windows
|
T1553.004
|
windows
|
Install root CA on Windows with certutil
|
T1553.004
|
windows
|
Add Root Certificate to CurrentUser Certificate Store
|
T1553.004
|
windows
|
Creating W32Time similar named service using schtasks
|
T1036.004
|
windows
|
Creating W32Time similar named service using sc
|
T1036.004
|
windows
|
linux rename /proc/pid/comm using prctl
|
T1036.004
|
linux
|
Process Injection via C#
|
T1055.004
|
windows
|
EarlyBird APC Queue Injection in Go
|
T1055.004
|
windows
|
Remote Process Injection with Go using NtQueueApcThreadEx WinAPI
|
T1055.004
|
windows
|
Disable Microsoft Defender Firewall
|
T1562.004
|
windows
|
Disable Microsoft Defender Firewall via Registry
|
T1562.004
|
windows
|
Allow SMB and RDP on Microsoft Defender Firewall
|
T1562.004
|
windows
|
Opening ports for proxy - HARDRAIN
|
T1562.004
|
windows
|
Open a local port through Windows Firewall to any profile
|
T1562.004
|
windows
|
Allow Executable Through Firewall Located in Non-Standard Location
|
T1562.004
|
windows
|
Stop/Start UFW firewall
|
T1562.004
|
linux
|
Stop/Start Packet Filter
|
T1562.004
|
linux
|
Stop/Start UFW firewall systemctl
|
T1562.004
|
linux
|
Turn off UFW logging
|
T1562.004
|
linux
|
Add and delete UFW firewall rules
|
T1562.004
|
linux
|
Add and delete Packet Filter rules
|
T1562.004
|
linux
|
Edit UFW firewall user.rules file
|
T1562.004
|
linux
|
Edit UFW firewall ufw.conf file
|
T1562.004
|
linux
|
Edit UFW firewall sysctl.conf file
|
T1562.004
|
linux
|
Edit UFW firewall main configuration file
|
T1562.004
|
linux
|
Tail the UFW firewall log file
|
T1562.004
|
linux
|
Disable iptables
|
T1562.004
|
linux
|
Modify/delete iptables firewall rules
|
T1562.004
|
linux
|
LockBit Black - Unusual Windows firewall registry modification -cmd
|
T1562.004
|
windows
|
LockBit Black - Unusual Windows firewall registry modification -Powershell
|
T1562.004
|
windows
|
Blackbit - Disable Windows Firewall using netsh firewall
|
T1562.004
|
windows
|
ESXi - Disable Firewall via Esxcli
|
T1562.004
|
windows
|
Set a firewall rule using New-NetFirewallRule
|
T1562.004
|
windows
|
Process Hollowing using PowerShell
|
T1055.012
|
windows
|
RunPE via VBA
|
T1055.012
|
windows
|
Process Hollowing in Go using CreateProcessW WinAPI
|
T1055.012
|
windows
|
Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)
|
T1055.012
|
windows
|
Psiphon
|
T1090.003
|
windows
|
Tor Proxy Usage - Windows
|
T1090.003
|
windows
|
Tor Proxy Usage - Debian/Ubuntu/FreeBSD
|
T1090.003
|
linux
|
Tor Proxy Usage - MacOS
|
T1090.003
|
macos
|
Access Saved Credentials via VaultCmd
|
T1555.004
|
windows
|
WinPwn - Loot local Credentials - Invoke-WCMDump
|
T1555.004
|
windows
|
JScript execution to gather local computer information via cscript
|
T1059.007
|
windows
|
JScript execution to gather local computer information via wscript
|
T1059.007
|
windows
|
Azure - Dump All Azure Key Vaults with Microburst
|
T1528
|
iaas:azure
|
Modify SSH Authorized Keys
|
T1098.004
|
linux, macos
|
Create a new Windows domain admin user
|
T1136.002
|
windows
|
Create a new account similar to ANONYMOUS LOGON
|
T1136.002
|
windows
|
Create a new Domain Account using PowerShell
|
T1136.002
|
windows
|
Active Directory Create Admin Account
|
T1136.002
|
linux
|
Active Directory Create User Account (Non-elevated)
|
T1136.002
|
linux
|
Install IIS Module using AppCmd.exe
|
T1505.004
|
windows
|
Install IIS Module using PowerShell Cmdlet New-WebGlobalModule
|
T1505.004
|
windows
|
AutoIt Script Execution
|
T1059
|
windows
|
Enable Windows Remote Management
|
T1021.006
|
windows
|
Remote Code Execution with PS Credentials Using Invoke-Command
|
T1021.006
|
windows
|
WinRM Access with Evil-WinRM
|
T1021.006
|
windows
|
TeamViewer Files Detected Test on Windows
|
T1219
|
windows
|
AnyDesk Files Detected Test on Windows
|
T1219
|
windows
|
LogMeIn Files Detected Test on Windows
|
T1219
|
windows
|
GoToAssist Files Detected Test on Windows
|
T1219
|
windows
|
ScreenConnect Application Download and Install on Windows
|
T1219
|
windows
|
Ammyy Admin Software Execution
|
T1219
|
windows
|
RemotePC Software Execution
|
T1219
|
windows
|
NetSupport - RAT Execution
|
T1219
|
windows
|
UltraViewer - RAT Execution
|
T1219
|
windows
|
UltraVNC Execution
|
T1219
|
windows
|
MSP360 Connect Execution
|
T1219
|
windows
|
RustDesk Files Detected Test on Windows
|
T1219
|
windows
|
AWS S3 Enumeration
|
T1619
|
iaas:aws
|
LLMNR Poisoning with Inveigh (PowerShell)
|
T1557.001
|
windows
|
Space After Filename (Manual)
|
T1036.006
|
macos
|
Space After Filename
|
T1036.006
|
macos, linux
|
Keychain Dump
|
T1555.001
|
macos
|
Export Certificate Item(s)
|
T1555.001
|
macos
|
Import Certificate Item(s) into Keychain
|
T1555.001
|
macos
|
Exfiltrate data with rclone to cloud Storage - Mega (Windows)
|
T1567.002
|
windows
|
Dumping LSA Secrets
|
T1003.004
|
windows
|
Visual Basic script execution to gather local computer information
|
T1059.005
|
windows
|
Encoded VBS code execution
|
T1059.005
|
windows
|
Extract Memory via VBA
|
T1059.005
|
windows
|
Packet Capture Linux using tshark or tcpdump
|
T1040
|
linux
|
Packet Capture FreeBSD using tshark or tcpdump
|
T1040
|
linux
|
Packet Capture macOS using tcpdump or tshark
|
T1040
|
macos
|
Packet Capture Windows Command Prompt
|
T1040
|
windows
|
Windows Internal Packet Capture
|
T1040
|
windows
|
Windows Internal pktmon capture
|
T1040
|
windows
|
Windows Internal pktmon set filter
|
T1040
|
windows
|
Packet Capture macOS using /dev/bpfN with sudo
|
T1040
|
macos
|
Filtered Packet Capture macOS using /dev/bpfN with sudo
|
T1040
|
macos
|
Packet Capture FreeBSD using /dev/bpfN with sudo
|
T1040
|
linux
|
Filtered Packet Capture FreeBSD using /dev/bpfN with sudo
|
T1040
|
linux
|
Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo
|
T1040
|
linux
|
Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo
|
T1040
|
linux
|
Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo
|
T1040
|
linux
|
Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo
|
T1040
|
linux
|
PowerShell Network Sniffing
|
T1040
|
windows
|
AWS - EC2 Enumeration from Cloud Instance
|
T1580
|
linux, macos, iaas:aws
|
AWS - EC2 Security Group Enumeration
|
T1580
|
iaas:aws
|
Add Network Share
|
T1070.005
|
windows
|
Remove Network Share
|
T1070.005
|
windows
|
Remove Network Share PowerShell
|
T1070.005
|
windows
|
Disable Administrative Share Creation at Startup
|
T1070.005
|
windows
|
Remove Administrative Shares
|
T1070.005
|
windows
|
ESXi - Install a custom VIB on an ESXi host
|
T1129
|
windows
|
powerShell Persistence via hijacking default modules - Get-Variable.exe
|
T1574.008
|
windows
|
Port Scan
|
T1046
|
linux, macos
|
Port Scan Nmap
|
T1046
|
linux, macos
|
Port Scan NMap for Windows
|
T1046
|
windows
|
Port Scan using python
|
T1046
|
windows
|
WinPwn - spoolvulnscan
|
T1046
|
windows
|
WinPwn - MS17-10
|
T1046
|
windows
|
WinPwn - bluekeep
|
T1046
|
windows
|
WinPwn - fruit
|
T1046
|
windows
|
Network Service Discovery for Containers
|
T1046
|
containers
|
Port-Scanning /24 Subnet with PowerShell
|
T1046
|
windows
|
Create registry persistence via AppCert DLL
|
T1546.009
|
windows
|
System Network Configuration Discovery on Windows
|
T1016
|
windows
|
List Windows Firewall Rules
|
T1016
|
windows
|
System Network Configuration Discovery
|
T1016
|
macos, linux
|
System Network Configuration Discovery (TrickBot Style)
|
T1016
|
windows
|
List Open Egress Ports
|
T1016
|
windows
|
Adfind - Enumerate Active Directory Subnet Objects
|
T1016
|
windows
|
Qakbot Recon
|
T1016
|
windows
|
List macOS Firewall Rules
|
T1016
|
macos
|
DNS Server Discovery Using nslookup
|
T1016
|
windows
|
Steganographic Tarball Embedding
|
T1001.002
|
windows
|
Embedded Script in Image Execution via Extract-Invoke-PSImage
|
T1001.002
|
windows
|
Execute Embedded Script in Image via Steganography
|
T1001.002
|
linux
|
Execution of program.exe as service with unquoted service path
|
T1574.009
|
windows
|
Gsecdump
|
T1003
|
windows
|
Credential Dumping with NPPSpy
|
T1003
|
windows
|
Dump svchost.exe to gather RDP credentials
|
T1003
|
windows
|
Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)
|
T1003
|
windows
|
Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)
|
T1003
|
windows
|
Dump Credential Manager using keymgr.dll and rundll32.exe
|
T1003
|
windows
|
Office Application Startup - Outlook as a C2
|
T1137
|
windows
|
WINWORD Remote Template Injection
|
T1221
|
windows
|
Lolbin Jsc.exe compile javascript to exe
|
T1127
|
windows
|
Lolbin Jsc.exe compile javascript to dll
|
T1127
|
windows
|
Octopus Scanner Malware Open Source Supply Chain
|
T1195
|
windows
|
Screencapture
|
T1113
|
macos
|
Screencapture (silent)
|
T1113
|
macos
|
X Windows Capture
|
T1113
|
linux
|
X Windows Capture (freebsd)
|
T1113
|
linux
|
Capture Linux Desktop using Import Tool
|
T1113
|
linux
|
Capture Linux Desktop using Import Tool (freebsd)
|
T1113
|
linux
|
Windows Screencapture
|
T1113
|
windows
|
Windows Screen Capture (CopyFromScreen)
|
T1113
|
windows
|
Web Shell Written to Disk
|
T1505.003
|
windows
|
WMI Reconnaissance Users
|
T1047
|
windows
|
WMI Reconnaissance Processes
|
T1047
|
windows
|
WMI Reconnaissance Software
|
T1047
|
windows
|
WMI Reconnaissance List Remote Services
|
T1047
|
windows
|
WMI Execute Local Process
|
T1047
|
windows
|
WMI Execute Remote Process
|
T1047
|
windows
|
Create a Process using WMI Query and an Encoded Command
|
T1047
|
windows
|
Create a Process using obfuscated Win32_Process
|
T1047
|
windows
|
WMI Execute rundll32
|
T1047
|
windows
|
Application uninstall using WMIC
|
T1047
|
windows
|
Service Registry Permissions Weakness
|
T1574.011
|
windows
|
Service ImagePath Change with reg.exe
|
T1574.011
|
windows
|
CMSTP Executing Remote Scriptlet
|
T1218.003
|
windows
|
CMSTP Executing UAC Bypass
|
T1218.003
|
windows
|
Enumerate PlugNPlay Camera
|
T1592.001
|
windows
|
Cobalt Strike Artifact Kit pipe
|
T1559
|
windows
|
Cobalt Strike Lateral Movement (psexec_psh) pipe
|
T1559
|
windows
|
Cobalt Strike SSH (postex_ssh) pipe
|
T1559
|
windows
|
Cobalt Strike post-exploitation pipe (4.2 and later)
|
T1559
|
windows
|
Cobalt Strike post-exploitation pipe (before 4.2)
|
T1559
|
windows
|
PubPrn.vbs Signed Script Bypass
|
T1216.001
|
windows
|
Malicious Execution from Mounted ISO Image
|
T1204.003
|
windows
|
rc.common
|
T1037.004
|
macos
|
rc.common
|
T1037.004
|
linux
|
rc.local
|
T1037.004
|
linux
|
Mimikatz Pass the Hash
|
T1550.002
|
windows
|
crackmapexec Pass the Hash
|
T1550.002
|
windows
|
Invoke-WMIExec Pass the Hash
|
T1550.002
|
windows
|
Scheduled Task Startup Script
|
T1053.005
|
windows
|
Scheduled task Local
|
T1053.005
|
windows
|
Scheduled task Remote
|
T1053.005
|
windows
|
Powershell Cmdlet Scheduled Task
|
T1053.005
|
windows
|
Task Scheduler via VBA
|
T1053.005
|
windows
|
WMI Invoke-CimMethod Scheduled Task
|
T1053.005
|
windows
|
Scheduled Task Executing Base64 Encoded Commands From Registry
|
T1053.005
|
windows
|
Import XML Schedule Task with Hidden Attribute
|
T1053.005
|
windows
|
PowerShell Modify A Scheduled Task
|
T1053.005
|
windows
|
Scheduled Task ("Ghost Task") via Registry Key Manipulation
|
T1053.005
|
windows
|
Create a hidden file in a hidden directory
|
T1564.001
|
linux, macos
|
Mac Hidden file
|
T1564.001
|
macos
|
Create Windows System File with Attrib
|
T1564.001
|
windows
|
Create Windows Hidden File with Attrib
|
T1564.001
|
windows
|
Hidden files
|
T1564.001
|
macos
|
Hide a Directory
|
T1564.001
|
macos
|
Show all hidden files
|
T1564.001
|
macos
|
Hide Files Through Registry
|
T1564.001
|
windows
|
Create Windows Hidden File with powershell
|
T1564.001
|
windows
|
Create Windows System File with powershell
|
T1564.001
|
windows
|
FreeBSD/macOS/Linux - Simulate CPU Load with Yes
|
T1496
|
linux, macos
|
Create and Execute Batch Script
|
T1059.003
|
windows
|
Writes text to a file and displays it.
|
T1059.003
|
windows
|
Suspicious Execution via Windows Command Shell
|
T1059.003
|
windows
|
Simulate BlackByte Ransomware Print Bombing
|
T1059.003
|
windows
|
Command Prompt read contents from CMD file and execute
|
T1059.003
|
windows
|
Command prompt writing script to file then executes it
|
T1059.003
|
windows
|
Exfiltration Over SMB over QUIC (New-SmbMapping)
|
T1570
|
windows
|
Exfiltration Over SMB over QUIC (NET USE)
|
T1570
|
windows
|
Persistence with Custom AutodialDLL
|
T1546
|
windows
|
HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
|
T1546
|
windows
|
HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)
|
T1546
|
windows
|
WMI Invoke-CimMethod Start Process
|
T1546
|
windows
|
Shortcut Modification
|
T1547.009
|
windows
|
Create shortcut to cmd in startup folders
|
T1547.009
|
windows
|
Registry dump of SAM, creds, and secrets
|
T1003.002
|
windows
|
Registry parse with pypykatz
|
T1003.002
|
windows
|
esentutl.exe SAM copy
|
T1003.002
|
windows
|
PowerDump Hashes and Usernames from Registry
|
T1003.002
|
windows
|
dump volume shadow copy hives with certutil
|
T1003.002
|
windows
|
dump volume shadow copy hives with System.IO.File
|
T1003.002
|
windows
|
WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
|
T1003.002
|
windows
|
IFEO Add Debugger
|
T1546.012
|
windows
|
IFEO Global Flags
|
T1546.012
|
windows
|
GlobalFlags in Image File Execution Options
|
T1546.012
|
windows
|
Alternate Data Streams (ADS)
|
T1564.004
|
windows
|
Store file in Alternate Data Stream (ADS)
|
T1564.004
|
windows
|
Create ADS command prompt
|
T1564.004
|
windows
|
Create ADS PowerShell
|
T1564.004
|
windows
|
Create Hidden Directory via $index_allocation
|
T1564.004
|
windows
|
Enable Guest account with RDP capability and admin privileges
|
T1078.001
|
windows
|
Activate Guest Account
|
T1078.001
|
windows
|
Enable Guest Account on macOS
|
T1078.001
|
macos
|
Compress Data for Exfiltration With Rar
|
T1560.001
|
windows
|
Compress Data and lock with password for Exfiltration with winrar
|
T1560.001
|
windows
|
Compress Data and lock with password for Exfiltration with winzip
|
T1560.001
|
windows
|
Compress Data and lock with password for Exfiltration with 7zip
|
T1560.001
|
windows
|
Data Compressed - nix - zip
|
T1560.001
|
linux, macos
|
Data Compressed - nix - gzip Single File
|
T1560.001
|
linux, macos
|
Data Compressed - nix - tar Folder or File
|
T1560.001
|
linux, macos
|
Data Encrypted with zip and gpg symmetric
|
T1560.001
|
linux, macos
|
Encrypts collected data with AES-256 and Base64
|
T1560.001
|
linux, macos
|
ESXi - Remove Syslog remote IP
|
T1560.001
|
windows
|
System Owner/User Discovery
|
T1033
|
windows
|
System Owner/User Discovery
|
T1033
|
linux, macos
|
Find computers where user has session - Stealth mode (PowerView)
|
T1033
|
windows
|
User Discovery With Env Vars PowerShell Script
|
T1033
|
windows
|
GetCurrent User with PowerShell Script
|
T1033
|
windows
|
System Discovery - SocGholish whoami
|
T1033
|
windows
|
System Owner/User Discovery Using Command Prompt
|
T1033
|
windows
|
Remote System Discovery - net
|
T1018
|
windows
|
Remote System Discovery - net group Domain Computers
|
T1018
|
windows
|
Remote System Discovery - nltest
|
T1018
|
windows
|
Remote System Discovery - ping sweep
|
T1018
|
windows
|
Remote System Discovery - arp
|
T1018
|
windows
|
Remote System Discovery - arp nix
|
T1018
|
linux, macos
|
Remote System Discovery - sweep
|
T1018
|
linux, macos
|
Remote System Discovery - nslookup
|
T1018
|
windows
|
Remote System Discovery - adidnsdump
|
T1018
|
windows
|
Adfind - Enumerate Active Directory Computer Objects
|
T1018
|
windows
|
Adfind - Enumerate Active Directory Domain Controller Objects
|
T1018
|
windows
|
Remote System Discovery - ip neighbour
|
T1018
|
linux
|
Remote System Discovery - ip route
|
T1018
|
linux
|
Remote System Discovery - netstat
|
T1018
|
linux
|
Remote System Discovery - ip tcp_metrics
|
T1018
|
linux
|
Enumerate domain computers within Active Directory using DirectorySearcher
|
T1018
|
windows
|
Enumerate Active Directory Computers with Get-AdComputer
|
T1018
|
windows
|
Enumerate Active Directory Computers with ADSISearcher
|
T1018
|
windows
|
Get-DomainController with PowerView
|
T1018
|
windows
|
Get-WmiObject to Enumerate Domain Controllers
|
T1018
|
windows
|
Remote System Discovery - net group Domain Controller
|
T1018
|
windows
|
Sudo usage
|
T1548.003
|
macos, linux
|
Sudo usage (freebsd)
|
T1548.003
|
linux
|
Unlimited sudo cache timeout
|
T1548.003
|
macos, linux
|
Unlimited sudo cache timeout (freebsd)
|
T1548.003
|
linux
|
Disable tty_tickets for sudo caching
|
T1548.003
|
macos, linux
|
Disable tty_tickets for sudo caching (freebsd)
|
T1548.003
|
linux
|
File and Directory Discovery (cmd.exe)
|
T1083
|
windows
|
File and Directory Discovery (PowerShell)
|
T1083
|
windows
|
Nix File and Directory Discovery
|
T1083
|
linux, macos
|
Nix File and Directory Discovery 2
|
T1083
|
linux, macos
|
Simulating MAZE Directory Enumeration
|
T1083
|
windows
|
Launch DirLister Executable
|
T1083
|
windows
|
ESXi - Enumerate VMDKs available on an ESXi Host
|
T1083
|
linux
|
Add command to .bash_profile
|
T1546.004
|
macos, linux
|
Add command to .bashrc
|
T1546.004
|
macos, linux
|
Add command to .shrc
|
T1546.004
|
linux
|
Append to the system shell profile
|
T1546.004
|
linux
|
Append commands user shell profile
|
T1546.004
|
linux
|
System shell profile scripts
|
T1546.004
|
linux
|
Create/Append to .bash_logout
|
T1546.004
|
linux
|
Injection SID-History with mimikatz
|
T1134.005
|
windows
|
Create a new time provider
|
T1547.003
|
windows
|
Edit an existing time provider
|
T1547.003
|
windows
|
DNS Large Query Volume
|
T1071.004
|
windows
|
DNS Regular Beaconing
|
T1071.004
|
windows
|
DNS Long Domain Query
|
T1071.004
|
windows
|
DNS C2
|
T1071.004
|
windows
|
Clear Logs
|
T1070.001
|
windows
|
Delete System Logs Using Clear-EventLog
|
T1070.001
|
windows
|
Clear Event Logs via VBA
|
T1070.001
|
windows
|
Compressing data using GZip in Python (FreeBSD/Linux)
|
T1560.002
|
linux
|
Compressing data using bz2 in Python (FreeBSD/Linux)
|
T1560.002
|
linux
|
Compressing data using zipfile in Python (FreeBSD/Linux)
|
T1560.002
|
linux
|
Compressing data using tarfile in Python (FreeBSD/Linux)
|
T1560.002
|
linux
|
Mimikatz
|
T1059.001
|
windows
|
Run BloodHound from local disk
|
T1059.001
|
windows
|
Run Bloodhound from Memory using Download Cradle
|
T1059.001
|
windows
|
Mimikatz - Cradlecraft PsSendKeys
|
T1059.001
|
windows
|
Invoke-AppPathBypass
|
T1059.001
|
windows
|
Powershell MsXml COM object - with prompt
|
T1059.001
|
windows
|
Powershell XML requests
|
T1059.001
|
windows
|
Powershell invoke mshta.exe download
|
T1059.001
|
windows
|
Powershell Invoke-DownloadCradle
|
T1059.001
|
windows
|
PowerShell Fileless Script Execution
|
T1059.001
|
windows
|
NTFS Alternate Data Stream Access
|
T1059.001
|
windows
|
PowerShell Session Creation and Use
|
T1059.001
|
windows
|
ATHPowerShellCommandLineParameter -Command parameter variations
|
T1059.001
|
windows
|
ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
|
T1059.001
|
windows
|
ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
|
T1059.001
|
windows
|
ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
|
T1059.001
|
windows
|
PowerShell Command Execution
|
T1059.001
|
windows
|
PowerShell Invoke Known Malicious Cmdlets
|
T1059.001
|
windows
|
PowerUp Invoke-AllChecks
|
T1059.001
|
windows
|
Abuse Nslookup with DNS Records
|
T1059.001
|
windows
|
SOAPHound - Dump BloodHound Data
|
T1059.001
|
windows
|
SOAPHound - Build Cache
|
T1059.001
|
windows
|
Launchctl
|
T1569.001
|
macos
|
Process injection ListPlanting
|
T1055.015
|
windows
|
Telnet C2
|
T1071
|
windows
|
Crafting Active Directory golden tickets with mimikatz
|
T1558.001
|
windows
|
Crafting Active Directory golden tickets with Rubeus
|
T1558.001
|
windows
|
Mount ISO image
|
T1553.005
|
windows
|
Mount an ISO image and run executable from the ISO
|
T1553.005
|
windows
|
Remove the Zone.Identifier alternate data stream
|
T1553.005
|
windows
|
Execute LNK file from ISO
|
T1553.005
|
windows
|
Create a user account on a Linux system
|
T1136.001
|
linux
|
Create a user account on a FreeBSD system
|
T1136.001
|
linux
|
Create a user account on a MacOS system
|
T1136.001
|
macos
|
Create a new user in a command prompt
|
T1136.001
|
windows
|
Create a new user in PowerShell
|
T1136.001
|
windows
|
Create a new user in Linux with `root` UID and GID.
|
T1136.001
|
linux
|
Create a new user in FreeBSD with `root` GID.
|
T1136.001
|
linux
|
Create a new Windows admin user
|
T1136.001
|
windows
|
Create a new Windows admin user via .NET
|
T1136.001
|
windows
|
CheckIfInstallable method call
|
T1218.004
|
windows
|
InstallHelper method call
|
T1218.004
|
windows
|
InstallUtil class constructor method call
|
T1218.004
|
windows
|
InstallUtil Install method call
|
T1218.004
|
windows
|
InstallUtil Uninstall method call - /U variant
|
T1218.004
|
windows
|
InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant
|
T1218.004
|
windows
|
InstallUtil HelpText method call
|
T1218.004
|
windows
|
InstallUtil evasive invocation
|
T1218.004
|
windows
|
RDP to DomainController
|
T1021.001
|
windows
|
Changing RDP Port to Non Standard Port via Powershell
|
T1021.001
|
windows
|
Changing RDP Port to Non Standard Port via Command_Prompt
|
T1021.001
|
windows
|
Disable NLA for RDP via Command Prompt
|
T1021.001
|
windows
|
Chrome/Chromium (Developer Mode)
|
T1176
|
linux, windows, macos
|
Chrome/Chromium (Chrome Web Store)
|
T1176
|
linux, windows, macos
|
Firefox
|
T1176
|
linux, windows, macos
|
Edge Chromium Addon - VPN
|
T1176
|
windows, macos
|
Google Chrome Load Unpacked Extension With Command Line
|
T1176
|
windows
|
Base64 Encoded data.
|
T1132.001
|
macos, linux
|
Base64 Encoded data (freebsd)
|
T1132.001
|
linux
|
XOR Encoded data.
|
T1132.001
|
windows
|
Malicious PAM rule
|
T1556.003
|
linux
|
Malicious PAM rule (freebsd)
|
T1556.003
|
linux
|
Malicious PAM module
|
T1556.003
|
linux
|
Search files of interest and save them to a single zip file (Windows)
|
T1005
|
windows
|
Find and dump sqlite databases (Linux)
|
T1005
|
linux
|
Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell
|
T1137.001
|
windows
|
Hidden Window
|
T1564.003
|
windows
|
Headless Browser Accessing Mockbin
|
T1564.003
|
windows
|
System Information Discovery
|
T1082
|
windows
|
System Information Discovery
|
T1082
|
macos
|
List OS Information
|
T1082
|
linux, macos
|
Linux VM Check via Hardware
|
T1082
|
linux
|
Linux VM Check via Kernel Modules
|
T1082
|
linux
|
FreeBSD VM Check via Kernel Modules
|
T1082
|
linux
|
Hostname Discovery (Windows)
|
T1082
|
windows
|
Hostname Discovery
|
T1082
|
linux, macos
|
Windows MachineGUID Discovery
|
T1082
|
windows
|
Griffon Recon
|
T1082
|
windows
|
Environment variables discovery on windows
|
T1082
|
windows
|
Environment variables discovery on freebsd, macos and linux
|
T1082
|
linux, macos
|
Show System Integrity Protection status (MacOS)
|
T1082
|
macos
|
WinPwn - winPEAS
|
T1082
|
windows
|
WinPwn - itm4nprivesc
|
T1082
|
windows
|
WinPwn - Powersploits privesc checks
|
T1082
|
windows
|
WinPwn - General privesc checks
|
T1082
|
windows
|
WinPwn - GeneralRecon
|
T1082
|
windows
|
WinPwn - Morerecon
|
T1082
|
windows
|
WinPwn - RBCD-Check
|
T1082
|
windows
|
WinPwn - PowerSharpPack - Watson searching for missing windows patches
|
T1082
|
windows
|
WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors
|
T1082
|
windows
|
WinPwn - PowerSharpPack - Seatbelt
|
T1082
|
windows
|
Azure Security Scan with SkyArk
|
T1082
|
azure-ad
|
Linux List Kernel Modules
|
T1082
|
linux
|
FreeBSD List Kernel Modules
|
T1082
|
linux
|
System Information Discovery with WMIC
|
T1082
|
windows
|
Driver Enumeration using DriverQuery
|
T1082
|
windows
|
System Information Discovery
|
T1082
|
windows
|
Check computer location
|
T1082
|
windows
|
BIOS Information Discovery through Registry
|
T1082
|
windows
|
ESXi - VM Discovery using ESXCLI
|
T1082
|
linux
|
ESXi - Darkside system information discovery
|
T1082
|
linux
|
HKLM - Add atomic_test key to launch executable as part of user setup
|
T1547.014
|
windows
|
HKLM - Add malicious StubPath value to existing Active Setup Entry
|
T1547.014
|
windows
|
HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number
|
T1547.014
|
windows
|
Query Registry
|
T1012
|
windows
|
Query Registry with Powershell cmdlets
|
T1012
|
windows
|
Enumerate COM Objects in Registry with Powershell
|
T1012
|
windows
|
Registry artefact when application use webcam
|
T1125
|
windows
|
Deobfuscate/Decode Files Or Information
|
T1140
|
windows
|
Certutil Rename and Decode
|
T1140
|
windows
|
Base64 decoding with Python
|
T1140
|
linux, macos
|
Base64 decoding with Perl
|
T1140
|
linux, macos
|
Base64 decoding with shell utilities
|
T1140
|
linux, macos
|
Base64 decoding with shell utilities (freebsd)
|
T1140
|
linux
|
FreeBSD b64encode Shebang in CLI
|
T1140
|
linux
|
Hex decoding with shell utilities
|
T1140
|
linux, macos
|
Linux Base64 Encoded Shebang in CLI
|
T1140
|
linux, macos
|
XOR decoding and command execution using Python
|
T1140
|
linux, macos
|
Enumeration for Credentials in Registry
|
T1552.002
|
windows
|
Enumeration for PuTTY Credentials in Registry
|
T1552.002
|
windows
|
Process Discovery - ps
|
T1057
|
linux, macos
|
Process Discovery - tasklist
|
T1057
|
windows
|
Process Discovery - Get-Process
|
T1057
|
windows
|
Process Discovery - get-wmiObject
|
T1057
|
windows
|
Process Discovery - wmic process
|
T1057
|
windows
|
Discover Specific Process - tasklist
|
T1057
|
windows
|
Run Chrome-password Collector
|
T1555.003
|
windows
|
Search macOS Safari Cookies
|
T1555.003
|
macos
|
LaZagne - Credentials from Browser
|
T1555.003
|
windows
|
Simulating access to Chrome Login Data
|
T1555.003
|
windows
|
Simulating access to Opera Login Data
|
T1555.003
|
windows
|
Simulating access to Windows Firefox Login Data
|
T1555.003
|
windows
|
Simulating access to Windows Edge Login Data
|
T1555.003
|
windows
|
Decrypt Mozilla Passwords with Firepwd.py
|
T1555.003
|
windows
|
LaZagne.py - Dump Credentials from Firefox Browser
|
T1555.003
|
linux
|
Stage Popular Credential Files for Exfiltration
|
T1555.003
|
windows
|
WinPwn - BrowserPwn
|
T1555.003
|
windows
|
WinPwn - Loot local Credentials - mimi-kittenz
|
T1555.003
|
windows
|
WinPwn - PowerSharpPack - Sharpweb for Browser Credentials
|
T1555.003
|
windows
|
Simulating Access to Chrome Login Data - MacOS
|
T1555.003
|
macos
|
WebBrowserPassView - Credentials from Browser
|
T1555.003
|
windows
|
BrowserStealer (Chrome / Firefox / Microsoft Edge)
|
T1555.003
|
windows
|
Dump Chrome Login Data with esentutl
|
T1555.003
|
windows
|
Print Processors
|
T1547.012
|
windows
|
Compiled HTML Help Local Payload
|
T1218.001
|
windows
|
Compiled HTML Help Remote Payload
|
T1218.001
|
windows
|
Invoke CHM with default Shortcut Command Execution
|
T1218.001
|
windows
|
Invoke CHM with InfoTech Storage Protocol Handler
|
T1218.001
|
windows
|
Invoke CHM Simulate Double click
|
T1218.001
|
windows
|
Invoke CHM with Script Engine and Help Topic
|
T1218.001
|
windows
|
Invoke CHM Shortcut Command with ITS and Help Topic
|
T1218.001
|
windows
|
Decompile Local CHM File
|
T1218.001
|
windows
|
Private Keys
|
T1552.004
|
windows
|
Discover Private SSH Keys
|
T1552.004
|
linux, macos
|
Copy Private SSH Keys with CP
|
T1552.004
|
linux
|
Copy Private SSH Keys with CP (freebsd)
|
T1552.004
|
linux
|
Copy Private SSH Keys with rsync
|
T1552.004
|
macos, linux
|
Copy Private SSH Keys with rsync (freebsd)
|
T1552.004
|
linux
|
Copy the users GnuPG directory with rsync
|
T1552.004
|
macos, linux
|
Copy the users GnuPG directory with rsync (freebsd)
|
T1552.004
|
linux
|
ADFS token signing and encryption certificates theft - Local
|
T1552.004
|
windows
|
ADFS token signing and encryption certificates theft - Remote
|
T1552.004
|
windows
|
CertUtil ExportPFX
|
T1552.004
|
windows
|
Export Root Certificate with Export-PFXCertificate
|
T1552.004
|
windows
|
Export Root Certificate with Export-Certificate
|
T1552.004
|
windows
|
Export Certificates with Mimikatz
|
T1552.004
|
windows
|
Copy a sensitive File over Administrative share with copy
|
T1039
|
windows
|
Copy a sensitive File over Administrative share with Powershell
|
T1039
|
windows
|
Persistence via WMI Event Subscription - CommandLineEventConsumer
|
T1546.003
|
windows
|
Persistence via WMI Event Subscription - ActiveScriptEventConsumer
|
T1546.003
|
windows
|
Windows MOFComp.exe Load MOF File
|
T1546.003
|
windows
|
ListCronjobs
|
T1053.007
|
containers
|
CreateCronjob
|
T1053.007
|
containers
|
Set Arbitrary Binary as Screensaver
|
T1546.002
|
windows
|
Windows - Discover domain trusts with dsquery
|
T1482
|
windows
|
Windows - Discover domain trusts with nltest
|
T1482
|
windows
|
Powershell enumerate domains and forests
|
T1482
|
windows
|
Adfind - Enumerate Active Directory OUs
|
T1482
|
windows
|
Adfind - Enumerate Active Directory Trusts
|
T1482
|
windows
|
Get-DomainTrust with PowerView
|
T1482
|
windows
|
Get-ForestTrust with PowerView
|
T1482
|
windows
|
TruffleSnout - Listing AD Infrastructure
|
T1482
|
windows
|
Safe Mode Boot
|
T1562.009
|
windows
|
chmod - Change file or folder mode (numeric mode)
|
T1222.002
|
linux, macos
|
chmod - Change file or folder mode (symbolic mode)
|
T1222.002
|
linux, macos
|
chmod - Change file or folder mode (numeric mode) recursively
|
T1222.002
|
linux, macos
|
chmod - Change file or folder mode (symbolic mode) recursively
|
T1222.002
|
linux, macos
|
chown - Change file or folder ownership and group
|
T1222.002
|
macos, linux
|
chown - Change file or folder ownership and group recursively
|
T1222.002
|
macos, linux
|
chown - Change file or folder mode ownership only
|
T1222.002
|
linux, macos
|
chown - Change file or folder ownership recursively
|
T1222.002
|
macos, linux
|
chattr - Remove immutable file attribute
|
T1222.002
|
macos, linux
|
chflags - Remove immutable file attribute
|
T1222.002
|
linux
|
Chmod through c script
|
T1222.002
|
macos, linux
|
Chmod through c script (freebsd)
|
T1222.002
|
linux
|
Chown through c script
|
T1222.002
|
macos, linux
|
Chown through c script (freebsd)
|
T1222.002
|
linux
|
Hook PowerShell TLS Encrypt/Decrypt Messages
|
T1056.004
|
windows
|
COM Hijacking - InprocServer32
|
T1546.015
|
windows
|
Powershell Execute COM Object
|
T1546.015
|
windows
|
COM Hijacking with RunDLL32 (Local Server Switch)
|
T1546.015
|
windows
|
COM hijacking via TreatAs
|
T1546.015
|
windows
|
Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
|
T1218.005
|
windows
|
Mshta executes VBScript to execute malicious command
|
T1218.005
|
windows
|
Mshta Executes Remote HTML Application (HTA)
|
T1218.005
|
windows
|
Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
|
T1218.005
|
windows
|
Invoke HTML Application - Jscript Engine Simulating Double Click
|
T1218.005
|
windows
|
Invoke HTML Application - Direct download from URI
|
T1218.005
|
windows
|
Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler
|
T1218.005
|
windows
|
Invoke HTML Application - JScript Engine with Inline Protocol Handler
|
T1218.005
|
windows
|
Invoke HTML Application - Simulate Lateral Movement over UNC Path
|
T1218.005
|
windows
|
Mshta used to Execute PowerShell
|
T1218.005
|
windows
|
Data Transfer Size Limits
|
T1030
|
macos, linux
|
Network-Based Data Transfer in Small Chunks
|
T1030
|
windows
|
Launch Agent
|
T1543.001
|
macos
|
Event Monitor Daemon Persistence
|
T1543.001
|
macos
|
Copy in loginwindow.plist for Re-Opened Applications
|
T1547.007
|
macos
|
Re-Opened Applications using LoginHook
|
T1547.007
|
macos
|
Append to existing loginwindow for Re-Opened Applications
|
T1547.007
|
macos
|
Plist Modification
|
T1647
|
macos
|
Persistence by modifying Windows Terminal profile
|
T1547.015
|
windows
|
Add macOS LoginItem using Applescript
|
T1547.015
|
macos
|
Copy and Delete Mailbox Data on Windows
|
T1070.008
|
windows
|
Copy and Delete Mailbox Data on Linux
|
T1070.008
|
linux
|
Copy and Delete Mailbox Data on macOS
|
T1070.008
|
macos
|
Copy and Modify Mailbox Data on Windows
|
T1070.008
|
windows
|
Copy and Modify Mailbox Data on Linux
|
T1070.008
|
linux
|
Copy and Modify Mailbox Data on macOS
|
T1070.008
|
macos
|
Basic Permission Groups Discovery Windows (Domain)
|
T1069.002
|
windows
|
Permission Groups Discovery PowerShell (Domain)
|
T1069.002
|
windows
|
Elevated group enumeration using net group (Domain)
|
T1069.002
|
windows
|
Find machines where user has local admin access (PowerView)
|
T1069.002
|
windows
|
Find local admins on all machines in domain (PowerView)
|
T1069.002
|
windows
|
Find Local Admins via Group Policy (PowerView)
|
T1069.002
|
windows
|
Enumerate Users Not Requiring Pre Auth (ASRepRoast)
|
T1069.002
|
windows
|
Adfind - Query Active Directory Groups
|
T1069.002
|
windows
|
Enumerate Active Directory Groups with Get-AdGroup
|
T1069.002
|
windows
|
Enumerate Active Directory Groups with ADSISearcher
|
T1069.002
|
windows
|
Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)
|
T1069.002
|
windows
|
Get-DomainGroupMember with PowerView
|
T1069.002
|
windows
|
Get-DomainGroup with PowerView
|
T1069.002
|
windows
|
Active Directory Enumeration with LDIFDE
|
T1069.002
|
windows
|
Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS
|
T1069.002
|
linux
|
Application Shim Installation
|
T1546.011
|
windows
|
New shim database files created in the default shim database directory
|
T1546.011
|
windows
|
Registry key creation and/or modification events for SDB
|
T1546.011
|
windows
|
Create Systemd Service
|
T1543.002
|
linux
|
Create SysV Service
|
T1543.002
|
linux
|
Create Systemd Service file, Enable the service , Modify and Reload the service.
|
T1543.002
|
linux
|
Rundll32 execute JavaScript Remote Payload With GetObject
|
T1218.011
|
windows
|
Rundll32 execute VBscript command
|
T1218.011
|
windows
|
Rundll32 execute VBscript command using Ordinal number
|
T1218.011
|
windows
|
Rundll32 advpack.dll Execution
|
T1218.011
|
windows
|
Rundll32 ieadvpack.dll Execution
|
T1218.011
|
windows
|
Rundll32 syssetup.dll Execution
|
T1218.011
|
windows
|
Rundll32 setupapi.dll Execution
|
T1218.011
|
windows
|
Execution of HTA and VBS Files using Rundll32 and URL.dll
|
T1218.011
|
windows
|
Launches an executable using Rundll32 and pcwutl.dll
|
T1218.011
|
windows
|
Execution of non-dll using rundll32.exe
|
T1218.011
|
windows
|
Rundll32 with Ordinal Value
|
T1218.011
|
windows
|
Rundll32 with Control_RunDLL
|
T1218.011
|
windows
|
Rundll32 with desk.cpl
|
T1218.011
|
windows
|
Running DLL with .init extension and function
|
T1218.011
|
windows
|
Rundll32 execute command via FileProtocolHandler
|
T1218.011
|
windows
|
Rubeus asreproast
|
T1558.004
|
windows
|
Get-DomainUser with PowerView
|
T1558.004
|
windows
|
WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
|
T1558.004
|
windows
|
Build Image On Host
|
T1612
|
containers
|
MSXSL Bypass using local files
|
T1220
|
windows
|
MSXSL Bypass using remote files
|
T1220
|
windows
|
WMIC bypass using local XSL file
|
T1220
|
windows
|
WMIC bypass using remote XSL file
|
T1220
|
windows
|
SyncAppvPublishingServer Signed Script PowerShell Command Execution
|
T1216
|
windows
|
manage-bde.wsf Signed Script Command Execution
|
T1216
|
windows
|
DNS over HTTPS Large Query Volume
|
T1572
|
windows
|
DNS over HTTPS Regular Beaconing
|
T1572
|
windows
|
DNS over HTTPS Long Domain Query
|
T1572
|
windows
|
run ngrok
|
T1572
|
windows
|
Install and Register Password Filter DLL
|
T1556.002
|
windows
|
List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux
|
T1217
|
linux
|
List Mozilla Firefox Bookmark Database Files on macOS
|
T1217
|
macos
|
List Google Chrome Bookmark JSON Files on macOS
|
T1217
|
macos
|
List Google Chromium Bookmark JSON Files on FreeBSD
|
T1217
|
linux
|
List Google Chrome / Opera Bookmarks on Windows with powershell
|
T1217
|
windows
|
List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt
|
T1217
|
windows
|
List Mozilla Firefox bookmarks on Windows with command prompt
|
T1217
|
windows
|
List Internet Explorer Bookmarks using the command prompt
|
T1217
|
windows
|
List Safari Bookmarks on MacOS
|
T1217
|
macos
|
Launch Daemon
|
T1543.004
|
macos
|
Display group policy information via gpresult
|
T1615
|
windows
|
Get-DomainGPO to display group policy information via PowerView
|
T1615
|
windows
|
WinPwn - GPOAudit
|
T1615
|
windows
|
WinPwn - GPORemoteAccessPolicy
|
T1615
|
windows
|
MSFT Get-GPO Cmdlet
|
T1615
|
windows
|
Execute a Command as a Service
|
T1569.002
|
windows
|
Use PsExec to execute a command on a remote host
|
T1569.002
|
windows
|
psexec.py (Impacket)
|
T1569.002
|
linux
|
BlackCat pre-encryption cmds with Lateral Movement
|
T1569.002
|
windows
|
Use RemCom to execute a command on a remote host
|
T1569.002
|
windows
|
Snake Malware Service Create
|
T1569.002
|
windows
|
Thread Execution Hijacking
|
T1055.003
|
windows
|
System Network Connections Discovery
|
T1049
|
windows
|
System Network Connections Discovery with PowerShell
|
T1049
|
windows
|
System Network Connections Discovery FreeBSD, Linux & MacOS
|
T1049
|
linux, macos
|
System Discovery using SharpView
|
T1049
|
windows
|
Encrypt files using gpg (FreeBSD/Linux)
|
T1486
|
linux
|
Encrypt files using 7z (FreeBSD/Linux)
|
T1486
|
linux
|
Encrypt files using ccrypt (FreeBSD/Linux)
|
T1486
|
linux
|
Encrypt files using openssl (FreeBSD/Linux)
|
T1486
|
linux
|
PureLocker Ransom Note
|
T1486
|
windows
|
Encrypt files using 7z utility - macOS
|
T1486
|
macos
|
Encrypt files using openssl utility - macOS
|
T1486
|
macos
|
Data Encrypted with GPG4Win
|
T1486
|
windows
|
Data Encrypt Using DiskCryptor
|
T1486
|
windows
|
DCSync (Active Directory)
|
T1003.006
|
windows
|
Run DSInternals Get-ADReplAccount
|
T1003.006
|
windows
|
Shellcode execution via VBA
|
T1055
|
windows
|
Remote Process Injection in LSASS via mimikatz
|
T1055
|
windows
|
Section View Injection
|
T1055
|
windows
|
Dirty Vanity process Injection
|
T1055
|
windows
|
Read-Write-Execute process Injection
|
T1055
|
windows
|
Process Injection with Go using UuidFromStringA WinAPI
|
T1055
|
windows
|
Process Injection with Go using EtwpCreateEtwThread WinAPI
|
T1055
|
windows
|
Remote Process Injection with Go using RtlCreateUserThread WinAPI
|
T1055
|
windows
|
Remote Process Injection with Go using CreateRemoteThread WinAPI
|
T1055
|
windows
|
Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)
|
T1055
|
windows
|
Process Injection with Go using CreateThread WinAPI
|
T1055
|
windows
|
Process Injection with Go using CreateThread WinAPI (Natively)
|
T1055
|
windows
|
UUID custom process Injection
|
T1055
|
windows
|
Dynamic API Resolution-Ninja-syscall
|
T1027.007
|
windows
|
Network Share Discovery
|
T1135
|
macos
|
Network Share Discovery - linux
|
T1135
|
linux
|
Network Share Discovery - FreeBSD
|
T1135
|
linux
|
Network Share Discovery command prompt
|
T1135
|
windows
|
Network Share Discovery PowerShell
|
T1135
|
windows
|
View available share drives
|
T1135
|
windows
|
Share Discovery with PowerView
|
T1135
|
windows
|
PowerView ShareFinder
|
T1135
|
windows
|
WinPwn - shareenumeration
|
T1135
|
windows
|
Network Share Discovery via dir command
|
T1135
|
windows
|
System File Copied to Unusual Location
|
T1036
|
windows
|
Malware Masquerading and Execution from Zip File
|
T1036
|
windows
|
Deploy container using nsenter container escape
|
T1611
|
containers
|
Mount host filesystem to escape privileged Docker container
|
T1611
|
containers
|
Shutdown System - Windows
|
T1529
|
windows
|
Restart System - Windows
|
T1529
|
windows
|
Restart System via `shutdown` - FreeBSD/macOS/Linux
|
T1529
|
linux, macos
|
Shutdown System via `shutdown` - FreeBSD/macOS/Linux
|
T1529
|
linux, macos
|
Restart System via `reboot` - FreeBSD/macOS/Linux
|
T1529
|
linux, macos
|
Shutdown System via `halt` - FreeBSD/Linux
|
T1529
|
linux
|
Reboot System via `halt` - FreeBSD
|
T1529
|
linux
|
Reboot System via `halt` - Linux
|
T1529
|
linux
|
Shutdown System via `poweroff` - FreeBSD/Linux
|
T1529
|
linux
|
Reboot System via `poweroff` - FreeBSD
|
T1529
|
linux
|
Reboot System via `poweroff` - Linux
|
T1529
|
linux
|
Logoff System - Windows
|
T1529
|
windows
|
ESXi - Terminates VMs using pkill
|
T1529
|
linux
|
ESXi - Avoslocker enumerates VMs and forcefully kills VMs
|
T1529
|
linux
|
Windows Disable LSA Protection
|
T1562
|
windows
|
Disable journal logging via systemctl utility
|
T1562
|
linux
|
Disable journal logging via sed utility
|
T1562
|
linux
|
Windows - Overwrite file with SysInternals SDelete
|
T1485
|
windows
|
FreeBSD/macOS/Linux - Overwrite file with DD
|
T1485
|
linux, macos
|
Overwrite deleted data on C drive
|
T1485
|
windows
|
GCP - Delete Bucket
|
T1485
|
iaas:gcp
|
Search Through Bash History
|
T1552.003
|
linux, macos
|
Search Through sh History
|
T1552.003
|
linux
|
Windows - Delete Volume Shadow Copies
|
T1490
|
windows
|
Windows - Delete Volume Shadow Copies via WMI
|
T1490
|
windows
|
Windows - wbadmin Delete Windows Backup Catalog
|
T1490
|
windows
|
Windows - Disable Windows Recovery Console Repair
|
T1490
|
windows
|
Windows - Delete Volume Shadow Copies via WMI with PowerShell
|
T1490
|
windows
|
Windows - Delete Backup Files
|
T1490
|
windows
|
Windows - wbadmin Delete systemstatebackup
|
T1490
|
windows
|
Windows - Disable the SR scheduled task
|
T1490
|
windows
|
Disable System Restore Through Registry
|
T1490
|
windows
|
Windows - vssadmin Resize Shadowstorage Volume
|
T1490
|
windows
|
Modify VSS Service Permissions
|
T1490
|
windows
|
Disable Time Machine
|
T1490
|
macos
|
Process Injection via Extra Window Memory (EWM) x64 executable
|
T1055.011
|
windows
|
AWS - Retrieve EC2 Password Data using stratus
|
T1552
|
linux, macos, iaas:aws
|
Malicious User Agents - Powershell
|
T1071.001
|
windows
|
Malicious User Agents - CMD
|
T1071.001
|
windows
|
Malicious User Agents - Nix
|
T1071.001
|
linux, macos
|
Stage data from Discovery.bat
|
T1074.001
|
windows
|
Stage data from Discovery.sh
|
T1074.001
|
linux, macos
|
Zip a Folder with PowerShell for Staging in Temp
|
T1074.001
|
windows
|
Enable Apple Remote Desktop Agent
|
T1021.005
|
macos
|
Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry
|
T1547.005
|
windows
|
Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry
|
T1547.005
|
windows
|
Compile After Delivery using csc.exe
|
T1027.004
|
windows
|
Dynamic C# Compile
|
T1027.004
|
windows
|
C compile
|
T1027.004
|
linux, macos
|
CC compile
|
T1027.004
|
linux, macos
|
Go compile
|
T1027.004
|
linux, macos
|
Extract binary files via VBA
|
T1564
|
windows
|
Create a Hidden User Called "$"
|
T1564
|
windows
|
Create an "Administrator " user (with a space on the end)
|
T1564
|
windows
|
Create and Hide a Service with sc.exe
|
T1564
|
windows
|
Command Execution with NirCmd
|
T1564
|
windows
|
DLL Search Order Hijacking - amsi.dll
|
T1574.001
|
windows
|
Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt
|
T1547.008
|
windows
|
Msiexec.exe - Execute Local MSI file with embedded JScript
|
T1218.007
|
windows
|
Msiexec.exe - Execute Local MSI file with embedded VBScript
|
T1218.007
|
windows
|
Msiexec.exe - Execute Local MSI file with an embedded DLL
|
T1218.007
|
windows
|
Msiexec.exe - Execute Local MSI file with an embedded EXE
|
T1218.007
|
windows
|
WMI Win32_Product Class - Execute Local MSI file with embedded JScript
|
T1218.007
|
windows
|
WMI Win32_Product Class - Execute Local MSI file with embedded VBScript
|
T1218.007
|
windows
|
WMI Win32_Product Class - Execute Local MSI file with an embedded DLL
|
T1218.007
|
windows
|
WMI Win32_Product Class - Execute Local MSI file with an embedded EXE
|
T1218.007
|
windows
|
Msiexec.exe - Execute the DllRegisterServer function of a DLL
|
T1218.007
|
windows
|
Msiexec.exe - Execute the DllUnregisterServer function of a DLL
|
T1218.007
|
windows
|
Msiexec.exe - Execute Remote MSI file
|
T1218.007
|
windows
|
ICMP C2
|
T1095
|
windows
|
Netcat C2
|
T1095
|
windows
|
Powercat C2
|
T1095
|
windows
|
Add Port Monitor persistence in Registry
|
T1547.010
|
windows
|
Office365 - Email Forwarding
|
T1114.003
|
office-365
|
AppleScript
|
T1059.002
|
macos
|
Mimikatz Kerberos Ticket Attack
|
T1550.003
|
windows
|
Rubeus Kerberos Pass The Ticket
|
T1550.003
|
windows
|
Discover System Language by Registry Query
|
T1614.001
|
windows
|
Discover System Language with chcp
|
T1614.001
|
windows
|
Discover System Language with locale
|
T1614.001
|
linux
|
Discover System Language with localectl
|
T1614.001
|
linux
|
Discover System Language by locale file
|
T1614.001
|
linux
|
Discover System Language by Environment Variable Query
|
T1614.001
|
linux
|
Code Executed Via Excel Add-in File (XLL)
|
T1137.006
|
windows
|
Persistent Code Execution Via Excel Add-in File (XLL)
|
T1137.006
|
windows
|
Persistent Code Execution Via Word Add-in File (WLL)
|
T1137.006
|
windows
|
Persistent Code Execution Via Excel VBA Add-in File (XLAM)
|
T1137.006
|
windows
|
Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM)
|
T1137.006
|
windows
|
Add Federation to Azure AD
|
T1484.002
|
azure-ad
|
Regasm Uninstall Method Call Test
|
T1218.009
|
windows
|
Regsvcs Uninstall Method Call Test
|
T1218.009
|
windows
|
List All Secrets
|
T1552.007
|
containers
|
ListSecrets
|
T1552.007
|
containers
|
Cat the contents of a Kubernetes service account token file
|
T1552.007
|
linux
|
Install AppInit Shim
|
T1546.010
|
windows
|
Password Cracking with Hashcat
|
T1110.002
|
windows
|
Extract Windows Credential Manager via VBA
|
T1555
|
windows
|
Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]
|
T1555
|
windows
|
Dump credentials from Windows Credential Manager With PowerShell [web Credentials]
|
T1555
|
windows
|
Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]
|
T1555
|
windows
|
Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]
|
T1555
|
windows
|
WinPwn - Loot local Credentials - lazagne
|
T1555
|
windows
|
WinPwn - Loot local Credentials - Wifi Credentials
|
T1555
|
windows
|
WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
|
T1555
|
windows
|
System Service Discovery
|
T1007
|
windows
|
System Service Discovery - net.exe
|
T1007
|
windows
|
System Service Discovery - systemctl/service
|
T1007
|
linux
|
Azure - Search Azure AD User Attributes for Passwords
|
T1552.005
|
azure-ad
|
Azure - Dump Azure Instance Metadata from Virtual Machines
|
T1552.005
|
iaas:azure
|
Azure - Dump Subscription Data with MicroBurst
|
T1526
|
iaas:azure
|
Masquerading as Windows LSASS process
|
T1036.003
|
windows
|
Masquerading as FreeBSD or Linux crond process.
|
T1036.003
|
linux
|
Masquerading - cscript.exe running as notepad.exe
|
T1036.003
|
windows
|
Masquerading - wscript.exe running as svchost.exe
|
T1036.003
|
windows
|
Masquerading - powershell.exe running as taskhostw.exe
|
T1036.003
|
windows
|
Masquerading - non-windows exe running as windows exe
|
T1036.003
|
windows
|
Masquerading - windows exe running as different windows exe
|
T1036.003
|
windows
|
Malicious process Masquerading as LSM.exe
|
T1036.003
|
windows
|
File Extension Masquerading
|
T1036.003
|
windows
|
EXO - Full access mailbox permission granted to a user
|
T1098.002
|
office-365
|
C2 Data Exfiltration
|
T1041
|
windows
|
Text Based Data Exfiltration using DNS subdomains
|
T1041
|
windows
|
GPP Passwords (findstr)
|
T1552.006
|
windows
|
GPP Passwords (Get-GPPPassword)
|
T1552.006
|
windows
|
using device audio capture commandlet
|
T1123
|
windows
|
Registry artefact when application use microphone
|
T1123
|
windows
|
using Quicktime Player
|
T1123
|
macos
|