| Technique | Test Name | GUID |
|---|---|---|
| T1562.001 | Disable Windows Defender with DISM | 871438ac-7d6e-432a-b27d-3e7db69faf58 |
| T1560.001 | Compress Data and lock with password for Exfiltration with 7zip | d1334303-59cb-4a03-8313-b3e24d02c198 |
| T1558.004 | WinPwn - PowerSharpPack - Kerberoasting Using Rubeus | 8c385f88-4d47-4c9a-814d-93d9deec8c71 |
| T1558.004 | Rubeus asreproast | 615bd568-2859-41b5-9aed-61f6a88e48dd |
| T1558.003 | WinPwn - PowerSharpPack - Kerberoasting Using Rubeus | 29094950-2c96-4cbd-b5e4-f7c65079678f |
| T1558.003 | Extract all accounts in use as SPN using setspn | e6f4affd-d826-4871-9a62-6c9004b8fe06 |
| T1558.003 | Rubeus kerberoast | 14625569-6def-4497-99ac-8e7817105b55 |
| T1555.004 | WinPwn - Loot local Credentials - Invoke-WCMDump | fa714db1-63dd-479e-a58e-7b2b52ca5997 |
| T1555.003 | WinPwn - PowerSharpPack - Sharpweb for Browser Credentials | e5e3d639-6ea8-4408-9ecd-d5a286268ca0 |
| T1552.006 | GPP Passwords (findstr) | 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f |
| T1552.004 | Private Keys | 520ce462-7ca7-441e-b5a5-f8347f632696 |
| T1552.001 | List Credential Files via Command Prompt | b0cdacf6-8949-4ffe-9274-a9643a788e55 |
| T1550.003 | Mimikatz Kerberos Ticket Attack | dbf38128-7ba7-4776-bedf-cc2eed432098 |
| T1550.002 | Mimikatz Pass the Hash | ec23cef9-27d9-46e4-a68d-6f75f7b86908 |
| T1548.002 | WinPwn - UAC Bypass DccwBypassUAC technique | 2b61977b-ae2d-4ae4-89cb-5c36c89586be |
| T1548.002 | Bypass UAC by Mocking Trusted Directories | f7a35090-6f7f-4f64-bb47-d657bf5b10c1 |
| T1546.003 | Windows MOFComp.exe Load MOF File | 29786d7e-8916-4de6-9c55-be7b093b2706 |
| T1543.003 | Remote Service Installation CMD | fb4151a2-db33-4f8c-b7f8-78ea8790f961 |
| T1531 | Delete User - Windows | f21a1d7d-a62f-442a-8c3a-2440d43b19e5 |
| T1531 | Change User Password - Windows | 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2 |
| T1529 | ESXi - vim-cmd Used to Power Off VMs | 622cc1a0-45e7-428c-aed7-c96dd605fbe6 |
| T1529 | ESXi - Avoslocker enumerates VMs and forcefully kills VMs | 189f7d6e-9442-4160-9bc3-5e4104d93ece |
| T1529 | ESXi - Terminates VMs using pkill | 987c9b4d-a637-42db-b1cb-e9e242c3991b |
| T1518.001 | Get Windows Defender exclusion settings using WMIC | e31564c8-4c60-40cd-a8f4-9261307e8336 |
| T1505.004 | Install IIS Module using AppCmd.exe | 53adbdfa-8200-490c-871c-d3b1ab3324b2 |
| T1491.001 | ESXi - Change Welcome Message on Direct Console User Interface (DCUI) | 30905f21-34f3-4504-8b4c-f7a5e314b810 |
| T1485 | ESXi - Delete VM Snapshots | 1207ddff-f25b-41b3-aa0e-7c26d2b546d1 |
| T1485 | Windows - Overwrite file with SysInternals SDelete | 476419b5-aebf-4366-a131-ae3e8dae5fc2 |
| T1482 | TruffleSnout - Listing AD Infrastructure | ea1b4f2d-5b82-4006-b64f-f2845608a3bf |
| T1482 | Adfind - Enumerate Active Directory OUs | d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec |
| T1219 | GoToAssist Files Detected Test on Windows | 1b72b3bd-72f8-4b63-a30b-84e91b9c3578 |
| T1219 | AnyDesk Files Detected Test on Windows | 6b8b7391-5c0a-4f8c-baee-78d8ce0ce330 |
| T1218.011 | Rundll32 with Control_RunDLL | e4c04b6f-c492-4782-82c7-3bf75eb8077e |
| T1218.011 | Rundll32 with Ordinal Value | 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0 |
| T1218.011 | Execution of non-dll using rundll32.exe | ae3a8605-b26e-457c-b6b3-2702fd335bac |
| T1218.011 | Rundll32 setupapi.dll Execution | 71d771cd-d6b3-4f34-bc76-a63d47a10b19 |
| T1218.011 | Rundll32 syssetup.dll Execution | 41fa324a-3946-401e-bbdd-d7991c628125 |
| T1218.011 | Rundll32 ieadvpack.dll Execution | 5e46a58e-cbf6-45ef-a289-ed7754603df9 |
| T1218.011 | Rundll32 advpack.dll Execution | d91cae26-7fc1-457b-a854-34c8aad48c89 |
| T1218.011 | Rundll32 execute VBscript command using Ordinal number | 32d1cf1b-cbc2-4c09-8d05-07ec5c83a821 |
| T1218.010 | Regsvr32 Registering Non DLL | 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421 |
| T1218.010 | Regsvr32 remote COM scriptlet execution | c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36 |
| T1218.010 | Regsvr32 local COM scriptlet execution | 449aa403-6aba-47ce-8a37-247d21ef0306 |
| T1218.008 | Odbcconf.exe - Load Response File | 331ce274-f9c9-440b-9f8c-a1006e1fce0b |
| T1218.008 | Odbcconf.exe - Execute Arbitrary DLL | 2430498b-06c0-4b92-a448-8ad263c388e2 |
| T1218.007 | Msiexec.exe - Execute Remote MSI file | 44a4bedf-ffe3-452e-bee4-6925ab125662 |
| T1218.007 | Msiexec.exe - Execute the DllUnregisterServer function of a DLL | ab09ec85-4955-4f9c-b8e0-6851baf4d47f |
| T1218.007 | Msiexec.exe - Execute the DllRegisterServer function of a DLL | 0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d |
| T1218.001 | Decompile Local CHM File | 20cb05e0-1fa5-406d-92c1-84da4ba01813 |
| T1218.001 | Invoke CHM Shortcut Command with ITS and Help Topic | 15756147-7470-4a83-87fb-bb5662526247 |
| T1218.001 | Compiled HTML Help Remote Payload | 0f8af516-9818-4172-922b-42986ef1e81d |
| T1218.001 | Compiled HTML Help Local Payload | 5cb87818-0d7c-4469-b7ef-9224107aebe8 |
| T1218 | DiskShadow Command Execution | 0e1483ba-8f0c-425d-b8c6-42736e058eaa |
| T1218 | Renamed Microsoft.Workflow.Compiler.exe Payload Executions | 4cc40fd7-87b8-4b16-b2d7-57534b86b911 |
| T1218 | mavinject - Inject DLL into running process | c426dacf-575d-4937-8611-a148a86a5e61 |
| T1216 | SyncAppvPublishingServer Signed Script PowerShell Command Execution | 275d963d-3f36-476c-8bef-a2a3960ee6eb |
| T1201 | Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy | b2698b33-984c-4a1c-93bb-e4ba72a0babb |
| T1201 | Examine domain password policy - Windows | 46c2c362-2679-4ef5-aec9-0e958e135be4 |
| T1197 | Bits download using desktopimgdownldr.exe (cmd) | afb5e09e-e385-4dee-9a94-6ee60979d114 |
| T1197 | Bitsadmin Download (PowerShell) | f63b8bc4-07e5-4112-acba-56f646f3f0bc |
| T1197 | Bitsadmin Download (cmd) | 3c73d728-75fb-4180-a12f-6712864d7421 |
| T1195 | Octopus Scanner Malware Open Source Supply Chain | 82a9f001-94c5-495e-9ed5-f530dbded5e2 |
| T1187 | WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS | 7f06b25c-799e-40f1-89db-999c9cc84317 |
| T1136.002 | Create a new account similar to ANONYMOUS LOGON | dc7726d2-8ccb-4cc6-af22-0d5afb53a548 |
| T1136.002 | Create a new Windows domain admin user | fcec2963-9951-4173-9bfa-98d8b7834e62 |
| T1136.001 | Create a new Windows admin user via .NET | 2170d9b5-bacd-4819-a952-da76dae0815f |
| T1136.001 | Create a new Windows admin user | fda74566-a604-4581-a4cc-fbbe21d66559 |
| T1136.001 | Create a new user in a command prompt | 6657864e-0323-4206-9344-ac9cd7265a4f |
| T1134.005 | Injection SID-History with mimikatz | 6bef32e5-9456-4072-8f14-35566fb85401 |
| T1134.002 | WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique | ccf4ac39-ec93-42be-9035-90e2f26bcd92 |
| T1129 | ESXi - Install a custom VIB on an ESXi host | 7f843046-abf2-443f-b880-07a83cf968ec |
| T1124 | System Time Discovery W32tm as a Delay | d5d5a6b0-0f92-42d8-985d-47aafa2dd4db |
| T1114.001 | Email Collection with PowerShell Get-Inbox | 3f1b5096-0139-4736-9b78-19bcb02bb1cb |
| T1112 | Flush Shimcache | ecbd533e-b45d-4239-aeff-b857c6f6d68b |
| T1112 | Change Powershell Execution Policy to Bypass | f3a6cceb-06c9-48e5-8df8-8867a6814245 |
| T1110.002 | Password Cracking with Hashcat | 6d27df5d-69d4-4c91-bc33-5983ffe91692 |
| T1110.001 | ESXi - Brute Force Until Account Lockout | ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5 |
| T1106 | WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique | e1f93a06-1649-4f07-89a8-f57279a7d60e |
| T1106 | WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique | 7ec5b74e-8289-4ff2-a162-b6f286a33abd |
| T1106 | WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique | ce4e76e6-de70-4392-9efe-b281fc2b4087 |
| T1105 | Arbitrary file download using the Notepad++ GUP.exe binary | 66ee226e-64cb-4dae-80e3-5bf5763e4a51 |
| T1105 | Nimgrab - Transfer Files | b1729c57-9384-4d1c-9b99-9b220afb384e |
| T1105 | File Download via PowerShell | 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 |
| T1105 | Windows - PowerShell Download | 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8 |
| T1105 | Windows - BITSAdmin BITS Download | a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b |
| T1105 | certutil download (urlcache) | dd3b61dd-7bbc-48cd-ab51-49ad1a776df0 |
| T1095 | Powercat C2 | 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e |
| T1095 | ICMP C2 | 0268e63c-e244-42db-bef7-72a9e59fc1fc |
| T1087.002 | Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope | ffbcfd62-15d6-4989-a21a-80bfc8e58bb5 |
| T1087.002 | Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property | 6e85bdf9-7bc4-4259-ac0f-f0cb39964443 |
| T1087.002 | Suspicious LAPS Attributes Query with Get-ADComputer all properties | 394012d9-2164-4d4f-b9e5-acf30ba933fe |
| T1087.002 | Enumerate Default Domain Admin Details (Domain) | c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef |
| T1087.002 | Adfind - Enumerate Active Directory User Objects | e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 |
| T1087.002 | Enumerate logged on users via CMD (Domain) | 161dcd85-d014-4f5e-900c-d3eaae82a0f7 |
| T1087.002 | Enumerate all accounts (Domain) | 6fbc9e68-5ad7-444a-bd11-8bf3136c477e |
| T1087.001 | ESXi - Local Account Discovery via ESXCLI | 9762ac6e-aa60-4449-a2f0-cbbd0e1fd22c |
| T1087.001 | Enumerate logged on users via CMD (Local) | a138085e-bfe5-46ba-a242-74a6fb884af3 |
| T1083 | ESXi - Enumerate VMDKs available on an ESXi Host | 4a233a40-caf7-4cf1-890a-c6331bbc72cf |
| T1082 | ESXi - Darkside system information discovery | f89812e5-67d1-4f49-86fa-cbc6609ea86a |
| T1082 | ESXi - VM Discovery using ESXCLI | 2040405c-eea6-4c1c-aef3-c2acc430fac9 |
| T1082 | WinPwn - PowerSharpPack - Seatbelt | 5c16ceb4-ba3a-43d7-b848-a13c1f216d95 |
| T1082 | WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors | efb79454-1101-4224-a4d0-30c9c8b29ffc |
| T1082 | WinPwn - PowerSharpPack - Watson searching for missing windows patches | 07b18a66-6304-47d2-bad0-ef421eb2e107 |
| T1078.003 | Use PsExec to elevate to NT Authority\SYSTEM account | 6904235f-0f55-4039-8aed-41c300ff7733 |
| T1078.001 | Activate Guest Account | aa6cb8c4-b582-4f8e-b677-37733914abda |
| T1071.004 | DNS C2 | e7bf9802-2e78-4db9-93b5-181b7bcd37d7 |
| T1070.004 | Clears Recycle bin via rd | f723d13d-48dc-4317-9990-cf43a9ac0bf2 |
| T1070.004 | Delete an entire folder - Windows cmd | ded937c4-2add-42f7-9c2c-c742b7a98698 |
| T1069.002 | Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) | 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8 |
| T1069.002 | Enumerate Active Directory Groups with Get-AdGroup | 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8 |
| T1069.002 | Adfind - Query Active Directory Groups | 48ddc687-82af-40b7-8472-ff1e742e8274 |
| T1069.002 | Permission Groups Discovery PowerShell (Domain) | 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7 |
| T1069.001 | WMIObject Group Discovery | 69119e58-96db-4110-ad27-954e48f3bb13 |
| T1069.001 | Wmic Group Discovery | 7413be50-be8e-430f-ad4d-07bf197884b2 |
| T1069.001 | SharpHound3 - LocalAdmin | e03ada14-0980-4107-aff1-7783b2b59bb1 |
| T1069.001 | Basic Permission Groups Discovery Windows (Local) | 1f454dd6-e134-44df-bebb-67de70fb6cd8 |
| T1059.001 | SOAPHound - Build Cache | 4099086c-1470-4223-8085-8186e1ed5948 |
| T1059.001 | SOAPHound - Dump BloodHound Data | 6a5b2a50-d037-4879-bf01-43d4d6cbf73f |
| T1059.001 | ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments | 0d181431-ddf3-4826-8055-2dbf63ae848b |
| T1059.001 | ATHPowerShellCommandLineParameter -EncodedCommand parameter variations | 86a43bad-12e3-4e85-b97c-4d5cf25b95c3 |
| T1059.001 | ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments | 1c0a870f-dc74-49cf-9afc-eccc45e58790 |
| T1059.001 | ATHPowerShellCommandLineParameter -Command parameter variations | 686a9785-f99b-41d4-90df-66ed515f81d7 |
| T1059.001 | Powershell invoke mshta.exe download | 8a2ad40b-12c7-4b25-8521-2737b0a415af |
| T1059.001 | Powershell MsXml COM object - with prompt | 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da |
| T1059.001 | Invoke-AppPathBypass | 06a220b6-7e29-4bd8-9d07-5b4d86742372 |
| T1059.001 | Mimikatz | f3132740-55bc-48c4-bcc0-758a459cd027 |
| T1059 | AutoIt Script Execution | a9b93f17-31cb-435d-a462-5e838a2a6026 |
| T1055.001 | WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique | 8b56f787-73d9-4f1d-87e8-d07e89cbc7f5 |
| T1053.005 | Scheduled Task ("Ghost Task") via Registry Key Manipulation | 704333ca-cc12-4bcf-9916-101844881f54 |
| T1053.005 | Scheduled task Remote | 2e5eac3e-327b-4a88-a0c0-c4057039a8dd |
| T1053.005 | Scheduled Task Startup Script | fec27f65-db86-4c2d-b66c-61945aee87c2 |
| T1049 | System Network Connections Discovery with PowerShell | f069f0f1-baad-4831-aa2b-eddac4baac4a |
| T1048.002 | Exfiltrate data HTTPS using curl windows | 1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0 |
| T1047 | Application uninstall using WMIC | c510d25b-1667-467d-8331-a56d3e9bc4ff |
| T1047 | WMI Execute rundll32 | 00738d2a-4651-4d76-adf2-c43a41dfb243 |
| T1047 | Create a Process using WMI Query and an Encoded Command | 7db7a7f9-9531-4840-9b30-46220135441c |
| T1047 | WMI Execute Remote Process | 9c8ef159-c666-472f-9874-90c8d60d136b |
| T1047 | WMI Execute Local Process | b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3 |
| T1047 | WMI Reconnaissance List Remote Services | 0fd48ef7-d890-4e93-a533-f7dedd5191d3 |
| T1047 | WMI Reconnaissance Users | c107778c-dcf5-47c5-af2e-1d058a3df3ea |
| T1036.004 | Creating W32Time similar named service using schtasks | f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9 |
| T1036.003 | Masquerading - wscript.exe running as svchost.exe | 24136435-c91a-4ede-9da1-8b284a1c1a23 |
| T1033 | GetCurrent User with PowerShell Script | 1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b |
| T1021.004 | ESXi - Enable SSH via VIM-CMD | 280812c8-4dae-43e9-a74e-1d08ab997c0e |
| T1021.003 | PowerShell Lateral Movement using MMC20 | 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673 |
| T1021.002 | Execute command writing output to local Admin Share | d41aaab5-bdfe-431d-a3d5-c29e9136ff46 |
| T1021.002 | Copy and Execute File with PsExec | 0eb03d41-79e4-4393-8e57-6344856be1cf |
| T1021.002 | Map admin share | 3386975b-367a-4fbb-9d77-4dcf3639ffd3 |
| T1018 | Remote System Discovery - net group Domain Controller | 5843529a-5056-4bc1-9c13-a311e2af4ca0 |
| T1018 | Get-WmiObject to Enumerate Domain Controllers | e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad |
| T1018 | Enumerate Active Directory Computers with Get-AdComputer | 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf |
| T1018 | Adfind - Enumerate Active Directory Computer Objects | a889f5be-2d54-4050-bd05-884578748bb4 |
| T1018 | Remote System Discovery - nltest | 52ab5108-3f6f-42fb-8ba3-73bc054f22c8 |
| T1018 | Remote System Discovery - net group Domain Computers | f1bf6c8f-9016-4edf-aff9-80b65f5d711f |
| T1018 | Remote System Discovery - net | 85321a9c-897f-4a60-9f20-29788e50bccd |
| T1016 | DNS Server Discovery Using nslookup | 34557863-344a-468f-808b-a1bfb89b4fa9 |
| T1016 | Adfind - Enumerate Active Directory Subnet Objects | 9bb45dd7-c466-4f93-83a1-be30e56033ee |
| T1003.006 | DCSync (Active Directory) | 129efd28-8497-4c87-a1b0-73b9a870ca3e |
| T1003.004 | Dump Kerberos Tickets from LSA using dumper.ps1 | 2dfa3bff-9a27-46db-ab75-7faefdaca732 |
| T1003.004 | Dumping LSA Secrets | 55295ab0-a703-433b-9ca4-ae13807de12f |
| T1003.003 | Create Volume Shadow Copy with diskshadow | b385996c-0e7d-4e27-95a4-aca046b119a7 |
| T1003.003 | Create Symlink to Volume Shadow Copy | 21748c28-2793-4284-9e07-d6d028b66702 |
| T1003.003 | Create Volume Shadow Copy remotely (WMI) with esentutl | 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865 |
| T1003.003 | Create Volume Shadow Copy remotely with WMI | d893459f-71f0-484d-9808-ec83b2b64226 |
| T1003.003 | Create Volume Shadow Copy with WMI | 224f7de0-8f0a-4a94-b5d8-989b036c86da |
| T1003.003 | Copy NTDS.dit from Volume Shadow Copy | c6237146-9ea6-4711-85c9-c56d263a6b03 |
| T1003.003 | Create Volume Shadow Copy with vssadmin | dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f |
| T1003.002 | dump volume shadow copy hives with certutil | eeb9751a-d598-42d3-b11c-c122d9c3f6c7 |
| T1003.002 | esentutl.exe SAM copy | a90c2f4d-6726-444e-99d2-a00cd7c20480 |
| T1003.002 | Registry dump of SAM, creds, and secrets | 5c2571d0-1572-416d-9676-812e64ca9f44 |
| T1003.001 | Powershell Mimikatz | 66fb0bc1-3c3f-47e9-a298-550ecfefacbc |
| T1562.001 | Kill antimalware protected processes using Backstab | 24a12b91-05a7-4deb-8d7f-035fa98591bc |
| T1562.001 | Uninstall Crowdstrike Falcon on Windows | b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297 |
| T1562.001 | Remove Windows Defender Definition Files | 3d47daaa-2f56-43e0-94cc-caf5d8d52a68 |
| T1562.001 | Tamper with Windows Defender Command Prompt | aa875ed4-8935-47e2-b2c5-6ec00ab220d2 |
| T1562.001 | Disable Arbitrary Security Windows Service | a1230893-56ac-4c81-b644-2108e982f8f5 |
| T1562.001 | AMSI Bypass - AMSI InitFailed | 695eed40-e949-40e5-b306-b4031e4154bd |
| T1562.001 | Unload Sysmon Filter Driver | 811b3e76-c41b-430c-ac0d-e2380bfaa164 |
| T1562 | Windows Disable LSA Protection | 40075d5f-3a70-4c66-9125-f72bee87247d |
| T1560.001 | Compress Data and lock with password for Exfiltration with winzip | 01df0353-d531-408d-a0c5-3161bf822134 |
| T1560.001 | Compress Data and lock with password for Exfiltration with winrar | 8dd61a55-44c6-43cc-af0c-8bdda276860c |
| T1555.004 | Access Saved Credentials via VaultCmd | 9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439 |
| T1555.003 | Dump Chrome Login Data with esentutl | 70422253-8198-4019-b617-6be401b49fce |
| T1555.003 | Simulating access to Windows Edge Login Data | a6a5ec26-a2d1-4109-9d35-58b867689329 |
| T1555.003 | Simulating access to Windows Firefox Login Data | eb8da98a-2e16-4551-b3dd-83de49baa14c |
| T1555.003 | Simulating access to Opera Login Data | 28498c17-57e4-495a-b0be-cc1e36de408b |
| T1555.003 | Simulating access to Chrome Login Data | 3d111226-d09a-4911-8715-fe11664f960d |
| T1555.003 | LaZagne - Credentials from Browser | 9a2915b3-3954-4cce-8c76-00fbf4dbd014 |
| T1555.003 | Run Chrome-password Collector | 8c05b133-d438-47ca-a630-19cc464c4622 |
| T1555 | Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] | bc071188-459f-44d5-901a-f8f2625b2d2e |
| T1555 | Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] | 36753ded-e5c4-4eb5-bc3c-e8fba236878d |
| T1555 | Dump credentials from Windows Credential Manager With PowerShell [web Credentials] | 8fd5a296-6772-4766-9991-ff4e92af7240 |
| T1555 | Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] | c89becbe-1758-4e7d-a0f4-97d2188a23e3 |
| T1553.004 | Add Root Certificate to CurrentUser Certificate Store | ca20a3f1-42b5-4e21-ad3f-1049199ec2e0 |
| T1553.003 | SIP (Subject Interface Package) Hijacking via Custom DLL | e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675 |
| T1552.006 | GPP Passwords (Get-GPPPassword) | e9584f82-322c-474a-b831-940fd8b4455c |
| T1552.004 | Export Certificates with Mimikatz | 290df60e-4b5d-4a5e-b0c7-dc5348ea0c86 |
| T1552.004 | CertUtil ExportPFX | 336b25bf-4514-4684-8924-474974f28137 |
| T1552.002 | Enumeration for PuTTY Credentials in Registry | af197fd7-e868-448e-9bd5-05d1bcd9d9e5 |
| T1552.002 | Enumeration for Credentials in Registry | b6ec082c-7384-46b3-a111-9a9b8b14e5e7 |
| T1548.002 | Bypass UAC using Fodhelper | 58f641ea-12e3-499a-b684-44dee46bd182 |
| T1547.009 | Shortcut Modification | ce4fc678-364f-4282-af16-2fb4c78005ce |
| T1547.001 | Creating Boot Verification Program Key for application execution during successful boot | 6e1666d5-3f2b-4b9a-80aa-f011322380d4 |
| T1547.001 | Reg Key RunOnce | 554cbd88-cde1-4b56-8168-0be552eed9eb |
| T1547.001 | Reg Key Run | e55be3fd-3521-4610-9d1a-e210e42dcf05 |
| T1547 | Driver Installation Using pnputil.exe | 5cb0b071-8a5a-412f-839d-116beb2ed9f7 |
| T1547 | Add a driver | cb01b3da-b0e7-4e24-bf6d-de5223526785 |
| T1546.011 | New shim database files created in the default shim database directory | aefd6866-d753-431f-a7a4-215ca7e3f13d |
| T1546.011 | Application Shim Installation | 9ab27e22-ee62-4211-962b-d36d9a0e6a18 |
| T1546.008 | Create Symbolic Link From osk.exe to cmd.exe | 51ef369c-5e87-4f33-88cd-6d61be63edf2 |
| T1546.008 | Replace binary of sticky keys | 934e90cf-29ca-48b3-863c-411737ad44e3 |
| T1546.007 | Netsh Helper DLL Registration | 3244697d-5a3a-4dfc-941c-550f69f91a4d |
| T1546.002 | Set Arbitrary Binary as Screensaver | 281201e7-de41-4dc9-b73d-f288938cbb64 |
| T1546.001 | Change Default File Association | 10a08978-2045-4d62-8c42-1957bbbea102 |
| T1546 | Persistence via ErrorHandler.cmd script execution | 547a4736-dd1c-4b48-b4fe-e916190bb2e7 |
| T1543.003 | TinyTurla backdoor service w64time | ef0581fd-528e-4662-87bc-4c2affb86940 |
| T1543.003 | Service Installation PowerShell | 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 |
| T1543.003 | Service Installation CMD | 981e2942-e433-44e9-afc1-8c957a1496b6 |
| T1543.003 | Modify Fax service to run PowerShell | ed366cde-7d12-49df-a833-671904770b9f |
| T1518.001 | Security Software Discovery - AV Discovery via WMI | 1553252f-14ea-4d3b-8a08-d7a4211aa945 |
| T1518.001 | Security Software Discovery - Sysmon Service | fe613cf3-8009-4446-9a0f-bc78a15b66c9 |
| T1518.001 | Security Software Discovery | f92a380f-ced9-491f-b338-95a991418ce2 |
| T1518 | Find and Display Internet Explorer Browser Version | 68981660-6670-47ee-a5fa-7e74806420a4 |
| T1505.003 | Web Shell Written to Disk | 0a2ce662-1efa-496f-a472-2fe7b080db16 |
| T1505.002 | Install MS Exchange Transport Agent Persistence | 43e92449-ff60-46e9-83a3-1a38089df94d |
| T1490 | Modify VSS Service Permissions | a4420f93-5386-4290-b780-f4f66abc7070 |
| T1490 | Windows - vssadmin Resize Shadowstorage Volume | da558b07-69ae-41b9-b9d4-4d98154a7049 |
| T1490 | Windows - Disable the SR scheduled task | 1c68c68d-83a4-4981-974e-8993055fa034 |
| T1490 | Windows - Delete Backup Files | 6b1dbaf6-cc8a-4ea6-891f-6058569653bf |
| T1490 | Windows - Delete Volume Shadow Copies via WMI with PowerShell | 39a295ca-7059-4a88-86f6-09556c1211e7 |
| T1490 | Windows - Disable Windows Recovery Console Repair | cf21060a-80b3-4238-a595-22525de4ab81 |
| T1490 | Windows - Delete Volume Shadow Copies via WMI | 6a3ff8dd-f49c-4272-a658-11c2fe58bd88 |
| T1490 | Windows - Delete Volume Shadow Copies | 43819286-91a9-4369-90ed-d31fb4da2c01 |
| T1489 | Windows - Stop service by killing process | f3191b84-c38b-400b-867e-3a217a27795f |
| T1489 | Windows - Stop service using net.exe | 41274289-ec9c-4213-bea4-e43c4aa57954 |
| T1489 | Windows - Stop service using Service Controller | 21dfb440-830d-4c86-a3e5-2a491d5a8d04 |
| T1486 | PureLocker Ransom Note | 649349c7-9abf-493b-a7a2-b1aa4d141528 |
| T1485 | Overwrite deleted data on C drive | 321fd25e-0007-417f-adec-33232252be19 |
| T1482 | Adfind - Enumerate Active Directory Trusts | 15fe436d-e771-4ff3-b655-2dca9ba52834 |
| T1482 | Windows - Discover domain trusts with nltest | 2e22641d-0498-48d2-b9ff-c71e496ccdbe |
| T1222.001 | Grant Full Access to folder for Everyone - Ryuk Ransomware Style | ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 |
| T1222.001 | attrib - hide file | 32b979da-7b68-42c9-9a99-0e39900fc36c |
| T1222.001 | attrib - Remove read-only attribute | bec1e95c-83aa-492e-ab77-60c71bbd21b0 |
| T1222.001 | cacls - Grant permission to specified user or group recursively | a8206bcc-f282-40a9-a389-05d9c0263485 |
| T1222.001 | Take ownership using takeown utility | 98d34bb4-6e75-42ad-9c41-1dae7dc6a001 |
| T1222 | Enable Local and Remote Symbolic Links via fsutil | 6c4ac96f-d4fa-44f4-83ca-56d8f4a55c02 |
| T1220 | WMIC bypass using remote XSL file | 7f5be499-33be-4129-a560-66021f379b9b |
| T1220 | WMIC bypass using local XSL file | 1b237334-3e21-4a0c-8178-b8c996124988 |
| T1218.011 | Rundll32 execute payload by calling RouteTheCall | 8a7f56ee-10e7-444c-a139-0109438288eb |
| T1218.011 | Rundll32 execute command via FileProtocolHandler | f3ad3c5b-1db1-45c1-81bf-d3370ebab6c8 |
| T1218.011 | Running DLL with .init extension and function | 2d5029f0-ae20-446f-8811-e7511b58e8b6 |
| T1218.011 | Rundll32 with desk.cpl | 83a95136-a496-423c-81d3-1c6750133917 |
| T1218.011 | Launches an executable using Rundll32 and pcwutl.dll | 9f5d081a-ee5a-42f9-a04e-b7bdc487e676 |
| T1218.011 | Execution of HTA and VBS Files using Rundll32 and URL.dll | 22cfde89-befe-4e15-9753-47306b37a6e3 |
| T1218.011 | Rundll32 execute VBscript command | 638730e7-7aed-43dc-bf8c-8117f805f5bb |
| T1218.011 | Rundll32 execute JavaScript Remote Payload With GetObject | 57ba4ce9-ee7a-4f27-9928-3c70c489b59d |
| T1218.010 | Regsvr32 Silent DLL Install Call DllRegisterServer | 9d71c492-ea2e-4c08-af16-c6994cdf029f |
| T1218.007 | Msiexec.exe - Execute Local MSI file with an embedded EXE | ed3fa08a-ca18-4009-973e-03d13014d0e8 |
| T1218.007 | Msiexec.exe - Execute Local MSI file with an embedded DLL | 628fa796-76c5-44c3-93aa-b9d8214fd568 |
| T1218.007 | Msiexec.exe - Execute Local MSI file with embedded VBScript | 8d73c7b0-c2b1-4ac1-881a-4aa644f76064 |
| T1218.007 | Msiexec.exe - Execute Local MSI file with embedded JScript | a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04 |
| T1218.005 | Mshta used to Execute PowerShell | 8707a805-2b76-4f32-b1c0-14e558205772 |
| T1218.005 | Mshta executes VBScript to execute malicious command | 906865c3-e05f-4acc-85c4-fbc185455095 |
| T1218.005 | Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject | 1483fab9-4f52-4217-a9ce-daa9d7747cae |
| T1218.003 | CMSTP Executing UAC Bypass | 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0 |
| T1218.003 | CMSTP Executing Remote Scriptlet | 34e63321-9683-496b-bbc1-7566bc55e624 |
| T1218 | System Binary Proxy Execution - Wlrmdr Lolbin | 7816c252-b728-4ea6-a683-bd9441ca0b71 |
| T1218 | Provlaunch.exe Executes Arbitrary Command via Registry Key | ab76e34f-28bf-441f-a39c-8db4835b89cc |
| T1218 | Lolbas ie4uinit.exe use as proxy | 13c0804e-615e-43ad-b223-2dfbacd0b0b3 |
| T1218 | Lolbin Gpscript startup option | f8da74bb-21b8-4af9-8d84-f2c8e4a220e3 |
| T1218 | Lolbin Gpscript logon option | 5bcda9cd-8e85-48fa-861d-b5a85d91d48c |
| T1218 | Load Arbitrary DLL via Wuauclt (Windows Update Client) | 49fbd548-49e9-4bb7-94a6-3769613912b8 |
| T1218 | Invoke-ATHRemoteFXvGPUDisablementCommand base test | 9ebe7901-7edf-45c0-b5c7-8366300919db |
| T1218 | Microsoft.Workflow.Compiler.exe Payload Execution | 7cbb0f26-a4c1-4f77-b180-a009aa05637e |
| T1218 | InfDefaultInstall.exe .inf Execution | 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef |
| T1218 | Register-CimProvider - Execute evil dll | ad2c17ed-f626-4061-b21e-b9804a6f3655 |
| T1217 | List Internet Explorer Bookmarks using the command prompt | 727dbcdb-e495-4ab1-a6c4-80c7f77aef85 |
| T1217 | List Mozilla Firefox bookmarks on Windows with command prompt | 4312cdbc-79fc-4a9c-becc-53d49c734bc5 |
| T1217 | List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt | 76f71e2f-480e-4bed-b61e-398fe17499d5 |
| T1216.001 | PubPrn.vbs Signed Script Bypass | 9dd29a1f-1e16-4862-be83-913b10a88f6c |
| T1216 | manage-bde.wsf Signed Script Command Execution | 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a |
| T1204.002 | LNK Payload Download | 581d7521-9c4b-420e-9695-2aec5241167f |
| T1204.002 | Potentially Unwanted Applications (PUA) | 02f35d62-9fdc-4a97-b899-a5d9a876d295 |
| T1204.002 | OSTap Payload Download | 3f3af983-118a-4fa1-85d3-ba4daa739d80 |
| T1202 | Indirect Command Execution - Scriptrunner.exe | 0fd14730-6226-4f5e-8d67-43c65f1be940 |
| T1202 | Indirect Command Execution - forfiles.exe | 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc |
| T1202 | Indirect Command Execution - pcalua.exe | cecfea7a-5f03-4cdd-8bc8-6f7c22862440 |
| T1201 | Use of SecEdit.exe to export the local security policy (including the password policy) | 510cc97f-56ac-4cd3-a198-d3218c23d889 |
| T1201 | Examine local password policy - Windows | 4588d243-f24e-4549-b2e3-e627acc089f6 |
| T1187 | Trigger an authenticated RPC call to a target server with no Sign flag set | 81cfdd7f-1f41-4cc5-9845-bb5149438e37 |
| T1187 | PetitPotam | 485ce873-2e65-4706-9c7e-ae3ab9e14213 |
| T1140 | Certutil Rename and Decode | 71abc534-3c05-4d0c-80f7-cbe93cb2aa94 |
| T1140 | Deobfuscate/Decode Files Or Information | dc6fe391-69e6-4506-bd06-ea5eeb4082f8 |
| T1137 | Office Application Startup - Outlook as a C2 | bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c |
| T1135 | PowerView ShareFinder | d07e4cc1-98ae-447e-9d31-36cb430d28c4 |
| T1135 | View available share drives | ab39a04f-0c93-4540-9ff2-83f862c385ae |
| T1135 | Network Share Discovery command prompt | 20f1097d-81c1-405c-8380-32174d493bbb |
| T1134.004 | Parent PID Spoofing - Spawn from Specified Process | cbbff285-9051-444a-9d17-c07cd2d230eb |
| T1127 | Lolbin Jsc.exe compile javascript to dll | 3fc9fea2-871d-414d-8ef6-02e85e322b80 |
| T1127 | Lolbin Jsc.exe compile javascript to exe | 1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8 |
| T1124 | System Time Discovery | 20aba24b-e61f-4b26-b4ce-4784f763ca20 |
| T1123 | using device audio capture commandlet | 9c3ad250-b185-4444-b5a9-d69218a10c95 |
| T1120 | Peripheral Device Discovery via fsutil | 424e18fd-48b8-4201-8d3a-bf591523a686 |
| T1119 | Recon information for export with Command Prompt | aa1180e2-f329-4e1e-8625-2472ec0bfaf3 |
| T1119 | Automated Collection Command Prompt | cb379146-53f1-43e0-b884-7ce2c635ff5b |
| T1115 | Utilize Clipboard to store or execute commands from | 0cd14633-58d4-4422-9ede-daa2c9474ae7 |
| T1113 | Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted | 5a496325-0115-4274-8eb9-755b649ad0fb |
| T1112 | Modify UseTPMKeyPIN Registry entry | 02d8b9f7-1a51-4011-8901-2d55cca667f9 |
| T1112 | Modify UseTPMKey Registry entry | c8480c83-a932-446e-a919-06a1fd1e512a |
| T1112 | Modify UseTPMPIN Registry entry | 10b33fb0-c58b-44cd-8599-b6da5ad6384c |
| T1112 | Modify EnableBDEWithNoTPM Registry entry | bacb3e73-8161-43a9-8204-a69fe0e4b482 |
| T1112 | Requires the BitLocker PIN for Pre-boot authentication | 26fc7375-a551-4336-90d7-3f2817564304 |
| T1112 | Disable Windows Remote Desktop Protocol | 5f8e36de-37ca-455e-b054-a2584f043c06 |
| T1112 | Enable RDP via Registry (fDenyTSConnections) | 16bdbe52-371c-4ccf-b708-79fba61f1db4 |
| T1112 | Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. | ffeddced-bb9f-49c6-97f0-3d07a509bf94 |
| T1112 | Modify Internet Zone Protocol Defaults in Current User Registry - cmd | c88ef166-50fa-40d5-a80c-e2b87d4180f7 |
| T1112 | Tamper Win Defender Protection | 3b625eaa-c10d-4635-af96-3eae7d2a2f3c |
| T1112 | Enabling Remote Desktop Protocol via Remote Registry | e3ad8e83-3089-49ff-817f-e52f8c948090 |
| T1112 | Mimic Ransomware - Allow Multiple RDP Sessions per User | 35727d9e-7a7f-4d0c-a259-dc3906d6e8b9 |
| T1112 | Disable Windows Error Reporting Settings | d2c9e41e-cd86-473d-980d-b6403562e3e1 |
| T1112 | Ursnif Malware Registry Key Creation | c375558d-7c25-45e9-bd64-7b23a97c1db0 |
| T1112 | NetWire RAT Registry Key Creation | 65704cd4-6e36-4b90-b6c1-dc29a82c8e56 |
| T1112 | Suppress Win Defender Notifications | c30dada3-7777-4590-b970-dc890b8cf113 |
| T1112 | Windows Add Registry Value to Load Service in Safe Mode with Network | c173c948-65e5-499c-afbe-433722ed5bd4 |
| T1112 | Windows Add Registry Value to Load Service in Safe Mode without Network | 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5 |
| T1112 | Windows Powershell Logging Disabled | 95b25212-91a7-42ff-9613-124aca6845a8 |
| T1112 | Modify registry to store logon credentials | c0413fb5-33e2-40b7-9b6f-60b29f4a7a18 |
| T1112 | Modify Registry of Local Machine - cmd | 282f929a-6bc5-42b8-bd93-960c3ba35afe |
| T1110.001 | Password Brute User using Kerbrute Tool | 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4 |
| T1105 | iwr or Invoke Web-Request download | c01cad7f-7a4c-49df-985e-b190dcf6a279 |
| T1105 | Download a file using wscript | 97116a3f-efac-4b26-8336-b9cb18c45188 |
| T1105 | certreq download | 6fdaae87-c05b-42f8-842e-991a74e8376b |
| T1105 | Lolbas replace.exe use to copy UNC file | ed0335ac-0354-400c-8148-f6151d20035a |
| T1105 | Lolbas replace.exe use to copy file | 54782d65-12f0-47a5-b4c1-b70ee23de6df |
| T1105 | Printer Migration Command-Line Tool UNC share folder into a zip file | 49845fc1-7961-4590-a0f0-3dbcf065ae7e |
| T1105 | Download a file with IMEWDBLD.exe | 1a02df58-09af-4064-a765-0babe1a0d1e2 |
| T1105 | File download with finger.exe on Windows | 5f507e45-8411-4f99-84e7-e38530c45d01 |
| T1105 | Download a File with Windows Defender MpCmdRun.exe | 815bef8b-bf91-4b67-be4c-abe4c2a94ccc |
| T1105 | svchost writing a file to a UNC path | fa5a2759-41d7-4e13-a19c-e8f28a53566f |
| T1105 | OSTAP Worming Activity | 2ca61766-b456-4fcf-a35a-1233685e1cad |
| T1090.001 | portproxy reg key | b8223ea9-4be2-44a6-b50a-9657a3d4e72a |
| T1087.002 | Enumerate Linked Policies In ADSISearcher Discovery | 7ab0205a-34e4-4a44-9b04-e1541d1a57be |
| T1087.002 | Enumerate Active Directory Users with ADSISearcher | 02e8be5a-3065-4e54-8cc8-a14d138834d3 |
| T1087.002 | Adfind - Enumerate Active Directory Exchange AD Objects | 5e2938fb-f919-47b6-8b29-2f6a1f718e99 |
| T1087.002 | Adfind - Enumerate Active Directory Admins | b95fd967-4e62-4109-b48d-265edfd28c3a |
| T1087.002 | Adfind -Listing password policy | 736b4f53-f400-4c22-855d-1a6b5a551600 |
| T1087.002 | Automated AD Recon (ADRecon) | 95018438-454a-468c-a0fa-59c800149b59 |
| T1083 | File and Directory Discovery (cmd.exe) | 0e36303b-6762-4500-b003-127743b80ba6 |
T1082
|
System Information Discovery |
4060ee98-01ae-4c8e-8aad-af8300519cc7 |
|
|
T1082
|
Griffon Recon |
69bd4abe-8759-49a6-8d21-0f15822d6370 |
|
|
T1082
|
Windows MachineGUID Discovery |
224b4daf-db44-404e-b6b2-f4d1f0126ef8 |
|
|
T1082
|
System Information Discovery |
66703791-c902-4560-8770-42b8a91f7667 |
|
|
T1078.003
|
Create local account with admin privileges |
a524ce99-86de-4db6-b4f9-e08f35a47a15 |
|
|
T1078.001
|
Enable Guest account with RDP capability and admin privileges |
99747561-ed8d-47f2-9c91-1e5fde1ed6e0 |
|
|
T1074.001
|
Zip a Folder with PowerShell for Staging in Temp |
a57fbe4b-3440-452a-88a7-943531ac872a |
|
|
T1074.001
|
Stage data from Discovery.bat |
107706a5-6f9f-451a-adae-bab8c667829f |
|
|
T1071.001
|
Malicious User Agents - CMD |
dc3488b0-08c7-4fea-b585-905c83b48180 |
|
|
T1070.005
|
Remove Network Share |
09210ad5-1ef2-4077-9ad3-7351e13e9222 |
|
|
T1070.005
|
Add Network Share |
14c38f32-6509-46d8-ab43-d53e32d2b131 |
|
|
T1070.004
|
Delete Prefetch File |
36f96049-0ad7-4a5f-8418-460acaeb92fb |
|
|
T1070.004
|
Delete a single file - Windows cmd |
861ea0b4-708a-4d17-848d-186c9c7f17e3 |
|
|
T1070.001
|
Clear Logs |
e6abb60e-26b8-41da-8aae-0c35174b0967 |
|
|
T1070
|
Indicator Removal using FSUtil |
b4115c7a-0e92-47f0-a61e-17e7218b2435 |
|
|
T1069.002
|
Enumerate Active Directory Groups with ADSISearcher |
9f4e344b-8434-41b3-85b1-d38f29d148d0 |
|
|
T1059.007
|
JScript execution to gather local computer information via wscript |
0709945e-4fec-4c49-9faf-c3c292a74484 |
|
|
T1059.007
|
JScript execution to gather local computer information via cscript |
01d75adf-ca1b-4dd1-ac96-7c9550ad1035 |
|
|
T1059.005
|
Visual Basic script execution to gather local computer information |
1620de42-160a-4fe5-bbaf-d3fef0181ce9 |
|
|
T1059.003
|
Command prompt writing script to file then executes it |
00682c9f-7df4-4df8-950b-6dcaaa3ad9af |
|
|
T1059.003
|
Command Prompt read contents from CMD file and execute |
df81db1b-066c-4802-9bc8-b6d030c3ba8e |
|
|
T1059.003
|
Writes text to a file and displays it. |
127b4afe-2346-4192-815c-69042bec570e |
|
|
T1059.001
|
PowerShell Invoke Known Malicious Cmdlets |
49eb9404-5e0f-4031-a179-b40f7be385e3 |
|
|
T1059.001
|
PowerShell Command Execution |
a538de64-1c74-46ed-aa60-b995ed302598 |
|
|
T1059.001
|
Mimikatz - Cradlecraft PsSendKeys |
af1800cf-9f9d-4fd1-a709-14b1e6de020d |
|
|
T1057
|
Discover Specific Process - tasklist |
11ba69ee-902e-4a0f-b3b6-418aed7d7ddb |
|
|
T1057
|
Process Discovery - wmic process |
640cbf6d-659b-498b-ba53-f6dd1a1cc02c |
|
|
T1057
|
Process Discovery - tasklist |
c5806a4f-62b8-4900-980b-c7ec004e9908 |
|
|
T1056.004
|
Hook PowerShell TLS Encrypt/Decrypt Messages |
de1934ea-1fbf-425b-8795-65fb27dd7e33 |
|
|
T1056.001
|
Input Capture |
d9b633ca-8efb-45e6-b838-70f595c6ae26 |
|
|
T1055
|
Process Injection with Go using CreateThread WinAPI (Natively) |
2a3c7035-d14f-467a-af94-933e49fe6786 |
|
|
T1055
|
Process Injection with Go using CreateThread WinAPI |
2871ed59-3837-4a52-9107-99500ebc87cb |
|
|
T1055
|
Remote Process Injection in LSASS via mimikatz |
3203ad24-168e-4bec-be36-f79b13ef8a83 |
|
|
T1053.005
|
Scheduled Task Executing Base64 Encoded Commands From Registry |
e895677d-4f06-49ab-91b6-ae3742d0a2ba |
|
|
T1053.005
|
Scheduled task Local |
42f53695-ad4a-4546-abb6-7d837f644a71 |
|
|
T1053.002
|
At.exe Scheduled task |
4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 |
|
|
T1047
|
WMI Reconnaissance Software |
718aebaa-d0e0-471a-8241-c5afa69c7414 |
|
|
T1047
|
WMI Reconnaissance Processes |
5750aa16-0e59-4410-8b9a-8a47ca2788e2 |
|
|
T1040
|
Windows Internal pktmon set filter |
855fb8b4-b8ab-4785-ae77-09f5df7bff55 |
|
|
T1040
|
Windows Internal Packet Capture |
b5656f67-d67f-4de8-8e62-b5581630f528 |
|
|
T1039
|
Copy a sensitive File over Administrative share with Powershell |
7762e120-5879-44ff-97f8-008b401b9a98 |
|
|
T1039
|
Copy a sensitive File over Administrative share with copy |
6ed67921-1774-44ba-bac6-adb51ed60660 |
|
|
T1037.001
|
Logon Scripts |
d6042746-07d4-4c92-9ad8-e644c114a231 |
|
|
T1036.007
|
File Extension Masquerading |
c7fa0c3b-b57f-4cba-9118-863bf4e653fc |
|
|
T1036.004
|
Creating W32Time similar named service using sc |
b721c6ef-472c-4263-a0d9-37f1f4ecff66 |
|
|
T1036.003
|
Malicious process Masquerading as LSM.exe |
83810c46-f45e-4485-9ab6-8ed0e9e6ed7f |
|
|
T1036.003
|
Masquerading - powershell.exe running as taskhostw.exe |
ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa |
|
|
T1036.003
|
Masquerading - cscript.exe running as notepad.exe |
3a2a578b-0a01-46e4-92e3-62e2859b42f0 |
|
|
T1036.003
|
Masquerading as Windows LSASS process |
5ba5a3d1-cf3c-4499-968a-a93155d1f717 |
|
|
T1033
|
System Owner/User Discovery |
4c4959bf-addf-4b4a-be86-8d09cc1857aa |
|
|
T1027
|
Execution from Compressed JScript File |
fad04df1-5229-4185-b016-fb6010cd87ac |
|
|
T1027
|
DLP Evasion via Sensitive Data in VBA Macro over HTTP |
e2d85e66-cb66-4ed7-93b1-833fc56c9319 |
|
|
T1021.001
|
Disable NLA for RDP via Command Prompt |
01d1c6c0-faf0-408e-b368-752a02285cb2 |
|
|
T1021.001
|
Changing RDP Port to Non Standard Port via Command_Prompt |
74ace21e-a31c-4f7d-b540-53e4eb6d1f73 |
|
|
T1018
|
Enumerate Remote Hosts with Netscan |
b8147c9a-84db-4ec1-8eee-4e0da75f0de5 |
|
|
T1018
|
Enumerate Active Directory Computers with ADSISearcher |
64ede6ac-b57a-41c2-a7d1-32c6cd35397d |
|
|
T1018
|
Remote System Discovery - ping sweep |
6db1f57f-d1d5-4223-8a66-55c9c65a9592 |
|
|
T1016.002
|
Enumerate Stored Wi-Fi Profiles And Passwords via netsh |
53cf1903-0fa7-4177-ab14-f358ae809eec |
|
|
T1016
|
System Network Configuration Discovery (TrickBot Style) |
dafaf052-5508-402d-bf77-51e0700c02e2 |
|
|
T1016
|
System Network Configuration Discovery on Windows |
970ab6a1-0157-4f3f-9a73-ec4166754b23 |
|
|
T1007
|
System Service Discovery - net.exe |
5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3 |
|
|
T1007
|
System Service Discovery |
89676ba1-b1f8-47ee-b940-2e1a113ebc71 |
|
|
T1003.006
|
Run DSInternals Get-ADReplAccount |
a0bced08-3fc5-4d8b-93b7-e8344739376e |
|
|
T1003.005
|
Cached Credential Dump via Cmdkey |
56506854-89d6-46a3-9804-b7fde90791f9 |
|
|
T1003.003
|
Create Volume Shadow Copy with Powershell |
542bb97e-da53-436b-8e43-e0a7d31a6c24 |
|
|
T1003.003
|
Dump Active Directory Database with NTDSUtil |
2364e33d-ceab-4641-8468-bfb1d7cc2723 |
|
|
T1003.001
|
Dump LSASS.exe Memory through Silent Process Exit |
eb5adf16-b601-4926-bca7-dad22adffb37 |
|
|
T1003.001
|
Dump LSASS.exe using imported Microsoft DLLs |
86fc3f40-237f-4701-b155-81c01c48d697 |
|
|
T1003.001
|
Create Mini Dump of LSASS.exe using ProcDump |
7cede33f-0acd-44ef-9774-15511300b24b |
|
|
T1003.001
|
Offline Credential Theft With Mimikatz |
453acf13-1dbd-47d7-b28a-172ce9228023 |
|
|
T1003.001
|
Dump LSASS.exe Memory using NanoDump |
dddd4aca-bbed-46f0-984d-e4c5971c51ea |
|
|
T1003.001
|
Dump LSASS.exe Memory using comsvcs.dll |
2536dee2-12fb-459a-8c37-971844fa73be |
|
|
T1003.001
|
Dump LSASS.exe Memory using ProcDump |
0be2230c-9ab3-4ac2-8826-3199b9a0ebf8 |
|
|
T1003
|
Send NTLM Hash with RPC Test Connection |
0b207037-813c-4444-ac3f-b597cf280a67 |
|
|
T1003
|
Dump Credential Manager using keymgr.dll and rundll32.exe |
84113186-ed3c-4d0d-8a3c-8980c86c1f4a |
|
|
T1003
|
Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config) |
42510244-5019-48fa-a0e5-66c3b76e6049 |
|
|