Tech ID | Atomic Attack Name | Platform | Sigma Rules | Splunk Rules
T1562.001 Disable Windows Defender with DISM
GUID: 871438ac-7d6e-432a-b27d-3e7db69faf58
Windows
T1560.001 Compress Data and lock with password for Exfiltration with 7zip
GUID: d1334303-59cb-4a03-8313-b3e24d02c198
Windows
    N/A
T1558.004 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
GUID: 8c385f88-4d47-4c9a-814d-93d9deec8c71
Windows
T1558.004 Rubeus asreproast
GUID: 615bd568-2859-41b5-9aed-61f6a88e48dd
Windows
    N/A
T1558.003 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
GUID: 29094950-2c96-4cbd-b5e4-f7c65079678f
Windows
T1558.003 Extract all accounts in use as SPN using setspn
GUID: e6f4affd-d826-4871-9a62-6c9004b8fe06
Windows
    N/A
T1558.003 Rubeus kerberoast
GUID: 14625569-6def-4497-99ac-8e7817105b55
Windows
    N/A
T1555.004 WinPwn - Loot local Credentials - Invoke-WCMDump
GUID: fa714db1-63dd-479e-a58e-7b2b52ca5997
Windows
T1555.003 WinPwn - PowerSharpPack - Sharpweb for Browser Credentials
GUID: e5e3d639-6ea8-4408-9ecd-d5a286268ca0
Windows
T1552.006 GPP Passwords (findstr)
GUID: 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f
Windows
T1552.004 Private Keys
GUID: 520ce462-7ca7-441e-b5a5-f8347f632696
Windows
T1552.001 List Credential Files via Command Prompt
GUID: b0cdacf6-8949-4ffe-9274-a9643a788e55
Windows
    N/A
T1550.003 Mimikatz Kerberos Ticket Attack
GUID: dbf38128-7ba7-4776-bedf-cc2eed432098
Windows
T1550.002 Mimikatz Pass the Hash
GUID: ec23cef9-27d9-46e4-a68d-6f75f7b86908
Windows
T1548.002 WinPwn - UAC Bypass DccwBypassUAC technique
GUID: 2b61977b-ae2d-4ae4-89cb-5c36c89586be
Windows
T1548.002 Bypass UAC by Mocking Trusted Directories
GUID: f7a35090-6f7f-4f64-bb47-d657bf5b10c1
Windows
T1546.003 Windows MOFComp.exe Load MOF File
GUID: 29786d7e-8916-4de6-9c55-be7b093b2706
Windows
T1543.003 Remote Service Installation CMD
GUID: fb4151a2-db33-4f8c-b7f8-78ea8790f961
Windows
T1531 Delete User - Windows
GUID: f21a1d7d-a62f-442a-8c3a-2440d43b19e5
Windows
T1531 Change User Password - Windows
GUID: 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2
Windows
T1529 ESXi - vim-cmd Used to Power Off VMs
GUID: 622cc1a0-45e7-428c-aed7-c96dd605fbe6
Windows
T1529 ESXi - Avoslocker enumerates VMs and forcefully kills VMs
GUID: 189f7d6e-9442-4160-9bc3-5e4104d93ece
Windows
T1529 ESXi - Terminates VMs using pkill
GUID: 987c9b4d-a637-42db-b1cb-e9e242c3991b
Windows
T1518.001 Get Windows Defender exclusion settings using WMIC
GUID: e31564c8-4c60-40cd-a8f4-9261307e8336
Windows
    N/A
T1505.004 Install IIS Module using AppCmd.exe
GUID: 53adbdfa-8200-490c-871c-d3b1ab3324b2
Windows
T1491.001 ESXi - Change Welcome Message on Direct Console User Interface (DCUI)
GUID: 30905f21-34f3-4504-8b4c-f7a5e314b810
Windows
T1485 ESXi - Delete VM Snapshots
GUID: 1207ddff-f25b-41b3-aa0e-7c26d2b546d1
Windows
T1485 Windows - Overwrite file with SysInternals SDelete
GUID: 476419b5-aebf-4366-a131-ae3e8dae5fc2
Windows
    N/A
T1482 TruffleSnout - Listing AD Infrastructure
GUID: ea1b4f2d-5b82-4006-b64f-f2845608a3bf
Windows
    N/A
T1482 Adfind - Enumerate Active Directory OUs
GUID: d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec
Windows
T1219 GoToAssist Files Detected Test on Windows
GUID: 1b72b3bd-72f8-4b63-a30b-84e91b9c3578
Windows
T1219 AnyDesk Files Detected Test on Windows
GUID: 6b8b7391-5c0a-4f8c-baee-78d8ce0ce330
Windows
T1218.011 Rundll32 with Control_RunDLL
GUID: e4c04b6f-c492-4782-82c7-3bf75eb8077e
Windows
T1218.011 Rundll32 with Ordinal Value
GUID: 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0
Windows
T1218.011 Execution of non-dll using rundll32.exe
GUID: ae3a8605-b26e-457c-b6b3-2702fd335bac
Windows
T1218.011 Rundll32 setupapi.dll Execution
GUID: 71d771cd-d6b3-4f34-bc76-a63d47a10b19
Windows
T1218.011 Rundll32 syssetup.dll Execution
GUID: 41fa324a-3946-401e-bbdd-d7991c628125
Windows
T1218.011 Rundll32 ieadvpack.dll Execution
GUID: 5e46a58e-cbf6-45ef-a289-ed7754603df9
Windows
T1218.011 Rundll32 advpack.dll Execution
GUID: d91cae26-7fc1-457b-a854-34c8aad48c89
Windows
T1218.011 Rundll32 execute VBscript command using Ordinal number
GUID: 32d1cf1b-cbc2-4c09-8d05-07ec5c83a821
Windows
T1218.010 Regsvr32 Registering Non DLL
GUID: 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421
Windows
T1218.010 Regsvr32 remote COM scriptlet execution
GUID: c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36
Windows
T1218.010 Regsvr32 local COM scriptlet execution
GUID: 449aa403-6aba-47ce-8a37-247d21ef0306
Windows
T1218.008 Odbcconf.exe - Load Response File
GUID: 331ce274-f9c9-440b-9f8c-a1006e1fce0b
Windows
T1218.008 Odbcconf.exe - Execute Arbitrary DLL
GUID: 2430498b-06c0-4b92-a448-8ad263c388e2
Windows
T1218.007 Msiexec.exe - Execute Remote MSI file
GUID: 44a4bedf-ffe3-452e-bee4-6925ab125662
Windows
T1218.007 Msiexec.exe - Execute the DllUnregisterServer function of a DLL
GUID: ab09ec85-4955-4f9c-b8e0-6851baf4d47f
Windows
T1218.007 Msiexec.exe - Execute the DllRegisterServer function of a DLL
GUID: 0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d
Windows
T1218.001 Decompile Local CHM File
GUID: 20cb05e0-1fa5-406d-92c1-84da4ba01813
Windows
T1218.001 Invoke CHM Shortcut Command with ITS and Help Topic
GUID: 15756147-7470-4a83-87fb-bb5662526247
Windows
    N/A
T1218.001 Compiled HTML Help Remote Payload
GUID: 0f8af516-9818-4172-922b-42986ef1e81d
Windows
T1218.001 Compiled HTML Help Local Payload
GUID: 5cb87818-0d7c-4469-b7ef-9224107aebe8
Windows
T1218 DiskShadow Command Execution
GUID: 0e1483ba-8f0c-425d-b8c6-42736e058eaa
Windows
T1218 Renamed Microsoft.Workflow.Compiler.exe Payload Executions
GUID: 4cc40fd7-87b8-4b16-b2d7-57534b86b911
Windows
T1218 mavinject - Inject DLL into running process
GUID: c426dacf-575d-4937-8611-a148a86a5e61
Windows
T1216 SyncAppvPublishingServer Signed Script PowerShell Command Execution
GUID: 275d963d-3f36-476c-8bef-a2a3960ee6eb
Windows
T1201 Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy
GUID: b2698b33-984c-4a1c-93bb-e4ba72a0babb
Windows
    N/A
T1201 Examine domain password policy - Windows
GUID: 46c2c362-2679-4ef5-aec9-0e958e135be4
Windows
T1197 Bits download using desktopimgdownldr.exe (cmd)
GUID: afb5e09e-e385-4dee-9a94-6ee60979d114
Windows
T1197 Bitsadmin Download (PowerShell)
GUID: f63b8bc4-07e5-4112-acba-56f646f3f0bc
Windows
T1197 Bitsadmin Download (cmd)
GUID: 3c73d728-75fb-4180-a12f-6712864d7421
Windows
T1195 Octopus Scanner Malware Open Source Supply Chain
GUID: 82a9f001-94c5-495e-9ed5-f530dbded5e2
Windows
T1187 WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS
GUID: 7f06b25c-799e-40f1-89db-999c9cc84317
Windows
T1136.002 Create a new account similar to ANONYMOUS LOGON
GUID: dc7726d2-8ccb-4cc6-af22-0d5afb53a548
Windows
T1136.002 Create a new Windows domain admin user
GUID: fcec2963-9951-4173-9bfa-98d8b7834e62
Windows
T1136.001 Create a new Windows admin user via .NET
GUID: 2170d9b5-bacd-4819-a952-da76dae0815f
Windows
T1136.001 Create a new Windows admin user
GUID: fda74566-a604-4581-a4cc-fbbe21d66559
Windows
T1136.001 Create a new user in a command prompt
GUID: 6657864e-0323-4206-9344-ac9cd7265a4f
Windows
T1134.005 Injection SID-History with mimikatz
GUID: 6bef32e5-9456-4072-8f14-35566fb85401
Windows
T1134.002 WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique
GUID: ccf4ac39-ec93-42be-9035-90e2f26bcd92
Windows
T1129 ESXi - Install a custom VIB on an ESXi host
GUID: 7f843046-abf2-443f-b880-07a83cf968ec
Windows
T1124 System Time Discovery W32tm as a Delay
GUID: d5d5a6b0-0f92-42d8-985d-47aafa2dd4db
Windows
T1114.001 Email Collection with PowerShell Get-Inbox
GUID: 3f1b5096-0139-4736-9b78-19bcb02bb1cb
Windows
T1112 Flush Shimcache
GUID: ecbd533e-b45d-4239-aeff-b857c6f6d68b
Windows
T1112 Change Powershell Execution Policy to Bypass
GUID: f3a6cceb-06c9-48e5-8df8-8867a6814245
Windows
T1110.002 Password Cracking with Hashcat
GUID: 6d27df5d-69d4-4c91-bc33-5983ffe91692
Windows
T1110.001 ESXi - Brute Force Until Account Lockout
GUID: ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5
Windows
T1106 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
GUID: e1f93a06-1649-4f07-89a8-f57279a7d60e
Windows
T1106 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
GUID: 7ec5b74e-8289-4ff2-a162-b6f286a33abd
Windows
T1106 WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique
GUID: ce4e76e6-de70-4392-9efe-b281fc2b4087
Windows
T1105 Arbitrary file download using the Notepad++ GUP.exe binary
GUID: 66ee226e-64cb-4dae-80e3-5bf5763e4a51
Windows
T1105 Nimgrab - Transfer Files
GUID: b1729c57-9384-4d1c-9b99-9b220afb384e
Windows
    N/A
T1105 File Download via PowerShell
GUID: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2
Windows
T1105 Windows - PowerShell Download
GUID: 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8
Windows
T1105 Windows - BITSAdmin BITS Download
GUID: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b
Windows
T1105 certutil download (urlcache)
GUID: dd3b61dd-7bbc-48cd-ab51-49ad1a776df0
Windows
    N/A
T1095 Powercat C2
GUID: 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e
Windows
T1095 ICMP C2
GUID: 0268e63c-e244-42db-bef7-72a9e59fc1fc
Windows
T1087.002 Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope
GUID: ffbcfd62-15d6-4989-a21a-80bfc8e58bb5
Windows
    N/A
T1087.002 Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property
GUID: 6e85bdf9-7bc4-4259-ac0f-f0cb39964443
Windows
    N/A
T1087.002 Suspicious LAPS Attributes Query with Get-ADComputer all properties
GUID: 394012d9-2164-4d4f-b9e5-acf30ba933fe
Windows
    N/A
T1087.002 Enumerate Default Domain Admin Details (Domain)
GUID: c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef
Windows
T1087.002 Adfind - Enumerate Active Directory User Objects
GUID: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7
Windows
T1087.002 Enumerate logged on users via CMD (Domain)
GUID: 161dcd85-d014-4f5e-900c-d3eaae82a0f7
Windows
    N/A
T1087.002 Enumerate all accounts (Domain)
GUID: 6fbc9e68-5ad7-444a-bd11-8bf3136c477e
Windows
T1087.001 ESXi - Local Account Discovery via ESXCLI
GUID: 9762ac6e-aa60-4449-a2f0-cbbd0e1fd22c
Windows
T1087.001 Enumerate logged on users via CMD (Local)
GUID: a138085e-bfe5-46ba-a242-74a6fb884af3
Windows
    N/A
T1083 ESXi - Enumerate VMDKs available on an ESXi Host
GUID: 4a233a40-caf7-4cf1-890a-c6331bbc72cf
Windows
T1082 ESXi - Darkside system information discovery
GUID: f89812e5-67d1-4f49-86fa-cbc6609ea86a
Windows
T1082 ESXi - VM Discovery using ESXCLI
GUID: 2040405c-eea6-4c1c-aef3-c2acc430fac9
Windows
T1082 WinPwn - PowerSharpPack - Seatbelt
GUID: 5c16ceb4-ba3a-43d7-b848-a13c1f216d95
Windows
T1082 WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors
GUID: efb79454-1101-4224-a4d0-30c9c8b29ffc
Windows
T1082 WinPwn - PowerSharpPack - Watson searching for missing windows patches
GUID: 07b18a66-6304-47d2-bad0-ef421eb2e107
Windows
T1078.003 Use PsExec to elevate to NT Authority\SYSTEM account
GUID: 6904235f-0f55-4039-8aed-41c300ff7733
Windows
T1078.001 Activate Guest Account
GUID: aa6cb8c4-b582-4f8e-b677-37733914abda
Windows
T1071.004 DNS C2
GUID: e7bf9802-2e78-4db9-93b5-181b7bcd37d7
Windows
T1070.004 Clears Recycle bin via rd
GUID: f723d13d-48dc-4317-9990-cf43a9ac0bf2
Windows
    N/A
T1070.004 Delete an entire folder - Windows cmd
GUID: ded937c4-2add-42f7-9c2c-c742b7a98698
Windows
T1069.002 Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)
GUID: 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8
Windows
    N/A
T1069.002 Enumerate Active Directory Groups with Get-AdGroup
GUID: 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8
Windows
    N/A
T1069.002 Adfind - Query Active Directory Groups
GUID: 48ddc687-82af-40b7-8472-ff1e742e8274
Windows
T1069.002 Permission Groups Discovery PowerShell (Domain)
GUID: 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7
Windows
    N/A
T1069.001 WMIObject Group Discovery
GUID: 69119e58-96db-4110-ad27-954e48f3bb13
Windows
    N/A
T1069.001 Wmic Group Discovery
GUID: 7413be50-be8e-430f-ad4d-07bf197884b2
Windows
T1069.001 SharpHound3 - LocalAdmin
GUID: e03ada14-0980-4107-aff1-7783b2b59bb1
Windows
T1069.001 Basic Permission Groups Discovery Windows (Local)
GUID: 1f454dd6-e134-44df-bebb-67de70fb6cd8
Windows
T1059.001 SOAPHound - Build Cache
GUID: 4099086c-1470-4223-8085-8186e1ed5948
Windows
T1059.001 SOAPHound - Dump BloodHound Data
GUID: 6a5b2a50-d037-4879-bf01-43d4d6cbf73f
Windows
T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
GUID: 0d181431-ddf3-4826-8055-2dbf63ae848b
Windows
T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
GUID: 86a43bad-12e3-4e85-b97c-4d5cf25b95c3
Windows
T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
GUID: 1c0a870f-dc74-49cf-9afc-eccc45e58790
Windows
T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations
GUID: 686a9785-f99b-41d4-90df-66ed515f81d7
Windows
    N/A
T1059.001 Powershell invoke mshta.exe download
GUID: 8a2ad40b-12c7-4b25-8521-2737b0a415af
Windows
    N/A
T1059.001 Powershell MsXml COM object - with prompt
GUID: 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da
Windows
T1059.001 Invoke-AppPathBypass
GUID: 06a220b6-7e29-4bd8-9d07-5b4d86742372
Windows
T1059.001 Mimikatz
GUID: f3132740-55bc-48c4-bcc0-758a459cd027
Windows
T1059 AutoIt Script Execution
GUID: a9b93f17-31cb-435d-a462-5e838a2a6026
Windows
    N/A
T1055.001 WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique
GUID: 8b56f787-73d9-4f1d-87e8-d07e89cbc7f5
Windows
T1053.005 Scheduled Task ("Ghost Task") via Registry Key Manipulation
GUID: 704333ca-cc12-4bcf-9916-101844881f54
Windows
T1053.005 Scheduled task Remote
GUID: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd
Windows
T1053.005 Scheduled Task Startup Script
GUID: fec27f65-db86-4c2d-b66c-61945aee87c2
Windows
T1049 System Network Connections Discovery with PowerShell
GUID: f069f0f1-baad-4831-aa2b-eddac4baac4a
Windows
    N/A
T1048.002 Exfiltrate data HTTPS using curl windows
GUID: 1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0
Windows
    N/A
T1047 Application uninstall using WMIC
GUID: c510d25b-1667-467d-8331-a56d3e9bc4ff
Windows
T1047 WMI Execute rundll32
GUID: 00738d2a-4651-4d76-adf2-c43a41dfb243
Windows
T1047 Create a Process using WMI Query and an Encoded Command
GUID: 7db7a7f9-9531-4840-9b30-46220135441c
Windows
T1047 WMI Execute Remote Process
GUID: 9c8ef159-c666-472f-9874-90c8d60d136b
Windows
T1047 WMI Execute Local Process
GUID: b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3
Windows
T1047 WMI Reconnaissance List Remote Services
GUID: 0fd48ef7-d890-4e93-a533-f7dedd5191d3
Windows
T1047 WMI Reconnaissance Users
GUID: c107778c-dcf5-47c5-af2e-1d058a3df3ea
Windows
    N/A
T1036.004 Creating W32Time similar named service using schtasks
GUID: f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9
Windows
T1036.003 Masquerading - wscript.exe running as svchost.exe
GUID: 24136435-c91a-4ede-9da1-8b284a1c1a23
Windows
T1033 GetCurrent User with PowerShell Script
GUID: 1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b
Windows
    N/A
T1021.004 ESXi - Enable SSH via VIM-CMD
GUID: 280812c8-4dae-43e9-a74e-1d08ab997c0e
Windows
T1021.003 PowerShell Lateral Movement using MMC20
GUID: 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673
Windows
    N/A
T1021.002 Execute command writing output to local Admin Share
GUID: d41aaab5-bdfe-431d-a3d5-c29e9136ff46
Windows
T1021.002 Copy and Execute File with PsExec
GUID: 0eb03d41-79e4-4393-8e57-6344856be1cf
Windows
T1021.002 Map admin share
GUID: 3386975b-367a-4fbb-9d77-4dcf3639ffd3
Windows
    N/A
T1018 Remote System Discovery - net group Domain Controller
GUID: 5843529a-5056-4bc1-9c13-a311e2af4ca0
Windows
T1018 Get-WmiObject to Enumerate Domain Controllers
GUID: e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad
Windows
    N/A
T1018 Enumerate Active Directory Computers with Get-AdComputer
GUID: 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf
Windows
    N/A
T1018 Adfind - Enumerate Active Directory Computer Objects
GUID: a889f5be-2d54-4050-bd05-884578748bb4
Windows
T1018 Remote System Discovery - nltest
GUID: 52ab5108-3f6f-42fb-8ba3-73bc054f22c8
Windows
T1018 Remote System Discovery - net group Domain Computers
GUID: f1bf6c8f-9016-4edf-aff9-80b65f5d711f
Windows
T1018 Remote System Discovery - net
GUID: 85321a9c-897f-4a60-9f20-29788e50bccd
Windows
T1016 DNS Server Discovery Using nslookup
GUID: 34557863-344a-468f-808b-a1bfb89b4fa9
Windows
T1016 Adfind - Enumerate Active Directory Subnet Objects
GUID: 9bb45dd7-c466-4f93-83a1-be30e56033ee
Windows
T1003.006 DCSync (Active Directory)
GUID: 129efd28-8497-4c87-a1b0-73b9a870ca3e
Windows
T1003.004 Dump Kerberos Tickets from LSA using dumper.ps1
GUID: 2dfa3bff-9a27-46db-ab75-7faefdaca732
Windows
T1003.004 Dumping LSA Secrets
GUID: 55295ab0-a703-433b-9ca4-ae13807de12f
Windows
T1003.003 Create Volume Shadow Copy with diskshadow
GUID: b385996c-0e7d-4e27-95a4-aca046b119a7
Windows
T1003.003 Create Symlink to Volume Shadow Copy
GUID: 21748c28-2793-4284-9e07-d6d028b66702
Windows
T1003.003 Create Volume Shadow Copy remotely (WMI) with esentutl
GUID: 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865
Windows
T1003.003 Create Volume Shadow Copy remotely with WMI
GUID: d893459f-71f0-484d-9808-ec83b2b64226
Windows
T1003.003 Create Volume Shadow Copy with WMI
GUID: 224f7de0-8f0a-4a94-b5d8-989b036c86da
Windows
T1003.003 Copy NTDS.dit from Volume Shadow Copy
GUID: c6237146-9ea6-4711-85c9-c56d263a6b03
Windows
T1003.003 Create Volume Shadow Copy with vssadmin
GUID: dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f
Windows
T1003.002 dump volume shadow copy hives with certutil
GUID: eeb9751a-d598-42d3-b11c-c122d9c3f6c7
Windows
T1003.002 esentutl.exe SAM copy
GUID: a90c2f4d-6726-444e-99d2-a00cd7c20480
Windows
T1003.002 Registry dump of SAM, creds, and secrets
GUID: 5c2571d0-1572-416d-9676-812e64ca9f44
Windows
    N/A
T1003.001 Powershell Mimikatz
GUID: 66fb0bc1-3c3f-47e9-a298-550ecfefacbc
Windows
T1562.001 Kill antimalware protected processes using Backstab
GUID: 24a12b91-05a7-4deb-8d7f-035fa98591bc
Windows
    N/A
T1562.001 Uninstall Crowdstrike Falcon on Windows
GUID: b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297
Windows
    N/A
T1562.001 Remove Windows Defender Definition Files
GUID: 3d47daaa-2f56-43e0-94cc-caf5d8d52a68
Windows
    N/A
T1562.001 Tamper with Windows Defender Command Prompt
GUID: aa875ed4-8935-47e2-b2c5-6ec00ab220d2
Windows
    N/A
T1562.001 Disable Arbitrary Security Windows Service
GUID: a1230893-56ac-4c81-b644-2108e982f8f5
Windows
    N/A
T1562.001 AMSI Bypass - AMSI InitFailed
GUID: 695eed40-e949-40e5-b306-b4031e4154bd
Windows
    N/A
T1562.001 Unload Sysmon Filter Driver
GUID: 811b3e76-c41b-430c-ac0d-e2380bfaa164
Windows
    N/A
T1562 Windows Disable LSA Protection
GUID: 40075d5f-3a70-4c66-9125-f72bee87247d
Windows
    N/A
T1560.001 Compress Data and lock with password for Exfiltration with winzip
GUID: 01df0353-d531-408d-a0c5-3161bf822134
Windows
    N/A
T1560.001 Compress Data and lock with password for Exfiltration with winrar
GUID: 8dd61a55-44c6-43cc-af0c-8bdda276860c
Windows
    N/A
T1555.004 Access Saved Credentials via VaultCmd
GUID: 9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439
Windows
    N/A
T1555.003 Dump Chrome Login Data with esentutl
GUID: 70422253-8198-4019-b617-6be401b49fce
Windows
    N/A
T1555.003 Simulating access to Windows Edge Login Data
GUID: a6a5ec26-a2d1-4109-9d35-58b867689329
Windows
    N/A
T1555.003 Simulating access to Windows Firefox Login Data
GUID: eb8da98a-2e16-4551-b3dd-83de49baa14c
Windows
    N/A
T1555.003 Simulating access to Opera Login Data
GUID: 28498c17-57e4-495a-b0be-cc1e36de408b
Windows
    N/A
T1555.003 Simulating access to Chrome Login Data
GUID: 3d111226-d09a-4911-8715-fe11664f960d
Windows
    N/A
T1555.003 LaZagne - Credentials from Browser
GUID: 9a2915b3-3954-4cce-8c76-00fbf4dbd014
Windows
    N/A
T1555.003 Run Chrome-password Collector
GUID: 8c05b133-d438-47ca-a630-19cc464c4622
Windows
    N/A
T1555 Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]
GUID: bc071188-459f-44d5-901a-f8f2625b2d2e
Windows
    N/A
T1555 Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]
GUID: 36753ded-e5c4-4eb5-bc3c-e8fba236878d
Windows
    N/A
T1555 Dump credentials from Windows Credential Manager With PowerShell [web Credentials]
GUID: 8fd5a296-6772-4766-9991-ff4e92af7240
Windows
    N/A
T1555 Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]
GUID: c89becbe-1758-4e7d-a0f4-97d2188a23e3
Windows
    N/A
T1553.004 Add Root Certificate to CurrentUser Certificate Store
GUID: ca20a3f1-42b5-4e21-ad3f-1049199ec2e0
Windows
    N/A
T1553.003 SIP (Subject Interface Package) Hijacking via Custom DLL
GUID: e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675
Windows
    N/A
T1552.006 GPP Passwords (Get-GPPPassword)
GUID: e9584f82-322c-474a-b831-940fd8b4455c
Windows
    N/A
T1552.004 Export Certificates with Mimikatz
GUID: 290df60e-4b5d-4a5e-b0c7-dc5348ea0c86
Windows
    N/A
T1552.004 CertUtil ExportPFX
GUID: 336b25bf-4514-4684-8924-474974f28137
Windows
    N/A
T1552.002 Enumeration for PuTTY Credentials in Registry
GUID: af197fd7-e868-448e-9bd5-05d1bcd9d9e5
Windows
    N/A
T1552.002 Enumeration for Credentials in Registry
GUID: b6ec082c-7384-46b3-a111-9a9b8b14e5e7
Windows
    N/A
T1548.002 Bypass UAC using Fodhelper
GUID: 58f641ea-12e3-499a-b684-44dee46bd182
Windows
    N/A
T1547.009 Shortcut Modification
GUID: ce4fc678-364f-4282-af16-2fb4c78005ce
Windows
    N/A
T1547.001 Creating Boot Verification Program Key for application execution during successful boot
GUID: 6e1666d5-3f2b-4b9a-80aa-f011322380d4
Windows
    N/A
T1547.001 Reg Key RunOnce
GUID: 554cbd88-cde1-4b56-8168-0be552eed9eb
Windows
    N/A
T1547.001 Reg Key Run
GUID: e55be3fd-3521-4610-9d1a-e210e42dcf05
Windows
    N/A
T1547 Driver Installation Using pnputil.exe
GUID: 5cb0b071-8a5a-412f-839d-116beb2ed9f7
Windows
    N/A
T1547 Add a driver
GUID: cb01b3da-b0e7-4e24-bf6d-de5223526785
Windows
    N/A
T1546.011 New shim database files created in the default shim database directory
GUID: aefd6866-d753-431f-a7a4-215ca7e3f13d
Windows
    N/A
T1546.011 Application Shim Installation
GUID: 9ab27e22-ee62-4211-962b-d36d9a0e6a18
Windows
    N/A
T1546.008 Create Symbolic Link From osk.exe to cmd.exe
GUID: 51ef369c-5e87-4f33-88cd-6d61be63edf2
Windows
    N/A
T1546.008 Replace binary of sticky keys
GUID: 934e90cf-29ca-48b3-863c-411737ad44e3
Windows
    N/A
T1546.007 Netsh Helper DLL Registration
GUID: 3244697d-5a3a-4dfc-941c-550f69f91a4d
Windows
    N/A
T1546.002 Set Arbitrary Binary as Screensaver
GUID: 281201e7-de41-4dc9-b73d-f288938cbb64
Windows
    N/A
T1546.001 Change Default File Association
GUID: 10a08978-2045-4d62-8c42-1957bbbea102
Windows
    N/A
T1546 Persistence via ErrorHandler.cmd script execution
GUID: 547a4736-dd1c-4b48-b4fe-e916190bb2e7
Windows
    N/A
T1543.003 TinyTurla backdoor service w64time
GUID: ef0581fd-528e-4662-87bc-4c2affb86940
Windows
    N/A
T1543.003 Service Installation PowerShell
GUID: 491a4af6-a521-4b74-b23b-f7b3f1ee9e77
Windows
    N/A
T1543.003 Service Installation CMD
GUID: 981e2942-e433-44e9-afc1-8c957a1496b6
Windows
    N/A
T1543.003 Modify Fax service to run PowerShell
GUID: ed366cde-7d12-49df-a833-671904770b9f
Windows
    N/A
T1518.001 Security Software Discovery - AV Discovery via WMI
GUID: 1553252f-14ea-4d3b-8a08-d7a4211aa945
Windows
    N/A
T1518.001 Security Software Discovery - Sysmon Service
GUID: fe613cf3-8009-4446-9a0f-bc78a15b66c9
Windows
    N/A
T1518.001 Security Software Discovery
GUID: f92a380f-ced9-491f-b338-95a991418ce2
Windows
    N/A
T1518 Find and Display Internet Explorer Browser Version
GUID: 68981660-6670-47ee-a5fa-7e74806420a4
Windows
    N/A
T1505.003 Web Shell Written to Disk
GUID: 0a2ce662-1efa-496f-a472-2fe7b080db16
Windows
    N/A
T1505.002 Install MS Exchange Transport Agent Persistence
GUID: 43e92449-ff60-46e9-83a3-1a38089df94d
Windows
    N/A
T1490 Modify VSS Service Permissions
GUID: a4420f93-5386-4290-b780-f4f66abc7070
Windows
    N/A
T1490 Windows - vssadmin Resize Shadowstorage Volume
GUID: da558b07-69ae-41b9-b9d4-4d98154a7049
Windows
    N/A
T1490 Windows - Disable the SR scheduled task
GUID: 1c68c68d-83a4-4981-974e-8993055fa034
Windows
    N/A
T1490 Windows - Delete Backup Files
GUID: 6b1dbaf6-cc8a-4ea6-891f-6058569653bf
Windows
    N/A
T1490 Windows - Delete Volume Shadow Copies via WMI with PowerShell
GUID: 39a295ca-7059-4a88-86f6-09556c1211e7
Windows
    N/A
T1490 Windows - Disable Windows Recovery Console Repair
GUID: cf21060a-80b3-4238-a595-22525de4ab81
Windows
    N/A
T1490 Windows - Delete Volume Shadow Copies via WMI
GUID: 6a3ff8dd-f49c-4272-a658-11c2fe58bd88
Windows
    N/A
T1490 Windows - Delete Volume Shadow Copies
GUID: 43819286-91a9-4369-90ed-d31fb4da2c01
Windows
    N/A
T1489 Windows - Stop service by killing process
GUID: f3191b84-c38b-400b-867e-3a217a27795f
Windows
    N/A
T1489 Windows - Stop service using net.exe
GUID: 41274289-ec9c-4213-bea4-e43c4aa57954
Windows
    N/A
T1489 Windows - Stop service using Service Controller
GUID: 21dfb440-830d-4c86-a3e5-2a491d5a8d04
Windows
    N/A
T1486 PureLocker Ransom Note
GUID: 649349c7-9abf-493b-a7a2-b1aa4d141528
Windows
    N/A
T1485 Overwrite deleted data on C drive
GUID: 321fd25e-0007-417f-adec-33232252be19
Windows
    N/A
T1482 Adfind - Enumerate Active Directory Trusts
GUID: 15fe436d-e771-4ff3-b655-2dca9ba52834
Windows
    N/A
T1482 Windows - Discover domain trusts with nltest
GUID: 2e22641d-0498-48d2-b9ff-c71e496ccdbe
Windows
    N/A
T1222.001 Grant Full Access to folder for Everyone - Ryuk Ransomware Style
GUID: ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6
Windows
    N/A
T1222.001 attrib - hide file
GUID: 32b979da-7b68-42c9-9a99-0e39900fc36c
Windows
    N/A
T1222.001 attrib - Remove read-only attribute
GUID: bec1e95c-83aa-492e-ab77-60c71bbd21b0
Windows
    N/A
T1222.001 cacls - Grant permission to specified user or group recursively
GUID: a8206bcc-f282-40a9-a389-05d9c0263485
Windows
    N/A
T1222.001 Take ownership using takeown utility
GUID: 98d34bb4-6e75-42ad-9c41-1dae7dc6a001
Windows
    N/A
T1222 Enable Local and Remote Symbolic Links via fsutil
GUID: 6c4ac96f-d4fa-44f4-83ca-56d8f4a55c02
Windows
    N/A
T1220 WMIC bypass using remote XSL file
GUID: 7f5be499-33be-4129-a560-66021f379b9b
Windows
    N/A
T1220 WMIC bypass using local XSL file
GUID: 1b237334-3e21-4a0c-8178-b8c996124988
Windows
    N/A
T1218.011 Rundll32 execute payload by calling RouteTheCall
GUID: 8a7f56ee-10e7-444c-a139-0109438288eb
Windows
    N/A
T1218.011 Rundll32 execute command via FileProtocolHandler
GUID: f3ad3c5b-1db1-45c1-81bf-d3370ebab6c8
Windows
    N/A
T1218.011 Running DLL with .init extension and function
GUID: 2d5029f0-ae20-446f-8811-e7511b58e8b6
Windows
    N/A
T1218.011 Rundll32 with desk.cpl
GUID: 83a95136-a496-423c-81d3-1c6750133917
Windows
    N/A
T1218.011 Launches an executable using Rundll32 and pcwutl.dll
GUID: 9f5d081a-ee5a-42f9-a04e-b7bdc487e676
Windows
    N/A
T1218.011 Execution of HTA and VBS Files using Rundll32 and URL.dll
GUID: 22cfde89-befe-4e15-9753-47306b37a6e3
Windows
    N/A
T1218.011 Rundll32 execute VBscript command
GUID: 638730e7-7aed-43dc-bf8c-8117f805f5bb
Windows
    N/A
T1218.011 Rundll32 execute JavaScript Remote Payload With GetObject
GUID: 57ba4ce9-ee7a-4f27-9928-3c70c489b59d
Windows
    N/A
T1218.010 Regsvr32 Silent DLL Install Call DllRegisterServer
GUID: 9d71c492-ea2e-4c08-af16-c6994cdf029f
Windows
    N/A
T1218.007 Msiexec.exe - Execute Local MSI file with an embedded EXE
GUID: ed3fa08a-ca18-4009-973e-03d13014d0e8
Windows
    N/A
T1218.007 Msiexec.exe - Execute Local MSI file with an embedded DLL
GUID: 628fa796-76c5-44c3-93aa-b9d8214fd568
Windows
    N/A
T1218.007 Msiexec.exe - Execute Local MSI file with embedded VBScript
GUID: 8d73c7b0-c2b1-4ac1-881a-4aa644f76064
Windows
    N/A
T1218.007 Msiexec.exe - Execute Local MSI file with embedded JScript
GUID: a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04
Windows
    N/A
T1218.005 Mshta used to Execute PowerShell
GUID: 8707a805-2b76-4f32-b1c0-14e558205772
Windows
    N/A
T1218.005 Mshta executes VBScript to execute malicious command
GUID: 906865c3-e05f-4acc-85c4-fbc185455095
Windows
    N/A
T1218.005 Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
GUID: 1483fab9-4f52-4217-a9ce-daa9d7747cae
Windows
    N/A
T1218.003 CMSTP Executing UAC Bypass
GUID: 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0
Windows
    N/A
T1218.003 CMSTP Executing Remote Scriptlet
GUID: 34e63321-9683-496b-bbc1-7566bc55e624
Windows
    N/A
T1218 System Binary Proxy Execution - Wlrmdr Lolbin
GUID: 7816c252-b728-4ea6-a683-bd9441ca0b71
Windows
    N/A
T1218 Provlaunch.exe Executes Arbitrary Command via Registry Key
GUID: ab76e34f-28bf-441f-a39c-8db4835b89cc
Windows
    N/A
T1218 Lolbas ie4uinit.exe use as proxy
GUID: 13c0804e-615e-43ad-b223-2dfbacd0b0b3
Windows
    N/A
T1218 Lolbin Gpscript startup option
GUID: f8da74bb-21b8-4af9-8d84-f2c8e4a220e3
Windows
    N/A
T1218 Lolbin Gpscript logon option
GUID: 5bcda9cd-8e85-48fa-861d-b5a85d91d48c
Windows
    N/A
T1218 Load Arbitrary DLL via Wuauclt (Windows Update Client)
GUID: 49fbd548-49e9-4bb7-94a6-3769613912b8
Windows
    N/A
T1218 Invoke-ATHRemoteFXvGPUDisablementCommand base test
GUID: 9ebe7901-7edf-45c0-b5c7-8366300919db
Windows
    N/A
T1218 Microsoft.Workflow.Compiler.exe Payload Execution
GUID: 7cbb0f26-a4c1-4f77-b180-a009aa05637e
Windows
    N/A
T1218 InfDefaultInstall.exe .inf Execution
GUID: 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef
Windows
    N/A
T1218 Register-CimProvider - Execute evil dll
GUID: ad2c17ed-f626-4061-b21e-b9804a6f3655
Windows
    N/A
T1217 List Internet Explorer Bookmarks using the command prompt
GUID: 727dbcdb-e495-4ab1-a6c4-80c7f77aef85
Windows
    N/A
T1217 List Mozilla Firefox bookmarks on Windows with command prompt
GUID: 4312cdbc-79fc-4a9c-becc-53d49c734bc5
Windows
    N/A
T1217 List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt
GUID: 76f71e2f-480e-4bed-b61e-398fe17499d5
Windows
    N/A
T1216.001 PubPrn.vbs Signed Script Bypass
GUID: 9dd29a1f-1e16-4862-be83-913b10a88f6c
Windows
    N/A
T1216 manage-bde.wsf Signed Script Command Execution
GUID: 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a
Windows
    N/A
T1204.002 LNK Payload Download
GUID: 581d7521-9c4b-420e-9695-2aec5241167f
Windows
    N/A
T1204.002 Potentially Unwanted Applications (PUA)
GUID: 02f35d62-9fdc-4a97-b899-a5d9a876d295
Windows
    N/A
T1204.002 OSTap Payload Download
GUID: 3f3af983-118a-4fa1-85d3-ba4daa739d80
Windows
    N/A
T1202 Indirect Command Execution - Scriptrunner.exe
GUID: 0fd14730-6226-4f5e-8d67-43c65f1be940
Windows
    N/A
T1202 Indirect Command Execution - forfiles.exe
GUID: 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc
Windows
    N/A
T1202 Indirect Command Execution - pcalua.exe
GUID: cecfea7a-5f03-4cdd-8bc8-6f7c22862440
Windows
    N/A
T1201 Use of SecEdit.exe to export the local security policy (including the password policy)
GUID: 510cc97f-56ac-4cd3-a198-d3218c23d889
Windows
    N/A
T1201 Examine local password policy - Windows
GUID: 4588d243-f24e-4549-b2e3-e627acc089f6
Windows
    N/A
T1187 Trigger an authenticated RPC call to a target server with no Sign flag set
GUID: 81cfdd7f-1f41-4cc5-9845-bb5149438e37
Windows
    N/A
T1187 PetitPotam
GUID: 485ce873-2e65-4706-9c7e-ae3ab9e14213
Windows
    N/A
T1140 Certutil Rename and Decode
GUID: 71abc534-3c05-4d0c-80f7-cbe93cb2aa94
Windows
    N/A
T1140 Deobfuscate/Decode Files Or Information
GUID: dc6fe391-69e6-4506-bd06-ea5eeb4082f8
Windows
    N/A
T1137 Office Application Startup - Outlook as a C2
GUID: bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c
Windows
    N/A
T1135 PowerView ShareFinder
GUID: d07e4cc1-98ae-447e-9d31-36cb430d28c4
Windows
    N/A
T1135 View available share drives
GUID: ab39a04f-0c93-4540-9ff2-83f862c385ae
Windows
    N/A
T1135 Network Share Discovery command prompt
GUID: 20f1097d-81c1-405c-8380-32174d493bbb
Windows
    N/A
T1134.004 Parent PID Spoofing - Spawn from Specified Process
GUID: cbbff285-9051-444a-9d17-c07cd2d230eb
Windows
    N/A
T1127 Lolbin Jsc.exe compile javascript to dll
GUID: 3fc9fea2-871d-414d-8ef6-02e85e322b80
Windows
    N/A
T1127 Lolbin Jsc.exe compile javascript to exe
GUID: 1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8
Windows
    N/A
T1124 System Time Discovery
GUID: 20aba24b-e61f-4b26-b4ce-4784f763ca20
Windows
    N/A
T1123 using device audio capture commandlet
GUID: 9c3ad250-b185-4444-b5a9-d69218a10c95
Windows
    N/A
T1120 Peripheral Device Discovery via fsutil
GUID: 424e18fd-48b8-4201-8d3a-bf591523a686
Windows
    N/A
T1119 Recon information for export with Command Prompt
GUID: aa1180e2-f329-4e1e-8625-2472ec0bfaf3
Windows
    N/A
T1119 Automated Collection Command Prompt
GUID: cb379146-53f1-43e0-b884-7ce2c635ff5b
Windows
    N/A
T1115 Utilize Clipboard to store or execute commands from
GUID: 0cd14633-58d4-4422-9ede-daa2c9474ae7
Windows
    N/A
T1113 Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
GUID: 5a496325-0115-4274-8eb9-755b649ad0fb
Windows
    N/A
T1112 Modify UseTPMKeyPIN Registry entry
GUID: 02d8b9f7-1a51-4011-8901-2d55cca667f9
Windows
    N/A
T1112 Modify UseTPMKey Registry entry
GUID: c8480c83-a932-446e-a919-06a1fd1e512a
Windows
    N/A
T1112 Modify UseTPMPIN Registry entry
GUID: 10b33fb0-c58b-44cd-8599-b6da5ad6384c
Windows
    N/A
T1112 Modify EnableBDEWithNoTPM Registry entry
GUID: bacb3e73-8161-43a9-8204-a69fe0e4b482
Windows
    N/A
T1112 Requires the BitLocker PIN for Pre-boot authentication
GUID: 26fc7375-a551-4336-90d7-3f2817564304
Windows
    N/A
T1112 Disable Windows Remote Desktop Protocol
GUID: 5f8e36de-37ca-455e-b054-a2584f043c06
Windows
    N/A
T1112 Enable RDP via Registry (fDenyTSConnections)
GUID: 16bdbe52-371c-4ccf-b708-79fba61f1db4
Windows
    N/A
T1112 Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.
GUID: ffeddced-bb9f-49c6-97f0-3d07a509bf94
Windows
    N/A
T1112 Modify Internet Zone Protocol Defaults in Current User Registry - cmd
GUID: c88ef166-50fa-40d5-a80c-e2b87d4180f7
Windows
    N/A
T1112 Tamper Win Defender Protection
GUID: 3b625eaa-c10d-4635-af96-3eae7d2a2f3c
Windows
    N/A
T1112 Enabling Remote Desktop Protocol via Remote Registry
GUID: e3ad8e83-3089-49ff-817f-e52f8c948090
Windows
    N/A
T1112 Mimic Ransomware - Allow Multiple RDP Sessions per User
GUID: 35727d9e-7a7f-4d0c-a259-dc3906d6e8b9
Windows
    N/A
T1112 Disable Windows Error Reporting Settings
GUID: d2c9e41e-cd86-473d-980d-b6403562e3e1
Windows
    N/A
T1112 Ursnif Malware Registry Key Creation
GUID: c375558d-7c25-45e9-bd64-7b23a97c1db0
Windows
    N/A
T1112 NetWire RAT Registry Key Creation
GUID: 65704cd4-6e36-4b90-b6c1-dc29a82c8e56
Windows
    N/A
T1112 Suppress Win Defender Notifications
GUID: c30dada3-7777-4590-b970-dc890b8cf113
Windows
    N/A
T1112 Windows Add Registry Value to Load Service in Safe Mode with Network
GUID: c173c948-65e5-499c-afbe-433722ed5bd4
Windows
    N/A
T1112 Windows Add Registry Value to Load Service in Safe Mode without Network
GUID: 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5
Windows
    N/A
T1112 Windows Powershell Logging Disabled
GUID: 95b25212-91a7-42ff-9613-124aca6845a8
Windows
    N/A
T1112 Modify registry to store logon credentials
GUID: c0413fb5-33e2-40b7-9b6f-60b29f4a7a18
Windows
    N/A
T1112 Modify Registry of Local Machine - cmd
GUID: 282f929a-6bc5-42b8-bd93-960c3ba35afe
Windows
    N/A
T1110.001 Password Brute User using Kerbrute Tool
GUID: 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4
Windows
    N/A
T1105 iwr or Invoke Web-Request download
GUID: c01cad7f-7a4c-49df-985e-b190dcf6a279
Windows
    N/A
T1105 Download a file using wscript
GUID: 97116a3f-efac-4b26-8336-b9cb18c45188
Windows
    N/A
T1105 certreq download
GUID: 6fdaae87-c05b-42f8-842e-991a74e8376b
Windows
    N/A
T1105 Lolbas replace.exe use to copy UNC file
GUID: ed0335ac-0354-400c-8148-f6151d20035a
Windows
    N/A
T1105 Lolbas replace.exe use to copy file
GUID: 54782d65-12f0-47a5-b4c1-b70ee23de6df
Windows
    N/A
T1105 Printer Migration Command-Line Tool UNC share folder into a zip file
GUID: 49845fc1-7961-4590-a0f0-3dbcf065ae7e
Windows
    N/A
T1105 Download a file with IMEWDBLD.exe
GUID: 1a02df58-09af-4064-a765-0babe1a0d1e2
Windows
    N/A
T1105 File download with finger.exe on Windows
GUID: 5f507e45-8411-4f99-84e7-e38530c45d01
Windows
    N/A
T1105 Download a File with Windows Defender MpCmdRun.exe
GUID: 815bef8b-bf91-4b67-be4c-abe4c2a94ccc
Windows
    N/A
T1105 svchost writing a file to a UNC path
GUID: fa5a2759-41d7-4e13-a19c-e8f28a53566f
Windows
    N/A
T1105 OSTAP Worming Activity
GUID: 2ca61766-b456-4fcf-a35a-1233685e1cad
Windows
    N/A
T1090.001 portproxy reg key
GUID: b8223ea9-4be2-44a6-b50a-9657a3d4e72a
Windows
    N/A
T1087.002 Enumerate Linked Policies In ADSISearcher Discovery
GUID: 7ab0205a-34e4-4a44-9b04-e1541d1a57be
Windows
    N/A
T1087.002 Enumerate Active Directory Users with ADSISearcher
GUID: 02e8be5a-3065-4e54-8cc8-a14d138834d3
Windows
    N/A
T1087.002 Adfind - Enumerate Active Directory Exchange AD Objects
GUID: 5e2938fb-f919-47b6-8b29-2f6a1f718e99
Windows
    N/A
T1087.002 Adfind - Enumerate Active Directory Admins
GUID: b95fd967-4e62-4109-b48d-265edfd28c3a
Windows
    N/A
T1087.002 Adfind -Listing password policy
GUID: 736b4f53-f400-4c22-855d-1a6b5a551600
Windows
    N/A
T1087.002 Automated AD Recon (ADRecon)
GUID: 95018438-454a-468c-a0fa-59c800149b59
Windows
    N/A
T1083 File and Directory Discovery (cmd.exe)
GUID: 0e36303b-6762-4500-b003-127743b80ba6
Windows
    N/A
T1082 System Information Discovery
GUID: 4060ee98-01ae-4c8e-8aad-af8300519cc7
Windows
    N/A
T1082 Griffon Recon
GUID: 69bd4abe-8759-49a6-8d21-0f15822d6370
Windows
    N/A
T1082 Windows MachineGUID Discovery
GUID: 224b4daf-db44-404e-b6b2-f4d1f0126ef8
Windows
    N/A
T1082 System Information Discovery
GUID: 66703791-c902-4560-8770-42b8a91f7667
Windows
    N/A
T1078.003 Create local account with admin privileges
GUID: a524ce99-86de-4db6-b4f9-e08f35a47a15
Windows
    N/A
T1078.001 Enable Guest account with RDP capability and admin privileges
GUID: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
Windows
    N/A
T1074.001 Zip a Folder with PowerShell for Staging in Temp
GUID: a57fbe4b-3440-452a-88a7-943531ac872a
Windows
    N/A
T1074.001 Stage data from Discovery.bat
GUID: 107706a5-6f9f-451a-adae-bab8c667829f
Windows
    N/A
T1071.001 Malicious User Agents - CMD
GUID: dc3488b0-08c7-4fea-b585-905c83b48180
Windows
    N/A
T1070.005 Remove Network Share
GUID: 09210ad5-1ef2-4077-9ad3-7351e13e9222
Windows
    N/A
T1070.005 Add Network Share
GUID: 14c38f32-6509-46d8-ab43-d53e32d2b131
Windows
    N/A
T1070.004 Delete Prefetch File
GUID: 36f96049-0ad7-4a5f-8418-460acaeb92fb
Windows
    N/A
T1070.004 Delete a single file - Windows cmd
GUID: 861ea0b4-708a-4d17-848d-186c9c7f17e3
Windows
    N/A
T1070.001 Clear Logs
GUID: e6abb60e-26b8-41da-8aae-0c35174b0967
Windows
    N/A
T1070 Indicator Removal using FSUtil
GUID: b4115c7a-0e92-47f0-a61e-17e7218b2435
Windows
    N/A
T1069.002 Enumerate Active Directory Groups with ADSISearcher
GUID: 9f4e344b-8434-41b3-85b1-d38f29d148d0
Windows
    N/A
T1059.007 JScript execution to gather local computer information via wscript
GUID: 0709945e-4fec-4c49-9faf-c3c292a74484
Windows
    N/A
T1059.007 JScript execution to gather local computer information via cscript
GUID: 01d75adf-ca1b-4dd1-ac96-7c9550ad1035
Windows
    N/A
T1059.005 Visual Basic script execution to gather local computer information
GUID: 1620de42-160a-4fe5-bbaf-d3fef0181ce9
Windows
    N/A
T1059.003 Command prompt writing script to file then executes it
GUID: 00682c9f-7df4-4df8-950b-6dcaaa3ad9af
Windows
    N/A
T1059.003 Command Prompt read contents from CMD file and execute
GUID: df81db1b-066c-4802-9bc8-b6d030c3ba8e
Windows
    N/A
T1059.003 Writes text to a file and displays it.
GUID: 127b4afe-2346-4192-815c-69042bec570e
Windows
    N/A
T1059.001 PowerShell Invoke Known Malicious Cmdlets
GUID: 49eb9404-5e0f-4031-a179-b40f7be385e3
Windows
    N/A
T1059.001 PowerShell Command Execution
GUID: a538de64-1c74-46ed-aa60-b995ed302598
Windows
    N/A
T1059.001 Mimikatz - Cradlecraft PsSendKeys
GUID: af1800cf-9f9d-4fd1-a709-14b1e6de020d
Windows
    N/A
T1057 Discover Specific Process - tasklist
GUID: 11ba69ee-902e-4a0f-b3b6-418aed7d7ddb
Windows
    N/A
T1057 Process Discovery - wmic process
GUID: 640cbf6d-659b-498b-ba53-f6dd1a1cc02c
Windows
    N/A
T1057 Process Discovery - tasklist
GUID: c5806a4f-62b8-4900-980b-c7ec004e9908
Windows
    N/A
T1056.004 Hook PowerShell TLS Encrypt/Decrypt Messages
GUID: de1934ea-1fbf-425b-8795-65fb27dd7e33
Windows
    N/A
T1056.001 Input Capture
GUID: d9b633ca-8efb-45e6-b838-70f595c6ae26
Windows
    N/A
T1055 Process Injection with Go using CreateThread WinAPI (Natively)
GUID: 2a3c7035-d14f-467a-af94-933e49fe6786
Windows
    N/A
T1055 Process Injection with Go using CreateThread WinAPI
GUID: 2871ed59-3837-4a52-9107-99500ebc87cb
Windows
    N/A
T1055 Remote Process Injection in LSASS via mimikatz
GUID: 3203ad24-168e-4bec-be36-f79b13ef8a83
Windows
    N/A
T1053.005 Scheduled Task Executing Base64 Encoded Commands From Registry
GUID: e895677d-4f06-49ab-91b6-ae3742d0a2ba
Windows
    N/A
T1053.005 Scheduled task Local
GUID: 42f53695-ad4a-4546-abb6-7d837f644a71
Windows
    N/A
T1053.002 At.exe Scheduled task
GUID: 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8
Windows
    N/A
T1047 WMI Reconnaissance Software
GUID: 718aebaa-d0e0-471a-8241-c5afa69c7414
Windows
    N/A
T1047 WMI Reconnaissance Processes
GUID: 5750aa16-0e59-4410-8b9a-8a47ca2788e2
Windows
    N/A
T1040 Windows Internal pktmon set filter
GUID: 855fb8b4-b8ab-4785-ae77-09f5df7bff55
Windows
    N/A
T1040 Windows Internal Packet Capture
GUID: b5656f67-d67f-4de8-8e62-b5581630f528
Windows
    N/A
T1039 Copy a sensitive File over Administrative share with Powershell
GUID: 7762e120-5879-44ff-97f8-008b401b9a98
Windows
    N/A
T1039 Copy a sensitive File over Administrative share with copy
GUID: 6ed67921-1774-44ba-bac6-adb51ed60660
Windows
    N/A
T1037.001 Logon Scripts
GUID: d6042746-07d4-4c92-9ad8-e644c114a231
Windows
    N/A
T1036.007 File Extension Masquerading
GUID: c7fa0c3b-b57f-4cba-9118-863bf4e653fc
Windows
    N/A
T1036.004 Creating W32Time similar named service using sc
GUID: b721c6ef-472c-4263-a0d9-37f1f4ecff66
Windows
    N/A
T1036.003 Malicious process Masquerading as LSM.exe
GUID: 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f
Windows
    N/A
T1036.003 Masquerading - powershell.exe running as taskhostw.exe
GUID: ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa
Windows
    N/A
T1036.003 Masquerading - cscript.exe running as notepad.exe
GUID: 3a2a578b-0a01-46e4-92e3-62e2859b42f0
Windows
    N/A
T1036.003 Masquerading as Windows LSASS process
GUID: 5ba5a3d1-cf3c-4499-968a-a93155d1f717
Windows
    N/A
T1033 System Owner/User Discovery
GUID: 4c4959bf-addf-4b4a-be86-8d09cc1857aa
Windows
    N/A
T1027 Execution from Compressed JScript File
GUID: fad04df1-5229-4185-b016-fb6010cd87ac
Windows
    N/A
T1027 DLP Evasion via Sensitive Data in VBA Macro over HTTP
GUID: e2d85e66-cb66-4ed7-93b1-833fc56c9319
Windows
    N/A
T1021.001 Disable NLA for RDP via Command Prompt
GUID: 01d1c6c0-faf0-408e-b368-752a02285cb2
Windows
    N/A
T1021.001 Changing RDP Port to Non Standard Port via Command_Prompt
GUID: 74ace21e-a31c-4f7d-b540-53e4eb6d1f73
Windows
    N/A
T1018 Enumerate Remote Hosts with Netscan
GUID: b8147c9a-84db-4ec1-8eee-4e0da75f0de5
Windows
    N/A
T1018 Enumerate Active Directory Computers with ADSISearcher
GUID: 64ede6ac-b57a-41c2-a7d1-32c6cd35397d
Windows
    N/A
T1018 Remote System Discovery - ping sweep
GUID: 6db1f57f-d1d5-4223-8a66-55c9c65a9592
Windows
    N/A
T1016.002 Enumerate Stored Wi-Fi Profiles And Passwords via netsh
GUID: 53cf1903-0fa7-4177-ab14-f358ae809eec
Windows
    N/A
T1016 System Network Configuration Discovery (TrickBot Style)
GUID: dafaf052-5508-402d-bf77-51e0700c02e2
Windows
    N/A
T1016 System Network Configuration Discovery on Windows
GUID: 970ab6a1-0157-4f3f-9a73-ec4166754b23
Windows
    N/A
T1007 System Service Discovery - net.exe
GUID: 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3
Windows
    N/A
T1007 System Service Discovery
GUID: 89676ba1-b1f8-47ee-b940-2e1a113ebc71
Windows
    N/A
T1003.006 Run DSInternals Get-ADReplAccount
GUID: a0bced08-3fc5-4d8b-93b7-e8344739376e
Windows
    N/A
T1003.005 Cached Credential Dump via Cmdkey
GUID: 56506854-89d6-46a3-9804-b7fde90791f9
Windows
    N/A
T1003.003 Create Volume Shadow Copy with Powershell
GUID: 542bb97e-da53-436b-8e43-e0a7d31a6c24
Windows
    N/A
T1003.003 Dump Active Directory Database with NTDSUtil
GUID: 2364e33d-ceab-4641-8468-bfb1d7cc2723
Windows
    N/A
T1003.001 Dump LSASS.exe Memory through Silent Process Exit
GUID: eb5adf16-b601-4926-bca7-dad22adffb37
Windows
    N/A
T1003.001 Dump LSASS.exe using imported Microsoft DLLs
GUID: 86fc3f40-237f-4701-b155-81c01c48d697
Windows
    N/A
T1003.001 Create Mini Dump of LSASS.exe using ProcDump
GUID: 7cede33f-0acd-44ef-9774-15511300b24b
Windows
    N/A
T1003.001 Offline Credential Theft With Mimikatz
GUID: 453acf13-1dbd-47d7-b28a-172ce9228023
Windows
    N/A
T1003.001 Dump LSASS.exe Memory using NanoDump
GUID: dddd4aca-bbed-46f0-984d-e4c5971c51ea
Windows
    N/A
T1003.001 Dump LSASS.exe Memory using comsvcs.dll
GUID: 2536dee2-12fb-459a-8c37-971844fa73be
Windows
    N/A
T1003.001 Dump LSASS.exe Memory using ProcDump
GUID: 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8
Windows
    N/A
T1003 Send NTLM Hash with RPC Test Connection
GUID: 0b207037-813c-4444-ac3f-b597cf280a67
Windows
    N/A
T1003 Dump Credential Manager using keymgr.dll and rundll32.exe
GUID: 84113186-ed3c-4d0d-8a3c-8980c86c1f4a
Windows
    N/A
T1003 Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)
GUID: 42510244-5019-48fa-a0e5-66c3b76e6049
Windows
    N/A
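The listing above is a flattened export of the coverage matrix (technique ID and test name, then the test GUID, the platform, and an "N/A" marker wherever a rule column was empty). The following parser is an added example and is not code from the Atomic Red Team, Sigma or Splunk projects. It assumes the four-line record layout seen above, and, because the export keeps only the "N/A" text of the empty column, it records whether the marker is present rather than guessing which of the two rule columns it came from. The sample input is a few rows copied from the listing plus one constructed row, with a nil placeholder GUID, that has no marker; the constructed row is there only to exercise the no-gap path.

```python
"""Parse the flattened coverage listing into records and summarise gaps.

Added example, not part of the page or of the Atomic Red Team / Sigma /
Splunk projects. Assumed record layout (not stated on the page):
    "<TECH_ID> <test name>"
    "GUID: <uuid>"
    "<platform>"
    optional indented "N/A"   -> one rule column was empty for this test
"""
import re
import uuid
from collections import defaultdict
from dataclasses import dataclass

TECH_RE = re.compile(r"^(T\d{4}(?:\.\d{3})?)\s+(.+?)\s*$")
GUID_RE = re.compile(r"^GUID:\s*([0-9a-fA-F-]{36})\s*$")


@dataclass
class AtomicEntry:
    technique: str
    name: str
    guid: str
    platform: str
    rule_gap: bool  # True when the export shows an "N/A" under a rule column


def parse_coverage(text: str) -> list:
    """Walk the listing record by record. Malformed records raise instead of
    being skipped, so a truncated export is noticed rather than silently
    producing a partial coverage picture."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    entries, i = [], 0
    while i < len(lines):
        m = TECH_RE.match(lines[i])
        if not m:
            raise ValueError(f"expected technique line, got: {lines[i]!r}")
        g = GUID_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if not g:
            raise ValueError(f"missing GUID after: {lines[i]!r}")
        guid = str(uuid.UUID(g.group(1)))  # normalises case, rejects junk
        if i + 2 >= len(lines):
            raise ValueError(f"missing platform after GUID {guid}")
        platform = lines[i + 2].strip()
        i += 3
        gap = i < len(lines) and lines[i].strip() == "N/A"
        if gap:
            i += 1
        entries.append(AtomicEntry(m.group(1), m.group(2), guid, platform, gap))
    return entries


def coverage_by_technique(entries) -> dict:
    """technique -> (number of tests, number of tests with a rule gap)."""
    stats = defaultdict(lambda: [0, 0])
    for e in entries:
        stats[e.technique][0] += 1
        stats[e.technique][1] += e.rule_gap
    return {k: tuple(v) for k, v in stats.items()}


def duplicate_names(entries) -> dict:
    """(technique, name) pairs that map to more than one GUID. The listing
    has two distinct T1082 'System Information Discovery' tests, so the GUID,
    not the name, must be the join key when mapping tests to rules."""
    seen = defaultdict(set)
    for e in entries:
        seen[(e.technique, e.name)].add(e.guid)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


# Rows copied from the listing above, plus one constructed row (nil GUID)
# without the "N/A" marker to exercise the no-gap path.
SAMPLE = """\
T1112 Enable RDP via Registry (fDenyTSConnections)
GUID: 16bdbe52-371c-4ccf-b708-79fba61f1db4
Windows
    N/A
T1082 System Information Discovery
GUID: 4060ee98-01ae-4c8e-8aad-af8300519cc7
Windows
    N/A
T1082 System Information Discovery
GUID: 66703791-c902-4560-8770-42b8a91f7667
Windows
    N/A
T1003.001 Dump LSASS.exe Memory using ProcDump
GUID: 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8
Windows
    N/A
T1059.001 Constructed row with no rule gap marker
GUID: 00000000-0000-0000-0000-000000000000
Windows
"""

if __name__ == "__main__":
    parsed = parse_coverage(SAMPLE)
    for tech, (total, gaps) in sorted(coverage_by_technique(parsed).items()):
        print(f"{tech}: {total} tests, {gaps} with a missing rule")
    for key, guids in duplicate_names(parsed).items():
        print(f"duplicate name {key}: {guids}")
```

Running it over the full listing (paste the rows into `SAMPLE` or read them from a file) gives the per-technique gap count directly; the duplicate-name check is the one to keep when this table is joined against a rule repository by test name.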