| ATT&CK ↕ |
Atomic Attack Name ↕
|
GitHub | Platform |
Sigma Rules
|
Google SecOps Rules
|
|---|---|---|---|---|---|
| T1001.002 | Execute Embedded Script in Image via Steganography |
|
|
||
| T1003 | Send NTLM Hash with RPC Test Connection |
|
|
||
| T1003 | Dump Credential Manager using keymgr.dll and rundll32.exe |
|
|
||
| T1003 | Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config) |
|
|
||
| T1003.001 | Powershell Mimikatz |
|
|
|
|
| T1003.001 | Dump LSASS.exe Memory through Silent Process Exit |
|
|
||
| T1003.001 | Dump LSASS.exe using imported Microsoft DLLs |
|
|
||
| T1003.001 | Create Mini Dump of LSASS.exe using ProcDump |
|
|
||
| T1003.001 | Offline Credential Theft With Mimikatz |
|
|
||
| T1003.001 | Dump LSASS.exe Memory using NanoDump |
|
|
||
| T1003.001 | Dump LSASS.exe Memory using comsvcs.dll |
|
|
||
| T1003.001 | Dump LSASS.exe Memory using ProcDump |
|
|
||
| T1003.002 | dump volume shadow copy hives with certutil |
|
|
||
| T1003.002 | esentutl.exe SAM copy |
|
|
||
| T1003.003 | Create Volume Shadow Copy with diskshadow |
|
|
||
| T1003.003 | Create Symlink to Volume Shadow Copy |
|
|
||
| T1003.003 | Create Volume Shadow Copy remotely (WMI) with esentutl |
|
|
||
| T1003.003 | Create Volume Shadow Copy remotely with WMI |
|
|
||
| T1003.003 | Create Volume Shadow Copy with WMI |
|
|
||
| T1003.003 | Copy NTDS.dit from Volume Shadow Copy |
|
|
||
| T1003.003 | Create Volume Shadow Copy with vssadmin |
|
|
||
| T1003.003 | Create Volume Shadow Copy with Powershell |
|
|
||
| T1003.003 | Dump Active Directory Database with NTDSUtil |
|
|
||
| T1003.004 | Dump Kerberos Tickets from LSA using dumper.ps1 |
|
|
||
| T1003.004 | Dumping LSA Secrets |
|
|
||
| T1003.005 | Cached Credential Dump via Cmdkey |
|
|
||
| T1003.006 | DCSync (Active Directory) |
|
|
||
| T1003.006 | Run DSInternals Get-ADReplAccount |
|
|
||
| T1003.007 | Capture Passwords with MimiPenguin |
|
|
||
| T1003.008 | Access /etc/shadow (Local) |
|
|
||
| T1007 | System Service Discovery - net.exe |
|
|
||
| T1007 | System Service Discovery |
|
|
||
| T1016 | DNS Server Discovery Using nslookup |
|
|
||
| T1016 | Adfind - Enumerate Active Directory Subnet Objects |
|
|
||
| T1016 | System Network Configuration Discovery (TrickBot Style) |
|
|
||
| T1016 | System Network Configuration Discovery on Windows |
|
|
||
| T1016.002 | Enumerate Stored Wi-Fi Profiles And Passwords via netsh |
|
|
||
| T1018 | Remote System Discovery - net group Domain Controller |
|
|
||
| T1018 | Adfind - Enumerate Active Directory Computer Objects |
|
|
||
| T1018 | Remote System Discovery - nltest |
|
|
||
| T1018 | Remote System Discovery - net group Domain Computers |
|
|
||
| T1018 | Remote System Discovery - net |
|
|
||
| T1018 | Enumerate Remote Hosts with Netscan |
|
|
||
| T1018 | Enumerate Active Directory Computers with ADSISearcher |
|
|
||
| T1018 | Remote System Discovery - ping sweep |
|
|
||
| T1021.001 | Disable NLA for RDP via Command Prompt |
|
|
||
| T1021.001 | Changing RDP Port to Non Standard Port via Command_Prompt |
|
|
||
| T1021.002 | Execute command writing output to local Admin Share |
|
|
||
| T1021.002 | Copy and Execute File with PsExec |
|
|
||
| T1021.004 | ESXi - Enable SSH via VIM-CMD |
|
|
||
| T1027 | Execution from Compressed JScript File |
|
|
||
| T1027 | DLP Evasion via Sensitive Data in VBA Macro over HTTP |
|
|
||
| T1033 | System Owner/User Discovery |
|
|
||
| T1036.003 | Masquerading - wscript.exe running as svchost.exe |
|
|
||
| T1036.003 | Malicious process Masquerading as LSM.exe |
|
|
||
| T1036.003 | Masquerading - powershell.exe running as taskhostw.exe |
|
|
||
| T1036.003 | Masquerading - cscript.exe running as notepad.exe |
|
|
||
| T1036.003 | Masquerading as Windows LSASS process |
|
|
||
| T1036.004 | Creating W32Time similar named service using schtasks |
|
|
||
| T1036.004 | Creating W32Time similar named service using sc |
|
|
||
| T1036.007 | File Extension Masquerading |
|
|
||
| T1037.001 | Logon Scripts |
|
|
||
| T1039 | Copy a sensitive File over Administrative share with Powershell |
|
|
||
| T1039 | Copy a sensitive File over Administrative share with copy |
|
|
||
| T1040 | Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo |
|
|
||
| T1040 | Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo |
|
|
||
| T1040 | Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo |
|
|
||
| T1040 | Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo |
|
|
||
| T1040 | Windows Internal pktmon set filter |
|
|
||
| T1040 | Windows Internal Packet Capture |
|
|
||
| T1047 | Application uninstall using WMIC |
|
|
||
| T1047 | WMI Execute rundll32 |
|
|
||
| T1047 | Create a Process using WMI Query and an Encoded Command |
|
|
||
| T1047 | WMI Execute Remote Process |
|
|
||
| T1047 | WMI Execute Local Process |
|
|
||
| T1047 | WMI Reconnaissance List Remote Services |
|
|
||
| T1047 | WMI Reconnaissance Software |
|
|
||
| T1047 | WMI Reconnaissance Processes |
|
|
||
| T1048.002 | Exfiltrate data HTTPS using curl freebsd,linux or macos |
|
|
||
| T1053.002 | At.exe Scheduled task |
|
|
||
| T1053.003 | Cron - Add script to /var/spool/cron/crontabs/ folder |
|
|
||
| T1053.003 | Cron - Add script to all cron subfolders |
|
|
||
| T1053.005 | Scheduled Task ("Ghost Task") via Registry Key Manipulation |
|
|
||
| T1053.005 | Scheduled task Remote |
|
|
||
| T1053.005 | Scheduled Task Startup Script |
|
|
||
| T1053.005 | Scheduled Task Executing Base64 Encoded Commands From Registry |
|
|
||
| T1053.005 | Scheduled task Local |
|
|
||
| T1053.006 | Create Systemd Service and Timer |
|
|
||
| T1055 | Process Injection with Go using CreateThread WinAPI (Natively) |
|
|
||
| T1055 | Process Injection with Go using CreateThread WinAPI |
|
|
||
| T1055 | Remote Process Injection in LSASS via mimikatz |
|
|
||
| T1055.001 | WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique |
|
|
|
|
| T1056.001 | Input Capture |
|
|
||
| T1056.004 | Hook PowerShell TLS Encrypt/Decrypt Messages |
|
|
||
| T1057 | Discover Specific Process - tasklist |
|
|
||
| T1057 | Process Discovery - wmic process |
|
|
||
| T1057 | Process Discovery - tasklist |
|
|
||
| T1059.001 | SOAPHound - Build Cache |
|
|
||
| T1059.001 | SOAPHound - Dump BloodHound Data |
|
|
||
| T1059.001 | ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments |
|
|
||
| T1059.001 | ATHPowerShellCommandLineParameter -EncodedCommand parameter variations |
|
|
||
| T1059.001 | ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments |
|
|
||
| T1059.001 | Powershell MsXml COM object - with prompt |
|
|
||
| T1059.001 | Invoke-AppPathBypass |
|
|
|
|
| T1059.001 | Mimikatz |
|
|
|
|
| T1059.001 | PowerShell Invoke Known Malicious Cmdlets |
|
|
||
| T1059.001 | PowerShell Command Execution |
|
|
||
| T1059.001 | Mimikatz - Cradlecraft PsSendKeys |
|
|
||
| T1059.003 | Command prompt writing script to file then executes it |
|
|
||
| T1059.003 | Command Prompt read contents from CMD file and execute |
|
|
||
| T1059.003 | Writes text to a file and displays it. |
|
|
||
| T1059.004 | Detecting pipe-to-shell |
|
|
||
| T1059.004 | Command-Line Interface |
|
|
||
| T1059.004 | Shell Creation using awk command |
|
|
||
| T1059.005 | Visual Basic script execution to gather local computer information |
|
|
||
| T1059.007 | JScript execution to gather local computer information via wscript |
|
|
||
| T1059.007 | JScript execution to gather local computer information via cscript |
|
|
||
| T1069.001 | Wmic Group Discovery |
|
|
||
| T1069.001 | SharpHound3 - LocalAdmin |
|
|
||
| T1069.001 | Basic Permission Groups Discovery Windows (Local) |
|
|
||
| T1069.002 | Adfind - Query Active Directory Groups |
|
|
||
| T1069.002 | Enumerate Active Directory Groups with ADSISearcher |
|
|
||
| T1070 | Indicator Removal using FSUtil |
|
|
||
| T1070.001 | Clear Logs |
|
|
||
| T1070.002 | Delete system log files via unlink utility (freebsd) |
|
|
||
| T1070.003 | Clear Bash history (rm) |
|
|
||
| T1070.004 | Delete a single file - FreeBSD/Linux/macOS |
|
|
||
| T1070.004 | Delete an entire folder - Windows cmd |
|
|
||
| T1070.004 | Delete Prefetch File |
|
|
||
| T1070.004 | Delete a single file - Windows cmd |
|
|
||
| T1070.005 | Remove Network Share |
|
|
||
| T1070.005 | Add Network Share |
|
|
||
| T1071.001 | Malicious User Agents - CMD |
|
|
||
| T1071.004 | DNS C2 |
|
|
||
| T1074.001 | Stage data from Discovery.sh |
|
|
||
| T1074.001 | Zip a Folder with PowerShell for Staging in Temp |
|
|
||
| T1074.001 | Stage data from Discovery.bat |
|
|
||
| T1078.001 | Activate Guest Account |
|
|
||
| T1078.001 | Enable Guest account with RDP capability and admin privileges |
|
|
||
| T1078.003 | Use PsExec to elevate to NT Authority\SYSTEM account |
|
|
||
| T1078.003 | Create local account with admin privileges |
|
|
||
| T1082 | ESXi - Darkside system information discovery |
|
|
||
| T1082 | ESXi - VM Discovery using ESXCLI |
|
|
||
| T1082 | WinPwn - PowerSharpPack - Seatbelt |
|
|
|
|
| T1082 | WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors |
|
|
|
|
| T1082 | WinPwn - PowerSharpPack - Watson searching for missing windows patches |
|
|
|
|
| T1082 | System Information Discovery |
|
|
||
| T1082 | Griffon Recon |
|
|
||
| T1082 | Windows MachineGUID Discovery |
|
|
||
| T1082 | System Information Discovery |
|
|
||
| T1083 | ESXi - Enumerate VMDKs available on an ESXi Host |
|
|
||
| T1083 | File and Directory Discovery (cmd.exe) |
|
|
||
| T1087.001 | ESXi - Local Account Discovery via ESXCLI |
|
|
||
| T1087.002 | Enumerate Default Domain Admin Details (Domain) |
|
|
||
| T1087.002 | Adfind - Enumerate Active Directory User Objects |
|
|
||
| T1087.002 | Enumerate all accounts (Domain) |
|
|
||
| T1087.002 | Enumerate Linked Policies In ADSISearcher Discovery |
|
|
||
| T1087.002 | Enumerate Active Directory Users with ADSISearcher |
|
|
||
| T1087.002 | Adfind - Enumerate Active Directory Exchange AD Objects |
|
|
||
| T1087.002 | Adfind - Enumerate Active Directory Admins |
|
|
||
| T1087.002 | Adfind -Listing password policy |
|
|
||
| T1087.002 | Automated AD Recon (ADRecon) |
|
|
||
| T1090.001 | Connection Proxy |
|
|
||
| T1090.001 | portproxy reg key |
|
|
||
| T1095 | Powercat C2 |
|
|
||
| T1095 | ICMP C2 |
|
|
||
| T1105 | Linux Download File and Run |
|
|
||
| T1105 | sftp remote file copy (push) |
|
|
||
| T1105 | Arbitrary file download using the Notepad++ GUP.exe binary |
|
|
||
| T1105 | File Download via PowerShell |
|
|
||
| T1105 | Windows - PowerShell Download |
|
|
||
| T1105 | Windows - BITSAdmin BITS Download |
|
|
||
| T1105 | iwr or Invoke Web-Request download |
|
|
||
| T1105 | Download a file using wscript |
|
|
||
| T1105 | certreq download |
|
|
||
| T1105 | Lolbas replace.exe use to copy UNC file |
|
|
||
| T1105 | Lolbas replace.exe use to copy file |
|
|
||
| T1105 | Printer Migration Command-Line Tool UNC share folder into a zip file |
|
|
||
| T1105 | Download a file with IMEWDBLD.exe |
|
|
||
| T1105 | File download with finger.exe on Windows |
|
|
||
| T1105 | Download a File with Windows Defender MpCmdRun.exe |
|
|
||
| T1105 | svchost writing a file to a UNC path |
|
|
||
| T1105 | OSTAP Worming Activity |
|
|
||
| T1106 | WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique |
|
|
|
|
| T1106 | WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique |
|
|
|
|
| T1106 | WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique |
|
|
|
|
| T1110.001 | ESXi - Brute Force Until Account Lockout |
|
|
||
| T1110.001 | Password Brute User using Kerbrute Tool |
|
|
||
| T1110.002 | Password Cracking with Hashcat |
|
|
||
| T1110.004 | SSH Credential Stuffing From Linux |
|
|
||
| T1112 | Flush Shimcache |
|
|
||
| T1112 | Change Powershell Execution Policy to Bypass |
|
|
||
| T1112 | Modify UseTPMKeyPIN Registry entry |
|
|
||
| T1112 | Modify UseTPMKey Registry entry |
|
|
||
| T1112 | Modify UseTPMPIN Registry entry |
|
|
||
| T1112 | Modify EnableBDEWithNoTPM Registry entry |
|
|
||
| T1112 | Requires the BitLocker PIN for Pre-boot authentication |
|
|
||
| T1112 | Disable Windows Remote Desktop Protocol |
|
|
||
| T1112 | Enable RDP via Registry (fDenyTSConnections) |
|
|
||
| T1112 | Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. |
|
|
||
| T1112 | Modify Internet Zone Protocol Defaults in Current User Registry - cmd |
|
|
||
| T1112 | Tamper Win Defender Protection |
|
|
||
| T1112 | Enabling Remote Desktop Protocol via Remote Registry |
|
|
||
| T1112 | Mimic Ransomware - Allow Multiple RDP Sessions per User |
|
|
||
| T1112 | Disable Windows Error Reporting Settings |
|
|
||
| T1112 | Ursnif Malware Registry Key Creation |
|
|
||
| T1112 | NetWire RAT Registry Key Creation |
|
|
||
| T1112 | Suppress Win Defender Notifications |
|
|
||
| T1112 | Windows Add Registry Value to Load Service in Safe Mode with Network |
|
|
||
| T1112 | Windows Add Registry Value to Load Service in Safe Mode without Network |
|
|
||
| T1112 | Windows Powershell Logging Disabled |
|
|
||
| T1112 | Modify registry to store logon credentials |
|
|
||
| T1112 | Modify Registry of Local Machine - cmd |
|
|
||
| T1113 | Capture Linux Desktop using Import Tool |
|
|
||
| T1113 | Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted |
|
|
||
| T1114.001 | Email Collection with PowerShell Get-Inbox |
|
|
||
| T1115 | Utilize Clipboard to store or execute commands from |
|
|
||
| T1119 | Recon information for export with Command Prompt |
|
|
||
| T1119 | Automated Collection Command Prompt |
|
|
||
| T1120 | Peripheral Device Discovery via fsutil |
|
|
||
| T1123 | using device audio capture commandlet |
|
|
||
| T1124 | System Time Discovery W32tm as a Delay |
|
|
||
| T1124 | System Time Discovery |
|
|
||
| T1127 | Lolbin Jsc.exe compile javascript to dll |
|
|
||
| T1127 | Lolbin Jsc.exe compile javascript to exe |
|
|
||
| T1129 | ESXi - Install a custom VIB on an ESXi host |
|
|
||
| T1132.001 | Base64 Encoded data (freebsd) |
|
|
||
| T1132.001 | Base64 Encoded data. |
|
|
||
| T1134.002 | WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique |
|
|
|
|
| T1134.004 | Parent PID Spoofing - Spawn from Specified Process |
|
|
||
| T1134.005 | Injection SID-History with mimikatz |
|
|
||
| T1135 | PowerView ShareFinder |
|
|
||
| T1135 | View available share drives |
|
|
||
| T1135 | Network Share Discovery command prompt |
|
|
||
| T1136.001 | Create a new Windows admin user via .NET |
|
|
|
|
| T1136.001 | Create a new Windows admin user |
|
|
||
| T1136.001 | Create a new user in a command prompt |
|
|
||
| T1136.002 | Create a new account similar to ANONYMOUS LOGON |
|
|
||
| T1136.002 | Create a new Windows domain admin user |
|
|
||
| T1137 | Office Application Startup - Outlook as a C2 |
|
|
||
| T1140 | Linux Base64 Encoded Shebang in CLI |
|
|
||
| T1140 | FreeBSD b64encode Shebang in CLI |
|
|
||
| T1140 | Certutil Rename and Decode |
|
|
||
| T1140 | Deobfuscate/Decode Files Or Information |
|
|
||
| T1187 | WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS |
|
|
|
|
| T1187 | Trigger an authenticated RPC call to a target server with no Sign flag set |
|
|
||
| T1187 | PetitPotam |
|
|
||
| T1195 | Octopus Scanner Malware Open Source Supply Chain |
|
|
||
| T1197 | Bits download using desktopimgdownldr.exe (cmd) |
|
|
||
| T1197 | Bitsadmin Download (PowerShell) |
|
|
||
| T1197 | Bitsadmin Download (cmd) |
|
|
||
| T1201 | Examine domain password policy - Windows |
|
|
||
| T1201 | Use of SecEdit.exe to export the local security policy (including the password policy) |
|
|
||
| T1201 | Examine local password policy - Windows |
|
|
||
| T1202 | Indirect Command Execution - Scriptrunner.exe |
|
|
||
| T1202 | Indirect Command Execution - forfiles.exe |
|
|
||
| T1202 | Indirect Command Execution - pcalua.exe |
|
|
||
| T1204.002 | LNK Payload Download |
|
|
||
| T1204.002 | Potentially Unwanted Applications (PUA) |
|
|
||
| T1204.002 | OSTap Payload Download |
|
|
||
| T1216 | SyncAppvPublishingServer Signed Script PowerShell Command Execution |
|
|
||
| T1216 | manage-bde.wsf Signed Script Command Execution |
|
|
||
| T1216.001 | PubPrn.vbs Signed Script Bypass |
|
|
||
| T1217 | List Internet Explorer Bookmarks using the command prompt |
|
|
||
| T1217 | List Mozilla Firefox bookmarks on Windows with command prompt |
|
|
||
| T1217 | List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt |
|
|
||
| T1218 | DiskShadow Command Execution |
|
|
||
| T1218 | Renamed Microsoft.Workflow.Compiler.exe Payload Executions |
|
|
||
| T1218 | mavinject - Inject DLL into running process |
|
|
||
| T1218 | System Binary Proxy Execution - Wlrmdr Lolbin |
|
|
||
| T1218 | Provlaunch.exe Executes Arbitrary Command via Registry Key |
|
|
||
| T1218 | Lolbas ie4uinit.exe use as proxy |
|
|
||
| T1218 | Lolbin Gpscript startup option |
|
|
||
| T1218 | Lolbin Gpscript logon option |
|
|
||
| T1218 | Load Arbitrary DLL via Wuauclt (Windows Update Client) |
|
|
||
| T1218 | Invoke-ATHRemoteFXvGPUDisablementCommand base test |
|
|
||
| T1218 | Microsoft.Workflow.Compiler.exe Payload Execution |
|
|
||
| T1218 | InfDefaultInstall.exe .inf Execution |
|
|
||
| T1218 | Register-CimProvider - Execute evil dll |
|
|
||
| T1218.001 | Decompile Local CHM File |
|
|
||
| T1218.001 | Compiled HTML Help Remote Payload |
|
|
||
| T1218.001 | Compiled HTML Help Local Payload |
|
|
||
| T1218.003 | CMSTP Executing UAC Bypass |
|
|
||
| T1218.003 | CMSTP Executing Remote Scriptlet |
|
|
||
| T1218.005 | Mshta used to Execute PowerShell |
|
|
||
| T1218.005 | Mshta executes VBScript to execute malicious command |
|
|
||
| T1218.005 | Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject |
|
|
||
| T1218.007 | Msiexec.exe - Execute Remote MSI file |
|
|
||
| T1218.007 | Msiexec.exe - Execute the DllUnregisterServer function of a DLL |
|
|
||
| T1218.007 | Msiexec.exe - Execute the DllRegisterServer function of a DLL |
|
|
||
| T1218.007 | Msiexec.exe - Execute Local MSI file with an embedded EXE |
|
|
||
| T1218.007 | Msiexec.exe - Execute Local MSI file with an embedded DLL |
|
|
||
| T1218.007 | Msiexec.exe - Execute Local MSI file with embedded VBScript |
|
|
||
| T1218.007 | Msiexec.exe - Execute Local MSI file with embedded JScript |
|
|
||
| T1218.008 | Odbcconf.exe - Load Response File |
|
|
||
| T1218.008 | Odbcconf.exe - Execute Arbitrary DLL |
|
|
||
| T1218.010 | Regsvr32 Registering Non DLL |
|
|
||
| T1218.010 | Regsvr32 remote COM scriptlet execution |
|
|
||
| T1218.010 | Regsvr32 local COM scriptlet execution |
|
|
||
| T1218.010 | Regsvr32 Silent DLL Install Call DllRegisterServer |
|
|
||
| T1218.011 | Rundll32 with Control_RunDLL |
|
|
||
| T1218.011 | Rundll32 with Ordinal Value |
|
|
||
| T1218.011 | Execution of non-dll using rundll32.exe |
|
|
||
| T1218.011 | Rundll32 setupapi.dll Execution |
|
|
||
| T1218.011 | Rundll32 syssetup.dll Execution |
|
|
||
| T1218.011 | Rundll32 ieadvpack.dll Execution |
|
|
||
| T1218.011 | Rundll32 advpack.dll Execution |
|
|
||
| T1218.011 | Rundll32 execute VBscript command using Ordinal number |
|
|
||
| T1218.011 | Rundll32 execute payload by calling RouteTheCall |
|
|
||
| T1218.011 | Rundll32 execute command via FileProtocolHandler |
|
|
||
| T1218.011 | Running DLL with .init extension and function |
|
|
||
| T1218.011 | Rundll32 with desk.cpl |
|
|
||
| T1218.011 | Launches an executable using Rundll32 and pcwutl.dll |
|
|
||
| T1218.011 | Execution of HTA and VBS Files using Rundll32 and URL.dll |
|
|
||
| T1218.011 | Rundll32 execute VBscript command |
|
|
||
| T1218.011 | Rundll32 execute JavaScript Remote Payload With GetObject |
|
|
||
| T1219 | GoToAssist Files Detected Test on Windows |
|
|
||
| T1219 | AnyDesk Files Detected Test on Windows |
|
|
||
| T1220 | WMIC bypass using remote XSL file |
|
|
||
| T1220 | WMIC bypass using local XSL file |
|
|
||
| T1222 | Enable Local and Remote Symbolic Links via fsutil |
|
|
||
| T1222.001 | Grant Full Access to folder for Everyone - Ryuk Ransomware Style |
|
|
||
| T1222.001 | attrib - hide file |
|
|
||
| T1222.001 | attrib - Remove read-only attribute |
|
|
||
| T1222.001 | cacls - Grant permission to specified user or group recursively |
|
|
||
| T1222.001 | Take ownership using takeown utility |
|
|
||
| T1222.002 | chattr - Remove immutable file attribute |
|
|
||
| T1222.002 | chown - Change file or folder ownership recursively |
|
|
||
| T1222.002 | chown - Change file or folder ownership and group recursively |
|
|
||
| T1222.002 | chown - Change file or folder ownership and group |
|
|
||
| T1222.002 | chmod - Change file or folder mode (symbolic mode) recursively |
|
|
||
| T1222.002 | chmod - Change file or folder mode (numeric mode) recursively |
|
|
||
| T1222.002 | chmod - Change file or folder mode (symbolic mode) |
|
|
||
| T1222.002 | chmod - Change file or folder mode (numeric mode) |
|
|
||
| T1482 | Adfind - Enumerate Active Directory OUs |
|
|
||
| T1482 | Adfind - Enumerate Active Directory Trusts |
|
|
||
| T1482 | Windows - Discover domain trusts with nltest |
|
|
||
| T1485 | FreeBSD/macOS/Linux - Overwrite file with DD |
|
|
||
| T1485 | ESXi - Delete VM Snapshots |
|
|
||
| T1485 | Overwrite deleted data on C drive |
|
|
||
| T1486 | PureLocker Ransom Note |
|
|
||
| T1489 | Linux - Stop service by killing process using pkill |
|
|
||
| T1489 | Linux - Stop service by killing process using killall |
|
|
||
| T1489 | Linux - Stop service using systemctl |
|
|
||
| T1489 | Windows - Stop service by killing process |
|
|
||
| T1489 | Windows - Stop service using net.exe |
|
|
||
| T1489 | Windows - Stop service using Service Controller |
|
|
||
| T1490 | Modify VSS Service Permissions |
|
|
||
| T1490 | Windows - vssadmin Resize Shadowstorage Volume |
|
|
||
| T1490 | Windows - Disable the SR scheduled task |
|
|
||
| T1490 | Windows - Delete Backup Files |
|
|
||
| T1490 | Windows - Delete Volume Shadow Copies via WMI with PowerShell |
|
|
||
| T1490 | Windows - Disable Windows Recovery Console Repair |
|
|
||
| T1490 | Windows - Delete Volume Shadow Copies via WMI |
|
|
||
| T1490 | Windows - Delete Volume Shadow Copies |
|
|
||
| T1491.001 | ESXi - Change Welcome Message on Direct Console User Interface (DCUI) |
|
|
||
| T1505.002 | Install MS Exchange Transport Agent Persistence |
|
|
||
| T1505.003 | Web Shell Written to Disk |
|
|
||
| T1505.004 | Install IIS Module using AppCmd.exe |
|
|
||
| T1518 | Find and Display Internet Explorer Browser Version |
|
|
||
| T1518.001 | Security Software Discovery - ps (Linux) |
|
|
||
| T1518.001 | Security Software Discovery - AV Discovery via WMI |
|
|
||
| T1518.001 | Security Software Discovery - Sysmon Service |
|
|
||
| T1518.001 | Security Software Discovery |
|
|
||
| T1529 | ESXi - vim-cmd Used to Power Off VMs |
|
|
||
| T1529 | ESXi - Avoslocker enumerates VMs and forcefully kills VMs |
|
|
||
| T1529 | ESXi - Terminates VMs using pkill |
|
|
||
| T1531 | Delete User - Windows |
|
|
||
| T1531 | Change User Password - Windows |
|
|
||
| T1543.002 | Create Systemd Service |
|
|
||
| T1543.003 | Remote Service Installation CMD |
|
|
||
| T1543.003 | TinyTurla backdoor service w64time |
|
|
||
| T1543.003 | Service Installation PowerShell |
|
|
||
| T1543.003 | Service Installation CMD |
|
|
||
| T1543.003 | Modify Fax service to run PowerShell |
|
|
||
| T1546 | Persistence via ErrorHandler.cmd script execution |
|
|
||
| T1546.001 | Change Default File Association |
|
|
||
| T1546.002 | Set Arbitrary Binary as Screensaver |
|
|
||
| T1546.003 | Windows MOFComp.exe Load MOF File |
|
|
||
| T1546.005 | Trap SIGINT (freebsd) |
|
|
||
| T1546.005 | Trap SIGINT |
|
|
||
| T1546.005 | Trap EXIT (freebsd) |
|
|
||
| T1546.005 | Trap EXIT |
|
|
||
| T1546.007 | Netsh Helper DLL Registration |
|
|
||
| T1546.008 | Create Symbolic Link From osk.exe to cmd.exe |
|
|
||
| T1546.008 | Replace binary of sticky keys |
|
|
||
| T1546.011 | New shim database files created in the default shim database directory |
|
|
||
| T1546.011 | Application Shim Installation |
|
|
||
| T1547 | Driver Installation Using pnputil.exe |
|
|
||
| T1547 | Add a driver |
|
|
||
| T1547.001 | Creating Boot Verification Program Key for application execution during successful boot |
|
|
||
| T1547.001 | Reg Key RunOnce |
|
|
||
| T1547.001 | Reg Key Run |
|
|
||
| T1547.006 | Linux - Load Kernel Module via insmod |
|
|
||
| T1547.009 | Shortcut Modification |
|
|
||
| T1548.001 | Make and modify binary from C source (freebsd) |
|
|
||
| T1548.001 | Make and modify binary from C source |
|
|
||
| T1548.001 | Do reconnaissance for files that have the setgid bit set |
|
|
||
| T1548.001 | Do reconnaissance for files that have the setuid bit set |
|
|
||
| T1548.002 | WinPwn - UAC Bypass DccwBypassUAC technique |
|
|
|
|
| T1548.002 | Bypass UAC by Mocking Trusted Directories |
|
|
||
| T1548.002 | Bypass UAC using Fodhelper |
|
|
||
| T1550.002 | Mimikatz Pass the Hash |
|
|
||
| T1550.003 | Mimikatz Kerberos Ticket Attack |
|
|
||
| T1552.002 | Enumeration for PuTTY Credentials in Registry |
|
|
||
| T1552.002 | Enumeration for Credentials in Registry |
|
|
||
| T1552.004 | Private Keys |
|
|
||
| T1552.004 | Export Certificates with Mimikatz |
|
|
||
| T1552.004 | CertUtil ExportPFX |
|
|
||
| T1552.006 | GPP Passwords (findstr) |
|
|
||
| T1552.006 | GPP Passwords (Get-GPPPassword) |
|
|
||
| T1553.003 | SIP (Subject Interface Package) Hijacking via Custom DLL |
|
|
||
| T1553.004 | Add Root Certificate to CurrentUser Certificate Store |
|
|
||
| T1555 | Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] |
|
|
||
| T1555 | Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] |
|
|
||
| T1555 | Dump credentials from Windows Credential Manager With PowerShell [web Credentials] |
|
|
||
| T1555 | Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] |
|
|
||
| T1555.003 | WinPwn - PowerSharpPack - Sharpweb for Browser Credentials |
|
|
|
|
| T1555.003 | Dump Chrome Login Data with esentutl |
|
|
||
| T1555.003 | Simulating access to Windows Edge Login Data |
|
|
||
| T1555.003 | Simulating access to Windows Firefox Login Data |
|
|
||
| T1555.003 | Simulating access to Opera Login Data |
|
|
||
| T1555.003 | Simulating access to Chrome Login Data |
|
|
||
| T1555.003 | LaZagne - Credentials from Browser |
|
|
||
| T1555.003 | Run Chrome-password Collector |
|
|
||
| T1555.004 | WinPwn - Loot local Credentials - Invoke-WCMDump |
|
|
|
|
| T1555.004 | Access Saved Credentials via VaultCmd |
|
|
||
| T1558.003 | WinPwn - PowerSharpPack - Kerberoasting Using Rubeus |
|
|
|
|
| T1558.004 | WinPwn - PowerSharpPack - Kerberoasting Using Rubeus |
|
|
|
|
| T1560.001 | Compress Data and lock with password for Exfiltration with winzip |
|
|
||
| T1560.001 | Compress Data and lock with password for Exfiltration with winrar |
|
|
||
| T1562 | Disable journal logging via systemctl utility |
|
|
||
| T1562 | Windows Disable LSA Protection |
|
|
||
| T1562.001 | Disable syslog |
|
|
||
| T1562.001 | Disable SELinux |
|
|
||
| T1562.001 | Disable Windows Defender with DISM |
|
|
||
| T1562.001 | Kill antimalware protected processes using Backstab |
|
|
||
| T1562.001 | Uninstall Crowdstrike Falcon on Windows |
|
|
||
| T1562.001 | Remove Windows Defender Definition Files |
|
|
||
| T1562.001 | Tamper with Windows Defender Command Prompt |
|
|
||
| T1562.001 | Disable Arbitrary Security Windows Service |
|
|
||
| T1562.001 | AMSI Bypass - AMSI InitFailed |
|
|
||
| T1562.001 | Unload Sysmon Filter Driver |
|
|
Atomic SecOps