AttackRuleMap
Mapping of open-source detection rules and atomic tests.
Tech ID | Atomic Attack Name | Platform | Sigma Rules | Splunk Rules |
---|---|---|---|---|
T1562.001 | Disable Windows Defender with DISM (GUID: 871438ac-7d6e-432a-b27d-3e7db69faf58) | | | |
T1560.001 | Compress Data and lock with password for Exfiltration with 7zip (GUID: d1334303-59cb-4a03-8313-b3e24d02c198) | | | |
T1558.004 | WinPwn - PowerSharpPack - Kerberoasting Using Rubeus (GUID: 8c385f88-4d47-4c9a-814d-93d9deec8c71) | | | |
T1558.004 | Rubeus asreproast (GUID: 615bd568-2859-41b5-9aed-61f6a88e48dd) | | | |
T1558.003 | WinPwn - PowerSharpPack - Kerberoasting Using Rubeus (GUID: 29094950-2c96-4cbd-b5e4-f7c65079678f) | | | |
T1558.003 | Extract all accounts in use as SPN using setspn (GUID: e6f4affd-d826-4871-9a62-6c9004b8fe06) | | | |
T1558.003 | Rubeus kerberoast (GUID: 14625569-6def-4497-99ac-8e7817105b55) | | | |
T1555.004 | WinPwn - Loot local Credentials - Invoke-WCMDump (GUID: fa714db1-63dd-479e-a58e-7b2b52ca5997) | | | |
T1555.003 | WinPwn - PowerSharpPack - Sharpweb for Browser Credentials (GUID: e5e3d639-6ea8-4408-9ecd-d5a286268ca0) | | | |
T1552.006 | GPP Passwords (findstr) (GUID: 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f) | | | |
T1552.004 | Private Keys (GUID: 520ce462-7ca7-441e-b5a5-f8347f632696) | | | |
T1552.001 | List Credential Files via Command Prompt (GUID: b0cdacf6-8949-4ffe-9274-a9643a788e55) | | | |
T1550.003 | Mimikatz Kerberos Ticket Attack (GUID: dbf38128-7ba7-4776-bedf-cc2eed432098) | | | |
T1550.002 | Mimikatz Pass the Hash (GUID: ec23cef9-27d9-46e4-a68d-6f75f7b86908) | | | |
T1548.002 | WinPwn - UAC Bypass DccwBypassUAC technique (GUID: 2b61977b-ae2d-4ae4-89cb-5c36c89586be) | | | |
T1548.002 | Bypass UAC by Mocking Trusted Directories (GUID: f7a35090-6f7f-4f64-bb47-d657bf5b10c1) | | | |
T1546.003 | Windows MOFComp.exe Load MOF File (GUID: 29786d7e-8916-4de6-9c55-be7b093b2706) | | | |
T1543.003 | Remote Service Installation CMD (GUID: fb4151a2-db33-4f8c-b7f8-78ea8790f961) | | | |
T1531 | Delete User - Windows (GUID: f21a1d7d-a62f-442a-8c3a-2440d43b19e5) | | | |
T1531 | Change User Password - Windows (GUID: 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2) | | | |
T1529 | ESXi - vim-cmd Used to Power Off VMs (GUID: 622cc1a0-45e7-428c-aed7-c96dd605fbe6) | | | |
T1529 | ESXi - Avoslocker enumerates VMs and forcefully kills VMs (GUID: 189f7d6e-9442-4160-9bc3-5e4104d93ece) | | | |
T1529 | ESXi - Terminates VMs using pkill (GUID: 987c9b4d-a637-42db-b1cb-e9e242c3991b) | | | |
T1518.001 | Get Windows Defender exclusion settings using WMIC (GUID: e31564c8-4c60-40cd-a8f4-9261307e8336) | | | |
T1505.004 | Install IIS Module using AppCmd.exe (GUID: 53adbdfa-8200-490c-871c-d3b1ab3324b2) | | | |
T1491.001 | ESXi - Change Welcome Message on Direct Console User Interface (DCUI) (GUID: 30905f21-34f3-4504-8b4c-f7a5e314b810) | | | |
T1485 | ESXi - Delete VM Snapshots (GUID: 1207ddff-f25b-41b3-aa0e-7c26d2b546d1) | | | |
T1485 | Windows - Overwrite file with SysInternals SDelete (GUID: 476419b5-aebf-4366-a131-ae3e8dae5fc2) | | | |
T1482 | TruffleSnout - Listing AD Infrastructure (GUID: ea1b4f2d-5b82-4006-b64f-f2845608a3bf) | | | |
T1482 | Adfind - Enumerate Active Directory OUs (GUID: d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec) | | | |
T1219 | GoToAssist Files Detected Test on Windows (GUID: 1b72b3bd-72f8-4b63-a30b-84e91b9c3578) | | | |
T1219 | AnyDesk Files Detected Test on Windows (GUID: 6b8b7391-5c0a-4f8c-baee-78d8ce0ce330) | | | |
T1218.011 | Rundll32 with Control_RunDLL (GUID: e4c04b6f-c492-4782-82c7-3bf75eb8077e) | | | |
T1218.011 | Rundll32 with Ordinal Value (GUID: 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0) | | | |
T1218.011 | Execution of non-dll using rundll32.exe (GUID: ae3a8605-b26e-457c-b6b3-2702fd335bac) | | | |
T1218.011 | Rundll32 setupapi.dll Execution (GUID: 71d771cd-d6b3-4f34-bc76-a63d47a10b19) | | | |
T1218.011 | Rundll32 syssetup.dll Execution (GUID: 41fa324a-3946-401e-bbdd-d7991c628125) | | | |
T1218.011 | Rundll32 ieadvpack.dll Execution (GUID: 5e46a58e-cbf6-45ef-a289-ed7754603df9) | | | |
T1218.011 | Rundll32 advpack.dll Execution (GUID: d91cae26-7fc1-457b-a854-34c8aad48c89) | | | |
T1218.011 | Rundll32 execute VBscript command using Ordinal number (GUID: 32d1cf1b-cbc2-4c09-8d05-07ec5c83a821) | | | |
T1218.010 | Regsvr32 Registering Non DLL (GUID: 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421) | | | |
T1218.010 | Regsvr32 remote COM scriptlet execution (GUID: c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36) | | | |
T1218.010 | Regsvr32 local COM scriptlet execution (GUID: 449aa403-6aba-47ce-8a37-247d21ef0306) | | | |
T1218.008 | Odbcconf.exe - Load Response File (GUID: 331ce274-f9c9-440b-9f8c-a1006e1fce0b) | | | |
T1218.008 | Odbcconf.exe - Execute Arbitrary DLL (GUID: 2430498b-06c0-4b92-a448-8ad263c388e2) | | | |
T1218.007 | Msiexec.exe - Execute Remote MSI file (GUID: 44a4bedf-ffe3-452e-bee4-6925ab125662) | | | |
T1218.007 | Msiexec.exe - Execute the DllUnregisterServer function of a DLL (GUID: ab09ec85-4955-4f9c-b8e0-6851baf4d47f) | | | |
T1218.007 | Msiexec.exe - Execute the DllRegisterServer function of a DLL (GUID: 0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d) | | | |
T1218.001 | Decompile Local CHM File (GUID: 20cb05e0-1fa5-406d-92c1-84da4ba01813) | | | |
T1218.001 | Invoke CHM Shortcut Command with ITS and Help Topic (GUID: 15756147-7470-4a83-87fb-bb5662526247) | | | |
T1218.001 | Compiled HTML Help Remote Payload (GUID: 0f8af516-9818-4172-922b-42986ef1e81d) | | | |
T1218.001 | Compiled HTML Help Local Payload (GUID: 5cb87818-0d7c-4469-b7ef-9224107aebe8) | | | |
T1218 | DiskShadow Command Execution (GUID: 0e1483ba-8f0c-425d-b8c6-42736e058eaa) | | | |
T1218 | Renamed Microsoft.Workflow.Compiler.exe Payload Executions (GUID: 4cc40fd7-87b8-4b16-b2d7-57534b86b911) | | | |
T1218 | mavinject - Inject DLL into running process (GUID: c426dacf-575d-4937-8611-a148a86a5e61) | | | |
T1216 | SyncAppvPublishingServer Signed Script PowerShell Command Execution (GUID: 275d963d-3f36-476c-8bef-a2a3960ee6eb) | | | |
T1201 | Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy (GUID: b2698b33-984c-4a1c-93bb-e4ba72a0babb) | | | |
T1201 | Examine domain password policy - Windows (GUID: 46c2c362-2679-4ef5-aec9-0e958e135be4) | | | |
T1197 | Bits download using desktopimgdownldr.exe (cmd) (GUID: afb5e09e-e385-4dee-9a94-6ee60979d114) | | | |
T1197 | Bitsadmin Download (PowerShell) (GUID: f63b8bc4-07e5-4112-acba-56f646f3f0bc) | | | |
T1197 | Bitsadmin Download (cmd) (GUID: 3c73d728-75fb-4180-a12f-6712864d7421) | | | |
T1195 | Octopus Scanner Malware Open Source Supply Chain (GUID: 82a9f001-94c5-495e-9ed5-f530dbded5e2) | | | |
T1187 | WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS (GUID: 7f06b25c-799e-40f1-89db-999c9cc84317) | | | |
T1136.002 | Create a new account similar to ANONYMOUS LOGON (GUID: dc7726d2-8ccb-4cc6-af22-0d5afb53a548) | | | |
T1136.002 | Create a new Windows domain admin user (GUID: fcec2963-9951-4173-9bfa-98d8b7834e62) | | | |
T1136.001 | Create a new Windows admin user via .NET (GUID: 2170d9b5-bacd-4819-a952-da76dae0815f) | | | |
T1136.001 | Create a new Windows admin user (GUID: fda74566-a604-4581-a4cc-fbbe21d66559) | | | |
T1136.001 | Create a new user in a command prompt (GUID: 6657864e-0323-4206-9344-ac9cd7265a4f) | | | |
T1134.005 | Injection SID-History with mimikatz (GUID: 6bef32e5-9456-4072-8f14-35566fb85401) | | | |
T1134.002 | WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique (GUID: ccf4ac39-ec93-42be-9035-90e2f26bcd92) | | | |
T1129 | ESXi - Install a custom VIB on an ESXi host (GUID: 7f843046-abf2-443f-b880-07a83cf968ec) | | | |
T1124 | System Time Discovery W32tm as a Delay (GUID: d5d5a6b0-0f92-42d8-985d-47aafa2dd4db) | | | |
T1114.001 | Email Collection with PowerShell Get-Inbox (GUID: 3f1b5096-0139-4736-9b78-19bcb02bb1cb) | | | |
T1112 | Flush Shimcache (GUID: ecbd533e-b45d-4239-aeff-b857c6f6d68b) | | | |
T1112 | Change Powershell Execution Policy to Bypass (GUID: f3a6cceb-06c9-48e5-8df8-8867a6814245) | | | |
T1110.002 | Password Cracking with Hashcat (GUID: 6d27df5d-69d4-4c91-bc33-5983ffe91692) | | | |
T1110.001 | ESXi - Brute Force Until Account Lockout (GUID: ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5) | | | |
T1106 | WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique (GUID: e1f93a06-1649-4f07-89a8-f57279a7d60e) | | | |
T1106 | WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique (GUID: 7ec5b74e-8289-4ff2-a162-b6f286a33abd) | | | |
T1106 | WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique (GUID: ce4e76e6-de70-4392-9efe-b281fc2b4087) | | | |
T1105 | Arbitrary file download using the Notepad++ GUP.exe binary (GUID: 66ee226e-64cb-4dae-80e3-5bf5763e4a51) | | | |
T1105 | Nimgrab - Transfer Files (GUID: b1729c57-9384-4d1c-9b99-9b220afb384e) | | | |
T1105 | File Download via PowerShell (GUID: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2) | | | |
T1105 | Windows - PowerShell Download (GUID: 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8) | | | |
T1105 | Windows - BITSAdmin BITS Download (GUID: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b) | | | |
T1105 | certutil download (urlcache) (GUID: dd3b61dd-7bbc-48cd-ab51-49ad1a776df0) | | | |
T1095 | Powercat C2 (GUID: 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e) | | | |
T1095 | ICMP C2 (GUID: 0268e63c-e244-42db-bef7-72a9e59fc1fc) | | | |
T1087.002 | Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope (GUID: ffbcfd62-15d6-4989-a21a-80bfc8e58bb5) | | | |
T1087.002 | Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property (GUID: 6e85bdf9-7bc4-4259-ac0f-f0cb39964443) | | | |
T1087.002 | Suspicious LAPS Attributes Query with Get-ADComputer all properties (GUID: 394012d9-2164-4d4f-b9e5-acf30ba933fe) | | | |
T1087.002 | Enumerate Default Domain Admin Details (Domain) (GUID: c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef) | | | |
T1087.002 | Adfind - Enumerate Active Directory User Objects (GUID: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7) | | | |
T1087.002 | Enumerate logged on users via CMD (Domain) (GUID: 161dcd85-d014-4f5e-900c-d3eaae82a0f7) | | | |
T1087.002 | Enumerate all accounts (Domain) (GUID: 6fbc9e68-5ad7-444a-bd11-8bf3136c477e) | | | |
T1087.001 | ESXi - Local Account Discovery via ESXCLI (GUID: 9762ac6e-aa60-4449-a2f0-cbbd0e1fd22c) | | | |
T1087.001 | Enumerate logged on users via CMD (Local) (GUID: a138085e-bfe5-46ba-a242-74a6fb884af3) | | | |
T1083 | ESXi - Enumerate VMDKs available on an ESXi Host (GUID: 4a233a40-caf7-4cf1-890a-c6331bbc72cf) | | | |
T1082 | ESXi - Darkside system information discovery (GUID: f89812e5-67d1-4f49-86fa-cbc6609ea86a) | | | |
T1082 | ESXi - VM Discovery using ESXCLI (GUID: 2040405c-eea6-4c1c-aef3-c2acc430fac9) | | | |
T1082 | WinPwn - PowerSharpPack - Seatbelt (GUID: 5c16ceb4-ba3a-43d7-b848-a13c1f216d95) | | | |
T1082 | WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors (GUID: efb79454-1101-4224-a4d0-30c9c8b29ffc) | | | |
T1082 | WinPwn - PowerSharpPack - Watson searching for missing windows patches (GUID: 07b18a66-6304-47d2-bad0-ef421eb2e107) | | | |
T1078.003 | Use PsExec to elevate to NT Authority\SYSTEM account (GUID: 6904235f-0f55-4039-8aed-41c300ff7733) | | | |
T1078.001 | Activate Guest Account (GUID: aa6cb8c4-b582-4f8e-b677-37733914abda) | | | |
T1071.004 | DNS C2 (GUID: e7bf9802-2e78-4db9-93b5-181b7bcd37d7) | | | |
T1070.004 | Clears Recycle bin via rd (GUID: f723d13d-48dc-4317-9990-cf43a9ac0bf2) | | | |
T1070.004 | Delete an entire folder - Windows cmd (GUID: ded937c4-2add-42f7-9c2c-c742b7a98698) | | | |
T1069.002 | Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) (GUID: 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8) | | | |
T1069.002 | Enumerate Active Directory Groups with Get-AdGroup (GUID: 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8) | | | |
T1069.002 | Adfind - Query Active Directory Groups (GUID: 48ddc687-82af-40b7-8472-ff1e742e8274) | | | |
T1069.002 | Permission Groups Discovery PowerShell (Domain) (GUID: 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7) | | | |
T1069.001 | WMIObject Group Discovery (GUID: 69119e58-96db-4110-ad27-954e48f3bb13) | | | |
T1069.001 | Wmic Group Discovery (GUID: 7413be50-be8e-430f-ad4d-07bf197884b2) | | | |
T1069.001 | SharpHound3 - LocalAdmin (GUID: e03ada14-0980-4107-aff1-7783b2b59bb1) | | | |
T1069.001 | Basic Permission Groups Discovery Windows (Local) (GUID: 1f454dd6-e134-44df-bebb-67de70fb6cd8) | | | |
T1059.001 | SOAPHound - Build Cache (GUID: 4099086c-1470-4223-8085-8186e1ed5948) | | | |
T1059.001 | SOAPHound - Dump BloodHound Data (GUID: 6a5b2a50-d037-4879-bf01-43d4d6cbf73f) | | | |
T1059.001 | ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments (GUID: 0d181431-ddf3-4826-8055-2dbf63ae848b) | | | |
T1059.001 | ATHPowerShellCommandLineParameter -EncodedCommand parameter variations (GUID: 86a43bad-12e3-4e85-b97c-4d5cf25b95c3) | | | |
T1059.001 | ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments (GUID: 1c0a870f-dc74-49cf-9afc-eccc45e58790) | | | |
T1059.001 | ATHPowerShellCommandLineParameter -Command parameter variations (GUID: 686a9785-f99b-41d4-90df-66ed515f81d7) | | | |
T1059.001 | Powershell invoke mshta.exe download (GUID: 8a2ad40b-12c7-4b25-8521-2737b0a415af) | | | |
T1059.001 | Powershell MsXml COM object - with prompt (GUID: 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da) | | | |
T1059.001 | Invoke-AppPathBypass (GUID: 06a220b6-7e29-4bd8-9d07-5b4d86742372) | | | |
T1059.001 | Mimikatz (GUID: f3132740-55bc-48c4-bcc0-758a459cd027) | | | |
T1059 | AutoIt Script Execution (GUID: a9b93f17-31cb-435d-a462-5e838a2a6026) | | | |
T1055.001 | WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique (GUID: 8b56f787-73d9-4f1d-87e8-d07e89cbc7f5) | | | |
T1053.005 | Scheduled Task ("Ghost Task") via Registry Key Manipulation (GUID: 704333ca-cc12-4bcf-9916-101844881f54) | | | |
T1053.005 | Scheduled task Remote (GUID: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd) | | | |
T1053.005 | Scheduled Task Startup Script (GUID: fec27f65-db86-4c2d-b66c-61945aee87c2) | | | |
T1049 | System Network Connections Discovery with PowerShell (GUID: f069f0f1-baad-4831-aa2b-eddac4baac4a) | | | |
T1048.002 | Exfiltrate data HTTPS using curl windows (GUID: 1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0) | | | |
T1047 | Application uninstall using WMIC (GUID: c510d25b-1667-467d-8331-a56d3e9bc4ff) | | | |
T1047 | WMI Execute rundll32 (GUID: 00738d2a-4651-4d76-adf2-c43a41dfb243) | | | |
T1047 | Create a Process using WMI Query and an Encoded Command (GUID: 7db7a7f9-9531-4840-9b30-46220135441c) | | | |
T1047 | WMI Execute Remote Process (GUID: 9c8ef159-c666-472f-9874-90c8d60d136b) | | | |
T1047 | WMI Execute Local Process (GUID: b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3) | | | |
T1047 | WMI Reconnaissance List Remote Services (GUID: 0fd48ef7-d890-4e93-a533-f7dedd5191d3) | | | |
T1047 | WMI Reconnaissance Users (GUID: c107778c-dcf5-47c5-af2e-1d058a3df3ea) | | | |
T1036.004 | Creating W32Time similar named service using schtasks (GUID: f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9) | | | |
T1036.003 | Masquerading - wscript.exe running as svchost.exe (GUID: 24136435-c91a-4ede-9da1-8b284a1c1a23) | | | |
T1033 | GetCurrent User with PowerShell Script (GUID: 1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b) | | | |
T1021.004 | ESXi - Enable SSH via VIM-CMD (GUID: 280812c8-4dae-43e9-a74e-1d08ab997c0e) | | | |
T1021.003 | PowerShell Lateral Movement using MMC20 (GUID: 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673) | | | |
T1021.002 | Execute command writing output to local Admin Share (GUID: d41aaab5-bdfe-431d-a3d5-c29e9136ff46) | | | |
T1021.002 | Copy and Execute File with PsExec (GUID: 0eb03d41-79e4-4393-8e57-6344856be1cf) | | | |
T1021.002 | Map admin share (GUID: 3386975b-367a-4fbb-9d77-4dcf3639ffd3) | | | |
T1018 | Remote System Discovery - net group Domain Controller (GUID: 5843529a-5056-4bc1-9c13-a311e2af4ca0) | | | |
T1018 | Get-WmiObject to Enumerate Domain Controllers (GUID: e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad) | | | |
T1018 | Enumerate Active Directory Computers with Get-AdComputer (GUID: 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf) | | | |
T1018 | Adfind - Enumerate Active Directory Computer Objects (GUID: a889f5be-2d54-4050-bd05-884578748bb4) | | | |
T1018 | Remote System Discovery - nltest (GUID: 52ab5108-3f6f-42fb-8ba3-73bc054f22c8) | | | |
T1018 | Remote System Discovery - net group Domain Computers (GUID: f1bf6c8f-9016-4edf-aff9-80b65f5d711f) | | | |
T1018 | Remote System Discovery - net (GUID: 85321a9c-897f-4a60-9f20-29788e50bccd) | | | |
T1016 | DNS Server Discovery Using nslookup (GUID: 34557863-344a-468f-808b-a1bfb89b4fa9) | | | |
T1016 | Adfind - Enumerate Active Directory Subnet Objects (GUID: 9bb45dd7-c466-4f93-83a1-be30e56033ee) | | | |
T1003.006 | DCSync (Active Directory) (GUID: 129efd28-8497-4c87-a1b0-73b9a870ca3e) | | | |
T1003.004 | Dump Kerberos Tickets from LSA using dumper.ps1 (GUID: 2dfa3bff-9a27-46db-ab75-7faefdaca732) | | | |
T1003.004 | Dumping LSA Secrets (GUID: 55295ab0-a703-433b-9ca4-ae13807de12f) | | | |
T1003.003 | Create Volume Shadow Copy with diskshadow (GUID: b385996c-0e7d-4e27-95a4-aca046b119a7) | | | |
T1003.003 | Create Symlink to Volume Shadow Copy (GUID: 21748c28-2793-4284-9e07-d6d028b66702) | | | |
T1003.003 | Create Volume Shadow Copy remotely (WMI) with esentutl (GUID: 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865) | | | |
T1003.003 | Create Volume Shadow Copy remotely with WMI (GUID: d893459f-71f0-484d-9808-ec83b2b64226) | | | |
T1003.003 | Create Volume Shadow Copy with WMI (GUID: 224f7de0-8f0a-4a94-b5d8-989b036c86da) | | | |
T1003.003 | Copy NTDS.dit from Volume Shadow Copy (GUID: c6237146-9ea6-4711-85c9-c56d263a6b03) | | | |
T1003.003 | Create Volume Shadow Copy with vssadmin (GUID: dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f) | | | |
T1003.002 | dump volume shadow copy hives with certutil (GUID: eeb9751a-d598-42d3-b11c-c122d9c3f6c7) | | | |
T1003.002 | esentutl.exe SAM copy (GUID: a90c2f4d-6726-444e-99d2-a00cd7c20480) | | | |
T1003.002 | Registry dump of SAM, creds, and secrets (GUID: 5c2571d0-1572-416d-9676-812e64ca9f44) | | | |
T1003.001 | Powershell Mimikatz (GUID: 66fb0bc1-3c3f-47e9-a298-550ecfefacbc) | | | |
T1562.001 | Kill antimalware protected processes using Backstab (GUID: 24a12b91-05a7-4deb-8d7f-035fa98591bc) | | | |
T1562.001 | Uninstall Crowdstrike Falcon on Windows (GUID: b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297) | | | |
T1562.001 | Remove Windows Defender Definition Files (GUID: 3d47daaa-2f56-43e0-94cc-caf5d8d52a68) | | | |
T1562.001 | Tamper with Windows Defender Command Prompt (GUID: aa875ed4-8935-47e2-b2c5-6ec00ab220d2) | | | |
T1562.001 | Disable Arbitrary Security Windows Service (GUID: a1230893-56ac-4c81-b644-2108e982f8f5) | | | |
T1562.001 | AMSI Bypass - AMSI InitFailed (GUID: 695eed40-e949-40e5-b306-b4031e4154bd) | | | |
T1562.001 | Unload Sysmon Filter Driver (GUID: 811b3e76-c41b-430c-ac0d-e2380bfaa164) | | | |
T1562 | Windows Disable LSA Protection (GUID: 40075d5f-3a70-4c66-9125-f72bee87247d) | | | |
T1560.001 | Compress Data and lock with password for Exfiltration with winzip (GUID: 01df0353-d531-408d-a0c5-3161bf822134) | | | |
T1560.001 | Compress Data and lock with password for Exfiltration with winrar (GUID: 8dd61a55-44c6-43cc-af0c-8bdda276860c) | | | |
T1555.004 | Access Saved Credentials via VaultCmd (GUID: 9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439) | | | |
T1555.003 | Dump Chrome Login Data with esentutl (GUID: 70422253-8198-4019-b617-6be401b49fce) | | | |
T1555.003 | Simulating access to Windows Edge Login Data (GUID: a6a5ec26-a2d1-4109-9d35-58b867689329) | | | |
T1555.003 | Simulating access to Windows Firefox Login Data (GUID: eb8da98a-2e16-4551-b3dd-83de49baa14c) | | | |
T1555.003 | Simulating access to Opera Login Data (GUID: 28498c17-57e4-495a-b0be-cc1e36de408b) | | | |
T1555.003 | Simulating access to Chrome Login Data (GUID: 3d111226-d09a-4911-8715-fe11664f960d) | | | |
T1555.003 | LaZagne - Credentials from Browser (GUID: 9a2915b3-3954-4cce-8c76-00fbf4dbd014) | | | |
T1555.003 | Run Chrome-password Collector (GUID: 8c05b133-d438-47ca-a630-19cc464c4622) | | | |
T1555 | Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] (GUID: bc071188-459f-44d5-901a-f8f2625b2d2e) | | | |
T1555 | Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] (GUID: 36753ded-e5c4-4eb5-bc3c-e8fba236878d) | | | |
T1555 | Dump credentials from Windows Credential Manager With PowerShell [web Credentials] (GUID: 8fd5a296-6772-4766-9991-ff4e92af7240) | | | |
T1555 | Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] (GUID: c89becbe-1758-4e7d-a0f4-97d2188a23e3) | | | |
T1553.004 | Add Root Certificate to CurrentUser Certificate Store (GUID: ca20a3f1-42b5-4e21-ad3f-1049199ec2e0) | | | |
T1553.003 | SIP (Subject Interface Package) Hijacking via Custom DLL (GUID: e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675) | | | |
T1552.006 | GPP Passwords (Get-GPPPassword) (GUID: e9584f82-322c-474a-b831-940fd8b4455c) | | | |
T1552.004 | Export Certificates with Mimikatz (GUID: 290df60e-4b5d-4a5e-b0c7-dc5348ea0c86) | | | |
T1552.004 | CertUtil ExportPFX (GUID: 336b25bf-4514-4684-8924-474974f28137) | | | |
T1552.002 | Enumeration for PuTTY Credentials in Registry (GUID: af197fd7-e868-448e-9bd5-05d1bcd9d9e5) | | | |
T1552.002 | Enumeration for Credentials in Registry (GUID: b6ec082c-7384-46b3-a111-9a9b8b14e5e7) | | | |
T1548.002 | Bypass UAC using Fodhelper (GUID: 58f641ea-12e3-499a-b684-44dee46bd182) | | | |
T1547.009 | Shortcut Modification (GUID: ce4fc678-364f-4282-af16-2fb4c78005ce) | | | |
T1547.001 | Creating Boot Verification Program Key for application execution during successful boot (GUID: 6e1666d5-3f2b-4b9a-80aa-f011322380d4) | | | |
T1547.001 | Reg Key RunOnce (GUID: 554cbd88-cde1-4b56-8168-0be552eed9eb) | | | |
T1547.001 | Reg Key Run (GUID: e55be3fd-3521-4610-9d1a-e210e42dcf05) | | | |
T1547 | Driver Installation Using pnputil.exe (GUID: 5cb0b071-8a5a-412f-839d-116beb2ed9f7) | | | |
T1547 | Add a driver (GUID: cb01b3da-b0e7-4e24-bf6d-de5223526785) | | | |
T1546.011 | New shim database files created in the default shim database directory (GUID: aefd6866-d753-431f-a7a4-215ca7e3f13d) | | | |
T1546.011 | Application Shim Installation (GUID: 9ab27e22-ee62-4211-962b-d36d9a0e6a18) | | | |
T1546.008 | Create Symbolic Link From osk.exe to cmd.exe (GUID: 51ef369c-5e87-4f33-88cd-6d61be63edf2) | | | |
T1546.008 | Replace binary of sticky keys (GUID: 934e90cf-29ca-48b3-863c-411737ad44e3) | | | |
T1546.007 | Netsh Helper DLL Registration (GUID: 3244697d-5a3a-4dfc-941c-550f69f91a4d) | | | |
T1546.002 | Set Arbitrary Binary as Screensaver (GUID: 281201e7-de41-4dc9-b73d-f288938cbb64) | | | |
T1546.001 | Change Default File Association (GUID: 10a08978-2045-4d62-8c42-1957bbbea102) | | | |
T1546 | Persistence via ErrorHandler.cmd script execution (GUID: 547a4736-dd1c-4b48-b4fe-e916190bb2e7) | | | |
T1543.003 | TinyTurla backdoor service w64time (GUID: ef0581fd-528e-4662-87bc-4c2affb86940) | | | |
T1543.003 | Service Installation PowerShell (GUID: 491a4af6-a521-4b74-b23b-f7b3f1ee9e77) | | | |
T1543.003 | Service Installation CMD (GUID: 981e2942-e433-44e9-afc1-8c957a1496b6) | | | |
T1543.003 | Modify Fax service to run PowerShell (GUID: ed366cde-7d12-49df-a833-671904770b9f) | | | |
T1518.001 | Security Software Discovery - AV Discovery via WMI (GUID: 1553252f-14ea-4d3b-8a08-d7a4211aa945) | | | |
T1518.001 | Security Software Discovery - Sysmon Service (GUID: fe613cf3-8009-4446-9a0f-bc78a15b66c9) | | | |
T1518.001 | Security Software Discovery (GUID: f92a380f-ced9-491f-b338-95a991418ce2) | | | |
T1518 | Find and Display Internet Explorer Browser Version (GUID: 68981660-6670-47ee-a5fa-7e74806420a4) | | | |
T1505.003 | Web Shell Written to Disk (GUID: 0a2ce662-1efa-496f-a472-2fe7b080db16) | | | |
T1505.002 | Install MS Exchange Transport Agent Persistence (GUID: 43e92449-ff60-46e9-83a3-1a38089df94d) | | | |
T1490 | Modify VSS Service Permissions (GUID: a4420f93-5386-4290-b780-f4f66abc7070) | | | |
T1490 | Windows - vssadmin Resize Shadowstorage Volume (GUID: da558b07-69ae-41b9-b9d4-4d98154a7049) | | | |
T1490 | Windows - Disable the SR scheduled task (GUID: 1c68c68d-83a4-4981-974e-8993055fa034) | | | |
T1490 | Windows - Delete Backup Files (GUID: 6b1dbaf6-cc8a-4ea6-891f-6058569653bf) | | | |
T1490 | Windows - Delete Volume Shadow Copies via WMI with PowerShell (GUID: 39a295ca-7059-4a88-86f6-09556c1211e7) | | | |
T1490 | Windows - Disable Windows Recovery Console Repair (GUID: cf21060a-80b3-4238-a595-22525de4ab81) | | | |
T1490 | Windows - Delete Volume Shadow Copies via WMI (GUID: 6a3ff8dd-f49c-4272-a658-11c2fe58bd88) | | | |
T1490 | Windows - Delete Volume Shadow Copies (GUID: 43819286-91a9-4369-90ed-d31fb4da2c01) | | | |
T1489 | Windows - Stop service by killing process (GUID: f3191b84-c38b-400b-867e-3a217a27795f) | | | |
T1489 | Windows - Stop service using net.exe (GUID: 41274289-ec9c-4213-bea4-e43c4aa57954) | | | |
T1489 | Windows - Stop service using Service Controller (GUID: 21dfb440-830d-4c86-a3e5-2a491d5a8d04) | | | |
T1486 | PureLocker Ransom Note (GUID: 649349c7-9abf-493b-a7a2-b1aa4d141528) | | | |
T1485 | Overwrite deleted data on C drive (GUID: 321fd25e-0007-417f-adec-33232252be19) | | | |
T1482 | Adfind - Enumerate Active Directory Trusts (GUID: 15fe436d-e771-4ff3-b655-2dca9ba52834) | | | |
T1482 | Windows - Discover domain trusts with nltest (GUID: 2e22641d-0498-48d2-b9ff-c71e496ccdbe) | | | |
T1222.001 | Grant Full Access to folder for Everyone - Ryuk Ransomware Style (GUID: ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6) | | | |
T1222.001 | attrib - hide file (GUID: 32b979da-7b68-42c9-9a99-0e39900fc36c) | | | |
T1222.001 | attrib - Remove read-only attribute (GUID: bec1e95c-83aa-492e-ab77-60c71bbd21b0) | | | |
T1222.001 | cacls - Grant permission to specified user or group recursively (GUID: a8206bcc-f282-40a9-a389-05d9c0263485) | | | |
T1222.001 | Take ownership using takeown utility (GUID: 98d34bb4-6e75-42ad-9c41-1dae7dc6a001) | | | |
T1222 | Enable Local and Remote Symbolic Links via fsutil (GUID: 6c4ac96f-d4fa-44f4-83ca-56d8f4a55c02) | | | |
T1220 | WMIC bypass using remote XSL file (GUID: 7f5be499-33be-4129-a560-66021f379b9b) | | | |
T1220 | WMIC bypass using local XSL file (GUID: 1b237334-3e21-4a0c-8178-b8c996124988) | | | |
T1218.011 | Rundll32 execute payload by calling RouteTheCall (GUID: 8a7f56ee-10e7-444c-a139-0109438288eb) | | | |
T1218.011 | Rundll32 execute command via FileProtocolHandler (GUID: f3ad3c5b-1db1-45c1-81bf-d3370ebab6c8) | | | |
T1218.011 | Running DLL with .init extension and function (GUID: 2d5029f0-ae20-446f-8811-e7511b58e8b6) | | | |
T1218.011 | Rundll32 with desk.cpl (GUID: 83a95136-a496-423c-81d3-1c6750133917) | | | |
T1218.011 | Launches an executable using Rundll32 and pcwutl.dll (GUID: 9f5d081a-ee5a-42f9-a04e-b7bdc487e676) | | | |
T1218.011 | Execution of HTA and VBS Files using Rundll32 and URL.dll (GUID: 22cfde89-befe-4e15-9753-47306b37a6e3) | | | |
T1218.011 | Rundll32 execute VBscript command (GUID: 638730e7-7aed-43dc-bf8c-8117f805f5bb) | | | |
T1218.011 | Rundll32 execute JavaScript Remote Payload With GetObject (GUID: 57ba4ce9-ee7a-4f27-9928-3c70c489b59d) | | | |
T1218.010 | Regsvr32 Silent DLL Install Call DllRegisterServer (GUID: 9d71c492-ea2e-4c08-af16-c6994cdf029f) | | | |
T1218.007 | Msiexec.exe - Execute Local MSI file with an embedded EXE (GUID: ed3fa08a-ca18-4009-973e-03d13014d0e8) | | | |
T1218.007 | Msiexec.exe - Execute Local MSI file with an embedded DLL (GUID: 628fa796-76c5-44c3-93aa-b9d8214fd568) | | | |
T1218.007 | Msiexec.exe - Execute Local MSI file with embedded VBScript (GUID: 8d73c7b0-c2b1-4ac1-881a-4aa644f76064) | | | |
T1218.007 | Msiexec.exe - Execute Local MSI file with embedded JScript (GUID: a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04) | | | |
T1218.005 | Mshta used to Execute PowerShell (GUID: 8707a805-2b76-4f32-b1c0-14e558205772) | | | |
T1218.005 | Mshta executes VBScript to execute malicious command (GUID: 906865c3-e05f-4acc-85c4-fbc185455095) | | | |
T1218.005 | Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject (GUID: 1483fab9-4f52-4217-a9ce-daa9d7747cae) | | | |
T1218.003 | CMSTP Executing UAC Bypass (GUID: 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0) | | | |
T1218.003 | CMSTP Executing Remote Scriptlet (GUID: 34e63321-9683-496b-bbc1-7566bc55e624) | | | |
T1218 | System Binary Proxy Execution - Wlrmdr Lolbin (GUID: 7816c252-b728-4ea6-a683-bd9441ca0b71) | | | |
T1218 | Provlaunch.exe Executes Arbitrary Command via Registry Key (GUID: ab76e34f-28bf-441f-a39c-8db4835b89cc) | | | |
T1218 | Lolbas ie4uinit.exe use as proxy (GUID: 13c0804e-615e-43ad-b223-2dfbacd0b0b3) | | | |
T1218 | Lolbin Gpscript startup option (GUID: f8da74bb-21b8-4af9-8d84-f2c8e4a220e3) | | | |
T1218 | Lolbin Gpscript logon option (GUID: 5bcda9cd-8e85-48fa-861d-b5a85d91d48c) | | | |
T1218 | Load Arbitrary DLL via Wuauclt (Windows Update Client) (GUID: 49fbd548-49e9-4bb7-94a6-3769613912b8) | | | |
T1218 | Invoke-ATHRemoteFXvGPUDisablementCommand base test (GUID: 9ebe7901-7edf-45c0-b5c7-8366300919db) | | | |
T1218 | Microsoft.Workflow.Compiler.exe Payload Execution (GUID: 7cbb0f26-a4c1-4f77-b180-a009aa05637e) | | | |
T1218 | InfDefaultInstall.exe .inf Execution (GUID: 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef) | | | |
T1218 | Register-CimProvider - Execute evil dll (GUID: ad2c17ed-f626-4061-b21e-b9804a6f3655) | | | |
T1217 | List Internet Explorer Bookmarks using the command prompt (GUID: 727dbcdb-e495-4ab1-a6c4-80c7f77aef85) | | | |
T1217 | List Mozilla Firefox bookmarks on Windows with command prompt (GUID: 4312cdbc-79fc-4a9c-becc-53d49c734bc5) | | | |
T1217 | List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt (GUID: 76f71e2f-480e-4bed-b61e-398fe17499d5) | | | |
T1216.001 | PubPrn.vbs Signed Script Bypass (GUID: 9dd29a1f-1e16-4862-be83-913b10a88f6c) | | | |
T1216 | manage-bde.wsf Signed Script Command Execution (GUID: 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a) | | | |
T1204.002 | LNK Payload Download (GUID: 581d7521-9c4b-420e-9695-2aec5241167f) | | | |
T1204.002 | Potentially Unwanted Applications (PUA) (GUID: 02f35d62-9fdc-4a97-b899-a5d9a876d295) | | | |
T1204.002 | OSTap Payload Download (GUID: 3f3af983-118a-4fa1-85d3-ba4daa739d80) | | | |
T1202 | Indirect Command Execution - Scriptrunner.exe (GUID: 0fd14730-6226-4f5e-8d67-43c65f1be940) | | | |
T1202 | Indirect Command Execution - forfiles.exe (GUID: 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc) | | | |
T1202 | Indirect Command Execution - pcalua.exe (GUID: cecfea7a-5f03-4cdd-8bc8-6f7c22862440) | | | |
T1201 | Use of SecEdit.exe to export the local security policy (including the password policy) (GUID: 510cc97f-56ac-4cd3-a198-d3218c23d889) | | | |
T1201 | Examine local password policy - Windows (GUID: 4588d243-f24e-4549-b2e3-e627acc089f6) | | | |
T1187 | Trigger an authenticated RPC call to a target server with no Sign flag set (GUID: 81cfdd7f-1f41-4cc5-9845-bb5149438e37) | | | |
T1187 | PetitPotam (GUID: 485ce873-2e65-4706-9c7e-ae3ab9e14213) | | | |
T1140 | Certutil Rename and Decode (GUID: 71abc534-3c05-4d0c-80f7-cbe93cb2aa94) | | | |
T1140 | Deobfuscate/Decode Files Or Information (GUID: dc6fe391-69e6-4506-bd06-ea5eeb4082f8) | | | |
T1137 | Office Application Startup - Outlook as a C2 (GUID: bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c) | | | |
T1135 | PowerView ShareFinder (GUID: d07e4cc1-98ae-447e-9d31-36cb430d28c4) | | | |
T1135 | View available share drives (GUID: ab39a04f-0c93-4540-9ff2-83f862c385ae) | | | |
T1135 | Network Share Discovery command prompt (GUID: 20f1097d-81c1-405c-8380-32174d493bbb) | | | |
T1134.004 | Parent PID Spoofing - Spawn from Specified Process (GUID: cbbff285-9051-444a-9d17-c07cd2d230eb) | | | |
T1127 | Lolbin Jsc.exe compile javascript to dll (GUID: 3fc9fea2-871d-414d-8ef6-02e85e322b80) | | | |
T1127 | Lolbin Jsc.exe compile javascript to exe (GUID: 1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8) | | | |
T1124 | System Time Discovery (GUID: 20aba24b-e61f-4b26-b4ce-4784f763ca20) | | | |
T1123 | using device audio capture commandlet (GUID: 9c3ad250-b185-4444-b5a9-d69218a10c95) | | | |
T1120 | Peripheral Device Discovery via fsutil (GUID: 424e18fd-48b8-4201-8d3a-bf591523a686) | | | |
T1119 | Recon information for export with Command Prompt (GUID: aa1180e2-f329-4e1e-8625-2472ec0bfaf3) | | | |
T1119 | Automated Collection Command Prompt (GUID: cb379146-53f1-43e0-b884-7ce2c635ff5b) | | | |
T1115 | Utilize Clipboard to store or execute commands from (GUID: 0cd14633-58d4-4422-9ede-daa2c9474ae7) | | | |
T1113 | Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted (GUID: 5a496325-0115-4274-8eb9-755b649ad0fb) | | | |
T1112 | Modify UseTPMKeyPIN Registry entry (GUID: 02d8b9f7-1a51-4011-8901-2d55cca667f9) | | | |
T1112 | Modify UseTPMKey Registry entry (GUID: c8480c83-a932-446e-a919-06a1fd1e512a) | | | |
T1112 | Modify UseTPMPIN Registry entry (GUID: 10b33fb0-c58b-44cd-8599-b6da5ad6384c) | | | |
T1112 | Modify EnableBDEWithNoTPM Registry entry (GUID: bacb3e73-8161-43a9-8204-a69fe0e4b482) | | | |
T1112 | Requires the BitLocker PIN for Pre-boot authentication (GUID: 26fc7375-a551-4336-90d7-3f2817564304) | | | |
T1112 | Disable Windows Remote Desktop Protocol (GUID: 5f8e36de-37ca-455e-b054-a2584f043c06) | | | |
T1112 | Enable RDP via Registry (fDenyTSConnections) (GUID: 16bdbe52-371c-4ccf-b708-79fba61f1db4) | | | |
T1112 | Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. (GUID: ffeddced-bb9f-49c6-97f0-3d07a509bf94) | | | |
T1112 | Modify Internet Zone Protocol Defaults in Current User Registry - cmd (GUID: c88ef166-50fa-40d5-a80c-e2b87d4180f7) | | | |
T1112 | Tamper Win Defender Protection (GUID: 3b625eaa-c10d-4635-af96-3eae7d2a2f3c) | | | |
T1112 | Enabling Remote Desktop Protocol via Remote Registry (GUID: e3ad8e83-3089-49ff-817f-e52f8c948090) | | | |
T1112 | Mimic Ransomware - Allow Multiple RDP Sessions per User (GUID: 35727d9e-7a7f-4d0c-a259-dc3906d6e8b9) | | | |
T1112 | Disable Windows Error Reporting Settings (GUID: d2c9e41e-cd86-473d-980d-b6403562e3e1) | | | |
T1112 | Ursnif Malware Registry Key Creation (GUID: c375558d-7c25-45e9-bd64-7b23a97c1db0) | | | |
T1112 | NetWire RAT Registry Key Creation (GUID: 65704cd4-6e36-4b90-b6c1-dc29a82c8e56) | | | |
T1112 | Suppress Win Defender Notifications (GUID: c30dada3-7777-4590-b970-dc890b8cf113) | | | |
T1112 | Windows Add Registry Value to Load Service in Safe Mode with Network (GUID: c173c948-65e5-499c-afbe-433722ed5bd4) | | | |
T1112 | Windows Add Registry Value to Load Service in Safe Mode without Network (GUID: 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5) | | | |
T1112 | Windows Powershell Logging Disabled (GUID: 95b25212-91a7-42ff-9613-124aca6845a8) | | | |
T1112 | Modify registry to store logon credentials (GUID: c0413fb5-33e2-40b7-9b6f-60b29f4a7a18) | | | |
T1112 | Modify Registry of Local Machine - cmd (GUID: 282f929a-6bc5-42b8-bd93-960c3ba35afe) | | | |
T1110.001 | Password Brute User using Kerbrute Tool (GUID: 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4) | | | |
T1105 | iwr or Invoke Web-Request download (GUID: c01cad7f-7a4c-49df-985e-b190dcf6a279) | | | |
T1105 | Download a file using wscript | | | |
GUID: 97116a3f-efac-4b26-8336-b9cb18c45188 |
|
||
T1105 |
certreq download
GUID: 6fdaae87-c05b-42f8-842e-991a74e8376b |
|
||
T1105 |
Lolbas replace.exe use to copy UNC file
GUID: ed0335ac-0354-400c-8148-f6151d20035a |
|
||
T1105 |
Lolbas replace.exe use to copy file
GUID: 54782d65-12f0-47a5-b4c1-b70ee23de6df |
|
||
T1105 |
Printer Migration Command-Line Tool UNC share folder into a zip file
GUID: 49845fc1-7961-4590-a0f0-3dbcf065ae7e |
|
||
T1105 |
Download a file with IMEWDBLD.exe
GUID: 1a02df58-09af-4064-a765-0babe1a0d1e2 |
|
||
T1105 |
File download with finger.exe on Windows
GUID: 5f507e45-8411-4f99-84e7-e38530c45d01 |
|
||
T1105 |
Download a File with Windows Defender MpCmdRun.exe
GUID: 815bef8b-bf91-4b67-be4c-abe4c2a94ccc |
|
||
T1105 |
svchost writing a file to a UNC path
GUID: fa5a2759-41d7-4e13-a19c-e8f28a53566f |
|
||
T1105 |
OSTAP Worming Activity
GUID: 2ca61766-b456-4fcf-a35a-1233685e1cad |
|
||
T1090.001 |
portproxy reg key
GUID: b8223ea9-4be2-44a6-b50a-9657a3d4e72a |
|
||
T1087.002 |
Enumerate Linked Policies In ADSISearcher Discovery
GUID: 7ab0205a-34e4-4a44-9b04-e1541d1a57be |
|
||
T1087.002 |
Enumerate Active Directory Users with ADSISearcher
GUID: 02e8be5a-3065-4e54-8cc8-a14d138834d3 |
|
||
T1087.002 |
Adfind - Enumerate Active Directory Exchange AD Objects
GUID: 5e2938fb-f919-47b6-8b29-2f6a1f718e99 |
|
||
T1087.002 |
Adfind - Enumerate Active Directory Admins
GUID: b95fd967-4e62-4109-b48d-265edfd28c3a |
|
||
T1087.002 |
Adfind -Listing password policy
GUID: 736b4f53-f400-4c22-855d-1a6b5a551600 |
|
||
T1087.002 |
Automated AD Recon (ADRecon)
GUID: 95018438-454a-468c-a0fa-59c800149b59 |
|
||
T1083 |
File and Directory Discovery (cmd.exe)
GUID: 0e36303b-6762-4500-b003-127743b80ba6 |
|
||
T1082 |
System Information Discovery
GUID: 4060ee98-01ae-4c8e-8aad-af8300519cc7 |
|
||
T1082 |
Griffon Recon
GUID: 69bd4abe-8759-49a6-8d21-0f15822d6370 |
|
||
T1082 |
Windows MachineGUID Discovery
GUID: 224b4daf-db44-404e-b6b2-f4d1f0126ef8 |
|
||
T1082 |
System Information Discovery
GUID: 66703791-c902-4560-8770-42b8a91f7667 |
|
||
T1078.003 |
Create local account with admin privileges
GUID: a524ce99-86de-4db6-b4f9-e08f35a47a15 |
|
||
T1078.001 |
Enable Guest account with RDP capability and admin privileges
GUID: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 |
|
||
T1074.001 |
Zip a Folder with PowerShell for Staging in Temp
GUID: a57fbe4b-3440-452a-88a7-943531ac872a |
|
||
T1074.001 |
Stage data from Discovery.bat
GUID: 107706a5-6f9f-451a-adae-bab8c667829f |
|
||
T1071.001 |
Malicious User Agents - CMD
GUID: dc3488b0-08c7-4fea-b585-905c83b48180 |
|
||
T1070.005 |
Remove Network Share
GUID: 09210ad5-1ef2-4077-9ad3-7351e13e9222 |
|
||
T1070.005 |
Add Network Share
GUID: 14c38f32-6509-46d8-ab43-d53e32d2b131 |
|
||
T1070.004 |
Delete Prefetch File
GUID: 36f96049-0ad7-4a5f-8418-460acaeb92fb |
|
||
T1070.004 |
Delete a single file - Windows cmd
GUID: 861ea0b4-708a-4d17-848d-186c9c7f17e3 |
|
||
T1070.001 |
Clear Logs
GUID: e6abb60e-26b8-41da-8aae-0c35174b0967 |
|
||
T1070 |
Indicator Removal using FSUtil
GUID: b4115c7a-0e92-47f0-a61e-17e7218b2435 |
|
||
T1069.002 |
Enumerate Active Directory Groups with ADSISearcher
GUID: 9f4e344b-8434-41b3-85b1-d38f29d148d0 |
|
||
T1059.007 |
JScript execution to gather local computer information via wscript
GUID: 0709945e-4fec-4c49-9faf-c3c292a74484 |
|
||
T1059.007 |
JScript execution to gather local computer information via cscript
GUID: 01d75adf-ca1b-4dd1-ac96-7c9550ad1035 |
|
||
T1059.005 |
Visual Basic script execution to gather local computer information
GUID: 1620de42-160a-4fe5-bbaf-d3fef0181ce9 |
|
||
T1059.003 |
Command prompt writing script to file then executes it
GUID: 00682c9f-7df4-4df8-950b-6dcaaa3ad9af |
|
||
T1059.003 |
Command Prompt read contents from CMD file and execute
GUID: df81db1b-066c-4802-9bc8-b6d030c3ba8e |
|
||
T1059.003 |
Writes text to a file and displays it.
GUID: 127b4afe-2346-4192-815c-69042bec570e |
|
||
T1059.001 |
PowerShell Invoke Known Malicious Cmdlets
GUID: 49eb9404-5e0f-4031-a179-b40f7be385e3 |
|
||
T1059.001 |
PowerShell Command Execution
GUID: a538de64-1c74-46ed-aa60-b995ed302598 |
|
||
T1059.001 |
Mimikatz - Cradlecraft PsSendKeys
GUID: af1800cf-9f9d-4fd1-a709-14b1e6de020d |
|
||
T1057 |
Discover Specific Process - tasklist
GUID: 11ba69ee-902e-4a0f-b3b6-418aed7d7ddb |
|
||
T1057 |
Process Discovery - wmic process
GUID: 640cbf6d-659b-498b-ba53-f6dd1a1cc02c |
|
||
T1057 |
Process Discovery - tasklist
GUID: c5806a4f-62b8-4900-980b-c7ec004e9908 |
|
||
T1056.004 |
Hook PowerShell TLS Encrypt/Decrypt Messages
GUID: de1934ea-1fbf-425b-8795-65fb27dd7e33 |
|
||
T1056.001 |
Input Capture
GUID: d9b633ca-8efb-45e6-b838-70f595c6ae26 |
|
||
T1055 |
Process Injection with Go using CreateThread WinAPI (Natively)
GUID: 2a3c7035-d14f-467a-af94-933e49fe6786 |
|
||
T1055 |
Process Injection with Go using CreateThread WinAPI
GUID: 2871ed59-3837-4a52-9107-99500ebc87cb |
|
||
T1055 |
Remote Process Injection in LSASS via mimikatz
GUID: 3203ad24-168e-4bec-be36-f79b13ef8a83 |
|
||
T1053.005 |
Scheduled Task Executing Base64 Encoded Commands From Registry
GUID: e895677d-4f06-49ab-91b6-ae3742d0a2ba |
|
||
T1053.005 |
Scheduled task Local
GUID: 42f53695-ad4a-4546-abb6-7d837f644a71 |
|
||
T1053.002 |
At.exe Scheduled task
GUID: 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 |
|
||
T1047 |
WMI Reconnaissance Software
GUID: 718aebaa-d0e0-471a-8241-c5afa69c7414 |
|
||
T1047 |
WMI Reconnaissance Processes
GUID: 5750aa16-0e59-4410-8b9a-8a47ca2788e2 |
|
||
T1040 |
Windows Internal pktmon set filter
GUID: 855fb8b4-b8ab-4785-ae77-09f5df7bff55 |
|
||
T1040 |
Windows Internal Packet Capture
GUID: b5656f67-d67f-4de8-8e62-b5581630f528 |
|
||
T1039 |
Copy a sensitive File over Administrative share with Powershell
GUID: 7762e120-5879-44ff-97f8-008b401b9a98 |
|
||
T1039 |
Copy a sensitive File over Administrative share with copy
GUID: 6ed67921-1774-44ba-bac6-adb51ed60660 |
|
||
T1037.001 |
Logon Scripts
GUID: d6042746-07d4-4c92-9ad8-e644c114a231 |
|
||
T1036.007 |
File Extension Masquerading
GUID: c7fa0c3b-b57f-4cba-9118-863bf4e653fc |
|
||
T1036.004 |
Creating W32Time similar named service using sc
GUID: b721c6ef-472c-4263-a0d9-37f1f4ecff66 |
|
||
T1036.003 |
Malicious process Masquerading as LSM.exe
GUID: 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f |
|
||
T1036.003 |
Masquerading - powershell.exe running as taskhostw.exe
GUID: ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa |
|
||
T1036.003 |
Masquerading - cscript.exe running as notepad.exe
GUID: 3a2a578b-0a01-46e4-92e3-62e2859b42f0 |
|
||
T1036.003 |
Masquerading as Windows LSASS process
GUID: 5ba5a3d1-cf3c-4499-968a-a93155d1f717 |
|
||
T1033 |
System Owner/User Discovery
GUID: 4c4959bf-addf-4b4a-be86-8d09cc1857aa |
|
||
T1027 |
Execution from Compressed JScript File
GUID: fad04df1-5229-4185-b016-fb6010cd87ac |
|
||
T1027 |
DLP Evasion via Sensitive Data in VBA Macro over HTTP
GUID: e2d85e66-cb66-4ed7-93b1-833fc56c9319 |
|
||
T1021.001 |
Disable NLA for RDP via Command Prompt
GUID: 01d1c6c0-faf0-408e-b368-752a02285cb2 |
|
||
T1021.001 |
Changing RDP Port to Non Standard Port via Command_Prompt
GUID: 74ace21e-a31c-4f7d-b540-53e4eb6d1f73 |
|
||
T1018 |
Enumerate Remote Hosts with Netscan
GUID: b8147c9a-84db-4ec1-8eee-4e0da75f0de5 |
|
||
T1018 |
Enumerate Active Directory Computers with ADSISearcher
GUID: 64ede6ac-b57a-41c2-a7d1-32c6cd35397d |
|
||
T1018 |
Remote System Discovery - ping sweep
GUID: 6db1f57f-d1d5-4223-8a66-55c9c65a9592 |
|
||
T1016.002 |
Enumerate Stored Wi-Fi Profiles And Passwords via netsh
GUID: 53cf1903-0fa7-4177-ab14-f358ae809eec |
|
||
T1016 |
System Network Configuration Discovery (TrickBot Style)
GUID: dafaf052-5508-402d-bf77-51e0700c02e2 |
|
||
T1016 |
System Network Configuration Discovery on Windows
GUID: 970ab6a1-0157-4f3f-9a73-ec4166754b23 |
|
||
T1007 |
System Service Discovery - net.exe
GUID: 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3 |
|
||
T1007 |
System Service Discovery
GUID: 89676ba1-b1f8-47ee-b940-2e1a113ebc71 |
|
||
T1003.006 |
Run DSInternals Get-ADReplAccount
GUID: a0bced08-3fc5-4d8b-93b7-e8344739376e |
|
||
T1003.005 |
Cached Credential Dump via Cmdkey
GUID: 56506854-89d6-46a3-9804-b7fde90791f9 |
|
||
T1003.003 |
Create Volume Shadow Copy with Powershell
GUID: 542bb97e-da53-436b-8e43-e0a7d31a6c24 |
|
||
T1003.003 |
Dump Active Directory Database with NTDSUtil
GUID: 2364e33d-ceab-4641-8468-bfb1d7cc2723 |
|
||
T1003.001 |
Dump LSASS.exe Memory through Silent Process Exit
GUID: eb5adf16-b601-4926-bca7-dad22adffb37 |
|
||
T1003.001 |
Dump LSASS.exe using imported Microsoft DLLs
GUID: 86fc3f40-237f-4701-b155-81c01c48d697 |
|
||
T1003.001 |
Create Mini Dump of LSASS.exe using ProcDump
GUID: 7cede33f-0acd-44ef-9774-15511300b24b |
|
||
T1003.001 |
Offline Credential Theft With Mimikatz
GUID: 453acf13-1dbd-47d7-b28a-172ce9228023 |
|
||
T1003.001 |
Dump LSASS.exe Memory using NanoDump
GUID: dddd4aca-bbed-46f0-984d-e4c5971c51ea |
|
||
T1003.001 |
Dump LSASS.exe Memory using comsvcs.dll
GUID: 2536dee2-12fb-459a-8c37-971844fa73be |
|
||
T1003.001 |
Dump LSASS.exe Memory using ProcDump
GUID: 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8 |
|
||
T1003 |
Send NTLM Hash with RPC Test Connection
GUID: 0b207037-813c-4444-ac3f-b597cf280a67 |
|
||
T1003 |
Dump Credential Manager using keymgr.dll and rundll32.exe
GUID: 84113186-ed3c-4d0d-8a3c-8980c86c1f4a |
|
||
T1003 |
Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)
GUID: 42510244-5019-48fa-a0e5-66c3b76e6049 |
|