Full_tests.csv

tactic;technique;executor;os;name;guid;sigma;nmr_test
defense-evasion;T1055.011;powershell;['windows'];Process Injection via Extra Window Memory (EWM) x64 executable;93ca40d2-336c-446d-bcef-87f14d438018;False;1
defense-evasion;T1218.011;command_prompt;['windows'];Rundll32 execute JavaScript Remote Payload With GetObject;57ba4ce9-ee7a-4f27-9928-3c70c489b59d;True;1
defense-evasion;T1218.011;command_prompt;['windows'];Rundll32 execute VBscript command;638730e7-7aed-43dc-bf8c-8117f805f5bb;True;2
defense-evasion;T1218.011;command_prompt;['windows'];Rundll32 execute VBscript command using Ordinal number;32d1cf1b-cbc2-4c09-8d05-07ec5c83a821;True;3
defense-evasion;T1218.011;command_prompt;['windows'];Rundll32 advpack.dll Execution;d91cae26-7fc1-457b-a854-34c8aad48c89;True;4
defense-evasion;T1218.011;command_prompt;['windows'];Rundll32 ieadvpack.dll Execution;5e46a58e-cbf6-45ef-a289-ed7754603df9;True;5
defense-evasion;T1218.011;command_prompt;['windows'];Rundll32 syssetup.dll Execution;41fa324a-3946-401e-bbdd-d7991c628125;True;6
defense-evasion;T1218.011;command_prompt;['windows'];Rundll32 setupapi.dll Execution;71d771cd-d6b3-4f34-bc76-a63d47a10b19;True;7
defense-evasion;T1218.011;command_prompt;['windows'];Execution of HTA and VBS Files using Rundll32 and URL.dll;22cfde89-befe-4e15-9753-47306b37a6e3;True;8
defense-evasion;T1218.011;command_prompt;['windows'];Launches an executable using Rundll32 and pcwutl.dll;9f5d081a-ee5a-42f9-a04e-b7bdc487e676;True;9
defense-evasion;T1218.011;powershell;['windows'];Execution of non-dll using rundll32.exe;ae3a8605-b26e-457c-b6b3-2702fd335bac;True;10
defense-evasion;T1218.011;command_prompt;['windows'];Rundll32 with Ordinal Value;9fd5a74b-ba89-482a-8a3e-a5feaa3697b0;True;11
defense-evasion;T1218.011;command_prompt;['windows'];Rundll32 with Control_RunDLL;e4c04b6f-c492-4782-82c7-3bf75eb8077e;True;12
defense-evasion;T1218.011;command_prompt;['windows'];Rundll32 with desk.cpl;83a95136-a496-423c-81d3-1c6750133917;True;13
defense-evasion;T1218.011;command_prompt;['windows'];Running DLL with .init extension and function;2d5029f0-ae20-446f-8811-e7511b58e8b6;True;14
defense-evasion;T1218.011;command_prompt;['windows'];Rundll32 execute command via FileProtocolHandler;f3ad3c5b-1db1-45c1-81bf-d3370ebab6c8;True;15
defense-evasion;T1556.003;sh;['linux'];Malicious PAM rule;4b9dde80-ae22-44b1-a82a-644bf009eb9c;False;1
defense-evasion;T1556.003;sh;['linux'];Malicious PAM rule (freebsd);b17eacac-282d-4ca8-a240-46602cf863e3;False;2
defense-evasion;T1556.003;sh;['linux'];Malicious PAM module;65208808-3125-4a2e-8389-a0a00e9ab326;False;3
defense-evasion;T1222.002;sh;['linux', 'macos'];chmod - Change file or folder mode (numeric mode);34ca1464-de9d-40c6-8c77-690adf36a135;False;1
defense-evasion;T1222.002;sh;['linux', 'macos'];chmod - Change file or folder mode (symbolic mode);fc9d6695-d022-4a80-91b1-381f5c35aff3;False;2
defense-evasion;T1222.002;sh;['linux', 'macos'];chmod - Change file or folder mode (numeric mode) recursively;ea79f937-4a4d-4348-ace6-9916aec453a4;False;3
defense-evasion;T1222.002;bash;['linux', 'macos'];chmod - Change file or folder mode (symbolic mode) recursively;0451125c-b5f6-488f-993b-5a32b09f7d8f;False;4
defense-evasion;T1222.002;bash;['macos', 'linux'];chown - Change file or folder ownership and group;d169e71b-85f9-44ec-8343-27093ff3dfc0;False;5
defense-evasion;T1222.002;bash;['macos', 'linux'];chown - Change file or folder ownership and group recursively;b78598be-ff39-448f-a463-adbf2a5b7848;False;6
defense-evasion;T1222.002;sh;['linux', 'macos'];chown - Change file or folder mode ownership only;967ba79d-f184-4e0e-8d09-6362b3162e99;False;7
defense-evasion;T1222.002;bash;['macos', 'linux'];chown - Change file or folder ownership recursively;3b015515-b3d8-44e9-b8cd-6fa84faf30b2;False;8
defense-evasion;T1222.002;sh;['macos', 'linux'];chattr - Remove immutable file attribute;e7469fe2-ad41-4382-8965-99b94dd3c13f;False;9
defense-evasion;T1222.002;sh;['linux'];chflags - Remove immutable file attribute;60eee3ea-2ebd-453b-a666-c52ce08d2709;False;10
defense-evasion;T1222.002;sh;['macos', 'linux'];Chmod through c script;973631cf-6680-4ffa-a053-045e1b6b67ab;False;11
defense-evasion;T1222.002;sh;['linux'];Chmod through c script (freebsd);da40b5fe-3098-4b3b-a410-ff177e49ee2e;False;12
defense-evasion;T1222.002;sh;['macos', 'linux'];Chown through c script;18592ba1-5f88-4e3c-abc8-ab1c6042e389;False;13
defense-evasion;T1222.002;sh;['linux'];Chown through c script (freebsd);eb577a19-b730-4918-9b03-c5edcf51dc4e;False;14
defense-evasion;T1216.001;command_prompt;['windows'];PubPrn.vbs Signed Script Bypass;9dd29a1f-1e16-4862-be83-913b10a88f6c;True;1
defense-evasion;T1006;powershell;['windows'];Read volume boot sector via DOS device path (PowerShell);88f6327e-51ec-4bbf-b2e8-3fea534eab8b;True;1
defense-evasion;T1014;sh;['linux'];Loadable Kernel Module based Rootkit;dfb50072-e45a-4c75-a17e-a484809c8553;False;1
defense-evasion;T1014;sh;['linux'];Loadable Kernel Module based Rootkit;75483ef8-f10f-444a-bf02-62eb0e48db6f;False;2
defense-evasion;T1014;sh;['linux'];dynamic-linker based rootkit (libprocesshider);1338bf0c-fd0c-48c0-9e65-329f18e2c0d3;False;3
defense-evasion;T1014;sh;['linux'];Loadable Kernel Module based Rootkit (Diamorphine);0b996469-48c6-46e2-8155-a17f8b6c2247;False;4
defense-evasion;T1548.002;command_prompt;['windows'];Bypass UAC using Event Viewer (cmd);5073adf8-9a50-4bd9-b298-a9bd2ead8af9;True;1
defense-evasion;T1548.002;powershell;['windows'];Bypass UAC using Event Viewer (PowerShell);a6ce9acf-842a-4af6-8f79-539be7608e2b;True;2
defense-evasion;T1548.002;command_prompt;['windows'];Bypass UAC using Fodhelper;58f641ea-12e3-499a-b684-44dee46bd182;True;3
defense-evasion;T1548.002;powershell;['windows'];Bypass UAC using Fodhelper - PowerShell;3f627297-6c38-4e7d-a278-fc2563eaaeaa;True;4
defense-evasion;T1548.002;powershell;['windows'];Bypass UAC using ComputerDefaults (PowerShell);3c51abf2-44bf-42d8-9111-dc96ff66750f;True;5
defense-evasion;T1548.002;command_prompt;['windows'];Bypass UAC by Mocking Trusted Directories;f7a35090-6f7f-4f64-bb47-d657bf5b10c1;True;6
defense-evasion;T1548.002;powershell;['windows'];Bypass UAC using sdclt DelegateExecute;3be891eb-4608-4173-87e8-78b494c029b7;True;7
defense-evasion;T1548.002;command_prompt;['windows'];Disable UAC using reg.exe;9e8af564-53ec-407e-aaa8-3cb20c3af7f9;True;8
defense-evasion;T1548.002;command_prompt;['windows'];Bypass UAC using SilentCleanup task;28104f8a-4ff1-4582-bcf6-699dce156608;True;9
defense-evasion;T1548.002;command_prompt;['windows'];UACME Bypass Method 23;8ceab7a2-563a-47d2-b5ba-0995211128d7;True;10
defense-evasion;T1548.002;command_prompt;['windows'];UACME Bypass Method 31;b0f76240-9f33-4d34-90e8-3a7d501beb15;True;11
defense-evasion;T1548.002;command_prompt;['windows'];UACME Bypass Method 33;e514bb03-f71c-4b22-9092-9f961ec6fb03;True;12
defense-evasion;T1548.002;command_prompt;['windows'];UACME Bypass Method 34;695b2dac-423e-448e-b6ef-5b88e93011d6;True;13
defense-evasion;T1548.002;command_prompt;['windows'];UACME Bypass Method 39;56163687-081f-47da-bb9c-7b231c5585cf;True;14
defense-evasion;T1548.002;command_prompt;['windows'];UACME Bypass Method 56;235ec031-cd2d-465d-a7ae-68bab281e80e;True;15
defense-evasion;T1548.002;command_prompt;['windows'];UACME Bypass Method 59;dfb1b667-4bb8-4a63-a85e-29936ea75f29;True;16
defense-evasion;T1548.002;command_prompt;['windows'];UACME Bypass Method 61;7825b576-744c-4555-856d-caf3460dc236;True;17
defense-evasion;T1548.002;powershell;['windows'];WinPwn - UAC Magic;964d8bf8-37bc-4fd3-ba36-ad13761ebbcc;True;18
defense-evasion;T1548.002;powershell;['windows'];WinPwn - UAC Bypass ccmstp technique;f3c145f9-3c8d-422c-bd99-296a17a8f567;True;19
defense-evasion;T1548.002;powershell;['windows'];WinPwn - UAC Bypass DiskCleanup technique;1ed67900-66cd-4b09-b546-2a0ef4431a0c;True;20
defense-evasion;T1548.002;powershell;['windows'];WinPwn - UAC Bypass DccwBypassUAC technique;2b61977b-ae2d-4ae4-89cb-5c36c89586be;True;21
defense-evasion;T1548.002;powershell;['windows'];Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key;251c5936-569f-42f4-9ac2-87a173b9e9b8;True;22
defense-evasion;T1548.002;powershell;['windows'];UAC Bypass with WSReset Registry Modification;3b96673f-9c92-40f1-8a3e-ca060846f8d9;True;23
defense-evasion;T1548.002;powershell;['windows'];Disable UAC - Switch to the secure desktop when prompting for elevation via registry key;85f3a526-4cfa-4fe7-98c1-dea99be025c7;False;24
defense-evasion;T1548.002;command_prompt;['windows'];Disable UAC notification via registry keys;160a7c77-b00e-4111-9e45-7c2a44eda3fd;True;25
defense-evasion;T1548.002;command_prompt;['windows'];Disable ConsentPromptBehaviorAdmin via registry keys;a768aaa2-2442-475c-8990-69cf33af0f4e;True;26
defense-evasion;T1548.003;sh;['macos', 'linux'];Sudo usage;150c3a08-ee6e-48a6-aeaf-3659d24ceb4e;False;1
defense-evasion;T1548.003;sh;['linux'];Sudo usage (freebsd);2bf9a018-4664-438a-b435-cc6f8c6f71b1;False;2
defense-evasion;T1548.003;sh;['macos', 'linux'];Unlimited sudo cache timeout;a7b17659-dd5e-46f7-b7d1-e6792c91d0bc;False;3
defense-evasion;T1548.003;sh;['linux'];Unlimited sudo cache timeout (freebsd);a83ad6e8-6f24-4d7f-8f44-75f8ab742991;False;4
defense-evasion;T1548.003;sh;['macos', 'linux'];Disable tty_tickets for sudo caching;91a60b03-fb75-4d24-a42e-2eb8956e8de1;False;5
defense-evasion;T1548.003;sh;['linux'];Disable tty_tickets for sudo caching (freebsd);4df6a0fe-2bdd-4be8-8618-a6a19654a57a;False;6
defense-evasion;T1542.001;powershell;['windows'];UEFI Persistence via Wpbbin.exe File Creation;b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1;False;1
defense-evasion;T1574.011;powershell;['windows'];Service Registry Permissions Weakness;f7536d63-7fd4-466f-89da-7e48d550752a;True;1
defense-evasion;T1574.011;command_prompt;['windows'];Service ImagePath Change with reg.exe;f38e9eea-e1d7-4ba6-b716-584791963827;True;2
defense-evasion;T1036.005;sh;['macos', 'linux'];Execute a process from a directory masquerading as the current parent directory.;812c3ab8-94b0-4698-a9bf-9420af23ce24;False;1
defense-evasion;T1036.005;powershell;['windows'];Masquerade as a built-in system executable;35eb8d16-9820-4423-a2a1-90c4f5edd9ca;True;2
defense-evasion;T1564;powershell;['windows'];Extract binary files via VBA;6afe288a-8a8b-4d33-a629-8d03ba9dad3a;True;1
defense-evasion;T1564;command_prompt;['windows'];"Create a Hidden User Called ""$""";2ec63cc2-4975-41a6-bf09-dffdfb610778;True;2
defense-evasion;T1564;powershell;['windows'];"Create an ""Administrator "" user (with a space on the end)";5bb20389-39a5-4e99-9264-aeb92a55a85c;True;3
defense-evasion;T1564;command_prompt;['windows'];Create and Hide a Service with sc.exe;333c7de0-6fbe-42aa-ac2b-c7e40b18246a;True;4
defense-evasion;T1564;powershell;['windows'];Command Execution with NirCmd;2748ab4a-1e0b-4cf2-a2b0-8ef765bec7be;False;5
defense-evasion;T1484.002;powershell;['azure-ad'];Add Federation to Azure AD;8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7;False;1
defense-evasion;T1562.009;command_prompt;['windows'];Safe Mode Boot;2a78362e-b79a-4482-8e24-be397bce4d85;True;1
defense-evasion;T1497.001;sh;['linux'];Detect Virtualization Environment (Linux);dfbd1a21-540d-4574-9731-e852bd6fe840;False;1
defense-evasion;T1497.001;sh;['linux'];Detect Virtualization Environment (FreeBSD);e129d73b-3e03-4ae9-bf1e-67fc8921e0fd;False;2
defense-evasion;T1497.001;powershell;['windows'];Detect Virtualization Environment (Windows);502a7dc4-9d6f-4d28-abf2-f0e84692562d;True;3
defense-evasion;T1497.001;sh;['macos'];Detect Virtualization Environment (MacOS);a960185f-aef6-4547-8350-d1ce16680d09;False;4
defense-evasion;T1497.001;powershell;['windows'];Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows);4a41089a-48e0-47aa-82cb-5b81a463bc78;True;5
defense-evasion;T1070.002;sh;['macos', 'linux'];rm -rf;989cc1b1-3642-4260-a809-54f9dd559683;False;1
defense-evasion;T1070.002;sh;['linux'];rm -rf;bd8ccc45-d632-481e-b7cf-c467627d68f9;False;2
defense-evasion;T1070.002;sh;['macos'];Delete log files using built-in log utility;653d39cd-bae7-499a-898c-9fb96b8b5cd1;False;3
defense-evasion;T1070.002;sh;['macos'];Truncate system log files via truncate utility;6290f8a8-8ee9-4661-b9cf-390031bf6973;False;4
defense-evasion;T1070.002;sh;['linux'];Truncate system log files via truncate utility (freebsd);14033063-ee04-4eaf-8f5d-ba07ca7a097c;False;5
defense-evasion;T1070.002;sh;['macos'];Delete log files via cat utility by appending /dev/null or /dev/zero;c23bdb88-928d-493e-b46d-df2906a50941;False;6
defense-evasion;T1070.002;sh;['linux'];Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd);369878c6-fb04-48d6-8fc2-da9d97b3e054;False;7
defense-evasion;T1070.002;sh;['macos'];System log file deletion via find utility;bc8eeb4a-cc3e-45ec-aa6e-41e973da2558;False;8
defense-evasion;T1070.002;sh;['macos'];Overwrite macOS system log via echo utility;0208ea60-98f1-4e8c-8052-930dce8f742c;False;9
defense-evasion;T1070.002;sh;['linux'];Overwrite FreeBSD system log via echo utility;11cb8ee1-97fb-4960-8587-69b8388ee9d9;False;10
defense-evasion;T1070.002;sh;['macos'];Real-time system log clearance/deletion;848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c;False;11
defense-evasion;T1070.002;sh;['macos'];Delete system log files via unlink utility;03013b4b-01db-437d-909b-1fdaa5010ee8;False;12
defense-evasion;T1070.002;sh;['linux'];Delete system log files via unlink utility (freebsd);45ad4abd-19bd-4c5f-a687-41f3eee8d8c2;False;13
defense-evasion;T1070.002;sh;['macos'];Delete system log files using shred utility;86f0e4d5-3ca7-45fb-829d-4eda32b232bb;False;14
defense-evasion;T1070.002;sh;['macos'];Delete system log files using srm utility;b0768a5e-0f32-4e75-ae5b-d036edcf96b6;False;15
defense-evasion;T1070.002;sh;['macos'];Delete system log files using OSAScript;810a465f-cd4f-47bc-b43e-d2de3b033ecc;False;16
defense-evasion;T1070.002;sh;['macos'];Delete system log files using Applescript;e62f8694-cbc7-468f-862c-b10cd07e1757;False;17
defense-evasion;T1070.002;sh;['linux'];Delete system journal logs via rm and journalctl utilities;ca50dd85-81ff-48ca-92e1-61f119cb1dcf;False;18
defense-evasion;T1070.002;bash;['linux'];Overwrite Linux Mail Spool;1602ff76-ed7f-4c94-b550-2f727b4782d4;False;19
defense-evasion;T1070.002;bash;['linux'];Overwrite Linux Log;d304b2dc-90b4-4465-a650-16ddd503f7b5;False;20
defense-evasion;T1218.004;powershell;['windows'];CheckIfInstallable method call;ffd9c807-d402-47d2-879d-f915cf2a3a94;True;1
defense-evasion;T1218.004;powershell;['windows'];InstallHelper method call;d43a5bde-ae28-4c55-a850-3f4c80573503;True;2
defense-evasion;T1218.004;powershell;['windows'];InstallUtil class constructor method call;9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93;True;3
defense-evasion;T1218.004;powershell;['windows'];InstallUtil Install method call;9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b;True;4
defense-evasion;T1218.004;powershell;['windows'];InstallUtil Uninstall method call - /U variant;34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b;True;5
defense-evasion;T1218.004;powershell;['windows'];InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant;06d9deba-f732-48a8-af8e-bdd6e4d98c1d;True;6
defense-evasion;T1218.004;powershell;['windows'];InstallUtil HelpText method call;5a683850-1145-4326-a0e5-e91ced3c6022;True;7
defense-evasion;T1218.004;powershell;['windows'];InstallUtil evasive invocation;559e6d06-bb42-4307-bff7-3b95a8254bad;True;8
defense-evasion;T1574.001;command_prompt;['windows'];DLL Search Order Hijacking - amsi.dll;8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3;True;1
defense-evasion;T1553.001;sh;['macos'];Gatekeeper Bypass;fb3d46c6-9480-4803-8d7d-ce676e1f1a9b;False;1
defense-evasion;T1222.001;command_prompt;['windows'];Take ownership using takeown utility;98d34bb4-6e75-42ad-9c41-1dae7dc6a001;True;1
defense-evasion;T1222.001;command_prompt;['windows'];cacls - Grant permission to specified user or group recursively;a8206bcc-f282-40a9-a389-05d9c0263485;True;2
defense-evasion;T1222.001;command_prompt;['windows'];attrib - Remove read-only attribute;bec1e95c-83aa-492e-ab77-60c71bbd21b0;True;3
defense-evasion;T1222.001;command_prompt;['windows'];attrib - hide file;32b979da-7b68-42c9-9a99-0e39900fc36c;True;4
defense-evasion;T1222.001;command_prompt;['windows'];Grant Full Access to folder for Everyone - Ryuk Ransomware Style;ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6;True;5
defense-evasion;T1218.007;command_prompt;['windows'];Msiexec.exe - Execute Local MSI file with embedded JScript;a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04;True;1
defense-evasion;T1218.007;command_prompt;['windows'];Msiexec.exe - Execute Local MSI file with embedded VBScript;8d73c7b0-c2b1-4ac1-881a-4aa644f76064;True;2
defense-evasion;T1218.007;command_prompt;['windows'];Msiexec.exe - Execute Local MSI file with an embedded DLL;628fa796-76c5-44c3-93aa-b9d8214fd568;True;3
defense-evasion;T1218.007;command_prompt;['windows'];Msiexec.exe - Execute Local MSI file with an embedded EXE;ed3fa08a-ca18-4009-973e-03d13014d0e8;True;4
defense-evasion;T1218.007;powershell;['windows'];WMI Win32_Product Class - Execute Local MSI file with embedded JScript;882082f0-27c6-4eec-a43c-9aa80bccdb30;True;5
defense-evasion;T1218.007;powershell;['windows'];WMI Win32_Product Class - Execute Local MSI file with embedded VBScript;cf470d9a-58e7-43e5-b0d2-805dffc05576;True;6
defense-evasion;T1218.007;powershell;['windows'];WMI Win32_Product Class - Execute Local MSI file with an embedded DLL;32eb3861-30da-4993-897a-42737152f5f8;True;7
defense-evasion;T1218.007;powershell;['windows'];WMI Win32_Product Class - Execute Local MSI file with an embedded EXE;55080eb0-49ae-4f55-a440-4167b7974f79;True;8
defense-evasion;T1218.007;command_prompt;['windows'];Msiexec.exe - Execute the DllRegisterServer function of a DLL;0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d;True;9
defense-evasion;T1218.007;command_prompt;['windows'];Msiexec.exe - Execute the DllUnregisterServer function of a DLL;ab09ec85-4955-4f9c-b8e0-6851baf4d47f;True;10
defense-evasion;T1218.007;command_prompt;['windows'];Msiexec.exe - Execute Remote MSI file;44a4bedf-ffe3-452e-bee4-6925ab125662;True;11
defense-evasion;T1556.002;powershell;['windows'];Install and Register Password Filter DLL;a7961770-beb5-4134-9674-83d7e1fa865c;True;1
defense-evasion;T1070.003;sh;['linux', 'macos'];Clear Bash history (rm);a934276e-2be5-4a36-93fd-98adbb5bd4fc;False;1
defense-evasion;T1070.003;sh;['linux'];Clear Bash history (echo);cbf506a5-dd78-43e5-be7e-a46b7c7a0a11;False;2
defense-evasion;T1070.003;sh;['linux', 'macos'];Clear Bash history (cat dev/null);b1251c35-dcd3-4ea1-86da-36d27b54f31f;False;3
defense-evasion;T1070.003;sh;['linux', 'macos'];Clear Bash history (ln dev/null);23d348f3-cc5c-4ba9-bd0a-ae09069f0914;False;4
defense-evasion;T1070.003;sh;['linux'];Clear Bash history (truncate);47966a1d-df4f-4078-af65-db6d9aa20739;False;5
defense-evasion;T1070.003;sh;['linux', 'macos'];Clear history of a bunch of shells;7e6721df-5f08-4370-9255-f06d8a77af4c;False;6
defense-evasion;T1070.003;sh;['linux', 'macos'];Clear and Disable Bash History Logging;784e4011-bd1a-4ecd-a63a-8feb278512e6;False;7
defense-evasion;T1070.003;sh;['linux', 'macos'];Use Space Before Command to Avoid Logging to History;53b03a54-4529-4992-852d-a00b4b7215a6;False;8
defense-evasion;T1070.003;sh;['linux'];Disable Bash History Logging with SSH -T;5f8abd62-f615-43c5-b6be-f780f25790a1;False;9
defense-evasion;T1070.003;bash;['linux'];Clear Docker Container Logs;553b39f9-1e8c-47b1-abf5-8daf7b0391e9;False;10
defense-evasion;T1070.003;powershell;['windows'];Prevent Powershell History Logging;2f898b81-3e97-4abb-bc3f-a95138988370;True;11
defense-evasion;T1070.003;powershell;['windows'];Clear Powershell History by Deleting History File;da75ae8d-26d6-4483-b0fe-700e4df4f037;True;12
defense-evasion;T1070.003;powershell;['windows'];Set Custom AddToHistoryHandler to Avoid History File Logging;1d0d9aa6-6111-4f89-927b-53e8afae7f94;True;13
defense-evasion;T1202;command_prompt;['windows'];Indirect Command Execution - pcalua.exe;cecfea7a-5f03-4cdd-8bc8-6f7c22862440;True;1
defense-evasion;T1202;command_prompt;['windows'];Indirect Command Execution - forfiles.exe;8b34a448-40d9-4fc3-a8c8-4bb286faf7dc;True;2
defense-evasion;T1202;command_prompt;['windows'];Indirect Command Execution - conhost.exe;cf3391e0-b482-4b02-87fc-ca8362269b29;True;3
defense-evasion;T1140;command_prompt;['windows'];Deobfuscate/Decode Files Or Information;dc6fe391-69e6-4506-bd06-ea5eeb4082f8;True;1
defense-evasion;T1140;command_prompt;['windows'];Certutil Rename and Decode;71abc534-3c05-4d0c-80f7-cbe93cb2aa94;True;2
defense-evasion;T1140;sh;['linux', 'macos'];Base64 decoding with Python;356dc0e8-684f-4428-bb94-9313998ad608;False;3
defense-evasion;T1140;sh;['linux', 'macos'];Base64 decoding with Perl;6604d964-b9f6-4d4b-8ce8-499829a14d0a;False;4
defense-evasion;T1140;sh;['linux', 'macos'];Base64 decoding with shell utilities;b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e;False;5
defense-evasion;T1140;sh;['linux'];Base64 decoding with shell utilities (freebsd);b6097712-c42e-4174-b8f2-4b1e1a5bbb3d;False;6
defense-evasion;T1140;sh;['linux'];FreeBSD b64encode Shebang in CLI;18ee2002-66e8-4518-87c5-c0ec9c8299ac;False;7
defense-evasion;T1140;sh;['linux', 'macos'];Hex decoding with shell utilities;005943f9-8dd5-4349-8b46-0313c0a9f973;False;8
defense-evasion;T1140;sh;['linux', 'macos'];Linux Base64 Encoded Shebang in CLI;3a15c372-67c1-4430-ac8e-ec06d641ce4d;False;9
defense-evasion;T1140;bash;['linux', 'macos'];XOR decoding and command execution using Python;c3b65cd5-ee51-4e98-b6a3-6cbdec138efc;False;10
defense-evasion;T1562;command_prompt;['windows'];Windows Disable LSA Protection;40075d5f-3a70-4c66-9125-f72bee87247d;True;1
defense-evasion;T1562;sh;['linux'];Disable journal logging via systemctl utility;c3a377f9-1203-4454-aa35-9d391d34768f;False;2
defense-evasion;T1562;sh;['linux'];Disable journal logging via sed utility;12e5551c-8d5c-408e-b3e4-63f53b03379f;False;3
defense-evasion;T1055.003;powershell;['windows'];Thread Execution Hijacking;578025d5-faa9-4f6d-8390-aae527d503e1;True;1
defense-evasion;T1036;powershell;['windows'];System File Copied to Unusual Location;51005ac7-52e2-45e0-bdab-d17c6d4916cd;True;1
defense-evasion;T1036;powershell;['windows'];Malware Masquerading and Execution from Zip File;4449c89b-ec82-43a4-89c1-91e2f1abeecc;True;2
defense-evasion;T1070.008;powershell;['windows'];Copy and Delete Mailbox Data on Windows;d29f01ea-ac72-4efc-8a15-bea64b77fabf;True;1
defense-evasion;T1070.008;bash;['linux'];Copy and Delete Mailbox Data on Linux;25e2be0e-96f7-4417-bd16-a4a2500e3802;False;2
defense-evasion;T1070.008;bash;['macos'];Copy and Delete Mailbox Data on macOS;3824130e-a6e4-4528-8091-3a52eeb540f6;False;3
defense-evasion;T1070.008;powershell;['windows'];Copy and Modify Mailbox Data on Windows;edddff85-fee0-499d-9501-7d4d2892e79b;False;4
defense-evasion;T1070.008;bash;['linux'];Copy and Modify Mailbox Data on Linux;6d99f93c-da56-49e3-b195-163090ace4f6;False;5
defense-evasion;T1070.008;bash;['macos'];Copy and Modify Mailbox Data on macOS;8a0b1579-5a36-483a-9cde-0236983e1665;False;6
defense-evasion;T1055;powershell;['windows'];Shellcode execution via VBA;1c91e740-1729-4329-b779-feba6e71d048;True;1
defense-evasion;T1055;command_prompt;['windows'];Remote Process Injection in LSASS via mimikatz;3203ad24-168e-4bec-be36-f79b13ef8a83;True;2
defense-evasion;T1055;powershell;['windows'];Section View Injection;c6952f41-6cf0-450a-b352-2ca8dae7c178;True;3
defense-evasion;T1055;powershell;['windows'];Dirty Vanity process Injection;49543237-25db-497b-90df-d0a0a6e8fe2c;False;4
defense-evasion;T1055;powershell;['windows'];Read-Write-Execute process Injection;0128e48e-8c1a-433a-a11a-a5387384f1e1;False;5
defense-evasion;T1055;powershell;['windows'];Process Injection with Go using UuidFromStringA WinAPI;2315ce15-38b6-46ac-a3eb-5e21abef2545;False;6
defense-evasion;T1055;powershell;['windows'];Process Injection with Go using EtwpCreateEtwThread WinAPI;7362ecef-6461-402e-8716-7410e1566400;False;7
defense-evasion;T1055;powershell;['windows'];Remote Process Injection with Go using RtlCreateUserThread WinAPI;a0c1725f-abcd-40d6-baac-020f3cf94ecd;False;8
defense-evasion;T1055;powershell;['windows'];Remote Process Injection with Go using CreateRemoteThread WinAPI;69534efc-d5f5-4550-89e6-12c6457b9edd;False;9
defense-evasion;T1055;powershell;['windows'];Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively);2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39;False;10
defense-evasion;T1055;powershell;['windows'];Process Injection with Go using CreateThread WinAPI;2871ed59-3837-4a52-9107-99500ebc87cb;False;11
defense-evasion;T1055;powershell;['windows'];Process Injection with Go using CreateThread WinAPI (Natively);2a3c7035-d14f-467a-af94-933e49fe6786;False;12
defense-evasion;T1055;powershell;['windows'];UUID custom process Injection;0128e48e-8c1a-433a-a11a-a5304734f1e1;False;13
defense-evasion;T1218;command_prompt;['windows'];mavinject - Inject DLL into running process;c426dacf-575d-4937-8611-a148a86a5e61;True;1
defense-evasion;T1218;command_prompt;['windows'];Register-CimProvider - Execute evil dll;ad2c17ed-f626-4061-b21e-b9804a6f3655;True;2
defense-evasion;T1218;command_prompt;['windows'];InfDefaultInstall.exe .inf Execution;54ad7d5a-a1b5-472c-b6c4-f8090fb2daef;True;3
defense-evasion;T1218;command_prompt;['windows'];ProtocolHandler.exe Downloaded a Suspicious File;db020456-125b-4c8b-a4a7-487df8afb5a2;True;4
defense-evasion;T1218;powershell;['windows'];Microsoft.Workflow.Compiler.exe Payload Execution;7cbb0f26-a4c1-4f77-b180-a009aa05637e;True;5
defense-evasion;T1218;powershell;['windows'];Renamed Microsoft.Workflow.Compiler.exe Payload Executions;4cc40fd7-87b8-4b16-b2d7-57534b86b911;True;6
defense-evasion;T1218;powershell;['windows'];Invoke-ATHRemoteFXvGPUDisablementCommand base test;9ebe7901-7edf-45c0-b5c7-8366300919db;True;7
defense-evasion;T1218;powershell;['windows'];DiskShadow Command Execution;0e1483ba-8f0c-425d-b8c6-42736e058eaa;True;8
defense-evasion;T1218;command_prompt;['windows'];Load Arbitrary DLL via Wuauclt (Windows Update Client);49fbd548-49e9-4bb7-94a6-3769613912b8;True;9
defense-evasion;T1218;command_prompt;['windows'];Lolbin Gpscript logon option;5bcda9cd-8e85-48fa-861d-b5a85d91d48c;True;10
defense-evasion;T1218;command_prompt;['windows'];Lolbin Gpscript startup option;f8da74bb-21b8-4af9-8d84-f2c8e4a220e3;True;11
defense-evasion;T1218;command_prompt;['windows'];Lolbas ie4uinit.exe use as proxy;13c0804e-615e-43ad-b223-2dfbacd0b0b3;True;12
defense-evasion;T1218;powershell;['windows'];LOLBAS CustomShellHost to Spawn Process;b1eeb683-90bb-4365-bbc2-2689015782fe;True;13
defense-evasion;T1218;command_prompt;['windows'];Provlaunch.exe Executes Arbitrary Command via Registry Key;ab76e34f-28bf-441f-a39c-8db4835b89cc;True;14
defense-evasion;T1218;powershell;['windows'];LOLBAS Msedge to Spawn Process;e5eedaed-ad42-4c1e-8783-19529738a349;True;15
defense-evasion;T1070.006;sh;['linux', 'macos'];Set a file's access timestamp;5f9113d5-ed75-47ed-ba23-ea3573d05810;False;1
defense-evasion;T1070.006;sh;['linux', 'macos'];Set a file's modification timestamp;20ef1523-8758-4898-b5a2-d026cc3d2c52;False;2
defense-evasion;T1070.006;sh;['linux', 'macos'];Set a file's creation timestamp;8164a4a6-f99c-4661-ac4f-80f5e4e78d2b;False;3
defense-evasion;T1070.006;sh;['linux', 'macos'];Modify file timestamps using reference file;631ea661-d661-44b0-abdb-7a7f3fc08e50;False;4
defense-evasion;T1070.006;powershell;['windows'];Windows - Modify file creation timestamp with PowerShell;b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c;True;5
defense-evasion;T1070.006;powershell;['windows'];Windows - Modify file last modified timestamp with PowerShell;f8f6634d-93e1-4238-8510-f8a90a20dcf2;True;6
defense-evasion;T1070.006;powershell;['windows'];Windows - Modify file last access timestamp with PowerShell;da627f63-b9bd-4431-b6f8-c5b44d061a62;True;7
defense-evasion;T1070.006;powershell;['windows'];Windows - Timestomp a File;d7512c33-3a75-4806-9893-69abc3ccdd43;True;8
defense-evasion;T1070.006;sh;['macos'];MacOS - Timestomp Date Modified;87fffff4-d371-4057-a539-e3b24c37e564;False;9
defense-evasion;T1620;powershell;['windows'];WinPwn - Reflectively load Mimik@tz into memory;56b9589c-9170-4682-8c3d-33b86ecb5119;True;1
defense-evasion;T1218.003;command_prompt;['windows'];CMSTP Executing Remote Scriptlet;34e63321-9683-496b-bbc1-7566bc55e624;True;1
defense-evasion;T1218.003;command_prompt;['windows'];CMSTP Executing UAC Bypass;748cb4f6-2fb3-4e97-b7ad-b22635a09ab0;True;2
defense-evasion;T1562.002;powershell;['windows'];Disable Windows IIS HTTP Logging;69435dcf-c66f-4ec0-a8b1-82beb76b34db;True;1
defense-evasion;T1562.002;powershell;['windows'];Disable Windows IIS HTTP Logging via PowerShell;a957fb0f-1e85-49b2-a211-413366784b1e;False;2
defense-evasion;T1562.002;powershell;['windows'];Kill Event Log Service Threads;41ac52ba-5d5e-40c0-b267-573ed90489bd;True;3
defense-evasion;T1562.002;command_prompt;['windows'];Impair Windows Audit Log Policy;5102a3a7-e2d7-4129-9e45-f483f2e0eea8;True;4
defense-evasion;T1562.002;command_prompt;['windows'];Clear Windows Audit Policy Config;913c0e4e-4b37-4b78-ad0b-90e7b25010f6;True;5
defense-evasion;T1562.002;command_prompt;['windows'];Disable Event Logging with wevtutil;b26a3340-dad7-4360-9176-706269c74103;True;6
defense-evasion;T1562.002;command_prompt;['windows'];Makes Eventlog blind with Phant0m;3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741;False;7
defense-evasion;T1218.002;command_prompt;['windows'];Control Panel Items;037e9d8a-9e46-4255-8b33-2ae3b545ca6f;True;1
defense-evasion;T1562.004;command_prompt;['windows'];Disable Microsoft Defender Firewall;88d05800-a5e4-407e-9b53-ece4174f197f;True;1
defense-evasion;T1562.004;command_prompt;['windows'];Disable Microsoft Defender Firewall via Registry;afedc8c4-038c-4d82-b3e5-623a95f8a612;True;2
defense-evasion;T1562.004;command_prompt;['windows'];Allow SMB and RDP on Microsoft Defender Firewall;d9841bf8-f161-4c73-81e9-fd773a5ff8c1;True;3
defense-evasion;T1562.004;command_prompt;['windows'];Opening ports for proxy - HARDRAIN;15e57006-79dd-46df-9bf9-31bc24fb5a80;True;4
defense-evasion;T1562.004;powershell;['windows'];Open a local port through Windows Firewall to any profile;9636dd6e-7599-40d2-8eee-ac16434f35ed;True;5
defense-evasion;T1562.004;powershell;['windows'];Allow Executable Through Firewall Located in Non-Standard Location;6f5822d2-d38d-4f48-9bfc-916607ff6b8c;True;6
defense-evasion;T1562.004;sh;['linux'];Stop/Start UFW firewall;fe135572-edcd-49a2-afe6-1d39521c5a9a;False;7
defense-evasion;T1562.004;sh;['linux'];Stop/Start Packet Filter;0ca82ed1-0a94-4774-9a9a-a2c83a8022b7;False;8
defense-evasion;T1562.004;sh;['linux'];Stop/Start UFW firewall systemctl;9fd99609-1854-4f3c-b47b-97d9a5972bd1;False;9
defense-evasion;T1562.004;sh;['linux'];Turn off UFW logging;8a95b832-2c2a-494d-9cb0-dc9dd97c8bad;False;10
defense-evasion;T1562.004;sh;['linux'];Add and delete UFW firewall rules;b2563a4e-c4b8-429c-8d47-d5bcb227ba7a;False;11
defense-evasion;T1562.004;sh;['linux'];Add and delete Packet Filter rules;8b23cae1-66c1-41c5-b79d-e095b6098b5b;False;12
defense-evasion;T1562.004;sh;['linux'];Edit UFW firewall user.rules file;beaf815a-c883-4194-97e9-fdbbb2bbdd7c;False;13
defense-evasion;T1562.004;sh;['linux'];Edit UFW firewall ufw.conf file;c1d8c4eb-88da-4927-ae97-c7c25893803b;False;14
defense-evasion;T1562.004;sh;['linux'];Edit UFW firewall sysctl.conf file;c4ae0701-88d3-4cd8-8bce-4801ed9f97e4;False;15
defense-evasion;T1562.004;sh;['linux'];Edit UFW firewall main configuration file;7b697ece-8270-46b5-bbc7-6b9e27081831;False;16
defense-evasion;T1562.004;sh;['linux'];Tail the UFW firewall log file;419cca0c-fa52-4572-b0d7-bc7c6f388a27;False;17
defense-evasion;T1562.004;sh;['linux'];Disable iptables;7784c64e-ed0b-4b65-bf63-c86db229fd56;False;18
defense-evasion;T1562.004;sh;['linux'];Modify/delete iptables firewall rules;899a7fb5-d197-4951-8614-f19ac4a73ad4;False;19
defense-evasion;T1562.004;command_prompt;['windows'];LockBit Black - Unusual Windows firewall registry modification -cmd;a4651931-ebbb-4cde-9363-ddf3d66214cb;True;20
defense-evasion;T1562.004;powershell;['windows'];LockBit Black - Unusual Windows firewall registry modification -Powershell;80b453d1-eec5-4144-bf08-613a6c3ffe12;True;21
defense-evasion;T1562.004;command_prompt;['windows'];Blackbit - Disable Windows Firewall using netsh firewall;91f348e6-3760-4997-a93b-2ceee7f254ee;True;22
defense-evasion;T1562.004;command_prompt;['windows'];ESXi - Disable Firewall via Esxcli;bac8a340-be64-4491-a0cc-0985cb227f5a;False;23
defense-evasion;T1562.004;powershell;['windows'];Set a firewall rule using New-NetFirewallRule;94be7646-25f6-467e-af23-585fb13000c8;True;24
defense-evasion;T1553.003;command_prompt;['windows'];SIP (Subject Interface Package) Hijacking via Custom DLL;e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675;True;1
defense-evasion;T1562.012;sh;['linux'];Delete all auditd rules using auditctl;33a29ab1-cabb-407f-9448-269041bf2856;False;1
defense-evasion;T1562.012;sh;['linux'];Disable auditd using auditctl;7906f0a6-b527-46ee-9026-6e81a9184e08;False;2
defense-evasion;T1207;powershell;['windows'];DCShadow (Active Directory);0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6;True;1
defense-evasion;T1553.006;command_prompt;['windows'];Code Signing Policy Modification;bb6b51e1-ab92-45b5-aeea-e410d06405f8;False;1
defense-evasion;T1610;bash;['containers'];Deploy Docker container;59aa6f26-7620-417e-9318-589e0fb7a372;False;1
defense-evasion;T1112;command_prompt;['windows'];Modify Registry of Current User Profile - cmd;1324796b-d0f6-455a-b4ae-21ffee6aa6b9;True;1
defense-evasion;T1112;command_prompt;['windows'];Modify Registry of Local Machine - cmd;282f929a-6bc5-42b8-bd93-960c3ba35afe;True;2
defense-evasion;T1112;command_prompt;['windows'];Modify registry to store logon credentials;c0413fb5-33e2-40b7-9b6f-60b29f4a7a18;True;3
defense-evasion;T1112;powershell;['windows'];Use Powershell to Modify registry to store logon credentials;68254a85-aa42-4312-a695-38b7276307f8;False;4
defense-evasion;T1112;powershell;['windows'];Add domain to Trusted sites Zone;cf447677-5a4e-4937-a82c-e47d254afd57;True;5
defense-evasion;T1112;powershell;['windows'];Javascript in registry;15f44ea9-4571-4837-be9e-802431a7bfae;True;6
defense-evasion;T1112;powershell;['windows'];Change Powershell Execution Policy to Bypass;f3a6cceb-06c9-48e5-8df8-8867a6814245;True;7
defense-evasion;T1112;command_prompt;['windows'];BlackByte Ransomware Registry Changes - CMD;4f4e2f9f-6209-4fcf-9b15-3b7455706f5b;True;8
defense-evasion;T1112;powershell;['windows'];BlackByte Ransomware Registry Changes - Powershell;0b79c06f-c788-44a2-8630-d69051f1123d;True;9
defense-evasion;T1112;command_prompt;['windows'];Disable Windows Registry Tool;ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8;True;10
defense-evasion;T1112;powershell;['windows'];Disable Windows CMD application;d2561a6d-72bd-408c-b150-13efe1801c2a;True;11
defense-evasion;T1112;command_prompt;['windows'];Disable Windows Task Manager application;af254e70-dd0e-4de6-9afe-a994d9ea8b62;True;12
defense-evasion;T1112;command_prompt;['windows'];Disable Windows Notification Center;c0d6d67f-1f63-42cc-95c0-5fd6b20082ad;True;13
defense-evasion;T1112;command_prompt;['windows'];Disable Windows Shutdown Button;6e0d1131-2d7e-4905-8ca5-d6172f05d03d;True;14
defense-evasion;T1112;command_prompt;['windows'];Disable Windows LogOff Button;e246578a-c24d-46a7-9237-0213ff86fb0c;True;15
defense-evasion;T1112;command_prompt;['windows'];Disable Windows Change Password Feature;d4a6da40-618f-454d-9a9e-26af552aaeb0;True;16
defense-evasion;T1112;command_prompt;['windows'];Disable Windows Lock Workstation Feature;3dacb0d2-46ee-4c27-ac1b-f9886bf91a56;True;17
defense-evasion;T1112;command_prompt;['windows'];Activate Windows NoDesktop Group Policy Feature;93386d41-525c-4a1b-8235-134a628dee17;True;18
defense-evasion;T1112;command_prompt;['windows'];Activate Windows NoRun Group Policy Feature;d49ff3cc-8168-4123-b5b3-f057d9abbd55;True;19
defense-evasion;T1112;command_prompt;['windows'];Activate Windows NoFind Group Policy Feature;ffbb407e-7f1d-4c95-b22e-548169db1fbd;True;20
defense-evasion;T1112;command_prompt;['windows'];Activate Windows NoControlPanel Group Policy Feature;a450e469-ba54-4de1-9deb-9023a6111690;True;21
defense-evasion;T1112;command_prompt;['windows'];Activate Windows NoFileMenu Group Policy Feature;5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4;True;22
defense-evasion;T1112;command_prompt;['windows'];Activate Windows NoClose Group Policy Feature;12f50e15-dbc6-478b-a801-a746e8ba1723;True;23
defense-evasion;T1112;command_prompt;['windows'];Activate Windows NoSetTaskbar Group Policy Feature;d29b7faf-7355-4036-9ed3-719bd17951ed;True;24
defense-evasion;T1112;command_prompt;['windows'];Activate Windows NoTrayContextMenu Group Policy Feature;4d72d4b1-fa7b-4374-b423-0fe326da49d2;True;25
defense-evasion;T1112;command_prompt;['windows'];Activate Windows NoPropertiesMyDocuments Group Policy Feature;20fc9daa-bd48-4325-9aff-81b967a84b1d;True;26
defense-evasion;T1112;command_prompt;['windows'];Hide Windows Clock Group Policy Feature;8023db1e-ad06-4966-934b-b6a0ae52689e;True;27
defense-evasion;T1112;command_prompt;['windows'];Windows HideSCAHealth Group Policy Feature;a4637291-40b1-4a96-8c82-b28f1d73e54e;True;28
defense-evasion;T1112;command_prompt;['windows'];Windows HideSCANetwork Group Policy Feature;3e757ce7-eca0-411a-9583-1c33b8508d52;True;29
defense-evasion;T1112;command_prompt;['windows'];Windows HideSCAPower Group Policy Feature;8d85a5d8-702f-436f-bc78-fcd9119496fc;True;30
defense-evasion;T1112;command_prompt;['windows'];Windows HideSCAVolume Group Policy Feature;7f037590-b4c6-4f13-b3cc-e424c5ab8ade;True;31
defense-evasion;T1112;command_prompt;['windows'];Windows Modify Show Compress Color And Info Tip Registry;795d3248-0394-4d4d-8e86-4e8df2a2693f;True;32
defense-evasion;T1112;command_prompt;['windows'];Windows Powershell Logging Disabled;95b25212-91a7-42ff-9613-124aca6845a8;True;33
defense-evasion;T1112;command_prompt;['windows'];Windows Add Registry Value to Load Service in Safe Mode without Network;1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5;True;34
defense-evasion;T1112;command_prompt;['windows'];Windows Add Registry Value to Load Service in Safe Mode with Network;c173c948-65e5-499c-afbe-433722ed5bd4;True;35
defense-evasion;T1112;command_prompt;['windows'];Disable Windows Toast Notifications;003f466a-6010-4b15-803a-cbb478a314d7;True;36
defense-evasion;T1112;command_prompt;['windows'];Disable Windows Security Center Notifications;45914594-8df6-4ea9-b3cc-7eb9321a807e;True;37
defense-evasion;T1112;command_prompt;['windows'];Suppress Win Defender Notifications;c30dada3-7777-4590-b970-dc890b8cf113;True;38
defense-evasion;T1112;command_prompt;['windows'];Allow RDP Remote Assistance Feature;86677d0e-0b5e-4a2b-b302-454175f9aa9e;True;39
defense-evasion;T1112;command_prompt;['windows'];NetWire RAT Registry Key Creation;65704cd4-6e36-4b90-b6c1-dc29a82c8e56;True;40
defense-evasion;T1112;command_prompt;['windows'];Ursnif Malware Registry Key Creation;c375558d-7c25-45e9-bd64-7b23a97c1db0;True;41
defense-evasion;T1112;command_prompt;['windows'];Terminal Server Client Connection History Cleared;3448824b-3c35-4a9e-a8f5-f887f68bea21;True;42
defense-evasion;T1112;command_prompt;['windows'];Disable Windows Error Reporting Settings;d2c9e41e-cd86-473d-980d-b6403562e3e1;True;43
defense-evasion;T1112;command_prompt;['windows'];DisallowRun Execution Of Certain Applications;71db768a-5a9c-4047-b5e7-59e01f188e84;True;44
defense-evasion;T1112;command_prompt;['windows'];Enabling Restricted Admin Mode via Command_Prompt;fe7974e5-5813-477b-a7bd-311d4f535e83;True;45
defense-evasion;T1112;command_prompt;['windows'];Mimic Ransomware - Enable Multiple User Sessions;39f1f378-ba8a-42b3-96dc-2a6540cfc1e3;False;46
defense-evasion;T1112;command_prompt;['windows'];Mimic Ransomware - Allow Multiple RDP Sessions per User;35727d9e-7a7f-4d0c-a259-dc3906d6e8b9;True;47
defense-evasion;T1112;command_prompt;['windows'];Event Viewer Registry Modification - Redirection URL;6174be7f-5153-4afd-92c5-e0c3b7cdb5ae;True;48
defense-evasion;T1112;command_prompt;['windows'];Event Viewer Registry Modification - Redirection Program;81483501-b8a5-4225-8b32-52128e2f69db;True;49
defense-evasion;T1112;command_prompt;['windows'];Enabling Remote Desktop Protocol via Remote Registry;e3ad8e83-3089-49ff-817f-e52f8c948090;True;50
defense-evasion;T1112;command_prompt;['windows'];Disable Win Defender Notification;12e03af7-79f9-4f95-af48-d3f12f28a260;False;51
defense-evasion;T1112;command_prompt;['windows'];Disable Windows OS Auto Update;01b20ca8-c7a3-4d86-af59-059f15ed5474;False;52
defense-evasion;T1112;command_prompt;['windows'];Disable Windows Auto Reboot for current logon user;396f997b-c5f8-4a96-bb2c-3c8795cf459d;False;53
defense-evasion;T1112;command_prompt;['windows'];Windows Auto Update Option to Notify before download;335a6b15-b8d2-4a3f-a973-ad69aa2620d7;False;54
defense-evasion;T1112;command_prompt;['windows'];Do Not Connect To Win Update;d1de3767-99c2-4c6c-8c5a-4ba4586474c8;False;55
defense-evasion;T1112;command_prompt;['windows'];Tamper Win Defender Protection;3b625eaa-c10d-4635-af96-3eae7d2a2f3c;True;56
defense-evasion;T1112;powershell;['windows'];Snake Malware Registry Blob;8318ad20-0488-4a64-98f4-72525a012f6b;False;57
defense-evasion;T1112;command_prompt;['windows'];Allow Simultaneous Download Registry;37950714-e923-4f92-8c7c-51e4b6fffbf6;False;58
defense-evasion;T1112;command_prompt;['windows'];Modify Internet Zone Protocol Defaults in Current User Registry - cmd;c88ef166-50fa-40d5-a80c-e2b87d4180f7;False;59
defense-evasion;T1112;powershell;['windows'];Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell;b1a4d687-ba52-4057-81ab-757c3dc0d3b5;False;60
defense-evasion;T1112;command_prompt;['windows'];Activities To Disable Secondary Authentication Detected By Modified Registry Value.;c26fb85a-fa50-4fab-a64a-c51f5dc538d5;False;61
defense-evasion;T1112;command_prompt;['windows'];Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.;ffeddced-bb9f-49c6-97f0-3d07a509bf94;False;62
defense-evasion;T1112;command_prompt;['windows'];Scarab Ransomware Defense Evasion Activities;ca8ba39c-3c5a-459f-8e15-280aec65a910;False;63
defense-evasion;T1112;command_prompt;['windows'];Disable Remote Desktop Anti-Alias Setting Through Registry;61d35188-f113-4334-8245-8c6556d43909;False;64
defense-evasion;T1112;command_prompt;['windows'];Disable Remote Desktop Security Settings Through Registry;4b81bcfa-fb0a-45e9-90c2-e3efe5160140;False;65
defense-evasion;T1112;command_prompt;['windows'];Disabling ShowUI Settings of Windows Error Reporting (WER);09147b61-40f6-4b2a-b6fb-9e73a3437c96;False;66
defense-evasion;T1112;command_prompt;['windows'];Enable Proxy Settings;eb0ba433-63e5-4a8c-a9f0-27c4192e1336;False;67
defense-evasion;T1112;command_prompt;['windows'];Set-Up Proxy Server;d88a3d3b-d016-4939-a745-03638aafd21b;False;68
defense-evasion;T1112;command_prompt;['windows'];RDP Authentication Level Override;7e7b62e9-5f83-477d-8935-48600f38a3c6;False;69
defense-evasion;T1112;command_prompt;['windows'];Enable RDP via Registry (fDenyTSConnections);16bdbe52-371c-4ccf-b708-79fba61f1db4;False;70
defense-evasion;T1112;command_prompt;['windows'];Disable Windows Prefetch Through Registry;7979dd41-2045-48b2-a54e-b1bc2415c9da;False;71
defense-evasion;T1574.008;powershell;['windows'];powerShell Persistence via hijacking default modules - Get-Variable.exe;1561de08-0b4b-498e-8261-e922f3494aae;True;1
defense-evasion;T1027.001;sh;['linux', 'macos'];Pad Binary to Change Hash - Linux/macOS dd;ffe2346c-abd5-4b45-a713-bf5f1ebd573a;False;1
defense-evasion;T1027.001;sh;['linux', 'macos'];Pad Binary to Change Hash using truncate command - Linux/macOS;e22a9e89-69c7-410f-a473-e6c212cd2292;False;2
defense-evasion;T1484.001;command_prompt;['windows'];LockBit Black - Modify Group policy settings -cmd;9ab80952-74ee-43da-a98c-1e740a985f28;True;1
defense-evasion;T1484.001;powershell;['windows'];LockBit Black - Modify Group policy settings -Powershell;b51eae65-5441-4789-b8e8-64783c26c1d1;True;2
defense-evasion;T1078.001;command_prompt;['windows'];Enable Guest account with RDP capability and admin privileges;99747561-ed8d-47f2-9c91-1e5fde1ed6e0;True;1
defense-evasion;T1078.001;command_prompt;['windows'];Activate Guest Account;aa6cb8c4-b582-4f8e-b677-37733914abda;True;2
defense-evasion;T1078.001;command_prompt;['macos'];Enable Guest Account on macOS;0315bdff-4178-47e9-81e4-f31a6d23f7e4;False;3
defense-evasion;T1574.006;bash;['linux'];Shared Library Injection via /etc/ld.so.preload;39cb0e67-dd0d-4b74-a74b-c072db7ae991;False;1
defense-evasion;T1574.006;bash;['linux'];Shared Library Injection via LD_PRELOAD;bc219ff7-789f-4d51-9142-ecae3397deae;False;2
defense-evasion;T1574.006;bash;['macos'];Dylib Injection via DYLD_INSERT_LIBRARIES;4d66029d-7355-43fd-93a4-b63ba92ea1be;False;3
defense-evasion;T1070.001;command_prompt;['windows'];Clear Logs;e6abb60e-26b8-41da-8aae-0c35174b0967;True;1
defense-evasion;T1070.001;powershell;['windows'];Delete System Logs Using Clear-EventLog;b13e9306-3351-4b4b-a6e8-477358b0b498;True;2
defense-evasion;T1070.001;powershell;['windows'];Clear Event Logs via VBA;1b682d84-f075-4f93-9a89-8a8de19ffd6e;True;3
defense-evasion;T1134.002;powershell;['windows'];Access Token Manipulation;dbf4f5a9-b8e0-46a3-9841-9ad71247239e;True;1
defense-evasion;T1134.002;powershell;['windows'];WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique;ccf4ac39-ec93-42be-9035-90e2f26bcd92;True;2
defense-evasion;T1548.001;sh;['macos', 'linux'];Make and modify binary from C source;896dfe97-ae43-4101-8e96-9a7996555d80;False;1
defense-evasion;T1548.001;sh;['linux'];Make and modify binary from C source (freebsd);dd580455-d84b-481b-b8b0-ac96f3b1dc4c;False;2
defense-evasion;T1548.001;sh;['macos', 'linux'];Set a SetUID flag on file;759055b3-3885-4582-a8ec-c00c9d64dd79;False;3
defense-evasion;T1548.001;sh;['linux'];Set a SetUID flag on file (freebsd);9be9b827-ff47-4e1b-bef8-217db6fb7283;False;4
defense-evasion;T1548.001;sh;['macos', 'linux'];Set a SetGID flag on file;db55f666-7cba-46c6-9fe6-205a05c3242c;False;5
defense-evasion;T1548.001;sh;['linux'];Set a SetGID flag on file (freebsd);1f73af33-62a8-4bf1-bd10-3bea931f2c0d;False;6
defense-evasion;T1548.001;sh;['linux'];Make and modify capabilities of a binary;db53959c-207d-4000-9e7a-cd8eb417e072;False;7
defense-evasion;T1548.001;sh;['linux'];Provide the SetUID capability to a file;1ac3272f-9bcf-443a-9888-4b1d3de785c1;False;8
defense-evasion;T1548.001;sh;['linux'];Do reconnaissance for files that have the setuid bit set;8e36da01-cd29-45fd-be72-8a0fcaad4481;False;9
defense-evasion;T1548.001;sh;['linux'];Do reconnaissance for files that have the setgid bit set;3fb46e17-f337-4c14-9f9a-a471946533e2;False;10
defense-evasion;T1218.008;command_prompt;['windows'];Odbcconf.exe - Execute Arbitrary DLL;2430498b-06c0-4b92-a448-8ad263c388e2;True;1
defense-evasion;T1218.008;command_prompt;['windows'];Odbcconf.exe - Load Response File;331ce274-f9c9-440b-9f8c-a1006e1fce0b;True;2
defense-evasion;T1562.006;bash;['linux'];Auditing Configuration Changes on Linux Host;212cfbcf-4770-4980-bc21-303e37abd0e3;False;1
defense-evasion;T1562.006;sh;['linux'];Auditing Configuration Changes on FreeBSD Host;cedaf7e7-28ee-42ab-ba13-456abd35d1bd;False;2
defense-evasion;T1562.006;bash;['linux'];Logging Configuration Changes on Linux Host;7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c;False;3
defense-evasion;T1562.006;sh;['linux'];Logging Configuration Changes on FreeBSD Host;6b8ca3ab-5980-4321-80c3-bcd77c8daed8;False;4
defense-evasion;T1562.006;powershell;['windows'];Disable Powershell ETW Provider - Windows;6f118276-121d-4c09-bb58-a8fb4a72ee84;True;5
defense-evasion;T1562.006;command_prompt;['windows'];Disable .NET Event Tracing for Windows Via Registry (cmd);8a4c33be-a0d3-434a-bee6-315405edbd5b;True;6
defense-evasion;T1562.006;powershell;['windows'];Disable .NET Event Tracing for Windows Via Registry (powershell);19c07a45-452d-4620-90ed-4c34fffbe758;True;7
defense-evasion;T1562.006;command_prompt;['windows'];LockBit Black - Disable the ETW Provider of Windows Defender -cmd;f6df0b8e-2c83-44c7-ba5e-0fa4386bec41;True;8
defense-evasion;T1562.006;powershell;['windows'];LockBit Black - Disable the ETW Provider of Windows Defender -Powershell;69fc085b-5444-4879-8002-b24c8e1a3e02;True;9
defense-evasion;T1070;command_prompt;['windows'];Indicator Removal using FSUtil;b4115c7a-0e92-47f0-a61e-17e7218b2435;True;1
defense-evasion;T1070;powershell;['windows'];Indicator Manipulation using FSUtil;96e86706-6afd-45b6-95d6-108d23eaf2e9;False;2
defense-evasion;T1550.003;command_prompt;['windows'];Mimikatz Kerberos Ticket Attack;dbf38128-7ba7-4776-bedf-cc2eed432098;True;1
defense-evasion;T1550.003;powershell;['windows'];Rubeus Kerberos Pass The Ticket;a2fc4ec5-12c6-4fb4-b661-961f23f359cb;True;2
defense-evasion;T1036.004;command_prompt;['windows'];Creating W32Time similar named service using schtasks;f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9;True;1
defense-evasion;T1036.004;command_prompt;['windows'];Creating W32Time similar named service using sc;b721c6ef-472c-4263-a0d9-37f1f4ecff66;True;2
defense-evasion;T1036.004;sh;['linux'];linux rename /proc/pid/comm using prctl;f0e3aaea-5cd9-4db6-a077-631dd19b27a8;False;3
defense-evasion;T1055.004;command_prompt;['windows'];Process Injection via C#;611b39b7-e243-4c81-87a4-7145a90358b1;True;1
defense-evasion;T1055.004;powershell;['windows'];EarlyBird APC Queue Injection in Go;73785dd2-323b-4205-ab16-bb6f06677e14;False;2
defense-evasion;T1055.004;powershell;['windows'];Remote Process Injection with Go using NtQueueApcThreadEx WinAPI;4cc571b1-f450-414a-850f-879baf36aa06;False;3
defense-evasion;T1647;manual;['macos'];Plist Modification;394a538e-09bb-4a4a-95d1-b93cf12682a8;False;1
defense-evasion;T1553.005;powershell;['windows'];Mount ISO image;002cca30-4778-4891-878a-aaffcfa502fa;True;1
defense-evasion;T1553.005;powershell;['windows'];Mount an ISO image and run executable from the ISO;42f22b00-0242-4afc-a61b-0da05041f9cc;True;2
defense-evasion;T1553.005;powershell;['windows'];Remove the Zone.Identifier alternate data stream;64b12afc-18b8-4d3f-9eab-7f6cae7c73f9;True;3
defense-evasion;T1553.005;powershell;['windows'];Execute LNK file from ISO;c2587b8d-743d-4985-aa50-c83394eaeb68;True;4
defense-evasion;T1612;sh;['containers'];Build Image On Host;2db30061-589d-409b-b125-7b473944f9b3;False;1
defense-evasion;T1055.002;powershell;['windows'];Portable Executable Injection;578025d5-faa9-4f6d-8390-aae739d503e1;False;1
defense-evasion;T1562.010;powershell;['linux'];ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI;062f92c9-28b1-4391-a5f8-9d8ca6852091;False;1
defense-evasion;T1562.010;command_prompt;['linux'];ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI;14d55b96-b2f5-428d-8fed-49dc4d9dd616;False;2
defense-evasion;T1562.010;powershell;['windows'];PowerShell Version 2 Downgrade;47c96489-2f55-4774-a6df-39faff428f6f;True;3
defense-evasion;T1218.005;command_prompt;['windows'];Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject;1483fab9-4f52-4217-a9ce-daa9d7747cae;True;1
defense-evasion;T1218.005;command_prompt;['windows'];Mshta executes VBScript to execute malicious command;906865c3-e05f-4acc-85c4-fbc185455095;True;2
defense-evasion;T1218.005;powershell;['windows'];Mshta Executes Remote HTML Application (HTA);c4b97eeb-5249-4455-a607-59f95485cb45;True;3
defense-evasion;T1218.005;powershell;['windows'];Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement;007e5672-2088-4853-a562-7490ddc19447;True;4
defense-evasion;T1218.005;powershell;['windows'];Invoke HTML Application - Jscript Engine Simulating Double Click;58a193ec-131b-404e-b1ca-b35cf0b18c33;True;5
defense-evasion;T1218.005;powershell;['windows'];Invoke HTML Application - Direct download from URI;39ceed55-f653-48ac-bd19-aceceaf525db;True;6
defense-evasion;T1218.005;powershell;['windows'];Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler;e7e3a525-7612-4d68-a5d3-c4649181b8af;True;7
defense-evasion;T1218.005;powershell;['windows'];Invoke HTML Application - JScript Engine with Inline Protocol Handler;d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840;True;8
defense-evasion;T1218.005;powershell;['windows'];Invoke HTML Application - Simulate Lateral Movement over UNC Path;b8a8bdb2-7eae-490d-8251-d5e0295b2362;True;9
defense-evasion;T1218.005;command_prompt;['windows'];Mshta used to Execute PowerShell;8707a805-2b76-4f32-b1c0-14e558205772;True;10
defense-evasion;T1134.001;powershell;['windows'];Named pipe client impersonation;90db9e27-8e7c-4c04-b602-a45927884966;True;1
defense-evasion;T1134.001;powershell;['windows'];`SeDebugPrivilege` token duplication;34f0a430-9d04-4d98-bcb5-1989f14719f0;True;2
defense-evasion;T1134.001;powershell;['windows'];Launch NSudo Executable;7be1bc0f-d8e5-4345-9333-f5f67d742cb9;True;3
defense-evasion;T1134.001;powershell;['windows'];Bad Potato;9c6d799b-c111-4749-a42f-ec2f8cb51448;True;4
defense-evasion;T1134.001;powershell;['windows'];Juicy Potato;f095e373-b936-4eb4-8d22-f47ccbfbe64a;False;5
defense-evasion;T1564.002;sh;['macos'];Create Hidden User using UniqueID < 500;4238a7f0-a980-4fff-98a2-dfc0a363d507;False;1
defense-evasion;T1564.002;sh;['macos'];Create Hidden User using IsHidden option;de87ed7b-52c3-43fd-9554-730f695e7f31;False;2
defense-evasion;T1564.002;command_prompt;['windows'];Create Hidden User in Registry;173126b7-afe4-45eb-8680-fa9f6400431c;True;3
defense-evasion;T1562.003;sh;['linux', 'macos'];Disable history collection;4eafdb45-0f79-4d66-aa86-a3e2c08791f5;False;1
defense-evasion;T1562.003;sh;['linux'];Disable history collection (freebsd);cada55b4-8251-4c60-819e-8ec1b33c9306;False;2
defense-evasion;T1562.003;manual;['macos', 'linux'];Mac HISTCONTROL;468566d5-83e5-40c1-b338-511e1659628d;False;3
defense-evasion;T1562.003;bash;['linux'];Clear bash history;878794f7-c511-4199-a950-8c28b3ed8e5b;False;4
defense-evasion;T1562.003;bash;['linux'];Setting the HISTCONTROL environment variable;10ab786a-028e-4465-96f6-9e83ca6c5f24;False;5
defense-evasion;T1562.003;bash;['linux'];Setting the HISTFILESIZE environment variable;5cafd6c1-2f43-46eb-ac47-a5301ba0a618;False;6
defense-evasion;T1562.003;sh;['linux'];Setting the HISTSIZE environment variable;386d3850-2ce7-4508-b56b-c0558922c814;False;7
defense-evasion;T1562.003;bash;['linux'];Setting the HISTFILE environment variable;b3dacb6c-a9e3-44ec-bf87-38db60c5cad1;False;8
defense-evasion;T1562.003;sh;['linux'];Setting the HISTFILE environment variable (freebsd);f7308845-6da8-468e-99f2-4271f2f5bb67;False;9
defense-evasion;T1562.003;bash;['linux'];Setting the HISTIGNORE environment variable;f12acddb-7502-4ce6-a146-5b62c59592f1;False;10
defense-evasion;T1562.003;command_prompt;['windows'];Disable Windows Command Line Auditing using reg.exe;1329d5ab-e10e-4e5e-93d1-4d907eb656e5;False;11
defense-evasion;T1562.003;powershell;['windows'];Disable Windows Command Line Auditing using Powershell Cmdlet;95f5c72f-6dfe-45f3-a8c1-d8faa07176fa;False;12
defense-evasion;T1134.004;powershell;['windows'];Parent PID Spoofing using PowerShell;069258f4-2162-46e9-9a25-c9c6c56150d2;True;1
defense-evasion;T1134.004;powershell;['windows'];Parent PID Spoofing - Spawn from Current Process;14920ebd-1d61-491a-85e0-fe98efe37f25;True;2
defense-evasion;T1134.004;powershell;['windows'];Parent PID Spoofing - Spawn from Specified Process;cbbff285-9051-444a-9d17-c07cd2d230eb;True;3
defense-evasion;T1134.004;powershell;['windows'];Parent PID Spoofing - Spawn from svchost.exe;e9f2b777-3123-430b-805d-5cedc66ab591;True;4
defense-evasion;T1134.004;powershell;['windows'];Parent PID Spoofing - Spawn from New Process;2988133e-561c-4e42-a15f-6281e6a9b2db;True;5
defense-evasion;T1218.001;command_prompt;['windows'];Compiled HTML Help Local Payload;5cb87818-0d7c-4469-b7ef-9224107aebe8;True;1
defense-evasion;T1218.001;command_prompt;['windows'];Compiled HTML Help Remote Payload;0f8af516-9818-4172-922b-42986ef1e81d;True;2
defense-evasion;T1218.001;powershell;['windows'];Invoke CHM with default Shortcut Command Execution;29d6f0d7-be63-4482-8827-ea77126c1ef7;True;3
defense-evasion;T1218.001;powershell;['windows'];Invoke CHM with InfoTech Storage Protocol Handler;b4094750-5fc7-4e8e-af12-b4e36bf5e7f6;True;4
defense-evasion;T1218.001;powershell;['windows'];Invoke CHM Simulate Double click;5decef42-92b8-4a93-9eb2-877ddcb9401a;True;5
defense-evasion;T1218.001;powershell;['windows'];Invoke CHM with Script Engine and Help Topic;4f83adda-f5ec-406d-b318-9773c9ca92e5;True;6
defense-evasion;T1218.001;powershell;['windows'];Invoke CHM Shortcut Command with ITS and Help Topic;15756147-7470-4a83-87fb-bb5662526247;True;7
defense-evasion;T1218.001;command_prompt;['windows'];Decompile Local CHM File;20cb05e0-1fa5-406d-92c1-84da4ba01813;True;8
defense-evasion;T1070.005;command_prompt;['windows'];Add Network Share;14c38f32-6509-46d8-ab43-d53e32d2b131;True;1
defense-evasion;T1070.005;command_prompt;['windows'];Remove Network Share;09210ad5-1ef2-4077-9ad3-7351e13e9222;True;2
defense-evasion;T1070.005;powershell;['windows'];Remove Network Share PowerShell;0512d214-9512-4d22-bde7-f37e058259b3;True;3
defense-evasion;T1070.005;command_prompt;['windows'];Disable Administrative Share Creation at Startup;99c657aa-ebeb-4179-a665-69288fdd12b8;True;4
defense-evasion;T1070.005;command_prompt;['windows'];Remove Administrative Shares;4299eff5-90f1-4446-b2f3-7f4f5cfd5d62;True;5
defense-evasion;T1562.001;sh;['linux'];Disable syslog;4ce786f8-e601-44b5-bfae-9ebb15a7d1c8;False;1
defense-evasion;T1562.001;sh;['linux'];Disable syslog (freebsd);db9de996-441e-4ae0-947b-61b6871e2fdf;False;2
defense-evasion;T1562.001;sh;['linux'];Disable Cb Response;ae8943f7-0f8d-44de-962d-fbc2e2f03eb8;False;3
defense-evasion;T1562.001;sh;['linux'];Disable SELinux;fc225f36-9279-4c39-b3f9-5141ab74f8d8;False;4
defense-evasion;T1562.001;sh;['linux'];Stop Crowdstrike Falcon on Linux;828a1278-81cc-4802-96ab-188bf29ca77d;False;5
defense-evasion;T1562.001;sh;['macos'];Disable Carbon Black Response;8fba7766-2d11-4b4a-979a-1e3d9cc9a88c;False;6
defense-evasion;T1562.001;sh;['macos'];Disable LittleSnitch;62155dd8-bb3d-4f32-b31c-6532ff3ac6a3;False;7
defense-evasion;T1562.001;sh;['macos'];Disable OpenDNS Umbrella;07f43b33-1e15-4e99-be70-bc094157c849;False;8
defense-evasion;T1562.001;sh;['macos'];Disable macOS Gatekeeper;2a821573-fb3f-4e71-92c3-daac7432f053;False;9
defense-evasion;T1562.001;sh;['macos'];Stop and unload Crowdstrike Falcon on macOS;b3e7510c-2d4c-4249-a33f-591a2bc83eef;False;10
defense-evasion;T1562.001;command_prompt;['windows'];Unload Sysmon Filter Driver;811b3e76-c41b-430c-ac0d-e2380bfaa164;True;11
defense-evasion;T1562.001;command_prompt;['windows'];Uninstall Sysmon;a316fb2e-5344-470d-91c1-23e15c374edc;True;12
defense-evasion;T1562.001;powershell;['windows'];AMSI Bypass - AMSI InitFailed;695eed40-e949-40e5-b306-b4031e4154bd;True;13
defense-evasion;T1562.001;powershell;['windows'];AMSI Bypass - Remove AMSI Provider Reg Key;13f09b91-c953-438e-845b-b585e51cac9b;True;14
defense-evasion;T1562.001;command_prompt;['windows'];Disable Arbitrary Security Windows Service;a1230893-56ac-4c81-b644-2108e982f8f5;True;15
defense-evasion;T1562.001;powershell;['windows'];Tamper with Windows Defender ATP PowerShell;6b8df440-51ec-4d53-bf83-899591c9b5d7;True;16
defense-evasion;T1562.001;command_prompt;['windows'];Tamper with Windows Defender Command Prompt;aa875ed4-8935-47e2-b2c5-6ec00ab220d2;True;17
defense-evasion;T1562.001;powershell;['windows'];Tamper with Windows Defender Registry;1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45;True;18
defense-evasion;T1562.001;powershell;['windows'];Disable Microsoft Office Security Features;6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7;True;19
defense-evasion;T1562.001;command_prompt;['windows'];Remove Windows Defender Definition Files;3d47daaa-2f56-43e0-94cc-caf5d8d52a68;True;20
defense-evasion;T1562.001;powershell;['windows'];Stop and Remove Arbitrary Security Windows Service;ae753dda-0f15-4af6-a168-b9ba16143143;True;21
defense-evasion;T1562.001;powershell;['windows'];Uninstall Crowdstrike Falcon on Windows;b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297;True;22
defense-evasion;T1562.001;powershell;['windows'];Tamper with Windows Defender Evade Scanning -Folder;0b19f4ee-de90-4059-88cb-63c800c683ed;True;23
defense-evasion;T1562.001;powershell;['windows'];Tamper with Windows Defender Evade Scanning -Extension;315f4be6-2240-4552-b3e1-d1047f5eecea;True;24
defense-evasion;T1562.001;powershell;['windows'];Tamper with Windows Defender Evade Scanning -Process;a123ce6a-3916-45d6-ba9c-7d4081315c27;True;25
defense-evasion;T1562.001;powershell;['office-365'];office-365-Disable-AntiPhishRule;b9bbae2c-2ba6-4cf3-b452-8e8f908696f3;False;26
defense-evasion;T1562.001;command_prompt;['windows'];Disable Windows Defender with DISM;871438ac-7d6e-432a-b27d-3e7db69faf58;True;27
defense-evasion;T1562.001;powershell;['windows'];Disable Defender Using NirSoft AdvancedRun;81ce22fd-9612-4154-918e-8a1f285d214d;True;28
defense-evasion;T1562.001;powershell;['windows'];Kill antimalware protected processes using Backstab;24a12b91-05a7-4deb-8d7f-035fa98591bc;True;29
defense-evasion;T1562.001;powershell;['windows'];WinPwn - Kill the event log services for stealth;7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66;True;30
defense-evasion;T1562.001;powershell;['windows'];Tamper with Windows Defender ATP using Aliases - PowerShell;c531aa6e-9c97-4b29-afee-9b7be6fc8a64;True;31
defense-evasion;T1562.001;command_prompt;['windows'];LockBit Black - Disable Privacy Settings Experience Using Registry -cmd;d6d22332-d07d-498f-aea0-6139ecb7850e;True;32
defense-evasion;T1562.001;command_prompt;['windows'];LockBit Black - Use Registry Editor to turn on automatic logon -cmd;9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70;True;33
defense-evasion;T1562.001;powershell;['windows'];LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell;d8c57eaa-497a-4a08-961e-bd5efd7c9374;True;34
defense-evasion;T1562.001;powershell;['windows'];Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell;5e27f36d-5132-4537-b43b-413b0d5eec9a;True;35
defense-evasion;T1562.001;powershell;['windows'];Disable Windows Defender with PwSh Disable-WindowsOptionalFeature;f542ffd3-37b4-4528-837f-682874faa012;True;36
defense-evasion;T1562.001;command_prompt;['windows'];WMIC Tamper with Windows Defender Evade Scanning Folder;59d386fc-3a4b-41b8-850d-9e3eee24dfe4;True;37
defense-evasion;T1562.001;command_prompt;['windows'];Delete Windows Defender Scheduled Tasks;4b841aa1-0d05-4b32-bbe7-7564346e7c76;True;38
defense-evasion;T1562.001;sh;['linux'];Clear History;23b88394-091b-4968-a42d-fb8076992443;False;39
defense-evasion;T1562.001;sh;['linux'];Suspend History;94f6a1c9-aae7-46a4-9083-2bb1f5768ec4;False;40
defense-evasion;T1562.001;sh;['linux'];Reboot Linux Host via Kernel System Request;6d6d3154-1a52-4d1a-9d51-92ab8148b32e;False;41
defense-evasion;T1562.001;sh;['linux'];Clear Pagging Cache;f790927b-ea85-4a16-b7b2-7eb44176a510;False;42
defense-evasion;T1562.001;sh;['linux'];Disable Memory Swap;e74e4c63-6fde-4ad2-9ee8-21c3a1733114;False;43
defense-evasion;T1562.001;powershell;['windows'];Disable Hypervisor-Enforced Code Integrity (HVCI);70bd71e6-eba4-4e00-92f7-617911dbe020;True;44
defense-evasion;T1562.001;command_prompt;['windows'];AMSI Bypass - Override AMSI via COM;17538258-5699-4ff1-92d1-5ac9b0dc21f5;True;45
defense-evasion;T1562.001;bash;['iaas:aws'];AWS - GuardDuty Suspension or Deletion;11e65d8d-e7e4-470e-a3ff-82bc56ad938e;False;46
defense-evasion;T1562.001;sh;['linux', 'macos'];Tamper with Defender ATP on Linux/MacOS;40074085-dbc8-492b-90a3-11bcfc52fda8;False;47
defense-evasion;T1562.001;command_prompt;['windows'];Tamper with Windows Defender Registry - Reg.exe;1f6743da-6ecc-4a93-b03f-dc357e4b313f;True;48
defense-evasion;T1562.001;powershell;['windows'];Tamper with Windows Defender Registry - Powershell;a72cfef8-d252-48b3-b292-635d332625c3;True;49
defense-evasion;T1562.001;powershell;['linux'];ESXi - Disable Account Lockout Policy via PowerCLI;091a6290-cd29-41cb-81ea-b12f133c66cb;False;50
defense-evasion;T1562.001;powershell;['windows'];Delete Microsoft Defender ASR Rules - InTune;eea0a6c2-84e9-4e8c-a242-ac585d28d0d1;False;51
defense-evasion;T1562.001;powershell;['windows'];Delete Microsoft Defender ASR Rules - GPO;0e7b8a4b-2ca5-4743-a9f9-96051abb6e50;False;52
defense-evasion;T1055.012;powershell;['windows'];Process Hollowing using PowerShell;562427b4-39ef-4e8c-af88-463a78e70b9c;True;1
defense-evasion;T1055.012;powershell;['windows'];RunPE via VBA;3ad4a037-1598-4136-837c-4027e4fa319b;True;2
defense-evasion;T1055.012;powershell;['windows'];Process Hollowing in Go using CreateProcessW WinAPI;c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a;False;3
defense-evasion;T1055.012;powershell;['windows'];Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012);94903cc5-d462-498a-b919-b1e5ab155fee;False;4
defense-evasion;T1027;sh;['macos', 'linux'];Decode base64 Data into Script;f45df6be-2e1e-4136-a384-8f18ab3826fb;False;1
defense-evasion;T1027;powershell;['windows'];Execute base64-encoded PowerShell;a50d5a97-2531-499e-a1de-5544c74432c6;True;2
defense-evasion;T1027;powershell;['windows'];Execute base64-encoded PowerShell from Windows Registry;450e7218-7915-4be4-8b9b-464a49eafcec;True;3
defense-evasion;T1027;command_prompt;['windows'];Execution from Compressed File;f8c8a909-5f29-49ac-9244-413936ce6d1f;False;4
defense-evasion;T1027;powershell;['windows'];DLP Evasion via Sensitive Data in VBA Macro over email;129edb75-d7b8-42cd-a8ba-1f3db64ec4ad;True;5
defense-evasion;T1027;powershell;['windows'];DLP Evasion via Sensitive Data in VBA Macro over HTTP;e2d85e66-cb66-4ed7-93b1-833fc56c9319;True;6
defense-evasion;T1027;powershell;['windows'];Obfuscated Command in PowerShell;8b3f4ed6-077b-4bdd-891c-2d237f19410f;True;7
defense-evasion;T1027;manual;['windows'];Obfuscated Command Line using special Unicode characters;e68b945c-52d0-4dd9-a5e8-d173d70c448f;True;8
defense-evasion;T1027;powershell;['windows'];Snake Malware Encrypted crmlog file;7e47ee60-9dd1-4269-9c4f-97953b183268;False;9
defense-evasion;T1027;command_prompt;['windows'];Execution from Compressed JScript File;fad04df1-5229-4185-b016-fb6010cd87ac;False;10
defense-evasion;T1564.006;command_prompt;['windows'];Register Portable Virtualbox;c59f246a-34f8-4e4d-9276-c295ef9ba0dd;True;1
defense-evasion;T1564.006;command_prompt;['windows'];Create and start VirtualBox virtual machine;88b81702-a1c0-49a9-95b2-2dd53d755767;True;2
defense-evasion;T1564.006;powershell;['windows'];Create and start Hyper-V virtual machine;fb8d4d7e-f5a4-481c-8867-febf13f8b6d3;True;3
defense-evasion;T1134.005;command_prompt;['windows'];Injection SID-History with mimikatz;6bef32e5-9456-4072-8f14-35566fb85401;True;1
defense-evasion;T1218.010;command_prompt;['windows'];Regsvr32 local COM scriptlet execution;449aa403-6aba-47ce-8a37-247d21ef0306;True;1
defense-evasion;T1218.010;command_prompt;['windows'];Regsvr32 remote COM scriptlet execution;c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36;True;2
defense-evasion;T1218.010;command_prompt;['windows'];Regsvr32 local DLL execution;08ffca73-9a3d-471a-aeb0-68b4aa3ab37b;True;3
defense-evasion;T1218.010;command_prompt;['windows'];Regsvr32 Registering Non DLL;1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421;True;4
defense-evasion;T1218.010;command_prompt;['windows'];Regsvr32 Silent DLL Install Call DllRegisterServer;9d71c492-ea2e-4c08-af16-c6994cdf029f;True;5
defense-evasion;T1036.003;command_prompt;['windows'];Masquerading as Windows LSASS process;5ba5a3d1-cf3c-4499-968a-a93155d1f717;True;1
defense-evasion;T1036.003;sh;['linux'];Masquerading as FreeBSD or Linux crond process.;a315bfff-7a98-403b-b442-2ea1b255e556;False;2
defense-evasion;T1036.003;command_prompt;['windows'];Masquerading - cscript.exe running as notepad.exe;3a2a578b-0a01-46e4-92e3-62e2859b42f0;True;3
defense-evasion;T1036.003;command_prompt;['windows'];Masquerading - wscript.exe running as svchost.exe;24136435-c91a-4ede-9da1-8b284a1c1a23;True;4
defense-evasion;T1036.003;command_prompt;['windows'];Masquerading - powershell.exe running as taskhostw.exe;ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa;True;5
defense-evasion;T1036.003;powershell;['windows'];Masquerading - non-windows exe running as windows exe;bc15c13f-d121-4b1f-8c7d-28d95854d086;True;6
defense-evasion;T1036.003;powershell;['windows'];Masquerading - windows exe running as different windows exe;c3d24a39-2bfe-4c6a-b064-90cd73896cb0;True;7
defense-evasion;T1036.003;command_prompt;['windows'];Malicious process Masquerading as LSM.exe;83810c46-f45e-4485-9ab6-8ed0e9e6ed7f;True;8
defense-evasion;T1036.003;command_prompt;['windows'];File Extension Masquerading;c7fa0c3b-b57f-4cba-9118-863bf4e653fc;True;9
defense-evasion;T1574.009;command_prompt;['windows'];Execution of program.exe as service with unquoted service path;2770dea7-c50f-457b-84c4-c40a47460d9f;True;1
defense-evasion;T1218.009;command_prompt;['windows'];Regasm Uninstall Method Call Test;71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112;True;1
defense-evasion;T1218.009;powershell;['windows'];Regsvcs Uninstall Method Call Test;fd3c1c6a-02d2-4b72-82d9-71c527abb126;True;2
defense-evasion;T1553.004;sh;['linux'];Install root CA on CentOS/RHEL;9c096ec4-fd42-419d-a762-d64cc950627e;False;1
defense-evasion;T1553.004;sh;['linux'];Install root CA on FreeBSD;f4568003-1438-44ab-a234-b3252ea7e7a3;False;2
defense-evasion;T1553.004;sh;['linux'];Install root CA on Debian/Ubuntu;53bcf8a0-1549-4b85-b919-010c56d724ff;False;3
defense-evasion;T1553.004;sh;['macos'];Install root CA on macOS;cc4a0b8c-426f-40ff-9426-4e10e5bf4c49;False;4
defense-evasion;T1553.004;powershell;['windows'];Install root CA on Windows;76f49d86-5eb1-461a-a032-a480f86652f1;True;5
defense-evasion;T1553.004;powershell;['windows'];Install root CA on Windows with certutil;5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f;True;6
defense-evasion;T1553.004;powershell;['windows'];Add Root Certificate to CurrentUser Certificate Store;ca20a3f1-42b5-4e21-ad3f-1049199ec2e0;True;7
defense-evasion;T1027.004;command_prompt;['windows'];Compile After Delivery using csc.exe;ffcdbd6a-b0e8-487d-927a-09127fe9a206;True;1
defense-evasion;T1027.004;powershell;['windows'];Dynamic C# Compile;453614d8-3ba6-4147-acc0-7ec4b3e1faef;True;2
defense-evasion;T1027.004;sh;['linux', 'macos'];C compile;d0377aa6-850a-42b2-95f0-de558d80be57;False;3
defense-evasion;T1027.004;sh;['linux', 'macos'];CC compile;da97bb11-d6d0-4fc1-b445-e443d1346efe;False;4
defense-evasion;T1027.004;sh;['linux', 'macos'];Go compile;78bd3fa7-773c-449e-a978-dc1f1500bc52;False;5
defense-evasion;T1197;command_prompt;['windows'];Bitsadmin Download (cmd);3c73d728-75fb-4180-a12f-6712864d7421;True;1
defense-evasion;T1197;powershell;['windows'];Bitsadmin Download (PowerShell);f63b8bc4-07e5-4112-acba-56f646f3f0bc;True;2
defense-evasion;T1197;command_prompt;['windows'];Persist, Download, & Execute;62a06ec5-5754-47d2-bcfc-123d8314c6ae;True;3
defense-evasion;T1197;command_prompt;['windows'];Bits download using desktopimgdownldr.exe (cmd);afb5e09e-e385-4dee-9a94-6ee60979d114;True;4
defense-evasion;T1127.001;command_prompt;['windows'];MSBuild Bypass Using Inline Tasks (C#);58742c0f-cb01-44cd-a60b-fb26e8871c93;True;1
defense-evasion;T1127.001;command_prompt;['windows'];MSBuild Bypass Using Inline Tasks (VB);ab042179-c0c5-402f-9bc8-42741f5ce359;True;2
defense-evasion;T1562.008;sh;['iaas:aws'];AWS - CloudTrail Changes;9c10dc6b-20bd-403a-8e67-50ef7d07ed4e;False;1
defense-evasion;T1562.008;powershell;['iaas:azure'];Azure - Eventhub Deletion;5e09bed0-7d33-453b-9bf3-caea32bff719;False;2
defense-evasion;T1562.008;powershell;['office-365'];Office 365 - Exchange Audit Log Disabled;1ee572f3-056c-4632-a7fc-7e7c42b1543c;False;3
defense-evasion;T1562.008;sh;['linux', 'macos', 'iaas:aws'];AWS - Disable CloudTrail Logging Through Event Selectors using Stratus;a27418de-bdce-4ebd-b655-38f11142bf0c;False;4
defense-evasion;T1562.008;sh;['linux', 'macos'];AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus;22d89a2f-d475-4895-b2d4-68626d49c029;False;5
defense-evasion;T1562.008;sh;['linux', 'macos', 'iaas:aws'];AWS - Remove VPC Flow Logs using Stratus;93c150f5-ad7b-4ee3-8992-df06dec2ac79;False;6
defense-evasion;T1562.008;sh;['iaas:aws'];AWS - CloudWatch Log Group Deletes;89422c87-b57b-4a04-a8ca-802bb9d06121;False;7
defense-evasion;T1562.008;sh;['iaas:aws'];AWS CloudWatch Log Stream Deletes;33ca84bc-4259-4943-bd36-4655dc420932;False;8
defense-evasion;T1562.008;powershell;['office-365'];Office 365 - Set Audit Bypass For a Mailbox;c9a2f6fe-7197-488c-af6d-10c782121ca6;False;9
defense-evasion;T1562.008;sh;['iaas:gcp'];GCP - Delete Activity Event Log;d56152ec-01d9-42a2-877c-aac1f6ebe8e6;False;10
defense-evasion;T1564.003;powershell;['windows'];Hidden Window;f151ee37-9e2b-47e6-80e4-550b9f999b7a;True;1
defense-evasion;T1564.003;command_prompt;['windows'];Headless Browser Accessing Mockbin;0ad9ab92-c48c-4f08-9b20-9633277c4646;True;2
defense-evasion;T1027.006;powershell;['windows'];HTML Smuggling Remote Payload;30cbeda4-08d9-42f1-8685-197fad677734;False;1
defense-evasion;T1070.004;sh;['linux', 'macos'];Delete a single file - FreeBSD/Linux/macOS;562d737f-2fc6-4b09-8c2a-7f8ff0828480;False;1
defense-evasion;T1070.004;sh;['linux', 'macos'];Delete an entire folder - FreeBSD/Linux/macOS;a415f17e-ce8d-4ce2-a8b4-83b674e7017e;False;2
defense-evasion;T1070.004;sh;['linux'];Overwrite and delete a file with shred;039b4b10-2900-404b-b67f-4b6d49aa6499;False;3
defense-evasion;T1070.004;command_prompt;['windows'];Delete a single file - Windows cmd;861ea0b4-708a-4d17-848d-186c9c7f17e3;True;4
defense-evasion;T1070.004;command_prompt;['windows'];Delete an entire folder - Windows cmd;ded937c4-2add-42f7-9c2c-c742b7a98698;True;5
defense-evasion;T1070.004;powershell;['windows'];Delete a single file - Windows PowerShell;9dee89bd-9a98-4c4f-9e2d-4256690b0e72;True;6
defense-evasion;T1070.004;powershell;['windows'];Delete an entire folder - Windows PowerShell;edd779e4-a509-4cba-8dfa-a112543dbfb1;True;7
defense-evasion;T1070.004;sh;['linux'];Delete Filesystem - Linux;f3aa95fe-4f10-4485-ad26-abf22a764c52;False;8
defense-evasion;T1070.004;powershell;['windows'];Delete Prefetch File;36f96049-0ad7-4a5f-8418-460acaeb92fb;True;9
defense-evasion;T1070.004;powershell;['windows'];Delete TeamViewer Log Files;69f50a5f-967c-4327-a5bb-e1a9a9983785;True;10
defense-evasion;T1221;command_prompt;['windows'];WINWORD Remote Template Injection;1489e08a-82c7-44ee-b769-51b72d03521d;True;1
defense-evasion;T1027.002;sh;['linux'];Binary simply packed by UPX (linux);11c46cd8-e471-450e-acb8-52a1216ae6a4;False;1
defense-evasion;T1027.002;sh;['linux'];Binary packed by UPX, with modified headers (linux);f06197f8-ff46-48c2-a0c6-afc1b50665e1;False;2
defense-evasion;T1027.002;sh;['macos'];Binary simply packed by UPX;b16ef901-00bb-4dda-b4fc-a04db5067e20;False;3
defense-evasion;T1027.002;sh;['macos'];Binary packed by UPX, with modified headers;4d46e16b-5765-4046-9f25-a600d3e65e4d;False;4
defense-evasion;T1622;powershell;['windows'];Detect a Debugger Presence in the Machine;58bd8c8d-3a1a-4467-a69c-439c75469b07;False;1
defense-evasion;T1036.006;manual;['macos'];Space After Filename (Manual);89a7dd26-e510-4c9f-9b15-f3bae333360f;False;1
defense-evasion;T1036.006;sh;['macos', 'linux'];Space After Filename;b95ce2eb-a093-4cd8-938d-5258cef656ea;False;2
defense-evasion;T1550.002;command_prompt;['windows'];Mimikatz Pass the Hash;ec23cef9-27d9-46e4-a68d-6f75f7b86908;True;1
defense-evasion;T1550.002;command_prompt;['windows'];crackmapexec Pass the Hash;eb05b028-16c8-4ad8-adea-6f5b219da9a9;True;2
defense-evasion;T1550.002;powershell;['windows'];Invoke-WMIExec Pass the Hash;f8757545-b00a-4e4e-8cfb-8cfb961ee713;True;3
defense-evasion;T1574.002;command_prompt;['windows'];DLL Side-Loading using the Notepad++ GUP.exe binary;65526037-7079-44a9-bda1-2cb624838040;True;1
defense-evasion;T1574.002;command_prompt;['windows'];DLL Side-Loading using the dotnet startup hook environment variable;d322cdd7-7d60-46e3-9111-648848da7c02;False;2
defense-evasion;T1027.007;powershell;['windows'];Dynamic API Resolution-Ninja-syscall;578025d5-faa9-4f6d-8390-aae739d507e1;False;1
defense-evasion;T1055.015;powershell;['windows'];Process injection ListPlanting;4f3c7502-b111-4dfe-8a6e-529307891a59;False;1
defense-evasion;T1220;command_prompt;['windows'];MSXSL Bypass using local files;ca23bfb2-023f-49c5-8802-e66997de462d;True;1
defense-evasion;T1220;command_prompt;['windows'];MSXSL Bypass using remote files;a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985;True;2
defense-evasion;T1220;command_prompt;['windows'];WMIC bypass using local XSL file;1b237334-3e21-4a0c-8178-b8c996124988;True;3
defense-evasion;T1220;command_prompt;['windows'];WMIC bypass using remote XSL file;7f5be499-33be-4129-a560-66021f379b9b;True;4
defense-evasion;T1564.001;sh;['linux', 'macos'];Create a hidden file in a hidden directory;61a782e5-9a19-40b5-8ba4-69a4b9f3d7be;False;1
defense-evasion;T1564.001;sh;['macos'];Mac Hidden file;cddb9098-3b47-4e01-9d3b-6f5f323288a9;False;2
defense-evasion;T1564.001;command_prompt;['windows'];Create Windows System File with Attrib;f70974c8-c094-4574-b542-2c545af95a32;True;3
defense-evasion;T1564.001;command_prompt;['windows'];Create Windows Hidden File with Attrib;dadb792e-4358-4d8d-9207-b771faa0daa5;True;4
defense-evasion;T1564.001;sh;['macos'];Hidden files;3b7015f2-3144-4205-b799-b05580621379;False;5
defense-evasion;T1564.001;sh;['macos'];Hide a Directory;b115ecaf-3b24-4ed2-aefe-2fcb9db913d3;False;6
defense-evasion;T1564.001;sh;['macos'];Show all hidden files;9a1ec7da-b892-449f-ad68-67066d04380c;False;7
defense-evasion;T1564.001;command_prompt;['windows'];Hide Files Through Registry;f650456b-bd49-4bc1-ae9d-271b5b9581e7;True;8
defense-evasion;T1564.001;powershell;['windows'];Create Windows Hidden File with powershell;7f66d539-4fbe-4cfa-9a56-4a2bf660c58a;False;9
defense-evasion;T1564.001;powershell;['windows'];Create Windows System File with powershell;d380c318-0b34-45cb-9dad-828c11891e43;False;10
defense-evasion;T1078.004;sh;['google-workspace', 'iaas:gcp'];Creating GCP Service Account and Service Account Key;9fdd83fd-bd53-46e5-a716-9dec89c8ae8e;False;1
defense-evasion;T1078.004;powershell;['iaas:azure'];Azure Persistence Automation Runbook Created or Modified;348f4d14-4bd3-4f6b-bd8a-61237f78b3ac;False;2
defense-evasion;T1078.004;sh;['iaas:gcp'];GCP - Create Custom IAM Role;3a159042-69e6-4398-9a69-3308a4841c85;False;3
defense-evasion;T1564.004;command_prompt;['windows'];Alternate Data Streams (ADS);8822c3b0-d9f9-4daf-a043-49f4602364f4;True;1
defense-evasion;T1564.004;powershell;['windows'];Store file in Alternate Data Stream (ADS);2ab75061-f5d5-4c1a-b666-ba2a50df5b02;True;2
defense-evasion;T1564.004;command_prompt;['windows'];Create ADS command prompt;17e7637a-ddaf-4a82-8622-377e20de8fdb;True;3
defense-evasion;T1564.004;powershell;['windows'];Create ADS PowerShell;0045ea16-ed3c-4d4c-a9ee-15e44d1560d1;True;4
defense-evasion;T1564.004;command_prompt;['windows'];Create Hidden Directory via $index_allocation;3e6791e7-232c-481c-a680-a52f86b83fdf;False;5
defense-evasion;T1055.001;powershell;['windows'];Process Injection via mavinject.exe;74496461-11a1-4982-b439-4d87a550d254;True;1
defense-evasion;T1055.001;powershell;['windows'];WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique;8b56f787-73d9-4f1d-87e8-d07e89cbc7f5;True;2
defense-evasion;T1216;command_prompt;['windows'];SyncAppvPublishingServer Signed Script PowerShell Command Execution;275d963d-3f36-476c-8bef-a2a3960ee6eb;True;1
defense-evasion;T1216;command_prompt;['windows'];manage-bde.wsf Signed Script Command Execution;2a8f2d3c-3dec-4262-99dd-150cb2a4d63a;True;2
defense-evasion;T1078.003;command_prompt;['windows'];Create local account with admin privileges;a524ce99-86de-4db6-b4f9-e08f35a47a15;True;1
defense-evasion;T1078.003;bash;['macos'];Create local account with admin privileges - MacOS;f1275566-1c26-4b66-83e3-7f9f7f964daa;False;2
defense-evasion;T1078.003;bash;['macos'];Create local account with admin privileges using sysadminctl utility - MacOS;191db57d-091a-47d5-99f3-97fde53de505;False;3
defense-evasion;T1078.003;bash;['macos'];Enable root account using dsenableroot utility - MacOS;20b40ea9-0e17-4155-b8e6-244911a678ac;False;4
defense-evasion;T1078.003;bash;['macos'];Add a new/existing user to the admin group using dseditgroup utility - macOS;433842ba-e796-4fd5-a14f-95d3a1970875;False;5
defense-evasion;T1078.003;powershell;['windows'];WinPwn - Loot local Credentials - powerhell kittie;9e9fd066-453d-442f-88c1-ad7911d32912;True;6
defense-evasion;T1078.003;powershell;['windows'];WinPwn - Loot local Credentials - Safetykatz;e9fdb899-a980-4ba4-934b-486ad22e22f4;True;7
defense-evasion;T1078.003;bash;['linux'];Create local account (Linux);02a91c34-8a5b-4bed-87af-501103eb5357;False;8
defense-evasion;T1078.003;bash;['linux'];Reactivate a locked/expired account (Linux);d2b95631-62d7-45a3-aaef-0972cea97931;False;9
defense-evasion;T1078.003;sh;['linux'];Reactivate a locked/expired account (FreeBSD);09e3380a-fae5-4255-8b19-9950be0252cf;False;10
defense-evasion;T1078.003;bash;['linux'];Login as nobody (Linux);3d2cd093-ee05-41bd-a802-59ee5c301b85;False;11
defense-evasion;T1078.003;sh;['linux'];Login as nobody (freebsd);16f6374f-7600-459a-9b16-6a88fd96d310;False;12
defense-evasion;T1127;command_prompt;['windows'];Lolbin Jsc.exe compile javascript to exe;1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8;True;1
defense-evasion;T1127;command_prompt;['windows'];Lolbin Jsc.exe compile javascript to dll;3fc9fea2-871d-414d-8ef6-02e85e322b80;True;2
defense-evasion;T1574.012;powershell;['windows'];User scope COR_PROFILER;9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a;True;1
defense-evasion;T1574.012;powershell;['windows'];System Scope COR_PROFILER;f373b482-48c8-4ce4-85ed-d40c8b3f7310;True;2
defense-evasion;T1574.012;powershell;['windows'];Registry-free process scope COR_PROFILER;79d57242-bbef-41db-b301-9d01d9f6e817;True;3
privilege-escalation;T1055.011;powershell;['windows'];Process Injection via Extra Window Memory (EWM) x64 executable;93ca40d2-336c-446d-bcef-87f14d438018;False;1
privilege-escalation;T1053.005;command_prompt;['windows'];Scheduled Task Startup Script;fec27f65-db86-4c2d-b66c-61945aee87c2;True;1
privilege-escalation;T1053.005;command_prompt;['windows'];Scheduled task Local;42f53695-ad4a-4546-abb6-7d837f644a71;True;2
privilege-escalation;T1053.005;command_prompt;['windows'];Scheduled task Remote;2e5eac3e-327b-4a88-a0c0-c4057039a8dd;True;3
privilege-escalation;T1053.005;powershell;['windows'];Powershell Cmdlet Scheduled Task;af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd;True;4
privilege-escalation;T1053.005;powershell;['windows'];Task Scheduler via VBA;ecd3fa21-7792-41a2-8726-2c5c673414d3;True;5
privilege-escalation;T1053.005;powershell;['windows'];WMI Invoke-CimMethod Scheduled Task;e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b;True;6
privilege-escalation;T1053.005;command_prompt;['windows'];Scheduled Task Executing Base64 Encoded Commands From Registry;e895677d-4f06-49ab-91b6-ae3742d0a2ba;True;7
privilege-escalation;T1053.005;powershell;['windows'];Import XML Schedule Task with Hidden Attribute;cd925593-fbb4-486d-8def-16cbdf944bf4;True;8
privilege-escalation;T1053.005;powershell;['windows'];PowerShell Modify A Scheduled Task;dda6fc7b-c9a6-4c18-b98d-95ec6542af6d;True;9
privilege-escalation;T1053.005;command_prompt;['windows'];"Scheduled Task (""Ghost Task"") via Registry Key Manipulation";704333ca-cc12-4bcf-9916-101844881f54;False;10
privilege-escalation;T1546.013;powershell;['windows'];Append malicious start-process cmdlet;090e5aa5-32b6-473b-a49b-21e843a56896;True;1
privilege-escalation;T1053.007;bash;['containers'];ListCronjobs;ddfb0bc1-3c3f-47e9-a298-550ecfefacbd;False;1
privilege-escalation;T1053.007;bash;['containers'];CreateCronjob;f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3;False;2
privilege-escalation;T1548.002;command_prompt;['windows'];Bypass UAC using Event Viewer (cmd);5073adf8-9a50-4bd9-b298-a9bd2ead8af9;True;1
privilege-escalation;T1548.002;powershell;['windows'];Bypass UAC using Event Viewer (PowerShell);a6ce9acf-842a-4af6-8f79-539be7608e2b;True;2
privilege-escalation;T1548.002;command_prompt;['windows'];Bypass UAC using Fodhelper;58f641ea-12e3-499a-b684-44dee46bd182;True;3
privilege-escalation;T1548.002;powershell;['windows'];Bypass UAC using Fodhelper - PowerShell;3f627297-6c38-4e7d-a278-fc2563eaaeaa;True;4
privilege-escalation;T1548.002;powershell;['windows'];Bypass UAC using ComputerDefaults (PowerShell);3c51abf2-44bf-42d8-9111-dc96ff66750f;True;5
privilege-escalation;T1548.002;command_prompt;['windows'];Bypass UAC by Mocking Trusted Directories;f7a35090-6f7f-4f64-bb47-d657bf5b10c1;True;6
privilege-escalation;T1548.002;powershell;['windows'];Bypass UAC using sdclt DelegateExecute;3be891eb-4608-4173-87e8-78b494c029b7;True;7
privilege-escalation;T1548.002;command_prompt;['windows'];Disable UAC using reg.exe;9e8af564-53ec-407e-aaa8-3cb20c3af7f9;True;8
privilege-escalation;T1548.002;command_prompt;['windows'];Bypass UAC using SilentCleanup task;28104f8a-4ff1-4582-bcf6-699dce156608;True;9
privilege-escalation;T1548.002;command_prompt;['windows'];UACME Bypass Method 23;8ceab7a2-563a-47d2-b5ba-0995211128d7;True;10
privilege-escalation;T1548.002;command_prompt;['windows'];UACME Bypass Method 31;b0f76240-9f33-4d34-90e8-3a7d501beb15;True;11
privilege-escalation;T1548.002;command_prompt;['windows'];UACME Bypass Method 33;e514bb03-f71c-4b22-9092-9f961ec6fb03;True;12
privilege-escalation;T1548.002;command_prompt;['windows'];UACME Bypass Method 34;695b2dac-423e-448e-b6ef-5b88e93011d6;True;13
privilege-escalation;T1548.002;command_prompt;['windows'];UACME Bypass Method 39;56163687-081f-47da-bb9c-7b231c5585cf;True;14
privilege-escalation;T1548.002;command_prompt;['windows'];UACME Bypass Method 56;235ec031-cd2d-465d-a7ae-68bab281e80e;True;15
privilege-escalation;T1548.002;command_prompt;['windows'];UACME Bypass Method 59;dfb1b667-4bb8-4a63-a85e-29936ea75f29;True;16
privilege-escalation;T1548.002;command_prompt;['windows'];UACME Bypass Method 61;7825b576-744c-4555-856d-caf3460dc236;True;17
privilege-escalation;T1548.002;powershell;['windows'];WinPwn - UAC Magic;964d8bf8-37bc-4fd3-ba36-ad13761ebbcc;True;18
privilege-escalation;T1548.002;powershell;['windows'];WinPwn - UAC Bypass ccmstp technique;f3c145f9-3c8d-422c-bd99-296a17a8f567;True;19
privilege-escalation;T1548.002;powershell;['windows'];WinPwn - UAC Bypass DiskCleanup technique;1ed67900-66cd-4b09-b546-2a0ef4431a0c;True;20
privilege-escalation;T1548.002;powershell;['windows'];WinPwn - UAC Bypass DccwBypassUAC technique;2b61977b-ae2d-4ae4-89cb-5c36c89586be;True;21
privilege-escalation;T1548.002;powershell;['windows'];Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key;251c5936-569f-42f4-9ac2-87a173b9e9b8;True;22
privilege-escalation;T1548.002;powershell;['windows'];UAC Bypass with WSReset Registry Modification;3b96673f-9c92-40f1-8a3e-ca060846f8d9;True;23
privilege-escalation;T1548.002;powershell;['windows'];Disable UAC - Switch to the secure desktop when prompting for elevation via registry key;85f3a526-4cfa-4fe7-98c1-dea99be025c7;False;24
privilege-escalation;T1548.002;command_prompt;['windows'];Disable UAC notification via registry keys;160a7c77-b00e-4111-9e45-7c2a44eda3fd;True;25
privilege-escalation;T1548.002;command_prompt;['windows'];Disable ConsentPromptBehaviorAdmin via registry keys;a768aaa2-2442-475c-8990-69cf33af0f4e;True;26
privilege-escalation;T1548.003;sh;['macos', 'linux'];Sudo usage;150c3a08-ee6e-48a6-aeaf-3659d24ceb4e;False;1
privilege-escalation;T1548.003;sh;['linux'];Sudo usage (freebsd);2bf9a018-4664-438a-b435-cc6f8c6f71b1;False;2
privilege-escalation;T1548.003;sh;['macos', 'linux'];Unlimited sudo cache timeout;a7b17659-dd5e-46f7-b7d1-e6792c91d0bc;False;3
privilege-escalation;T1548.003;sh;['linux'];Unlimited sudo cache timeout (freebsd);a83ad6e8-6f24-4d7f-8f44-75f8ab742991;False;4
privilege-escalation;T1548.003;sh;['macos', 'linux'];Disable tty_tickets for sudo caching;91a60b03-fb75-4d24-a42e-2eb8956e8de1;False;5
privilege-escalation;T1548.003;sh;['linux'];Disable tty_tickets for sudo caching (freebsd);4df6a0fe-2bdd-4be8-8618-a6a19654a57a;False;6
privilege-escalation;T1574.011;powershell;['windows'];Service Registry Permissions Weakness;f7536d63-7fd4-466f-89da-7e48d550752a;True;1
privilege-escalation;T1574.011;command_prompt;['windows'];Service ImagePath Change with reg.exe;f38e9eea-e1d7-4ba6-b716-584791963827;True;2
privilege-escalation;T1547;command_prompt;['windows'];Add a driver;cb01b3da-b0e7-4e24-bf6d-de5223526785;True;1
privilege-escalation;T1547.014;powershell;['windows'];HKLM - Add atomic_test key to launch executable as part of user setup;deff4586-0517-49c2-981d-bbea24d48d71;True;1
privilege-escalation;T1547.014;powershell;['windows'];HKLM - Add malicious StubPath value to existing Active Setup Entry;39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a;True;2
privilege-escalation;T1547.014;powershell;['windows'];HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number;04d55cef-f283-40ba-ae2a-316bc3b5e78c;True;3
privilege-escalation;T1484.002;powershell;['azure-ad'];Add Federation to Azure AD;8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7;False;1
privilege-escalation;T1543.003;command_prompt;['windows'];Modify Fax service to run PowerShell;ed366cde-7d12-49df-a833-671904770b9f;True;1
privilege-escalation;T1543.003;command_prompt;['windows'];Service Installation CMD;981e2942-e433-44e9-afc1-8c957a1496b6;True;2
privilege-escalation;T1543.003;powershell;['windows'];Service Installation PowerShell;491a4af6-a521-4b74-b23b-f7b3f1ee9e77;True;3
privilege-escalation;T1543.003;command_prompt;['windows'];TinyTurla backdoor service w64time;ef0581fd-528e-4662-87bc-4c2affb86940;True;4
privilege-escalation;T1543.003;command_prompt;['windows'];Remote Service Installation CMD;fb4151a2-db33-4f8c-b7f8-78ea8790f961;True;5
privilege-escalation;T1543.003;powershell;['windows'];Modify Service to Run Arbitrary Binary (Powershell);1f896ce4-8070-4959-8a25-2658856a70c9;False;6
privilege-escalation;T1053.003;sh;['linux', 'macos'];Cron - Replace crontab with referenced file;435057fb-74b1-410e-9403-d81baf194f75;False;1
privilege-escalation;T1053.003;bash;['macos', 'linux'];Cron - Add script to all cron subfolders;b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0;False;2
privilege-escalation;T1053.003;sh;['linux'];Cron - Add script to /etc/cron.d folder;078e69eb-d9fb-450e-b9d0-2e118217c846;False;3
privilege-escalation;T1053.003;bash;['linux'];Cron - Add script to /var/spool/cron/crontabs/ folder;2d943c18-e74a-44bf-936f-25ade6cccab4;False;4
privilege-escalation;T1098.003;powershell;['azure-ad'];Azure AD - Add Company Administrator Role to a user;4d77f913-56f5-4a14-b4b1-bf7bb24298ad;False;1
privilege-escalation;T1098.003;powershell;['azure-ad'];Simulate - Post BEC persistence via user password reset followed by user added to company administrator role;14f3af20-61f1-45b8-ad31-4637815f3f44;False;2
privilege-escalation;T1547.012;powershell;['windows'];Print Processors;f7d38f47-c61b-47cc-a59d-fc0368f47ed0;True;1
privilege-escalation;T1574.001;command_prompt;['windows'];DLL Search Order Hijacking - amsi.dll;8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3;True;1
privilege-escalation;T1055.003;powershell;['windows'];Thread Execution Hijacking;578025d5-faa9-4f6d-8390-aae527d503e1;True;1
privilege-escalation;T1546.011;command_prompt;['windows'];Application Shim Installation;9ab27e22-ee62-4211-962b-d36d9a0e6a18;True;1
privilege-escalation;T1546.011;powershell;['windows'];New shim database files created in the default shim database directory;aefd6866-d753-431f-a7a4-215ca7e3f13d;True;2
privilege-escalation;T1546.011;powershell;['windows'];Registry key creation and/or modification events for SDB;9b6a06f9-ab5e-4e8d-8289-1df4289db02f;True;3
privilege-escalation;T1547.010;command_prompt;['windows'];Add Port Monitor persistence in Registry;d34ef297-f178-4462-871e-9ce618d44e50;True;1
privilege-escalation;T1037.002;manual;['macos'];Logon Scripts - Mac;f047c7de-a2d9-406e-a62b-12a09d9516f4;False;1
privilege-escalation;T1055;powershell;['windows'];Shellcode execution via VBA;1c91e740-1729-4329-b779-feba6e71d048;True;1
privilege-escalation;T1055;command_prompt;['windows'];Remote Process Injection in LSASS via mimikatz;3203ad24-168e-4bec-be36-f79b13ef8a83;True;2
privilege-escalation;T1055;powershell;['windows'];Section View Injection;c6952f41-6cf0-450a-b352-2ca8dae7c178;True;3
privilege-escalation;T1055;powershell;['windows'];Dirty Vanity process Injection;49543237-25db-497b-90df-d0a0a6e8fe2c;False;4
privilege-escalation;T1055;powershell;['windows'];Read-Write-Execute process Injection;0128e48e-8c1a-433a-a11a-a5387384f1e1;False;5
privilege-escalation;T1055;powershell;['windows'];Process Injection with Go using UuidFromStringA WinAPI;2315ce15-38b6-46ac-a3eb-5e21abef2545;False;6
privilege-escalation;T1055;powershell;['windows'];Process Injection with Go using EtwpCreateEtwThread WinAPI;7362ecef-6461-402e-8716-7410e1566400;False;7
privilege-escalation;T1055;powershell;['windows'];Remote Process Injection with Go using RtlCreateUserThread WinAPI;a0c1725f-abcd-40d6-baac-020f3cf94ecd;False;8
privilege-escalation;T1055;powershell;['windows'];Remote Process Injection with Go using CreateRemoteThread WinAPI;69534efc-d5f5-4550-89e6-12c6457b9edd;False;9
privilege-escalation;T1055;powershell;['windows'];Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively);2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39;False;10
privilege-escalation;T1055;powershell;['windows'];Process Injection with Go using CreateThread WinAPI;2871ed59-3837-4a52-9107-99500ebc87cb;False;11
privilege-escalation;T1055;powershell;['windows'];Process Injection with Go using CreateThread WinAPI (Natively);2a3c7035-d14f-467a-af94-933e49fe6786;False;12
privilege-escalation;T1055;powershell;['windows'];UUID custom process Injection;0128e48e-8c1a-433a-a11a-a5304734f1e1;False;13
privilege-escalation;T1611;sh;['containers'];Deploy container using nsenter container escape;0b2f9520-a17a-4671-9dba-3bd034099fff;False;1
privilege-escalation;T1611;sh;['containers'];Mount host filesystem to escape privileged Docker container;6c499943-b098-4bc6-8d38-0956fc182984;False;2
privilege-escalation;T1547.009;command_prompt;['windows'];Shortcut Modification;ce4fc678-364f-4282-af16-2fb4c78005ce;True;1
privilege-escalation;T1547.009;powershell;['windows'];Create shortcut to cmd in startup folders;cfdc954d-4bb0-4027-875b-a1893ce406f2;True;2
privilege-escalation;T1547.005;powershell;['windows'];Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry;afdfd7e3-8a0b-409f-85f7-886fdf249c9e;True;1
privilege-escalation;T1547.005;powershell;['windows'];Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry;de3f8e74-3351-4fdb-a442-265dbf231738;False;2
privilege-escalation;T1543.004;bash;['macos'];Launch Daemon;03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf;False;1
privilege-escalation;T1574.008;powershell;['windows'];powerShell Persistence via hijacking default modules - Get-Variable.exe;1561de08-0b4b-498e-8261-e922f3494aae;True;1
privilege-escalation;T1484.001;command_prompt;['windows'];LockBit Black - Modify Group policy settings -cmd;9ab80952-74ee-43da-a98c-1e740a985f28;True;1
privilege-escalation;T1484.001;powershell;['windows'];LockBit Black - Modify Group policy settings -Powershell;b51eae65-5441-4789-b8e8-64783c26c1d1;True;2
privilege-escalation;T1078.001;command_prompt;['windows'];Enable Guest account with RDP capability and admin privileges;99747561-ed8d-47f2-9c91-1e5fde1ed6e0;True;1
privilege-escalation;T1078.001;command_prompt;['windows'];Activate Guest Account;aa6cb8c4-b582-4f8e-b677-37733914abda;True;2
privilege-escalation;T1078.001;command_prompt;['macos'];Enable Guest Account on macOS;0315bdff-4178-47e9-81e4-f31a6d23f7e4;False;3
privilege-escalation;T1547.003;powershell;['windows'];Create a new time provider;df1efab7-bc6d-4b88-8be9-91f55ae017aa;True;1
privilege-escalation;T1547.003;powershell;['windows'];Edit an existing time provider;29e0afca-8d1d-471a-8d34-25512fc48315;True;2
privilege-escalation;T1546.005;sh;['macos', 'linux'];Trap EXIT;a74b2e07-5952-4c03-8b56-56274b076b61;False;1
privilege-escalation;T1546.005;sh;['linux'];Trap EXIT (freebsd);be1a5d70-6865-44aa-ab50-42244c9fd16f;False;2
privilege-escalation;T1546.005;sh;['macos', 'linux'];Trap SIGINT;a547d1ba-1d7a-4cc5-a9cb-8d65e8809636;False;3
privilege-escalation;T1546.005;sh;['linux'];Trap SIGINT (freebsd);ade10242-1eac-43df-8412-be0d4c704ada;False;4
privilege-escalation;T1574.006;bash;['linux'];Shared Library Injection via /etc/ld.so.preload;39cb0e67-dd0d-4b74-a74b-c072db7ae991;False;1
privilege-escalation;T1574.006;bash;['linux'];Shared Library Injection via LD_PRELOAD;bc219ff7-789f-4d51-9142-ecae3397deae;False;2
privilege-escalation;T1574.006;bash;['macos'];Dylib Injection via DYLD_INSERT_LIBRARIES;4d66029d-7355-43fd-93a4-b63ba92ea1be;False;3
privilege-escalation;T1134.002;powershell;['windows'];Access Token Manipulation;dbf4f5a9-b8e0-46a3-9841-9ad71247239e;True;1
privilege-escalation;T1134.002;powershell;['windows'];WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique;ccf4ac39-ec93-42be-9035-90e2f26bcd92;True;2
privilege-escalation;T1548.001;sh;['macos', 'linux'];Make and modify binary from C source;896dfe97-ae43-4101-8e96-9a7996555d80;False;1
privilege-escalation;T1548.001;sh;['linux'];Make and modify binary from C source (freebsd);dd580455-d84b-481b-b8b0-ac96f3b1dc4c;False;2
privilege-escalation;T1548.001;sh;['macos', 'linux'];Set a SetUID flag on file;759055b3-3885-4582-a8ec-c00c9d64dd79;False;3
privilege-escalation;T1548.001;sh;['linux'];Set a SetUID flag on file (freebsd);9be9b827-ff47-4e1b-bef8-217db6fb7283;False;4
privilege-escalation;T1548.001;sh;['macos', 'linux'];Set a SetGID flag on file;db55f666-7cba-46c6-9fe6-205a05c3242c;False;5
privilege-escalation;T1548.001;sh;['linux'];Set a SetGID flag on file (freebsd);1f73af33-62a8-4bf1-bd10-3bea931f2c0d;False;6
privilege-escalation;T1548.001;sh;['linux'];Make and modify capabilities of a binary;db53959c-207d-4000-9e7a-cd8eb417e072;False;7
privilege-escalation;T1548.001;sh;['linux'];Provide the SetUID capability to a file;1ac3272f-9bcf-443a-9888-4b1d3de785c1;False;8
privilege-escalation;T1548.001;sh;['linux'];Do reconnaissance for files that have the setuid bit set;8e36da01-cd29-45fd-be72-8a0fcaad4481;False;9
privilege-escalation;T1548.001;sh;['linux'];Do reconnaissance for files that have the setgid bit set;3fb46e17-f337-4c14-9f9a-a471946533e2;False;10
privilege-escalation;T1547.004;powershell;['windows'];Winlogon Shell Key Persistence - PowerShell;bf9f9d65-ee4d-4c3e-a843-777d04f19c38;True;1
privilege-escalation;T1547.004;powershell;['windows'];Winlogon Userinit Key Persistence - PowerShell;fb32c935-ee2e-454b-8fa3-1c46b42e8dfb;True;2
privilege-escalation;T1547.004;powershell;['windows'];Winlogon Notify Key Logon Persistence - PowerShell;d40da266-e073-4e5a-bb8b-2b385023e5f9;True;3
privilege-escalation;T1547.004;powershell;['windows'];Winlogon HKLM Shell Key Persistence - PowerShell;95a3c42f-8c88-4952-ad60-13b81d929a9d;True;4
privilege-escalation;T1547.004;powershell;['windows'];Winlogon HKLM Userinit Key Persistence - PowerShell;f9b8daff-8fa7-4e6a-a1a7-7c14675a545b;True;5
privilege-escalation;T1098.004;sh;['linux', 'macos'];Modify SSH Authorized Keys;342cc723-127c-4d3a-8292-9c0c6b4ecadc;False;1
privilege-escalation;T1546.012;command_prompt;['windows'];IFEO Add Debugger;fdda2626-5234-4c90-b163-60849a24c0b8;True;1
privilege-escalation;T1546.012;command_prompt;['windows'];IFEO Global Flags;46b1f278-c8ee-4aa5-acce-65e77b11f3c1;True;2
privilege-escalation;T1546.012;powershell;['windows'];GlobalFlags in Image File Execution Options;13117939-c9b2-4a43-999e-0a543df92f0d;True;3
privilege-escalation;T1546.008;powershell;['windows'];Attaches Command Prompt as a Debugger to a List of Target Processes;3309f53e-b22b-4eb6-8fd2-a6cf58b355a9;True;1
privilege-escalation;T1546.008;command_prompt;['windows'];Replace binary of sticky keys;934e90cf-29ca-48b3-863c-411737ad44e3;True;2
privilege-escalation;T1546.008;command_prompt;['windows'];Create Symbolic Link From osk.exe to cmd.exe;51ef369c-5e87-4f33-88cd-6d61be63edf2;True;3
privilege-escalation;T1546.008;command_prompt;['windows'];Atbroker.exe (AT) Executes Arbitrary Command via Registry Key;444ff124-4c83-4e28-8df6-6efd3ece6bd4;True;4
privilege-escalation;T1055.004;command_prompt;['windows'];Process Injection via C#;611b39b7-e243-4c81-87a4-7145a90358b1;True;1
privilege-escalation;T1055.004;powershell;['windows'];EarlyBird APC Queue Injection in Go;73785dd2-323b-4205-ab16-bb6f06677e14;False;2
privilege-escalation;T1055.004;powershell;['windows'];Remote Process Injection with Go using NtQueueApcThreadEx WinAPI;4cc571b1-f450-414a-850f-879baf36aa06;False;3
privilege-escalation;T1546.009;powershell;['windows'];Create registry persistence via AppCert DLL;a5ad6104-5bab-4c43-b295-b4c44c7c6b05;True;1
privilege-escalation;T1055.002;powershell;['windows'];Portable Executable Injection;578025d5-faa9-4f6d-8390-aae739d503e1;False;1
privilege-escalation;T1547.015;powershell;['windows'];Persistence by modifying Windows Terminal profile;ec5d76ef-82fe-48da-b931-bdb25a62bc65;False;1
privilege-escalation;T1547.015;bash;['macos'];Add macOS LoginItem using Applescript;716e756a-607b-41f3-8204-b214baf37c1d;False;2
privilege-escalation;T1134.001;powershell;['windows'];Named pipe client impersonation;90db9e27-8e7c-4c04-b602-a45927884966;True;1
privilege-escalation;T1134.001;powershell;['windows'];`SeDebugPrivilege` token duplication;34f0a430-9d04-4d98-bcb5-1989f14719f0;True;2
privilege-escalation;T1134.001;powershell;['windows'];Launch NSudo Executable;7be1bc0f-d8e5-4345-9333-f5f67d742cb9;True;3
privilege-escalation;T1134.001;powershell;['windows'];Bad Potato;9c6d799b-c111-4749-a42f-ec2f8cb51448;True;4
privilege-escalation;T1134.001;powershell;['windows'];Juicy Potato;f095e373-b936-4eb4-8d22-f47ccbfbe64a;False;5
privilege-escalation;T1098.001;powershell;['azure-ad'];Azure AD Application Hijacking - Service Principal;b8e747c3-bdf7-4d71-bce2-f1df2a057406;False;1
privilege-escalation;T1098.001;powershell;['azure-ad'];Azure AD Application Hijacking - App Registration;a12b5531-acab-4618-a470-0dafb294a87a;False;2
privilege-escalation;T1098.001;sh;['iaas:aws'];AWS - Create Access Key and Secret Key;8822c3b0-d9f9-4daf-a043-491160a31122;False;3
privilege-escalation;T1546.003;powershell;['windows'];Persistence via WMI Event Subscription - CommandLineEventConsumer;3c64f177-28e2-49eb-a799-d767b24dd1e0;True;1
privilege-escalation;T1546.003;powershell;['windows'];Persistence via WMI Event Subscription - ActiveScriptEventConsumer;fecd0dfd-fb55-45fa-a10b-6250272d0832;True;2
privilege-escalation;T1546.003;powershell;['windows'];Windows MOFComp.exe Load MOF File;29786d7e-8916-4de6-9c55-be7b093b2706;True;3
privilege-escalation;T1134.004;powershell;['windows'];Parent PID Spoofing using PowerShell;069258f4-2162-46e9-9a25-c9c6c56150d2;True;1
privilege-escalation;T1134.004;powershell;['windows'];Parent PID Spoofing - Spawn from Current Process;14920ebd-1d61-491a-85e0-fe98efe37f25;True;2
privilege-escalation;T1134.004;powershell;['windows'];Parent PID Spoofing - Spawn from Specified Process;cbbff285-9051-444a-9d17-c07cd2d230eb;True;3
privilege-escalation;T1134.004;powershell;['windows'];Parent PID Spoofing - Spawn from svchost.exe;e9f2b777-3123-430b-805d-5cedc66ab591;True;4
privilege-escalation;T1134.004;powershell;['windows'];Parent PID Spoofing - Spawn from New Process;2988133e-561c-4e42-a15f-6281e6a9b2db;True;5
privilege-escalation;T1546.001;command_prompt;['windows'];Change Default File Association;10a08978-2045-4d62-8c42-1957bbbea102;True;1
privilege-escalation;T1546.014;sh;['macos'];Persistance with Event Monitor - emond;23c9c127-322b-4c75-95ca-eff464906114;False;1
privilege-escalation;T1547.001;command_prompt;['windows'];Reg Key Run;e55be3fd-3521-4610-9d1a-e210e42dcf05;True;1
privilege-escalation;T1547.001;command_prompt;['windows'];Reg Key RunOnce;554cbd88-cde1-4b56-8168-0be552eed9eb;True;2
privilege-escalation;T1547.001;powershell;['windows'];PowerShell Registry RunOnce;eb44f842-0457-4ddc-9b92-c4caa144ac42;True;3
privilege-escalation;T1547.001;powershell;['windows'];Suspicious vbs file run from startup Folder;2cb98256-625e-4da9-9d44-f2e5f90b8bd5;True;4
privilege-escalation;T1547.001;powershell;['windows'];Suspicious jse file run from startup Folder;dade9447-791e-4c8f-b04b-3a35855dfa06;True;5
privilege-escalation;T1547.001;powershell;['windows'];Suspicious bat file run from startup Folder;5b6768e4-44d2-44f0-89da-a01d1430fd5e;True;6
privilege-escalation;T1547.001;powershell;['windows'];Add Executable Shortcut Link to User Startup Folder;24e55612-85f6-4bd6-ae74-a73d02e3441d;True;7
privilege-escalation;T1547.001;command_prompt;['windows'];Add persistance via Recycle bin;bda6a3d6-7aa7-4e89-908b-306772e9662f;True;8
privilege-escalation;T1547.001;powershell;['windows'];SystemBC Malware-as-a-Service Registry;9dc7767b-30c1-4cc4-b999-50cab5e27891;True;9
privilege-escalation;T1547.001;powershell;['windows'];Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value;acfef903-7662-447e-a391-9c91c2f00f7b;True;10
privilege-escalation;T1547.001;powershell;['windows'];Change Startup Folder - HKCU Modify User Shell Folders Startup Value;8834b65a-f808-4ece-ad7e-2acdf647aafa;True;11
privilege-escalation;T1547.001;powershell;['windows'];HKCU - Policy Settings Explorer Run Key;a70faea1-e206-4f6f-8d9a-67379be8f6f1;True;12
privilege-escalation;T1547.001;powershell;['windows'];HKLM - Policy Settings Explorer Run Key;b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f;True;13
privilege-escalation;T1547.001;powershell;['windows'];HKLM - Append Command to Winlogon Userinit KEY Value;f7fab6cc-8ece-4ca7-a0f1-30a22fccd374;True;14
privilege-escalation;T1547.001;powershell;['windows'];HKLM - Modify default System Shell - Winlogon Shell KEY Value ;1d958c61-09c6-4d9e-b26b-4130314e520e;True;15
privilege-escalation;T1547.001;command_prompt;['windows'];secedit used to create a Run key in the HKLM Hive;14fdc3f1-6fc3-4556-8d36-aa89d9d42d02;True;16
privilege-escalation;T1547.001;powershell;['windows'];Modify BootExecute Value;befc2b40-d487-4a5a-8813-c11085fb5672;True;17
privilege-escalation;T1098;powershell;['windows'];Admin Account Manipulate;5598f7cb-cf43-455e-883a-f6008c5d46af;True;1
privilege-escalation;T1098;powershell;['windows'];Domain Account and Group Manipulate;a55a22e9-a3d3-42ce-bd48-2653adb8f7a9;True;2
privilege-escalation;T1098;sh;['iaas:aws'];AWS - Create a group and add a user to that group;8822c3b0-d9f9-4daf-a043-49f110a31122;False;3
privilege-escalation;T1098;powershell;['azure-ad'];Azure AD - adding user to Azure AD role;0e65ae27-5385-46b4-98ac-607a8ee82261;False;4
privilege-escalation;T1098;powershell;['azure-ad'];Azure AD - adding service principal to Azure AD role;92c40b3f-c406-4d1f-8d2b-c039bf5009e4;False;5
privilege-escalation;T1098;powershell;['iaas:azure'];Azure - adding user to Azure role in subscription;1a94b3fc-b080-450a-b3d8-6d9b57b472ea;False;6
privilege-escalation;T1098;powershell;['iaas:azure'];Azure - adding service principal to Azure role in subscription;c8f4bc29-a151-48da-b3be-4680af56f404;False;7
privilege-escalation;T1098;powershell;['azure-ad'];Azure AD - adding permission to application;94ea9cc3-81f9-4111-8dde-3fb54f36af4b;False;8
privilege-escalation;T1098;command_prompt;['windows'];Password Change on Directory Service Restore Mode (DSRM) Account;d5b886d9-d1c7-4b6e-a7b0-460041bf2823;True;9
privilege-escalation;T1098;powershell;['windows'];Domain Password Policy Check: Short Password;fc5f9414-bd67-4f5f-a08e-e5381e29cbd1;True;10
privilege-escalation;T1098;powershell;['windows'];Domain Password Policy Check: No Number in Password;68190529-069b-4ffc-a942-919704158065;False;11
privilege-escalation;T1098;powershell;['windows'];Domain Password Policy Check: No Special Character in Password;7d984ef2-2db2-4cec-b090-e637e1698f61;False;12
privilege-escalation;T1098;powershell;['windows'];Domain Password Policy Check: No Uppercase Character in Password;b299c120-44a7-4d68-b8e2-8ba5a28511ec;False;13
privilege-escalation;T1098;powershell;['windows'];Domain Password Policy Check: No Lowercase Character in Password;945da11e-977e-4dab-85d2-f394d03c5887;False;14
privilege-escalation;T1098;powershell;['windows'];Domain Password Policy Check: Only Two Character Classes;784d1349-5a26-4d20-af5e-d6af53bae460;False;15
privilege-escalation;T1098;powershell;['windows'];Domain Password Policy Check: Common Password Use;81959d03-c51f-49a1-bb24-23f1ec885578;False;16
privilege-escalation;T1098;sh;['iaas:gcp'];GCP - Delete Service Account Key;7ece1dea-49f1-4d62-bdcc-5801e3292510;False;17
privilege-escalation;T1547.006;bash;['linux'];Linux - Load Kernel Module via insmod;687dcb93-9656-4853-9c36-9977315e9d23;False;1
privilege-escalation;T1547.006;bash;['macos'];MacOS - Load Kernel Module via kextload and kmutil;f4391089-d3a5-4dd1-ab22-0419527f2672;False;2
privilege-escalation;T1547.006;bash;['macos'];MacOS - Load Kernel Module via KextManagerLoadKextWithURL();f0007753-beb3-41ea-9948-760785e4c1e5;False;3
privilege-escalation;T1547.006;powershell;['windows'];Snake Malware Kernel Driver Comadmin;e5cb5564-cc7b-4050-86e8-f2d9eec1941f;True;4
privilege-escalation;T1053.006;bash;['linux'];Create Systemd Service and Timer;f4983098-bb13-44fb-9b2c-46149961807b;False;1
privilege-escalation;T1053.006;sh;['linux'];Create a user level transient systemd service and timer;3de33f5b-62e5-4e63-a2a0-6fd8808c80ec;False;2
privilege-escalation;T1053.006;sh;['linux'];Create a system level transient systemd service and timer;d3eda496-1fc0-49e9-aff5-3bec5da9fa22;False;3
privilege-escalation;T1055.012;powershell;['windows'];Process Hollowing using PowerShell;562427b4-39ef-4e8c-af88-463a78e70b9c;True;1
privilege-escalation;T1055.012;powershell;['windows'];RunPE via VBA;3ad4a037-1598-4136-837c-4027e4fa319b;True;2
privilege-escalation;T1055.012;powershell;['windows'];Process Hollowing in Go using CreateProcessW WinAPI;c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a;False;3
privilege-escalation;T1055.012;powershell;['windows'];Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012);94903cc5-d462-498a-b919-b1e5ab155fee;False;4
privilege-escalation;T1546;powershell;['windows'];Persistence with Custom AutodialDLL;aca9ae16-7425-4b6d-8c30-cad306fdbd5b;True;1
privilege-escalation;T1546;powershell;['windows'];HKLM - Persistence using CommandProcessor AutoRun key (With Elevation);a574dafe-a903-4cce-9701-14040f4f3532;True;2
privilege-escalation;T1546;powershell;['windows'];HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation);36b8dbf9-59b1-4e9b-a3bb-36e80563ef01;True;3
privilege-escalation;T1546;powershell;['windows'];WMI Invoke-CimMethod Start Process;adae83d3-0df6-45e7-b2c3-575f91584577;True;4
privilege-escalation;T1546.004;sh;['macos', 'linux'];Add command to .bash_profile;94500ae1-7e31-47e3-886b-c328da46872f;False;1
privilege-escalation;T1546.004;sh;['macos', 'linux'];Add command to .bashrc;0a898315-4cfa-4007-bafe-33a4646d115f;False;2
privilege-escalation;T1546.004;sh;['linux'];Add command to .shrc;41502021-591a-4649-8b6e-83c9192aff53;False;3
privilege-escalation;T1546.004;sh;['linux'];Append to the system shell profile;694b3cc8-6a78-4d35-9e74-0123d009e94b;False;4
privilege-escalation;T1546.004;sh;['linux'];Append commands user shell profile;bbdb06bc-bab6-4f5b-8232-ba3fbed51d77;False;5
privilege-escalation;T1546.004;sh;['linux'];System shell profile scripts;8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4;False;6
privilege-escalation;T1546.004;bash;['linux'];Create/Append to .bash_logout;37ad2f24-7c53-4a50-92da-427a4ad13f58;False;7
privilege-escalation;T1134.005;command_prompt;['windows'];Injection SID-History with mimikatz;6bef32e5-9456-4072-8f14-35566fb85401;True;1
privilege-escalation;T1547.002;powershell;['windows'];Authentication Package;be2590e8-4ac3-47ac-b4b5-945820f2fbe9;True;1
privilege-escalation;T1546.015;powershell;['windows'];COM Hijacking - InprocServer32;48117158-d7be-441b-bc6a-d9e36e47b52b;True;1
privilege-escalation;T1546.015;powershell;['windows'];Powershell Execute COM Object;752191b1-7c71-445c-9dbe-21bb031b18eb;True;2
privilege-escalation;T1546.015;powershell;['windows'];COM Hijacking with RunDLL32 (Local Server Switch);123520cc-e998-471b-a920-bd28e3feafa0;True;3
privilege-escalation;T1546.015;powershell;['windows'];COM hijacking via TreatAs;33eacead-f117-4863-8eb0-5c6304fbfaa9;True;4
privilege-escalation;T1574.009;command_prompt;['windows'];Execution of program.exe as service with unquoted service path;2770dea7-c50f-457b-84c4-c40a47460d9f;True;1
privilege-escalation;T1037.005;sh;['macos'];Add file to Local Library StartupItems;134627c3-75db-410e-bff8-7a920075f198;False;1
privilege-escalation;T1546.010;command_prompt;['windows'];Install AppInit Shim;a58d9386-3080-4242-ab5f-454c16503d18;True;1
privilege-escalation;T1546.002;command_prompt;['windows'];Set Arbitrary Binary as Screensaver;281201e7-de41-4dc9-b73d-f288938cbb64;True;1
privilege-escalation;T1543.001;bash;['macos'];Launch Agent;a5983dee-bf6c-4eaf-951c-dbc1a7b90900;False;1
privilege-escalation;T1543.001;bash;['macos'];Event Monitor Daemon Persistence;11979f23-9b9d-482a-9935-6fc9cd022c3e;False;2
privilege-escalation;T1037.004;bash;['macos'];rc.common;97a48daa-8bca-4bc0-b1a9-c1d163e762de;False;1
privilege-escalation;T1037.004;bash;['linux'];rc.common;c33f3d80-5f04-419b-a13a-854d1cbdbf3a;False;2
privilege-escalation;T1037.004;sh;['linux'];rc.local;126f71af-e1c9-405c-94ef-26a47b16c102;False;3
privilege-escalation;T1543.002;bash;['linux'];Create Systemd Service;d9e4f24f-aa67-4c6e-bcbf-85622b697a7c;False;1
privilege-escalation;T1543.002;sh;['linux'];Create SysV Service;760fe8d2-79d9-494f-905e-a239a3df86f6;False;2
privilege-escalation;T1543.002;bash;['linux'];Create Systemd Service file,  Enable the service , Modify and Reload the service.;c35ac4a8-19de-43af-b9f8-755da7e89c89;False;3
privilege-escalation;T1547.007;sh;['macos'];Copy in loginwindow.plist for Re-Opened Applications;5fefd767-ef54-4ac6-84d3-751ab85e8aba;False;1
privilege-escalation;T1547.007;sh;['macos'];Re-Opened Applications using LoginHook;5f5b71da-e03f-42e7-ac98-d63f9e0465cb;False;2
privilege-escalation;T1547.007;sh;['macos'];Append to existing loginwindow for Re-Opened Applications;766b6c3c-9353-4033-8b7e-38b309fa3a93;False;3
privilege-escalation;T1574.002;command_prompt;['windows'];DLL Side-Loading using the Notepad++ GUP.exe binary;65526037-7079-44a9-bda1-2cb624838040;True;1
privilege-escalation;T1574.002;command_prompt;['windows'];DLL Side-Loading using the dotnet startup hook environment variable;d322cdd7-7d60-46e3-9111-648848da7c02;False;2
privilege-escalation;T1098.002;powershell;['office-365'];EXO - Full access mailbox permission granted to a user;17d046be-fdd0-4cbb-b5c7-55c85d9d0714;False;1
privilege-escalation;T1037.001;command_prompt;['windows'];Logon Scripts;d6042746-07d4-4c92-9ad8-e644c114a231;True;1
privilege-escalation;T1055.015;powershell;['windows'];Process injection ListPlanting;4f3c7502-b111-4dfe-8a6e-529307891a59;False;1
privilege-escalation;T1547.008;powershell;['windows'];Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt;8ecef16d-d289-46b4-917b-0dba6dc81cf1;True;1
privilege-escalation;T1078.004;sh;['google-workspace', 'iaas:gcp'];Creating GCP Service Account and Service Account Key;9fdd83fd-bd53-46e5-a716-9dec89c8ae8e;False;1
privilege-escalation;T1078.004;powershell;['iaas:azure'];Azure Persistence Automation Runbook Created or Modified;348f4d14-4bd3-4f6b-bd8a-61237f78b3ac;False;2
privilege-escalation;T1078.004;sh;['iaas:gcp'];GCP - Create Custom IAM Role;3a159042-69e6-4398-9a69-3308a4841c85;False;3
privilege-escalation;T1053.002;command_prompt;['windows'];At.exe Scheduled task;4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8;True;1
privilege-escalation;T1053.002;sh;['linux'];At - Schedule a job;7266d898-ac82-4ec0-97c7-436075d0d08e;False;2
privilege-escalation;T1055.001;powershell;['windows'];Process Injection via mavinject.exe;74496461-11a1-4982-b439-4d87a550d254;True;1
privilege-escalation;T1055.001;powershell;['windows'];WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique;8b56f787-73d9-4f1d-87e8-d07e89cbc7f5;True;2
privilege-escalation;T1546.007;command_prompt;['windows'];Netsh Helper DLL Registration;3244697d-5a3a-4dfc-941c-550f69f91a4d;True;1
privilege-escalation;T1078.003;command_prompt;['windows'];Create local account with admin privileges;a524ce99-86de-4db6-b4f9-e08f35a47a15;True;1
privilege-escalation;T1078.003;bash;['macos'];Create local account with admin privileges - MacOS;f1275566-1c26-4b66-83e3-7f9f7f964daa;False;2
privilege-escalation;T1078.003;bash;['macos'];Create local account with admin privileges using sysadminctl utility - MacOS;191db57d-091a-47d5-99f3-97fde53de505;False;3
privilege-escalation;T1078.003;bash;['macos'];Enable root account using dsenableroot utility - MacOS;20b40ea9-0e17-4155-b8e6-244911a678ac;False;4
privilege-escalation;T1078.003;bash;['macos'];Add a new/existing user to the admin group using dseditgroup utility - macOS;433842ba-e796-4fd5-a14f-95d3a1970875;False;5
privilege-escalation;T1078.003;powershell;['windows'];WinPwn - Loot local Credentials - powerhell kittie;9e9fd066-453d-442f-88c1-ad7911d32912;True;6
privilege-escalation;T1078.003;powershell;['windows'];WinPwn - Loot local Credentials - Safetykatz;e9fdb899-a980-4ba4-934b-486ad22e22f4;True;7
privilege-escalation;T1078.003;bash;['linux'];Create local account (Linux);02a91c34-8a5b-4bed-87af-501103eb5357;False;8
privilege-escalation;T1078.003;bash;['linux'];Reactivate a locked/expired account (Linux);d2b95631-62d7-45a3-aaef-0972cea97931;False;9
privilege-escalation;T1078.003;sh;['linux'];Reactivate a locked/expired account (FreeBSD);09e3380a-fae5-4255-8b19-9950be0252cf;False;10
privilege-escalation;T1078.003;bash;['linux'];Login as nobody (Linux);3d2cd093-ee05-41bd-a802-59ee5c301b85;False;11
privilege-escalation;T1078.003;sh;['linux'];Login as nobody (freebsd);16f6374f-7600-459a-9b16-6a88fd96d310;False;12
privilege-escalation;T1574.012;powershell;['windows'];User scope COR_PROFILER;9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a;True;1
privilege-escalation;T1574.012;powershell;['windows'];System Scope COR_PROFILER;f373b482-48c8-4ce4-85ed-d40c8b3f7310;True;2
privilege-escalation;T1574.012;powershell;['windows'];Registry-free process scope COR_PROFILER;79d57242-bbef-41db-b301-9d01d9f6e817;True;3
execution;T1053.005;command_prompt;['windows'];Scheduled Task Startup Script;fec27f65-db86-4c2d-b66c-61945aee87c2;True;1
execution;T1053.005;command_prompt;['windows'];Scheduled task Local;42f53695-ad4a-4546-abb6-7d837f644a71;True;2
execution;T1053.005;command_prompt;['windows'];Scheduled task Remote;2e5eac3e-327b-4a88-a0c0-c4057039a8dd;True;3
execution;T1053.005;powershell;['windows'];Powershell Cmdlet Scheduled Task;af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd;True;4
execution;T1053.005;powershell;['windows'];Task Scheduler via VBA;ecd3fa21-7792-41a2-8726-2c5c673414d3;True;5
execution;T1053.005;powershell;['windows'];WMI Invoke-CimMethod Scheduled Task;e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b;True;6
execution;T1053.005;command_prompt;['windows'];Scheduled Task Executing Base64 Encoded Commands From Registry;e895677d-4f06-49ab-91b6-ae3742d0a2ba;True;7
execution;T1053.005;powershell;['windows'];Import XML Schedule Task with Hidden Attribute;cd925593-fbb4-486d-8def-16cbdf944bf4;True;8
execution;T1053.005;powershell;['windows'];PowerShell Modify A Scheduled Task;dda6fc7b-c9a6-4c18-b98d-95ec6542af6d;True;9
execution;T1053.005;command_prompt;['windows'];"Scheduled Task (""Ghost Task"") via Registry Key Manipulation";704333ca-cc12-4bcf-9916-101844881f54;False;10
execution;T1047;command_prompt;['windows'];WMI Reconnaissance Users;c107778c-dcf5-47c5-af2e-1d058a3df3ea;True;1
execution;T1047;command_prompt;['windows'];WMI Reconnaissance Processes;5750aa16-0e59-4410-8b9a-8a47ca2788e2;True;2
execution;T1047;command_prompt;['windows'];WMI Reconnaissance Software;718aebaa-d0e0-471a-8241-c5afa69c7414;True;3
execution;T1047;command_prompt;['windows'];WMI Reconnaissance List Remote Services;0fd48ef7-d890-4e93-a533-f7dedd5191d3;True;4
execution;T1047;command_prompt;['windows'];WMI Execute Local Process;b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3;True;5
execution;T1047;command_prompt;['windows'];WMI Execute Remote Process;9c8ef159-c666-472f-9874-90c8d60d136b;True;6
execution;T1047;command_prompt;['windows'];Create a Process using WMI Query and an Encoded Command;7db7a7f9-9531-4840-9b30-46220135441c;True;7
execution;T1047;powershell;['windows'];Create a Process using obfuscated Win32_Process;10447c83-fc38-462a-a936-5102363b1c43;True;8
execution;T1047;command_prompt;['windows'];WMI Execute rundll32;00738d2a-4651-4d76-adf2-c43a41dfb243;True;9
execution;T1047;command_prompt;['windows'];Application uninstall using WMIC;c510d25b-1667-467d-8331-a56d3e9bc4ff;True;10
execution;T1129;command_prompt;['windows'];ESXi - Install a custom VIB on an ESXi host;7f843046-abf2-443f-b880-07a83cf968ec;False;1
execution;T1059.007;command_prompt;['windows'];JScript execution to gather local computer information via cscript;01d75adf-ca1b-4dd1-ac96-7c9550ad1035;False;1
execution;T1059.007;command_prompt;['windows'];JScript execution to gather local computer information via wscript;0709945e-4fec-4c49-9faf-c3c292a74484;True;2
execution;T1053.007;bash;['containers'];ListCronjobs;ddfb0bc1-3c3f-47e9-a298-550ecfefacbd;False;1
execution;T1053.007;bash;['containers'];CreateCronjob;f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3;False;2
execution;T1559.002;manual;['windows'];Execute Commands;f592ba2a-e9e8-4d62-a459-ef63abd819fd;False;1
execution;T1559.002;command_prompt;['windows'];Execute PowerShell script via Word DDE;47c21fb6-085e-4b0d-b4d2-26d72c3830b3;True;2
execution;T1559.002;manual;['windows'];DDEAUTO;cf91174c-4e74-414e-bec0-8d60a104d181;False;3
execution;T1204.002;powershell;['windows'];OSTap Style Macro Execution;8bebc690-18c7-4549-bc98-210f7019efff;True;1
execution;T1204.002;command_prompt;['windows'];OSTap Payload Download;3f3af983-118a-4fa1-85d3-ba4daa739d80;True;2
execution;T1204.002;powershell;['windows'];Maldoc choice flags command execution;0330a5d2-a45a-4272-a9ee-e364411c4b18;True;3
execution;T1204.002;powershell;['windows'];OSTAP JS version;add560ef-20d6-4011-a937-2c340f930911;True;4
execution;T1204.002;powershell;['windows'];Office launching .bat file from AppData;9215ea92-1ded-41b7-9cd6-79f9a78397aa;True;5
execution;T1204.002;powershell;['windows'];Excel 4 Macro;4ea1fc97-8a46-4b4e-ba48-af43d2a98052;True;6
execution;T1204.002;powershell;['windows'];Headless Chrome code execution via VBA;a19ee671-ed98-4e9d-b19c-d1954a51585a;True;7
execution;T1204.002;powershell;['windows'];Potentially Unwanted Applications (PUA);02f35d62-9fdc-4a97-b899-a5d9a876d295;True;8
execution;T1204.002;powershell;['windows'];Office Generic Payload Download;5202ee05-c420-4148-bf5e-fd7f7d24850c;True;9
execution;T1204.002;powershell;['windows'];LNK Payload Download;581d7521-9c4b-420e-9695-2aec5241167f;True;10
execution;T1204.002;powershell;['windows'];Mirror Blast Emulation;24fd9719-7419-42dd-bce6-ab3463110b3c;True;11
execution;T1053.003;sh;['linux', 'macos'];Cron - Replace crontab with referenced file;435057fb-74b1-410e-9403-d81baf194f75;False;1
execution;T1053.003;bash;['macos', 'linux'];Cron - Add script to all cron subfolders;b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0;False;2
execution;T1053.003;sh;['linux'];Cron - Add script to /etc/cron.d folder;078e69eb-d9fb-450e-b9d0-2e118217c846;False;3
execution;T1053.003;bash;['linux'];Cron - Add script to /var/spool/cron/crontabs/ folder;2d943c18-e74a-44bf-936f-25ade6cccab4;False;4
execution;T1059.002;sh;['macos'];AppleScript;3600d97d-81b9-4171-ab96-e4386506e2c2;False;1
execution;T1106;command_prompt;['windows'];Execution through API - CreateProcess;99be2089-c52d-4a4a-b5c3-261ee42c8b62;True;1
execution;T1106;powershell;['windows'];WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique;ce4e76e6-de70-4392-9efe-b281fc2b4087;True;2
execution;T1106;powershell;['windows'];WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique;7ec5b74e-8289-4ff2-a162-b6f286a33abd;True;3
execution;T1106;powershell;['windows'];WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique;e1f93a06-1649-4f07-89a8-f57279a7d60e;True;4
execution;T1106;powershell;['windows'];Run Shellcode via Syscall in Go;ae56083f-28d0-417d-84da-df4242da1f7c;False;5
execution;T1610;bash;['containers'];Deploy Docker container;59aa6f26-7620-417e-9318-589e0fb7a372;False;1
execution;T1059;powershell;['windows'];AutoIt Script Execution;a9b93f17-31cb-435d-a462-5e838a2a6026;False;1
execution;T1609;bash;['containers'];ExecIntoContainer;d03bfcd3-ed87-49c8-8880-44bb772dea4b;False;1
execution;T1609;bash;['containers'];Docker Exec Into Container;900e2c49-221b-42ec-ae3c-4717e41e6219;False;2
execution;T1569.001;bash;['macos'];Launchctl;6fb61988-724e-4755-a595-07743749d4e2;False;1
execution;T1072;command_prompt;['windows'];Radmin Viewer Utility;b4988cad-6ed2-434d-ace5-ea2670782129;True;1
execution;T1072;command_prompt;['windows'];PDQ Deploy RAT;e447b83b-a698-4feb-bed1-a7aaf45c3443;True;2
execution;T1072;powershell;['windows'];Deploy 7-Zip Using Chocolatey;2169e8b0-2ee7-44cb-8a6e-d816a5db7d8a;False;3
execution;T1059.001;command_prompt;['windows'];Mimikatz;f3132740-55bc-48c4-bcc0-758a459cd027;True;1
execution;T1059.001;powershell;['windows'];Run BloodHound from local disk;a21bb23e-e677-4ee7-af90-6931b57b6350;True;2
execution;T1059.001;powershell;['windows'];Run Bloodhound from Memory using Download Cradle;bf8c1441-4674-4dab-8e4e-39d93d08f9b7;True;3
execution;T1059.001;powershell;['windows'];Mimikatz - Cradlecraft PsSendKeys;af1800cf-9f9d-4fd1-a709-14b1e6de020d;True;4
execution;T1059.001;command_prompt;['windows'];Invoke-AppPathBypass;06a220b6-7e29-4bd8-9d07-5b4d86742372;True;5
execution;T1059.001;command_prompt;['windows'];Powershell MsXml COM object - with prompt;388a7340-dbc1-4c9d-8e59-b75ad8c6d5da;True;6
execution;T1059.001;command_prompt;['windows'];Powershell XML requests;4396927f-e503-427b-b023-31049b9b09a6;True;7
execution;T1059.001;command_prompt;['windows'];Powershell invoke mshta.exe download;8a2ad40b-12c7-4b25-8521-2737b0a415af;True;8
execution;T1059.001;manual;['windows'];Powershell Invoke-DownloadCradle;cc50fa2a-a4be-42af-a88f-e347ba0bf4d7;False;9
execution;T1059.001;powershell;['windows'];PowerShell Fileless Script Execution;fa050f5e-bc75-4230-af73-b6fd7852cd73;True;10
execution;T1059.001;powershell;['windows'];NTFS Alternate Data Stream Access;8e5c5532-1181-4c1d-bb79-b3a9f5dbd680;True;11
execution;T1059.001;powershell;['windows'];PowerShell Session Creation and Use;7c1acec2-78fa-4305-a3e0-db2a54cddecd;True;12
execution;T1059.001;powershell;['windows'];ATHPowerShellCommandLineParameter -Command parameter variations;686a9785-f99b-41d4-90df-66ed515f81d7;True;13
execution;T1059.001;powershell;['windows'];ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments;1c0a870f-dc74-49cf-9afc-eccc45e58790;True;14
execution;T1059.001;powershell;['windows'];ATHPowerShellCommandLineParameter -EncodedCommand parameter variations;86a43bad-12e3-4e85-b97c-4d5cf25b95c3;True;15
execution;T1059.001;powershell;['windows'];ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments;0d181431-ddf3-4826-8055-2dbf63ae848b;True;16
execution;T1059.001;command_prompt;['windows'];PowerShell Command Execution;a538de64-1c74-46ed-aa60-b995ed302598;True;17
execution;T1059.001;powershell;['windows'];PowerShell Invoke Known Malicious Cmdlets;49eb9404-5e0f-4031-a179-b40f7be385e3;True;18
execution;T1059.001;powershell;['windows'];PowerUp Invoke-AllChecks;1289f78d-22d2-4590-ac76-166737e1811b;True;19
execution;T1059.001;powershell;['windows'];Abuse Nslookup with DNS Records;999bff6d-dc15-44c9-9f5c-e1051bfc86e1;True;20
execution;T1059.001;powershell;['windows'];SOAPHound - Dump BloodHound Data;6a5b2a50-d037-4879-bf01-43d4d6cbf73f;False;21
execution;T1059.001;powershell;['windows'];SOAPHound - Build Cache;4099086c-1470-4223-8085-8186e1ed5948;False;22
execution;T1053.006;bash;['linux'];Create Systemd Service and Timer;f4983098-bb13-44fb-9b2c-46149961807b;False;1
execution;T1053.006;sh;['linux'];Create a user level transient systemd service and timer;3de33f5b-62e5-4e63-a2a0-6fd8808c80ec;False;2
execution;T1053.006;sh;['linux'];Create a system level transient systemd service and timer;d3eda496-1fc0-49e9-aff5-3bec5da9fa22;False;3
execution;T1059.004;sh;['linux', 'macos'];Create and Execute Bash Shell Script;7e7ac3ed-f795-4fa5-b711-09d6fbe9b873;False;1
execution;T1059.004;sh;['linux', 'macos'];Command-Line Interface;d0c88567-803d-4dca-99b4-7ce65e7b257c;False;2
execution;T1059.004;sh;['linux'];Harvest SUID executable files;46274fc6-08a7-4956-861b-24cbbaa0503c;False;3
execution;T1059.004;sh;['linux'];LinEnum tool execution;a2b35a63-9df1-4806-9a4d-5fe0500845f2;False;4
execution;T1059.004;sh;['linux'];New script file in the tmp directory;8cd1947b-4a54-41fb-b5ea-07d0ace04f81;False;5
execution;T1059.004;sh;['linux'];What shell is running;7b38e5cc-47be-44f0-a425-390305c76c17;False;6
execution;T1059.004;sh;['linux'];What shells are available;bf23c7dc-1004-4949-8262-4c1d1ef87702;False;7
execution;T1059.004;sh;['linux'];Command line scripts;b04ed73c-7d43-4dc8-b563-a2fc595cba1a;False;8
execution;T1059.004;sh;['linux'];Obfuscated command line scripts;5bec4cc8-f41e-437b-b417-33ff60acf9af;False;9
execution;T1059.004;bash;['linux'];Change login shell;c7ac59cb-13cc-4622-81dc-6d2fee9bfac7;False;10
execution;T1059.004;sh;['linux'];Environment variable scripts;bdaebd56-368b-4970-a523-f905ff4a8a51;False;11
execution;T1059.004;sh;['linux'];Detecting pipe-to-shell;fca246a8-a585-4f28-a2df-6495973976a1;False;12
execution;T1059.004;sh;['linux'];Current kernel information enumeration;3a53734a-9e26-4f4b-ad15-059e767f5f14;False;13
execution;T1559;command_prompt;['windows'];Cobalt Strike Artifact Kit pipe;bd13b9fc-b758-496a-b81a-397462f82c72;True;1
execution;T1559;command_prompt;['windows'];Cobalt Strike Lateral Movement (psexec_psh) pipe;830c8b6c-7a70-4f40-b975-8bbe74558acd;True;2
execution;T1559;command_prompt;['windows'];Cobalt Strike SSH (postex_ssh) pipe;d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6;True;3
execution;T1559;command_prompt;['windows'];Cobalt Strike post-exploitation pipe (4.2 and later);7a48f482-246f-4aeb-9837-21c271ebf244;True;4
execution;T1559;command_prompt;['windows'];Cobalt Strike post-exploitation pipe (before 4.2);8dbfc15c-527b-4ab0-a272-019f469d367f;False;5
execution;T1204.003;powershell;['windows'];Malicious Execution from Mounted ISO Image;e9795c8d-42aa-4ed4-ad80-551ed793d006;True;1
execution;T1059.006;sh;['linux'];Execute shell script via python's command mode arguement;3a95cdb2-c6ea-4761-b24e-02b71889b8bb;False;1
execution;T1059.006;sh;['linux'];Execute Python via scripts;6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8;False;2
execution;T1059.006;sh;['linux'];Execute Python via Python executables;0b44d79b-570a-4b27-a31f-3bf2156e5eaa;False;3
execution;T1059.006;sh;['linux'];Python pty module and spawn function used to spawn sh or bash;161d694c-b543-4434-85c3-c3a433e33792;False;4
execution;T1059.003;powershell;['windows'];Create and Execute Batch Script;9e8894c0-50bd-4525-a96c-d4ac78ece388;True;1
execution;T1059.003;command_prompt;['windows'];Writes text to a file and displays it.;127b4afe-2346-4192-815c-69042bec570e;True;2
execution;T1059.003;command_prompt;['windows'];Suspicious Execution via Windows Command Shell;d0eb3597-a1b3-4d65-b33b-2cda8d397f20;True;3
execution;T1059.003;powershell;['windows'];Simulate BlackByte Ransomware Print Bombing;6b2903ac-8f36-450d-9ad5-b220e8a2dcb9;True;4
execution;T1059.003;command_prompt;['windows'];Command Prompt read contents from CMD file and execute;df81db1b-066c-4802-9bc8-b6d030c3ba8e;True;5
execution;T1059.003;command_prompt;['windows'];Command prompt writing script to file then executes it;00682c9f-7df4-4df8-950b-6dcaaa3ad9af;False;6
execution;T1059.005;powershell;['windows'];Visual Basic script execution to gather local computer information;1620de42-160a-4fe5-bbaf-d3fef0181ce9;False;1
execution;T1059.005;powershell;['windows'];Encoded VBS code execution;e8209d5f-e42d-45e6-9c2f-633ac4f1eefa;True;2
execution;T1059.005;powershell;['windows'];Extract Memory via VBA;8faff437-a114-4547-9a60-749652a03df6;True;3
execution;T1569.002;command_prompt;['windows'];Execute a Command as a Service;2382dee2-a75f-49aa-9378-f52df6ed3fb1;True;1
execution;T1569.002;command_prompt;['windows'];Use PsExec to execute a command on a remote host;873106b7-cfed-454b-8680-fa9f6400431c;True;2
execution;T1569.002;bash;['linux'];psexec.py (Impacket);edbcd8c9-3639-4844-afad-455c91e95a35;False;3
execution;T1569.002;powershell;['windows'];BlackCat pre-encryption cmds with Lateral Movement;31eb7828-97d7-4067-9c1e-c6feb85edc4b;True;4
execution;T1569.002;command_prompt;['windows'];Use RemCom to execute a command on a remote host;a5d8cdeb-be90-43a9-8b26-cc618deac1e0;True;5
execution;T1569.002;command_prompt;['windows'];Snake Malware Service Create;b8db787e-dbea-493c-96cb-9272296ddc49;True;6
execution;T1569.002;command_prompt;['windows'];Modifying ACL of Service Control Manager via SDET;bf07f520-3909-4ef5-aa22-877a50f2f77b;True;7
execution;T1053.002;command_prompt;['windows'];At.exe Scheduled task;4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8;True;1
execution;T1053.002;sh;['linux'];At - Schedule a job;7266d898-ac82-4ec0-97c7-436075d0d08e;False;2
persistence;T1053.005;command_prompt;['windows'];Scheduled Task Startup Script;fec27f65-db86-4c2d-b66c-61945aee87c2;True;1
persistence;T1053.005;command_prompt;['windows'];Scheduled task Local;42f53695-ad4a-4546-abb6-7d837f644a71;True;2
persistence;T1053.005;command_prompt;['windows'];Scheduled task Remote;2e5eac3e-327b-4a88-a0c0-c4057039a8dd;True;3
persistence;T1053.005;powershell;['windows'];Powershell Cmdlet Scheduled Task;af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd;True;4
persistence;T1053.005;powershell;['windows'];Task Scheduler via VBA;ecd3fa21-7792-41a2-8726-2c5c673414d3;True;5
persistence;T1053.005;powershell;['windows'];WMI Invoke-CimMethod Scheduled Task;e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b;True;6
persistence;T1053.005;command_prompt;['windows'];Scheduled Task Executing Base64 Encoded Commands From Registry;e895677d-4f06-49ab-91b6-ae3742d0a2ba;True;7
persistence;T1053.005;powershell;['windows'];Import XML Schedule Task with Hidden Attribute;cd925593-fbb4-486d-8def-16cbdf944bf4;True;8
persistence;T1053.005;powershell;['windows'];PowerShell Modify A Scheduled Task;dda6fc7b-c9a6-4c18-b98d-95ec6542af6d;True;9
persistence;T1053.005;command_prompt;['windows'];"Scheduled Task (""Ghost Task"") via Registry Key Manipulation";704333ca-cc12-4bcf-9916-101844881f54;False;10
persistence;T1556.003;sh;['linux'];Malicious PAM rule;4b9dde80-ae22-44b1-a82a-644bf009eb9c;False;1
persistence;T1556.003;sh;['linux'];Malicious PAM rule (freebsd);b17eacac-282d-4ca8-a240-46602cf863e3;False;2
persistence;T1556.003;sh;['linux'];Malicious PAM module;65208808-3125-4a2e-8389-a0a00e9ab326;False;3
persistence;T1546.013;powershell;['windows'];Append malicious start-process cmdlet;090e5aa5-32b6-473b-a49b-21e843a56896;True;1
persistence;T1133;powershell;['windows'];Running Chrome VPN Extensions via the Registry 2 vpn extension;4c8db261-a58b-42a6-a866-0a294deedde4;True;1
persistence;T1053.007;bash;['containers'];ListCronjobs;ddfb0bc1-3c3f-47e9-a298-550ecfefacbd;False;1
persistence;T1053.007;bash;['containers'];CreateCronjob;f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3;False;2
persistence;T1542.001;powershell;['windows'];UEFI Persistence via Wpbbin.exe File Creation;b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1;False;1
persistence;T1574.011;powershell;['windows'];Service Registry Permissions Weakness;f7536d63-7fd4-466f-89da-7e48d550752a;True;1
persistence;T1574.011;command_prompt;['windows'];Service ImagePath Change with reg.exe;f38e9eea-e1d7-4ba6-b716-584791963827;True;2
persistence;T1547;command_prompt;['windows'];Add a driver;cb01b3da-b0e7-4e24-bf6d-de5223526785;True;1
persistence;T1547.014;powershell;['windows'];HKLM - Add atomic_test key to launch executable as part of user setup;deff4586-0517-49c2-981d-bbea24d48d71;True;1
persistence;T1547.014;powershell;['windows'];HKLM - Add malicious StubPath value to existing Active Setup Entry;39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a;True;2
persistence;T1547.014;powershell;['windows'];HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number;04d55cef-f283-40ba-ae2a-316bc3b5e78c;True;3
persistence;T1543.003;command_prompt;['windows'];Modify Fax service to run PowerShell;ed366cde-7d12-49df-a833-671904770b9f;True;1
persistence;T1543.003;command_prompt;['windows'];Service Installation CMD;981e2942-e433-44e9-afc1-8c957a1496b6;True;2
persistence;T1543.003;powershell;['windows'];Service Installation PowerShell;491a4af6-a521-4b74-b23b-f7b3f1ee9e77;True;3
persistence;T1543.003;command_prompt;['windows'];TinyTurla backdoor service w64time;ef0581fd-528e-4662-87bc-4c2affb86940;True;4
persistence;T1543.003;command_prompt;['windows'];Remote Service Installation CMD;fb4151a2-db33-4f8c-b7f8-78ea8790f961;True;5
persistence;T1543.003;powershell;['windows'];Modify Service to Run Arbitrary Binary (Powershell);1f896ce4-8070-4959-8a25-2658856a70c9;False;6
persistence;T1053.003;sh;['linux', 'macos'];Cron - Replace crontab with referenced file;435057fb-74b1-410e-9403-d81baf194f75;False;1
persistence;T1053.003;bash;['macos', 'linux'];Cron - Add script to all cron subfolders;b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0;False;2
persistence;T1053.003;sh;['linux'];Cron - Add script to /etc/cron.d folder;078e69eb-d9fb-450e-b9d0-2e118217c846;False;3
persistence;T1053.003;bash;['linux'];Cron - Add script to /var/spool/cron/crontabs/ folder;2d943c18-e74a-44bf-936f-25ade6cccab4;False;4
persistence;T1137;command_prompt;['windows'];Office Application Startup - Outlook as a C2;bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c;True;1
persistence;T1098.003;powershell;['azure-ad'];Azure AD - Add Company Administrator Role to a user;4d77f913-56f5-4a14-b4b1-bf7bb24298ad;False;1
persistence;T1098.003;powershell;['azure-ad'];Simulate - Post BEC persistence via user password reset followed by user added to company administrator role;14f3af20-61f1-45b8-ad31-4637815f3f44;False;2
persistence;T1547.012;powershell;['windows'];Print Processors;f7d38f47-c61b-47cc-a59d-fc0368f47ed0;True;1
persistence;T1574.001;command_prompt;['windows'];DLL Search Order Hijacking - amsi.dll;8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3;True;1
persistence;T1137.006;powershell;['windows'];Code Executed Via Excel Add-in File (XLL);441b1a0f-a771-428a-8af0-e99e4698cda3;True;1
persistence;T1137.006;powershell;['windows'];Persistent Code Execution Via Excel Add-in File (XLL);9c307886-9fef-41d5-b344-073a0f5b2f5f;False;2
persistence;T1137.006;powershell;['windows'];Persistent Code Execution Via Word Add-in File (WLL);95408a99-4fa7-4cd6-a7ef-cb65f86351cf;True;3
persistence;T1137.006;powershell;['windows'];Persistent Code Execution Via Excel VBA Add-in File (XLAM);082141ed-b048-4c86-99c7-2b8da5b5bf48;False;4
persistence;T1137.006;powershell;['windows'];Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM);f89e58f9-2b49-423b-ac95-1f3e7cfd8277;False;5
persistence;T1505.002;powershell;['windows'];Install MS Exchange Transport Agent Persistence;43e92449-ff60-46e9-83a3-1a38089df94d;True;1
persistence;T1556.002;powershell;['windows'];Install and Register Password Filter DLL;a7961770-beb5-4134-9674-83d7e1fa865c;True;1
persistence;T1505.005;powershell;['windows'];Simulate Patching termsrv.dll;0b2eadeb-4a64-4449-9d43-3d999f4a317b;True;1
persistence;T1505.005;powershell;['windows'];Modify Terminal Services DLL Path;18136e38-0530-49b2-b309-eed173787471;True;2
persistence;T1176;manual;['linux', 'windows', 'macos'];Chrome/Chromium (Developer Mode);3ecd790d-2617-4abf-9a8c-4e8d47da9ee1;False;1
persistence;T1176;manual;['linux', 'windows', 'macos'];Chrome/Chromium (Chrome Web Store);4c83940d-8ca5-4bb2-8100-f46dc914bc3f;False;2
persistence;T1176;manual;['linux', 'windows', 'macos'];Firefox;cb790029-17e6-4c43-b96f-002ce5f10938;False;3
persistence;T1176;manual;['windows', 'macos'];Edge Chromium Addon - VPN;3d456e2b-a7db-4af8-b5b3-720e7c4d9da5;False;4
persistence;T1176;powershell;['windows'];Google Chrome Load Unpacked Extension With Command Line;7a714703-9f6b-461c-b06d-e6aeac650f27;True;5
persistence;T1546.011;command_prompt;['windows'];Application Shim Installation;9ab27e22-ee62-4211-962b-d36d9a0e6a18;True;1
persistence;T1546.011;powershell;['windows'];New shim database files created in the default shim database directory;aefd6866-d753-431f-a7a4-215ca7e3f13d;True;2
persistence;T1546.011;powershell;['windows'];Registry key creation and/or modification events for SDB;9b6a06f9-ab5e-4e8d-8289-1df4289db02f;True;3
persistence;T1547.010;command_prompt;['windows'];Add Port Monitor persistence in Registry;d34ef297-f178-4462-871e-9ce618d44e50;True;1
persistence;T1037.002;manual;['macos'];Logon Scripts - Mac;f047c7de-a2d9-406e-a62b-12a09d9516f4;False;1
persistence;T1547.009;command_prompt;['windows'];Shortcut Modification;ce4fc678-364f-4282-af16-2fb4c78005ce;True;1
persistence;T1547.009;powershell;['windows'];Create shortcut to cmd in startup folders;cfdc954d-4bb0-4027-875b-a1893ce406f2;True;2
persistence;T1547.005;powershell;['windows'];Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry;afdfd7e3-8a0b-409f-85f7-886fdf249c9e;True;1
persistence;T1547.005;powershell;['windows'];Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry;de3f8e74-3351-4fdb-a442-265dbf231738;False;2
persistence;T1543.004;bash;['macos'];Launch Daemon;03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf;False;1
persistence;T1574.008;powershell;['windows'];powerShell Persistence via hijacking default modules - Get-Variable.exe;1561de08-0b4b-498e-8261-e922f3494aae;True;1
persistence;T1505.003;command_prompt;['windows'];Web Shell Written to Disk;0a2ce662-1efa-496f-a472-2fe7b080db16;True;1
persistence;T1078.001;command_prompt;['windows'];Enable Guest account with RDP capability and admin privileges;99747561-ed8d-47f2-9c91-1e5fde1ed6e0;True;1
persistence;T1078.001;command_prompt;['windows'];Activate Guest Account;aa6cb8c4-b582-4f8e-b677-37733914abda;True;2
persistence;T1078.001;command_prompt;['macos'];Enable Guest Account on macOS;0315bdff-4178-47e9-81e4-f31a6d23f7e4;False;3
persistence;T1547.003;powershell;['windows'];Create a new time provider;df1efab7-bc6d-4b88-8be9-91f55ae017aa;True;1
persistence;T1547.003;powershell;['windows'];Edit an existing time provider;29e0afca-8d1d-471a-8d34-25512fc48315;True;2
persistence;T1546.005;sh;['macos', 'linux'];Trap EXIT;a74b2e07-5952-4c03-8b56-56274b076b61;False;1
persistence;T1546.005;sh;['linux'];Trap EXIT (freebsd);be1a5d70-6865-44aa-ab50-42244c9fd16f;False;2
persistence;T1546.005;sh;['macos', 'linux'];Trap SIGINT;a547d1ba-1d7a-4cc5-a9cb-8d65e8809636;False;3
persistence;T1546.005;sh;['linux'];Trap SIGINT (freebsd);ade10242-1eac-43df-8412-be0d4c704ada;False;4
persistence;T1574.006;bash;['linux'];Shared Library Injection via /etc/ld.so.preload;39cb0e67-dd0d-4b74-a74b-c072db7ae991;False;1
persistence;T1574.006;bash;['linux'];Shared Library Injection via LD_PRELOAD;bc219ff7-789f-4d51-9142-ecae3397deae;False;2
persistence;T1574.006;bash;['macos'];Dylib Injection via DYLD_INSERT_LIBRARIES;4d66029d-7355-43fd-93a4-b63ba92ea1be;False;3
persistence;T1136.001;bash;['linux'];Create a user account on a Linux system;40d8eabd-e394-46f6-8785-b9bfa1d011d2;False;1
persistence;T1136.001;sh;['linux'];Create a user account on a FreeBSD system;a39ee1bc-b8c1-4331-8e5f-1859eb408518;False;2
persistence;T1136.001;bash;['macos'];Create a user account on a MacOS system;01993ba5-1da3-4e15-a719-b690d4f0f0b2;False;3
persistence;T1136.001;command_prompt;['windows'];Create a new user in a command prompt;6657864e-0323-4206-9344-ac9cd7265a4f;True;4
persistence;T1136.001;powershell;['windows'];Create a new user in PowerShell;bc8be0ac-475c-4fbf-9b1d-9fffd77afbde;True;5
persistence;T1136.001;bash;['linux'];Create a new user in Linux with `root` UID and GID.;a1040a30-d28b-4eda-bd99-bb2861a4616c;False;6
persistence;T1136.001;sh;['linux'];Create a new user in FreeBSD with `root` GID.;d141afeb-d2bc-4934-8dd5-b7dba0f9f67a;False;7
persistence;T1136.001;command_prompt;['windows'];Create a new Windows admin user;fda74566-a604-4581-a4cc-fbbe21d66559;True;8
persistence;T1136.001;powershell;['windows'];Create a new Windows admin user via .NET;2170d9b5-bacd-4819-a952-da76dae0815f;False;9
persistence;T1547.004;powershell;['windows'];Winlogon Shell Key Persistence - PowerShell;bf9f9d65-ee4d-4c3e-a843-777d04f19c38;True;1
persistence;T1547.004;powershell;['windows'];Winlogon Userinit Key Persistence - PowerShell;fb32c935-ee2e-454b-8fa3-1c46b42e8dfb;True;2
persistence;T1547.004;powershell;['windows'];Winlogon Notify Key Logon Persistence - PowerShell;d40da266-e073-4e5a-bb8b-2b385023e5f9;True;3
persistence;T1547.004;powershell;['windows'];Winlogon HKLM Shell Key Persistence - PowerShell;95a3c42f-8c88-4952-ad60-13b81d929a9d;True;4
persistence;T1547.004;powershell;['windows'];Winlogon HKLM Userinit Key Persistence - PowerShell;f9b8daff-8fa7-4e6a-a1a7-7c14675a545b;True;5
persistence;T1098.004;sh;['linux', 'macos'];Modify SSH Authorized Keys;342cc723-127c-4d3a-8292-9c0c6b4ecadc;False;1
persistence;T1546.012;command_prompt;['windows'];IFEO Add Debugger;fdda2626-5234-4c90-b163-60849a24c0b8;True;1
persistence;T1546.012;command_prompt;['windows'];IFEO Global Flags;46b1f278-c8ee-4aa5-acce-65e77b11f3c1;True;2
persistence;T1546.012;powershell;['windows'];GlobalFlags in Image File Execution Options;13117939-c9b2-4a43-999e-0a543df92f0d;True;3
persistence;T1546.008;powershell;['windows'];Attaches Command Prompt as a Debugger to a List of Target Processes;3309f53e-b22b-4eb6-8fd2-a6cf58b355a9;True;1
persistence;T1546.008;command_prompt;['windows'];Replace binary of sticky keys;934e90cf-29ca-48b3-863c-411737ad44e3;True;2
persistence;T1546.008;command_prompt;['windows'];Create Symbolic Link From osk.exe to cmd.exe;51ef369c-5e87-4f33-88cd-6d61be63edf2;True;3
persistence;T1546.008;command_prompt;['windows'];Atbroker.exe (AT) Executes Arbitrary Command via Registry Key;444ff124-4c83-4e28-8df6-6efd3ece6bd4;True;4
persistence;T1136.002;command_prompt;['windows'];Create a new Windows domain admin user;fcec2963-9951-4173-9bfa-98d8b7834e62;True;1
persistence;T1136.002;command_prompt;['windows'];Create a new account similar to ANONYMOUS LOGON;dc7726d2-8ccb-4cc6-af22-0d5afb53a548;True;2
persistence;T1136.002;powershell;['windows'];Create a new Domain Account using PowerShell;5a3497a4-1568-4663-b12a-d4a5ed70c7d7;True;3
persistence;T1136.002;sh;['linux'];Active Directory Create Admin Account;562aa072-524e-459a-ba2b-91f1afccf5ab;False;4
persistence;T1136.002;sh;['linux'];Active Directory Create User Account (Non-elevated);8c992cb3-a46e-4fd5-b005-b1bab185af31;False;5
persistence;T1137.001;powershell;['windows'];Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell;940db09e-80b6-4dd0-8d4d-7764f89b47a8;False;1
persistence;T1546.009;powershell;['windows'];Create registry persistence via AppCert DLL;a5ad6104-5bab-4c43-b295-b4c44c7c6b05;True;1
persistence;T1547.015;powershell;['windows'];Persistence by modifying Windows Terminal profile;ec5d76ef-82fe-48da-b931-bdb25a62bc65;False;1
persistence;T1547.015;bash;['macos'];Add macOS LoginItem using Applescript;716e756a-607b-41f3-8204-b214baf37c1d;False;2
persistence;T1098.001;powershell;['azure-ad'];Azure AD Application Hijacking - Service Principal;b8e747c3-bdf7-4d71-bce2-f1df2a057406;False;1
persistence;T1098.001;powershell;['azure-ad'];Azure AD Application Hijacking - App Registration;a12b5531-acab-4618-a470-0dafb294a87a;False;2
persistence;T1098.001;sh;['iaas:aws'];AWS - Create Access Key and Secret Key;8822c3b0-d9f9-4daf-a043-491160a31122;False;3
persistence;T1546.003;powershell;['windows'];Persistence via WMI Event Subscription - CommandLineEventConsumer;3c64f177-28e2-49eb-a799-d767b24dd1e0;True;1
persistence;T1546.003;powershell;['windows'];Persistence via WMI Event Subscription - ActiveScriptEventConsumer;fecd0dfd-fb55-45fa-a10b-6250272d0832;True;2
persistence;T1546.003;powershell;['windows'];Windows MOFComp.exe Load MOF File;29786d7e-8916-4de6-9c55-be7b093b2706;True;3
persistence;T1546.001;command_prompt;['windows'];Change Default File Association;10a08978-2045-4d62-8c42-1957bbbea102;True;1
persistence;T1546.014;sh;['macos'];Persistance with Event Monitor - emond;23c9c127-322b-4c75-95ca-eff464906114;False;1
persistence;T1547.001;command_prompt;['windows'];Reg Key Run;e55be3fd-3521-4610-9d1a-e210e42dcf05;True;1
persistence;T1547.001;command_prompt;['windows'];Reg Key RunOnce;554cbd88-cde1-4b56-8168-0be552eed9eb;True;2
persistence;T1547.001;powershell;['windows'];PowerShell Registry RunOnce;eb44f842-0457-4ddc-9b92-c4caa144ac42;True;3
persistence;T1547.001;powershell;['windows'];Suspicious vbs file run from startup Folder;2cb98256-625e-4da9-9d44-f2e5f90b8bd5;True;4
persistence;T1547.001;powershell;['windows'];Suspicious jse file run from startup Folder;dade9447-791e-4c8f-b04b-3a35855dfa06;True;5
persistence;T1547.001;powershell;['windows'];Suspicious bat file run from startup Folder;5b6768e4-44d2-44f0-89da-a01d1430fd5e;True;6
persistence;T1547.001;powershell;['windows'];Add Executable Shortcut Link to User Startup Folder;24e55612-85f6-4bd6-ae74-a73d02e3441d;True;7
persistence;T1547.001;command_prompt;['windows'];Add persistance via Recycle bin;bda6a3d6-7aa7-4e89-908b-306772e9662f;True;8
persistence;T1547.001;powershell;['windows'];SystemBC Malware-as-a-Service Registry;9dc7767b-30c1-4cc4-b999-50cab5e27891;True;9
persistence;T1547.001;powershell;['windows'];Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value;acfef903-7662-447e-a391-9c91c2f00f7b;True;10
persistence;T1547.001;powershell;['windows'];Change Startup Folder - HKCU Modify User Shell Folders Startup Value;8834b65a-f808-4ece-ad7e-2acdf647aafa;True;11
persistence;T1547.001;powershell;['windows'];HKCU - Policy Settings Explorer Run Key;a70faea1-e206-4f6f-8d9a-67379be8f6f1;True;12
persistence;T1547.001;powershell;['windows'];HKLM - Policy Settings Explorer Run Key;b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f;True;13
persistence;T1547.001;powershell;['windows'];HKLM - Append Command to Winlogon Userinit KEY Value;f7fab6cc-8ece-4ca7-a0f1-30a22fccd374;True;14
persistence;T1547.001;powershell;['windows'];HKLM - Modify default System Shell - Winlogon Shell KEY Value ;1d958c61-09c6-4d9e-b26b-4130314e520e;True;15
persistence;T1547.001;command_prompt;['windows'];secedit used to create a Run key in the HKLM Hive;14fdc3f1-6fc3-4556-8d36-aa89d9d42d02;True;16
persistence;T1547.001;powershell;['windows'];Modify BootExecute Value;befc2b40-d487-4a5a-8813-c11085fb5672;True;17
persistence;T1136.003;sh;['iaas:aws'];AWS - Create a new IAM user;8d1c2368-b503-40c9-9057-8e42f21c58ad;False;1
persistence;T1136.003;powershell;['azure-ad'];Azure AD - Create a new user;e62d23ef-3153-4837-8625-fa4a3829134d;False;2
persistence;T1136.003;powershell;['azure-ad'];Azure AD - Create a new user via Azure CLI;228c7498-be31-48e9-83b7-9cb906504ec8;False;3
persistence;T1098;powershell;['windows'];Admin Account Manipulate;5598f7cb-cf43-455e-883a-f6008c5d46af;True;1
persistence;T1098;powershell;['windows'];Domain Account and Group Manipulate;a55a22e9-a3d3-42ce-bd48-2653adb8f7a9;True;2
persistence;T1098;sh;['iaas:aws'];AWS - Create a group and add a user to that group;8822c3b0-d9f9-4daf-a043-49f110a31122;False;3
persistence;T1098;powershell;['azure-ad'];Azure AD - adding user to Azure AD role;0e65ae27-5385-46b4-98ac-607a8ee82261;False;4
persistence;T1098;powershell;['azure-ad'];Azure AD - adding service principal to Azure AD role;92c40b3f-c406-4d1f-8d2b-c039bf5009e4;False;5
persistence;T1098;powershell;['iaas:azure'];Azure - adding user to Azure role in subscription;1a94b3fc-b080-450a-b3d8-6d9b57b472ea;False;6
persistence;T1098;powershell;['iaas:azure'];Azure - adding service principal to Azure role in subscription;c8f4bc29-a151-48da-b3be-4680af56f404;False;7
persistence;T1098;powershell;['azure-ad'];Azure AD - adding permission to application;94ea9cc3-81f9-4111-8dde-3fb54f36af4b;False;8
persistence;T1098;command_prompt;['windows'];Password Change on Directory Service Restore Mode (DSRM) Account;d5b886d9-d1c7-4b6e-a7b0-460041bf2823;True;9
persistence;T1098;powershell;['windows'];Domain Password Policy Check: Short Password;fc5f9414-bd67-4f5f-a08e-e5381e29cbd1;True;10
persistence;T1098;powershell;['windows'];Domain Password Policy Check: No Number in Password;68190529-069b-4ffc-a942-919704158065;False;11
persistence;T1098;powershell;['windows'];Domain Password Policy Check: No Special Character in Password;7d984ef2-2db2-4cec-b090-e637e1698f61;False;12
persistence;T1098;powershell;['windows'];Domain Password Policy Check: No Uppercase Character in Password;b299c120-44a7-4d68-b8e2-8ba5a28511ec;False;13
persistence;T1098;powershell;['windows'];Domain Password Policy Check: No Lowercase Character in Password;945da11e-977e-4dab-85d2-f394d03c5887;False;14
persistence;T1098;powershell;['windows'];Domain Password Policy Check: Only Two Character Classes;784d1349-5a26-4d20-af5e-d6af53bae460;False;15
persistence;T1098;powershell;['windows'];Domain Password Policy Check: Common Password Use;81959d03-c51f-49a1-bb24-23f1ec885578;False;16
persistence;T1098;sh;['iaas:gcp'];GCP - Delete Service Account Key;7ece1dea-49f1-4d62-bdcc-5801e3292510;False;17
persistence;T1547.006;bash;['linux'];Linux - Load Kernel Module via insmod;687dcb93-9656-4853-9c36-9977315e9d23;False;1
persistence;T1547.006;bash;['macos'];MacOS - Load Kernel Module via kextload and kmutil;f4391089-d3a5-4dd1-ab22-0419527f2672;False;2
persistence;T1547.006;bash;['macos'];MacOS - Load Kernel Module via KextManagerLoadKextWithURL();f0007753-beb3-41ea-9948-760785e4c1e5;False;3
persistence;T1547.006;powershell;['windows'];Snake Malware Kernel Driver Comadmin;e5cb5564-cc7b-4050-86e8-f2d9eec1941f;True;4
persistence;T1053.006;bash;['linux'];Create Systemd Service and Timer;f4983098-bb13-44fb-9b2c-46149961807b;False;1
persistence;T1053.006;sh;['linux'];Create a user level transient systemd service and timer;3de33f5b-62e5-4e63-a2a0-6fd8808c80ec;False;2
persistence;T1053.006;sh;['linux'];Create a system level transient systemd service and timer;d3eda496-1fc0-49e9-aff5-3bec5da9fa22;False;3
persistence;T1505.004;command_prompt;['windows'];Install IIS Module using AppCmd.exe;53adbdfa-8200-490c-871c-d3b1ab3324b2;False;1
persistence;T1505.004;powershell;['windows'];Install IIS Module using PowerShell Cmdlet New-WebGlobalModule;cc3381fb-4bd0-405c-a8e4-6cacfac3b06c;False;2
persistence;T1546;powershell;['windows'];Persistence with Custom AutodialDLL;aca9ae16-7425-4b6d-8c30-cad306fdbd5b;True;1
persistence;T1546;powershell;['windows'];HKLM - Persistence using CommandProcessor AutoRun key (With Elevation);a574dafe-a903-4cce-9701-14040f4f3532;True;2
persistence;T1546;powershell;['windows'];HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation);36b8dbf9-59b1-4e9b-a3bb-36e80563ef01;True;3
persistence;T1546;powershell;['windows'];WMI Invoke-CimMethod Start Process;adae83d3-0df6-45e7-b2c3-575f91584577;True;4
persistence;T1546.004;sh;['macos', 'linux'];Add command to .bash_profile;94500ae1-7e31-47e3-886b-c328da46872f;False;1
persistence;T1546.004;sh;['macos', 'linux'];Add command to .bashrc;0a898315-4cfa-4007-bafe-33a4646d115f;False;2
persistence;T1546.004;sh;['linux'];Add command to .shrc;41502021-591a-4649-8b6e-83c9192aff53;False;3
persistence;T1546.004;sh;['linux'];Append to the system shell profile;694b3cc8-6a78-4d35-9e74-0123d009e94b;False;4
persistence;T1546.004;sh;['linux'];Append commands user shell profile;bbdb06bc-bab6-4f5b-8232-ba3fbed51d77;False;5
persistence;T1546.004;sh;['linux'];System shell profile scripts;8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4;False;6
persistence;T1546.004;bash;['linux'];Create/Append to .bash_logout;37ad2f24-7c53-4a50-92da-427a4ad13f58;False;7
persistence;T1547.002;powershell;['windows'];Authentication Package;be2590e8-4ac3-47ac-b4b5-945820f2fbe9;True;1
persistence;T1546.015;powershell;['windows'];COM Hijacking - InprocServer32;48117158-d7be-441b-bc6a-d9e36e47b52b;True;1
persistence;T1546.015;powershell;['windows'];Powershell Execute COM Object;752191b1-7c71-445c-9dbe-21bb031b18eb;True;2
persistence;T1546.015;powershell;['windows'];COM Hijacking with RunDLL32 (Local Server Switch);123520cc-e998-471b-a920-bd28e3feafa0;True;3
persistence;T1546.015;powershell;['windows'];COM hijacking via TreatAs;33eacead-f117-4863-8eb0-5c6304fbfaa9;True;4
persistence;T1137.004;command_prompt;['windows'];Install Outlook Home Page Persistence;7a91ad51-e6d2-4d43-9471-f26362f5738e;True;1
persistence;T1574.009;command_prompt;['windows'];Execution of program.exe as service with unquoted service path;2770dea7-c50f-457b-84c4-c40a47460d9f;True;1
persistence;T1037.005;sh;['macos'];Add file to Local Library StartupItems;134627c3-75db-410e-bff8-7a920075f198;False;1
persistence;T1197;command_prompt;['windows'];Bitsadmin Download (cmd);3c73d728-75fb-4180-a12f-6712864d7421;True;1
persistence;T1197;powershell;['windows'];Bitsadmin Download (PowerShell);f63b8bc4-07e5-4112-acba-56f646f3f0bc;True;2
persistence;T1197;command_prompt;['windows'];Persist, Download, & Execute;62a06ec5-5754-47d2-bcfc-123d8314c6ae;True;3
persistence;T1197;command_prompt;['windows'];Bits download using desktopimgdownldr.exe (cmd);afb5e09e-e385-4dee-9a94-6ee60979d114;True;4
persistence;T1546.010;command_prompt;['windows'];Install AppInit Shim;a58d9386-3080-4242-ab5f-454c16503d18;True;1
persistence;T1546.002;command_prompt;['windows'];Set Arbitrary Binary as Screensaver;281201e7-de41-4dc9-b73d-f288938cbb64;True;1
persistence;T1543.001;bash;['macos'];Launch Agent;a5983dee-bf6c-4eaf-951c-dbc1a7b90900;False;1
persistence;T1543.001;bash;['macos'];Event Monitor Daemon Persistence;11979f23-9b9d-482a-9935-6fc9cd022c3e;False;2
persistence;T1037.004;bash;['macos'];rc.common;97a48daa-8bca-4bc0-b1a9-c1d163e762de;False;1
persistence;T1037.004;bash;['linux'];rc.common;c33f3d80-5f04-419b-a13a-854d1cbdbf3a;False;2
persistence;T1037.004;sh;['linux'];rc.local;126f71af-e1c9-405c-94ef-26a47b16c102;False;3
persistence;T1543.002;bash;['linux'];Create Systemd Service;d9e4f24f-aa67-4c6e-bcbf-85622b697a7c;False;1
persistence;T1543.002;sh;['linux'];Create SysV Service;760fe8d2-79d9-494f-905e-a239a3df86f6;False;2
persistence;T1543.002;bash;['linux'];Create Systemd Service file,  Enable the service , Modify and Reload the service.;c35ac4a8-19de-43af-b9f8-755da7e89c89;False;3
persistence;T1547.007;sh;['macos'];Copy in loginwindow.plist for Re-Opened Applications;5fefd767-ef54-4ac6-84d3-751ab85e8aba;False;1
persistence;T1547.007;sh;['macos'];Re-Opened Applications using LoginHook;5f5b71da-e03f-42e7-ac98-d63f9e0465cb;False;2
persistence;T1547.007;sh;['macos'];Append to existing loginwindow for Re-Opened Applications;766b6c3c-9353-4033-8b7e-38b309fa3a93;False;3
persistence;T1574.002;command_prompt;['windows'];DLL Side-Loading using the Notepad++ GUP.exe binary;65526037-7079-44a9-bda1-2cb624838040;True;1
persistence;T1574.002;command_prompt;['windows'];DLL Side-Loading using the dotnet startup hook environment variable;d322cdd7-7d60-46e3-9111-648848da7c02;False;2
persistence;T1098.002;powershell;['office-365'];EXO - Full access mailbox permission granted to a user;17d046be-fdd0-4cbb-b5c7-55c85d9d0714;False;1
persistence;T1037.001;command_prompt;['windows'];Logon Scripts;d6042746-07d4-4c92-9ad8-e644c114a231;True;1
persistence;T1137.002;powershell;['windows'];Office Application Startup Test Persistence (HKCU);c3e35b58-fe1c-480b-b540-7600fb612563;True;1
persistence;T1547.008;powershell;['windows'];Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt;8ecef16d-d289-46b4-917b-0dba6dc81cf1;True;1
persistence;T1078.004;sh;['google-workspace', 'iaas:gcp'];Creating GCP Service Account and Service Account Key;9fdd83fd-bd53-46e5-a716-9dec89c8ae8e;False;1
persistence;T1078.004;powershell;['iaas:azure'];Azure Persistence Automation Runbook Created or Modified;348f4d14-4bd3-4f6b-bd8a-61237f78b3ac;False;2
persistence;T1078.004;sh;['iaas:gcp'];GCP - Create Custom IAM Role;3a159042-69e6-4398-9a69-3308a4841c85;False;3
persistence;T1053.002;command_prompt;['windows'];At.exe Scheduled task;4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8;True;1
persistence;T1053.002;sh;['linux'];At - Schedule a job;7266d898-ac82-4ec0-97c7-436075d0d08e;False;2
persistence;T1546.007;command_prompt;['windows'];Netsh Helper DLL Registration;3244697d-5a3a-4dfc-941c-550f69f91a4d;True;1
persistence;T1078.003;command_prompt;['windows'];Create local account with admin privileges;a524ce99-86de-4db6-b4f9-e08f35a47a15;True;1
persistence;T1078.003;bash;['macos'];Create local account with admin privileges - MacOS;f1275566-1c26-4b66-83e3-7f9f7f964daa;False;2
persistence;T1078.003;bash;['macos'];Create local account with admin privileges using sysadminctl utility - MacOS;191db57d-091a-47d5-99f3-97fde53de505;False;3
persistence;T1078.003;bash;['macos'];Enable root account using dsenableroot utility - MacOS;20b40ea9-0e17-4155-b8e6-244911a678ac;False;4
persistence;T1078.003;bash;['macos'];Add a new/existing user to the admin group using dseditgroup utility - macOS;433842ba-e796-4fd5-a14f-95d3a1970875;False;5
persistence;T1078.003;powershell;['windows'];WinPwn - Loot local Credentials - powerhell kittie;9e9fd066-453d-442f-88c1-ad7911d32912;True;6
persistence;T1078.003;powershell;['windows'];WinPwn - Loot local Credentials - Safetykatz;e9fdb899-a980-4ba4-934b-486ad22e22f4;True;7
persistence;T1078.003;bash;['linux'];Create local account (Linux);02a91c34-8a5b-4bed-87af-501103eb5357;False;8
persistence;T1078.003;bash;['linux'];Reactivate a locked/expired account (Linux);d2b95631-62d7-45a3-aaef-0972cea97931;False;9
persistence;T1078.003;sh;['linux'];Reactivate a locked/expired account (FreeBSD);09e3380a-fae5-4255-8b19-9950be0252cf;False;10
persistence;T1078.003;bash;['linux'];Login as nobody (Linux);3d2cd093-ee05-41bd-a802-59ee5c301b85;False;11
persistence;T1078.003;sh;['linux'];Login as nobody (freebsd);16f6374f-7600-459a-9b16-6a88fd96d310;False;12
persistence;T1574.012;powershell;['windows'];User scope COR_PROFILER;9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a;True;1
persistence;T1574.012;powershell;['windows'];System Scope COR_PROFILER;f373b482-48c8-4ce4-85ed-d40c8b3f7310;True;2
persistence;T1574.012;powershell;['windows'];Registry-free process scope COR_PROFILER;79d57242-bbef-41db-b301-9d01d9f6e817;True;3
command-and-control;T1132.001;sh;['macos', 'linux'];Base64 Encoded data.;1164f70f-9a88-4dff-b9ff-dc70e7bf0c25;False;1
command-and-control;T1132.001;sh;['linux'];Base64 Encoded data (freebsd);2d97c626-7652-449e-a986-b02d9051c298;False;2
command-and-control;T1132.001;powershell;['windows'];XOR Encoded data.;c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08;True;3
command-and-control;T1071.004;powershell;['windows'];DNS Large Query Volume;1700f5d6-5a44-487b-84de-bc66f507b0a6;False;1
command-and-control;T1071.004;powershell;['windows'];DNS Regular Beaconing;3efc144e-1af8-46bb-8ca2-1376bb6db8b6;True;2
command-and-control;T1071.004;powershell;['windows'];DNS Long Domain Query;fef31710-223a-40ee-8462-a396d6b66978;False;3
command-and-control;T1071.004;powershell;['windows'];DNS C2;e7bf9802-2e78-4db9-93b5-181b7bcd37d7;True;4
command-and-control;T1071;powershell;['windows'];Telnet C2;3b0df731-030c-4768-b492-2a3216d90e53;False;1
command-and-control;T1219;powershell;['windows'];TeamViewer Files Detected Test on Windows;8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0;True;1
command-and-control;T1219;powershell;['windows'];AnyDesk Files Detected Test on Windows;6b8b7391-5c0a-4f8c-baee-78d8ce0ce330;True;2
command-and-control;T1219;powershell;['windows'];LogMeIn Files Detected Test on Windows;d03683ec-aae0-42f9-9b4c-534780e0f8e1;True;3
command-and-control;T1219;powershell;['windows'];GoToAssist Files Detected Test on Windows;1b72b3bd-72f8-4b63-a30b-84e91b9c3578;True;4
command-and-control;T1219;powershell;['windows'];ScreenConnect Application Download and Install on Windows;4a18cc4e-416f-4966-9a9d-75731c4684c0;True;5
command-and-control;T1219;powershell;['windows'];Ammyy Admin Software Execution;0ae9e327-3251-465a-a53b-485d4e3f58fa;True;6
command-and-control;T1219;powershell;['windows'];RemotePC Software Execution;fbff3f1f-b0bf-448e-840f-7e1687affdce;True;7
command-and-control;T1219;powershell;['windows'];NetSupport - RAT Execution;ecca999b-e0c8-40e8-8416-ad320b146a75;True;8
command-and-control;T1219;powershell;['windows'];UltraViewer - RAT Execution;19acf63b-55c4-4b6a-8552-00a8865105c8;True;9
command-and-control;T1219;powershell;['windows'];UltraVNC Execution;42e51815-a6cc-4c75-b970-3f0ff54b610e;True;10
command-and-control;T1219;powershell;['windows'];MSP360 Connect Execution;b1b8128b-c5d4-4de9-bf70-e60419274562;False;11
command-and-control;T1219;powershell;['windows'];RustDesk Files Detected Test on Windows;f1641ba9-919a-4323-b74f-33372333bf0e;False;12
command-and-control;T1219;powershell;['windows'];Splashtop Execution;b025c580-029e-4023-888d-a42710d76934;False;13
command-and-control;T1219;powershell;['windows'];Splashtop Streamer Execution;3e1858ee-3550-401c-86ec-5e70ed79295b;False;14
command-and-control;T1572;powershell;['windows'];DNS over HTTPS Large Query Volume;ae9ef4b0-d8c1-49d4-8758-06206f19af0a;True;1
command-and-control;T1572;powershell;['windows'];DNS over HTTPS Regular Beaconing;0c5f9705-c575-42a6-9609-cbbff4b2fc9b;True;2
command-and-control;T1572;powershell;['windows'];DNS over HTTPS Long Domain Query;748a73d5-cea4-4f34-84d8-839da5baa99c;True;3
command-and-control;T1572;powershell;['windows'];run ngrok;4cdc9fc7-53fb-4894-9f0c-64836943ea60;True;4
command-and-control;T1090.003;powershell;['windows'];Psiphon;14d55ca0-920e-4b44-8425-37eedd72b173;True;1
command-and-control;T1090.003;powershell;['windows'];Tor Proxy Usage - Windows;7b9d85e5-c4ce-4434-8060-d3de83595e69;True;2
command-and-control;T1090.003;sh;['linux'];Tor Proxy Usage - Debian/Ubuntu/FreeBSD;5ff9d047-6e9c-4357-b39b-5cf89d9b59c7;True;3
command-and-control;T1090.003;sh;['macos'];Tor Proxy Usage - MacOS;12631354-fdbc-4164-92be-402527e748da;False;4
command-and-control;T1571;powershell;['windows'];Testing usage of uncommonly used port with PowerShell;21fe622f-8e53-4b31-ba83-6d333c2583f4;True;1
command-and-control;T1571;sh;['linux', 'macos'];Testing usage of uncommonly used port;5db21e1d-dd9c-4a50-b885-b1e748912767;False;2
command-and-control;T1573;powershell;['windows'];OpenSSL C2;21caf58e-87ad-440c-a6b8-3ac259964003;True;1
command-and-control;T1095;powershell;['windows'];ICMP C2;0268e63c-e244-42db-bef7-72a9e59fc1fc;True;1
command-and-control;T1095;powershell;['windows'];Netcat C2;bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37;True;2
command-and-control;T1095;powershell;['windows'];Powercat C2;3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e;True;3
command-and-control;T1071.001;powershell;['windows'];Malicious User Agents - Powershell;81c13829-f6c9-45b8-85a6-053366d55297;True;1
command-and-control;T1071.001;command_prompt;['windows'];Malicious User Agents - CMD;dc3488b0-08c7-4fea-b585-905c83b48180;True;2
command-and-control;T1071.001;sh;['linux', 'macos'];Malicious User Agents - Nix;2d7c471a-e887-4b78-b0dc-b0df1f2e0658;False;3
command-and-control;T1105;sh;['linux', 'macos'];rsync remote file copy (push);0fc6e977-cb12-44f6-b263-2824ba917409;False;1
command-and-control;T1105;sh;['linux', 'macos'];rsync remote file copy (pull);3180f7d5-52c0-4493-9ea0-e3431a84773f;False;2
command-and-control;T1105;sh;['linux', 'macos'];scp remote file copy (push);83a49600-222b-4866-80a0-37736ad29344;False;3
command-and-control;T1105;sh;['linux', 'macos'];scp remote file copy (pull);b9d22b9a-9778-4426-abf0-568ea64e9c33;False;4
command-and-control;T1105;sh;['linux', 'macos'];sftp remote file copy (push);f564c297-7978-4aa9-b37a-d90477feea4e;False;5
command-and-control;T1105;sh;['linux', 'macos'];sftp remote file copy (pull);0139dba1-f391-405e-a4f5-f3989f2c88ef;False;6
command-and-control;T1105;command_prompt;['windows'];certutil download (urlcache);dd3b61dd-7bbc-48cd-ab51-49ad1a776df0;True;7
command-and-control;T1105;powershell;['windows'];certutil download (verifyctl);ffd492e3-0455-4518-9fb1-46527c9f241b;True;8
command-and-control;T1105;command_prompt;['windows'];Windows - BITSAdmin BITS Download;a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b;True;9
command-and-control;T1105;powershell;['windows'];Windows - PowerShell Download;42dc4460-9aa6-45d3-b1a6-3955d34e1fe8;True;10
command-and-control;T1105;command_prompt;['windows'];OSTAP Worming Activity;2ca61766-b456-4fcf-a35a-1233685e1cad;True;11
command-and-control;T1105;command_prompt;['windows'];svchost writing a file to a UNC path;fa5a2759-41d7-4e13-a19c-e8f28a53566f;True;12
command-and-control;T1105;command_prompt;['windows'];Download a File with Windows Defender MpCmdRun.exe;815bef8b-bf91-4b67-be4c-abe4c2a94ccc;True;13
command-and-control;T1105;sh;['linux', 'macos'];whois file download;c99a829f-0bb8-4187-b2c6-d47d1df74cab;False;14
command-and-control;T1105;powershell;['windows'];File Download via PowerShell;54a4daf1-71df-4383-9ba7-f1a295d8b6d2;True;15
command-and-control;T1105;command_prompt;['windows'];File download with finger.exe on Windows;5f507e45-8411-4f99-84e7-e38530c45d01;True;16
command-and-control;T1105;powershell;['windows'];Download a file with IMEWDBLD.exe;1a02df58-09af-4064-a765-0babe1a0d1e2;True;17
command-and-control;T1105;command_prompt;['windows'];Curl Download File;2b080b99-0deb-4d51-af0f-833d37c4ca6a;True;18
command-and-control;T1105;command_prompt;['windows'];Curl Upload File;635c9a38-6cbf-47dc-8615-3810bc1167cf;True;19
command-and-control;T1105;command_prompt;['windows'];Download a file with Microsoft Connection Manager Auto-Download;d239772b-88e2-4a2e-8473-897503401bcc;True;20
command-and-control;T1105;powershell;['windows'];MAZE Propagation Script;70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf;True;21
command-and-control;T1105;command_prompt;['windows'];Printer Migration Command-Line Tool UNC share folder into a zip file;49845fc1-7961-4590-a0f0-3dbcf065ae7e;True;22
command-and-control;T1105;command_prompt;['windows'];Lolbas replace.exe use to copy file;54782d65-12f0-47a5-b4c1-b70ee23de6df;True;23
command-and-control;T1105;command_prompt;['windows'];Lolbas replace.exe use to copy UNC file;ed0335ac-0354-400c-8148-f6151d20035a;True;24
command-and-control;T1105;command_prompt;['windows'];certreq download;6fdaae87-c05b-42f8-842e-991a74e8376b;True;25
command-and-control;T1105;command_prompt;['windows'];Download a file using wscript;97116a3f-efac-4b26-8336-b9cb18c45188;True;26
command-and-control;T1105;sh;['linux'];Linux Download File and Run;bdc373c5-e9cf-4563-8a7b-a9ba720a90f3;False;27
command-and-control;T1105;command_prompt;['windows'];Nimgrab - Transfer Files;b1729c57-9384-4d1c-9b99-9b220afb384e;True;28
command-and-control;T1105;command_prompt;['windows'];iwr or Invoke Web-Request download;c01cad7f-7a4c-49df-985e-b190dcf6a279;True;29
command-and-control;T1105;command_prompt;['windows'];Arbitrary file download using the Notepad++ GUP.exe binary;66ee226e-64cb-4dae-80e3-5bf5763e4a51;False;30
command-and-control;T1105;sh;['macos'];File download via nscurl;5bcefe5f-3f30-4f1c-a61a-8d7db3f4450c;False;31
command-and-control;T1001.002;powershell;['windows'];Steganographic Tarball Embedding;c7921449-8b62-4c4d-8a83-d9281ac0190b;False;1
command-and-control;T1001.002;powershell;['windows'];Embedded Script in Image Execution via Extract-Invoke-PSImage;04bb8e3d-1670-46ab-a3f1-5cee64da29b6;False;2
command-and-control;T1001.002;sh;['linux'];Execute Embedded Script in Image via Steganography;4ff61684-ad91-405c-9fbc-048354ff1d07;False;3
command-and-control;T1090.001;sh;['linux', 'macos'];Connection Proxy;0ac21132-4485-4212-a681-349e8a6637cd;False;1
command-and-control;T1090.001;sh;['macos'];Connection Proxy for macOS UI;648d68c1-8bcd-4486-9abe-71c6655b6a2c;False;2
command-and-control;T1090.001;powershell;['windows'];portproxy reg key;b8223ea9-4be2-44a6-b50a-9657a3d4e72a;True;3
collection;T1560.001;command_prompt;['windows'];Compress Data for Exfiltration With Rar;02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0;True;1
collection;T1560.001;command_prompt;['windows'];Compress Data and lock with password for Exfiltration with winrar;8dd61a55-44c6-43cc-af0c-8bdda276860c;True;2
collection;T1560.001;command_prompt;['windows'];Compress Data and lock with password for Exfiltration with winzip;01df0353-d531-408d-a0c5-3161bf822134;True;3
collection;T1560.001;command_prompt;['windows'];Compress Data and lock with password for Exfiltration with 7zip;d1334303-59cb-4a03-8313-b3e24d02c198;True;4
collection;T1560.001;sh;['linux', 'macos'];Data Compressed - nix - zip;c51cec55-28dd-4ad2-9461-1eacbc82c3a0;False;5
collection;T1560.001;sh;['linux', 'macos'];Data Compressed - nix - gzip Single File;cde3c2af-3485-49eb-9c1f-0ed60e9cc0af;False;6
collection;T1560.001;sh;['linux', 'macos'];Data Compressed - nix - tar Folder or File;7af2b51e-ad1c-498c-aca8-d3290c19535a;False;7
collection;T1560.001;sh;['linux', 'macos'];Data Encrypted with zip and gpg symmetric;0286eb44-e7ce-41a0-b109-3da516e05a5f;False;8
collection;T1560.001;bash;['linux', 'macos'];Encrypts collected data with AES-256 and Base64;a743e3a6-e8b2-4a30-abe7-ca85d201b5d3;False;9
collection;T1560.001;powershell;['windows'];ESXi - Remove Syslog remote IP;36c62584-d360-41d6-886f-d194654be7c2;False;10
collection;T1113;bash;['macos'];Screencapture;0f47ceb1-720f-4275-96b8-21f0562217ac;False;1
collection;T1113;bash;['macos'];Screencapture (silent);deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4;False;2
collection;T1113;bash;['linux'];X Windows Capture;8206dd0c-faf6-4d74-ba13-7fbe13dce6ac;False;3
collection;T1113;sh;['linux'];X Windows Capture (freebsd);562f3bc2-74e8-46c5-95c7-0e01f9ccc65c;False;4
collection;T1113;bash;['linux'];Capture Linux Desktop using Import Tool;9cd1cccb-91e4-4550-9139-e20a586fcea1;False;5
collection;T1113;sh;['linux'];Capture Linux Desktop using Import Tool (freebsd);18397d87-38aa-4443-a098-8a48a8ca5d8d;False;6
collection;T1113;powershell;['windows'];Windows Screencapture;3c898f62-626c-47d5-aad2-6de873d69153;True;7
collection;T1113;powershell;['windows'];Windows Screen Capture (CopyFromScreen);e9313014-985a-48ef-80d9-cde604ffc187;True;8
collection;T1056.001;powershell;['windows'];Input Capture;d9b633ca-8efb-45e6-b838-70f595c6ae26;True;1
collection;T1056.001;sh;['linux'];Living off the land Terminal Input Capture on Linux with pam.d;9c6bdb34-a89f-4b90-acb1-5970614c711b;False;2
collection;T1056.001;sh;['linux'];Logging bash history to syslog;0e59d59d-3265-4d35-bebd-bf5c1ec40db5;False;3
collection;T1056.001;sh;['linux'];Logging sh history to syslog/messages;b04284dc-3bd9-4840-8d21-61b8d31c99f2;False;4
collection;T1056.001;bash;['linux'];Bash session based keylogger;7f85a946-a0ea-48aa-b6ac-8ff539278258;False;5
collection;T1056.001;sh;['linux'];SSHD PAM keylogger;81d7d2ad-d644-4b6a-bea7-28ffe43becca;False;6
collection;T1056.001;sh;['linux'];Auditd keylogger;a668edb9-334e-48eb-8c2e-5413a40867af;False;7
collection;T1056.001;bash;['macos'];MacOS Swift Keylogger;aee3a097-4c5c-4fff-bbd3-0a705867ae29;False;8
collection;T1123;powershell;['windows'];using device audio capture commandlet;9c3ad250-b185-4444-b5a9-d69218a10c95;True;1
collection;T1123;command_prompt;['windows'];Registry artefact when application use microphone;7a21cce2-6ada-4f7c-afd9-e1e9c481e44a;True;2
collection;T1123;sh;['macos'];using Quicktime Player;c7a0bb71-70ce-4a53-b115-881f241b795b;False;3
collection;T1074.001;powershell;['windows'];Stage data from Discovery.bat;107706a5-6f9f-451a-adae-bab8c667829f;True;1
collection;T1074.001;sh;['linux', 'macos'];Stage data from Discovery.sh;39ce0303-ae16-4b9e-bb5b-4f53e8262066;False;2
collection;T1074.001;powershell;['windows'];Zip a Folder with PowerShell for Staging in Temp;a57fbe4b-3440-452a-88a7-943531ac872a;True;3
collection;T1114.001;powershell;['windows'];Email Collection with PowerShell Get-Inbox;3f1b5096-0139-4736-9b78-19bcb02bb1cb;True;1
collection;T1119;command_prompt;['windows'];Automated Collection Command Prompt;cb379146-53f1-43e0-b884-7ce2c635ff5b;True;1
collection;T1119;powershell;['windows'];Automated Collection PowerShell;634bd9b9-dc83-4229-b19f-7f83ba9ad313;True;2
collection;T1119;powershell;['windows'];Recon information for export with PowerShell;c3f6d794-50dd-482f-b640-0384fbb7db26;True;3
collection;T1119;command_prompt;['windows'];Recon information for export with Command Prompt;aa1180e2-f329-4e1e-8625-2472ec0bfaf3;True;4
collection;T1115;command_prompt;['windows'];Utilize Clipboard to store or execute commands from;0cd14633-58d4-4422-9ede-daa2c9474ae7;True;1
collection;T1115;powershell;['windows'];Execute Commands from Clipboard using PowerShell;d6dc21af-bec9-4152-be86-326b6babd416;True;2
collection;T1115;bash;['macos'];Execute commands from clipboard;1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff;False;3
collection;T1115;powershell;['windows'];Collect Clipboard Data via VBA;9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52;True;4
collection;T1115;sh;['linux'];Add or copy content to clipboard with xClip;ee363e53-b083-4230-aff3-f8d955f2d5bb;False;5
collection;T1530;powershell;['iaas:azure'];Azure - Enumerate Azure Blobs with MicroBurst;3dab4bcc-667f-4459-aea7-4162dd2d6590;False;1
collection;T1530;powershell;['iaas:azure'];Azure - Scan for Anonymous Access to Azure Storage (Powershell);146af1f1-b74e-4aa7-9895-505eb559b4b0;False;2
collection;T1530;sh;['iaas:aws'];AWS - Scan for Anonymous Access to S3;979356b9-b588-4e49-bba4-c35517c484f5;False;3
collection;T1005;powershell;['windows'];Search files of interest and save them to a single zip file (Windows);d3d9af44-b8ad-4375-8b0a-4bff4b7e419c;False;1
collection;T1005;bash;['linux'];Find and dump sqlite databases (Linux);00cbb875-7ae4-4cf1-b638-e543fd825300;False;2
collection;T1560.002;sh;['linux'];Compressing data using GZip in Python (FreeBSD/Linux);391f5298-b12d-4636-8482-35d9c17d53a8;False;1
collection;T1560.002;sh;['linux'];Compressing data using bz2 in Python (FreeBSD/Linux);c75612b2-9de0-4d7c-879c-10d7b077072d;False;2
collection;T1560.002;sh;['linux'];Compressing data using zipfile in Python (FreeBSD/Linux);001a042b-859f-44d9-bf81-fd1c4e2200b0;False;3
collection;T1560.002;sh;['linux'];Compressing data using tarfile in Python (FreeBSD/Linux);e86f1b4b-fcc1-4a2a-ae10-b49da01458db;False;4
collection;T1560;powershell;['windows'];Compress Data for Exfiltration With PowerShell;41410c60-614d-4b9d-b66e-b0192dd9c597;True;1
collection;T1557.001;powershell;['windows'];LLMNR Poisoning with Inveigh (PowerShell);deecd55f-afe0-4a62-9fba-4d1ba2deb321;True;1
collection;T1125;command_prompt;['windows'];Registry artefact when application use webcam;6581e4a7-42e3-43c5-a0d2-5a0d62f9702a;True;1
collection;T1114.003;powershell;['office-365'];Office365 - Email Forwarding;3234117e-151d-4254-9150-3d0bac41e38c;False;1
collection;T1056.002;bash;['macos'];AppleScript - Prompt User for Password;76628574-0bc1-4646-8fe2-8f4427b47d15;False;1
collection;T1056.002;powershell;['windows'];PowerShell - Prompt User for Password;2b162bfd-0928-4d4c-9ec3-4d9f88374b52;True;2
collection;T1056.002;bash;['macos'];AppleScript - Spoofing a credential prompt using osascript;b7037b89-947a-427a-ba29-e7e9f09bc045;False;3
collection;T1039;command_prompt;['windows'];Copy a sensitive File over Administrative share with copy;6ed67921-1774-44ba-bac6-adb51ed60660;True;1
collection;T1039;powershell;['windows'];Copy a sensitive File over Administrative share with Powershell;7762e120-5879-44ff-97f8-008b401b9a98;True;2
collection;T1114.002;powershell;['office-365'];Office365 - Remote Mail Collected;36657d95-d9d6-4fbf-8a31-f4085607bafd;False;1
collection;T1056.004;powershell;['windows'];Hook PowerShell TLS Encrypt/Decrypt Messages;de1934ea-1fbf-425b-8795-65fb27dd7e33;True;1
lateral-movement;T1021.005;sh;['macos'];Enable Apple Remote Desktop Agent;8a930abe-841c-4d4f-a877-72e9fe90b9ea;False;1
lateral-movement;T1021.004;powershell;['linux'];ESXi - Enable SSH via PowerCLI;8f6c14d1-f13d-4616-b7fc-98cc69fe56ec;False;1
lateral-movement;T1091;powershell;['windows'];USB Malware Spread Simulation;d44b7297-622c-4be8-ad88-ec40d7563c75;False;1
lateral-movement;T1021.002;command_prompt;['windows'];Map admin share;3386975b-367a-4fbb-9d77-4dcf3639ffd3;True;1
lateral-movement;T1021.002;powershell;['windows'];Map Admin Share PowerShell;514e9cd7-9207-4882-98b1-c8f791bae3c5;True;2
lateral-movement;T1021.002;command_prompt;['windows'];Copy and Execute File with PsExec;0eb03d41-79e4-4393-8e57-6344856be1cf;True;3
lateral-movement;T1021.002;command_prompt;['windows'];Execute command writing output to local Admin Share;d41aaab5-bdfe-431d-a3d5-c29e9136ff46;True;4
lateral-movement;T1021.006;powershell;['windows'];Enable Windows Remote Management;9059e8de-3d7d-4954-a322-46161880b9cf;True;1
lateral-movement;T1021.006;powershell;['windows'];Remote Code Execution with PS Credentials Using Invoke-Command;5295bd61-bd7e-4744-9d52-85962a4cf2d6;True;2
lateral-movement;T1021.006;powershell;['windows'];WinRM Access with Evil-WinRM;efe86d95-44c4-4509-ae42-7bfd9d1f5b3d;True;3
lateral-movement;T1021.003;powershell;['windows'];PowerShell Lateral Movement using MMC20;6dc74eb1-c9d6-4c53-b3b5-6f50ae339673;True;1
lateral-movement;T1021.003;powershell;['windows'];PowerShell Lateral Movement Using Excel Application Object;505f24be-1c11-4694-b614-e01ae1cd2570;False;2
lateral-movement;T1550.003;command_prompt;['windows'];Mimikatz Kerberos Ticket Attack;dbf38128-7ba7-4776-bedf-cc2eed432098;True;1
lateral-movement;T1550.003;powershell;['windows'];Rubeus Kerberos Pass The Ticket;a2fc4ec5-12c6-4fb4-b661-961f23f359cb;True;2
lateral-movement;T1072;command_prompt;['windows'];Radmin Viewer Utility;b4988cad-6ed2-434d-ace5-ea2670782129;True;1
lateral-movement;T1072;command_prompt;['windows'];PDQ Deploy RAT;e447b83b-a698-4feb-bed1-a7aaf45c3443;True;2
lateral-movement;T1072;powershell;['windows'];Deploy 7-Zip Using Chocolatey;2169e8b0-2ee7-44cb-8a6e-d816a5db7d8a;False;3
lateral-movement;T1570;powershell;['windows'];Exfiltration Over SMB over QUIC (New-SmbMapping);d8d13303-159e-4f33-89f4-9f07812d016f;False;1
lateral-movement;T1570;powershell;['windows'];Exfiltration Over SMB over QUIC (NET USE);183235ca-8e6c-422c-88c2-3aa28c4825d9;False;2
lateral-movement;T1563.002;command_prompt;['windows'];RDP hijacking;a37ac520-b911-458e-8aed-c5f1576d9f46;True;1
lateral-movement;T1550.002;command_prompt;['windows'];Mimikatz Pass the Hash;ec23cef9-27d9-46e4-a68d-6f75f7b86908;True;1
lateral-movement;T1550.002;command_prompt;['windows'];crackmapexec Pass the Hash;eb05b028-16c8-4ad8-adea-6f5b219da9a9;True;2
lateral-movement;T1550.002;powershell;['windows'];Invoke-WMIExec Pass the Hash;f8757545-b00a-4e4e-8cfb-8cfb961ee713;True;3
lateral-movement;T1021.001;powershell;['windows'];RDP to DomainController;355d4632-8cb9-449d-91ce-b566d0253d3e;True;1
lateral-movement;T1021.001;powershell;['windows'];Changing RDP Port to Non Standard Port via Powershell;2f840dd4-8a2e-4f44-beb3-6b2399ea3771;True;2
lateral-movement;T1021.001;command_prompt;['windows'];Changing RDP Port to Non Standard Port via Command_Prompt;74ace21e-a31c-4f7d-b540-53e4eb6d1f73;True;3
lateral-movement;T1021.001;command_prompt;['windows'];Disable NLA for RDP via Command Prompt;01d1c6c0-faf0-408e-b368-752a02285cb2;False;4
credential-access;T1556.003;sh;['linux'];Malicious PAM rule;4b9dde80-ae22-44b1-a82a-644bf009eb9c;False;1
credential-access;T1556.003;sh;['linux'];Malicious PAM rule (freebsd);b17eacac-282d-4ca8-a240-46602cf863e3;False;2
credential-access;T1556.003;sh;['linux'];Malicious PAM module;65208808-3125-4a2e-8389-a0a00e9ab326;False;3
credential-access;T1056.001;powershell;['windows'];Input Capture;d9b633ca-8efb-45e6-b838-70f595c6ae26;True;1
credential-access;T1056.001;sh;['linux'];Living off the land Terminal Input Capture on Linux with pam.d;9c6bdb34-a89f-4b90-acb1-5970614c711b;False;2
credential-access;T1056.001;sh;['linux'];Logging bash history to syslog;0e59d59d-3265-4d35-bebd-bf5c1ec40db5;False;3
credential-access;T1056.001;sh;['linux'];Logging sh history to syslog/messages;b04284dc-3bd9-4840-8d21-61b8d31c99f2;False;4
credential-access;T1056.001;bash;['linux'];Bash session based keylogger;7f85a946-a0ea-48aa-b6ac-8ff539278258;False;5
credential-access;T1056.001;sh;['linux'];SSHD PAM keylogger;81d7d2ad-d644-4b6a-bea7-28ffe43becca;False;6
credential-access;T1056.001;sh;['linux'];Auditd keylogger;a668edb9-334e-48eb-8c2e-5413a40867af;False;7
credential-access;T1056.001;bash;['macos'];MacOS Swift Keylogger;aee3a097-4c5c-4fff-bbd3-0a705867ae29;False;8
credential-access;T1110.001;command_prompt;['windows'];Brute Force Credentials of single Active Directory domain users via SMB;09480053-2f98-4854-be6e-71ae5f672224;True;1
credential-access;T1110.001;powershell;['windows'];Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos);c2969434-672b-4ec8-8df0-bbb91f40e250;True;2
credential-access;T1110.001;powershell;['azure-ad'];Brute Force Credentials of single Azure AD user;5a51ef57-299e-4d62-8e11-2d440df55e69;False;3
credential-access;T1110.001;powershell;['windows'];Password Brute User using Kerbrute Tool;59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4;True;4
credential-access;T1110.001;bash;['linux'];SUDO Brute Force - Debian;ba1bf0b6-f32b-4db0-b7cc-d78cacc76700;False;5
credential-access;T1110.001;bash;['linux'];SUDO Brute Force - Redhat;4097bc00-5eeb-4d56-aaf9-287d60351d95;False;6
credential-access;T1110.001;bash;['linux'];SUDO Brute Force - FreeBSD;abcde488-e083-4ee7-bc85-a5684edd7541;False;7
credential-access;T1110.001;powershell;['windows'];ESXi - Brute Force Until Account Lockout;ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5;False;8
credential-access;T1003;command_prompt;['windows'];Gsecdump;96345bfc-8ae7-4b6a-80b7-223200f24ef9;True;1
credential-access;T1003;powershell;['windows'];Credential Dumping with NPPSpy;9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6;True;2
credential-access;T1003;powershell;['windows'];Dump svchost.exe to gather RDP credentials;d400090a-d8ca-4be0-982e-c70598a23de9;True;3
credential-access;T1003;powershell;['windows'];Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list);6c7a4fd3-5b0b-4b30-a93e-39411b25d889;True;4
credential-access;T1003;powershell;['windows'];Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config);42510244-5019-48fa-a0e5-66c3b76e6049;True;5
credential-access;T1003;powershell;['windows'];Dump Credential Manager using keymgr.dll and rundll32.exe;84113186-ed3c-4d0d-8a3c-8980c86c1f4a;True;6
credential-access;T1003;powershell;['windows'];Send NTLM Hash with RPC Test Connection;0b207037-813c-4444-ac3f-b597cf280a67;False;7
credential-access;T1539;powershell;['windows'];Steal Firefox Cookies (Windows);4b437357-f4e9-4c84-9fa6-9bcee6f826aa;True;1
credential-access;T1539;powershell;['windows'];Steal Chrome Cookies (Windows);26a6b840-4943-4965-8df5-ef1f9a282440;True;2
credential-access;T1539;bash;['macos'];Steal Chrome Cookies via Remote Debugging (Mac);e43cfdaf-3fb8-4a45-8de0-7eee8741d072;False;3
credential-access;T1003.002;command_prompt;['windows'];Registry dump of SAM, creds, and secrets;5c2571d0-1572-416d-9676-812e64ca9f44;True;1
credential-access;T1003.002;command_prompt;['windows'];Registry parse with pypykatz;a96872b2-cbf3-46cf-8eb4-27e8c0e85263;True;2
credential-access;T1003.002;command_prompt;['windows'];esentutl.exe SAM copy;a90c2f4d-6726-444e-99d2-a00cd7c20480;True;3
credential-access;T1003.002;powershell;['windows'];PowerDump Hashes and Usernames from Registry;804f28fc-68fc-40da-b5a2-e9d0bce5c193;True;4
credential-access;T1003.002;command_prompt;['windows'];dump volume shadow copy hives with certutil;eeb9751a-d598-42d3-b11c-c122d9c3f6c7;True;5
credential-access;T1003.002;powershell;['windows'];dump volume shadow copy hives with System.IO.File;9d77fed7-05f8-476e-a81b-8ff0472c64d0;True;6
credential-access;T1003.002;powershell;['windows'];WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes;0c0f5f06-166a-4f4d-bb4a-719df9a01dbb;True;7
credential-access;T1552.005;powershell;['azure-ad'];Azure - Search Azure AD User Attributes for Passwords;ae9b2e3e-efa1-4483-86e2-fae529ab9fb6;False;1
credential-access;T1552.005;powershell;['iaas:azure'];Azure - Dump Azure Instance Metadata from Virtual Machines;cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7;False;2
credential-access;T1110.002;command_prompt;['windows'];Password Cracking with Hashcat;6d27df5d-69d4-4c91-bc33-5983ffe91692;True;1
credential-access;T1555.001;sh;['macos'];Keychain Dump;88e1fa00-bf63-4e5b-a3e1-e2ea51c8cca6;False;1
credential-access;T1555.001;sh;['macos'];Export Certificate Item(s);1864fdec-ff86-4452-8c30-f12507582a93;False;2
credential-access;T1555.001;sh;['macos'];Import Certificate Item(s) into Keychain;e544bbcb-c4e0-4bd0-b614-b92131635f59;False;3
credential-access;T1003.004;command_prompt;['windows'];Dumping LSA Secrets;55295ab0-a703-433b-9ca4-ae13807de12f;True;1
credential-access;T1606.002;powershell;['azure-ad'];Golden SAML;b16a03bc-1089-4dcc-ad98-30fe8f3a2b31;False;1
credential-access;T1003.007;sh;['linux'];Dump individual process memory with sh (Local);7e91138a-8e74-456d-a007-973d67a0bb80;False;1
credential-access;T1003.007;sh;['linux'];Dump individual process memory with sh on FreeBSD (Local);fa37b633-e097-4415-b2b8-c5bf4c86e423;False;2
credential-access;T1003.007;sh;['linux'];Dump individual process memory with Python (Local);437b2003-a20d-4ed8-834c-4964f24eec63;False;3
credential-access;T1003.007;bash;['linux'];Capture Passwords with MimiPenguin;a27418de-bdce-4ebd-b655-38f04842bf0c;False;4
credential-access;T1040;bash;['linux'];Packet Capture Linux using tshark or tcpdump;7fe741f7-b265-4951-a7c7-320889083b3e;False;1
credential-access;T1040;sh;['linux'];Packet Capture FreeBSD using tshark or tcpdump;c93f2492-9ebe-44b5-8b45-36574cccfe67;False;2
credential-access;T1040;bash;['macos'];Packet Capture macOS using tcpdump or tshark;9d04efee-eff5-4240-b8d2-07792b873608;False;3
credential-access;T1040;command_prompt;['windows'];Packet Capture Windows Command Prompt;a5b2f6a0-24b4-493e-9590-c699f75723ca;True;4
credential-access;T1040;command_prompt;['windows'];Windows Internal Packet Capture;b5656f67-d67f-4de8-8e62-b5581630f528;True;5
credential-access;T1040;command_prompt;['windows'];Windows Internal pktmon capture;c67ba807-f48b-446e-b955-e4928cd1bf91;True;6
credential-access;T1040;command_prompt;['windows'];Windows Internal pktmon set filter;855fb8b4-b8ab-4785-ae77-09f5df7bff55;True;7
credential-access;T1040;bash;['macos'];Packet Capture macOS using /dev/bpfN with sudo;e6fe5095-545d-4c8b-a0ae-e863914be3aa;False;8
credential-access;T1040;bash;['macos'];Filtered Packet Capture macOS using /dev/bpfN with sudo;e2480aee-23f3-4f34-80ce-de221e27cd19;False;9
credential-access;T1040;sh;['linux'];Packet Capture FreeBSD using /dev/bpfN with sudo;e2028771-1bfb-48f5-b5e6-e50ee0942a14;False;10
credential-access;T1040;sh;['linux'];Filtered Packet Capture FreeBSD using /dev/bpfN with sudo;a3a0d4c9-c068-4563-a08d-583bd05b884c;False;11
credential-access;T1040;bash;['linux'];Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo;10c710c9-9104-4d5f-8829-5b65391e2a29;False;12
credential-access;T1040;bash;['linux'];Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo;7a0895f0-84c1-4adf-8491-a21510b1d4c1;False;13
credential-access;T1040;bash;['linux'];Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo;515575ab-d213-42b1-aa64-ef6a2dd4641b;False;14
credential-access;T1040;bash;['linux'];Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo;b1cbdf8b-6078-48f5-a890-11ea19d7f8e9;False;15
credential-access;T1040;powershell;['windows'];PowerShell Network Sniffing;9c15a7de-de14-46c3-bc2a-6d94130986ae;False;16
credential-access;T1552.002;command_prompt;['windows'];Enumeration for Credentials in Registry;b6ec082c-7384-46b3-a111-9a9b8b14e5e7;True;1
credential-access;T1552.002;command_prompt;['windows'];Enumeration for PuTTY Credentials in Registry;af197fd7-e868-448e-9bd5-05d1bcd9d9e5;True;2
credential-access;T1556.002;powershell;['windows'];Install and Register Password Filter DLL;a7961770-beb5-4134-9674-83d7e1fa865c;True;1
credential-access;T1558.004;powershell;['windows'];Rubeus asreproast;615bd568-2859-41b5-9aed-61f6a88e48dd;True;1
credential-access;T1558.004;powershell;['windows'];Get-DomainUser with PowerView;d6139549-7b72-4e48-9ea1-324fc9bdf88a;True;2
credential-access;T1558.004;powershell;['windows'];WinPwn - PowerSharpPack - Kerberoasting Using Rubeus;8c385f88-4d47-4c9a-814d-93d9deec8c71;True;3
credential-access;T1555;powershell;['windows'];Extract Windows Credential Manager via VBA;234f9b7c-b53d-4f32-897b-b880a6c9ea7b;True;1
credential-access;T1555;powershell;['windows'];Dump credentials from Windows Credential Manager With PowerShell [windows Credentials];c89becbe-1758-4e7d-a0f4-97d2188a23e3;True;2
credential-access;T1555;powershell;['windows'];Dump credentials from Windows Credential Manager With PowerShell [web Credentials];8fd5a296-6772-4766-9991-ff4e92af7240;True;3
credential-access;T1555;powershell;['windows'];Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials];36753ded-e5c4-4eb5-bc3c-e8fba236878d;True;4
credential-access;T1555;powershell;['windows'];Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials];bc071188-459f-44d5-901a-f8f2625b2d2e;True;5
credential-access;T1555;powershell;['windows'];WinPwn - Loot local Credentials - lazagne;079ee2e9-6f16-47ca-a635-14efcd994118;True;6
credential-access;T1555;powershell;['windows'];WinPwn - Loot local Credentials - Wifi Credentials;afe369c2-b42e-447f-98a3-fb1f4e2b8552;True;7
credential-access;T1555;powershell;['windows'];WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords;db965264-3117-4bad-b7b7-2523b7856b92;True;8
credential-access;T1552;sh;['linux', 'macos', 'iaas:aws'];AWS - Retrieve EC2 Password Data using stratus;a21118de-b11e-4ebd-b655-42f11142df0c;False;1
credential-access;T1555.003;powershell;['windows'];Run Chrome-password Collector;8c05b133-d438-47ca-a630-19cc464c4622;True;1
credential-access;T1555.003;sh;['macos'];Search macOS Safari Cookies;c1402f7b-67ca-43a8-b5f3-3143abedc01b;False;2
credential-access;T1555.003;command_prompt;['windows'];LaZagne - Credentials from Browser;9a2915b3-3954-4cce-8c76-00fbf4dbd014;True;3
credential-access;T1555.003;powershell;['windows'];Simulating access to Chrome Login Data;3d111226-d09a-4911-8715-fe11664f960d;True;4
credential-access;T1555.003;powershell;['windows'];Simulating access to Opera Login Data;28498c17-57e4-495a-b0be-cc1e36de408b;True;5
credential-access;T1555.003;powershell;['windows'];Simulating access to Windows Firefox Login Data;eb8da98a-2e16-4551-b3dd-83de49baa14c;True;6
credential-access;T1555.003;powershell;['windows'];Simulating access to Windows Edge Login Data;a6a5ec26-a2d1-4109-9d35-58b867689329;True;7
credential-access;T1555.003;powershell;['windows'];Decrypt Mozilla Passwords with Firepwd.py;dc9cd677-c70f-4df5-bd1c-f114af3c2381;True;8
credential-access;T1555.003;sh;['linux'];LaZagne.py - Dump Credentials from Firefox Browser;87e88698-621b-4c45-8a89-4eaebdeaabb1;False;9
credential-access;T1555.003;powershell;['windows'];Stage Popular Credential Files for Exfiltration;f543635c-1705-42c3-b180-efd6dc6e7ee7;True;10
credential-access;T1555.003;powershell;['windows'];WinPwn - BrowserPwn;764ea176-fb71-494c-90ea-72e9d85dce76;True;11
credential-access;T1555.003;powershell;['windows'];WinPwn - Loot local Credentials - mimi-kittenz;ec1d0b37-f659-4186-869f-31a554891611;True;12
credential-access;T1555.003;powershell;['windows'];WinPwn - PowerSharpPack - Sharpweb for Browser Credentials;e5e3d639-6ea8-4408-9ecd-d5a286268ca0;True;13
credential-access;T1555.003;sh;['macos'];Simulating Access to Chrome Login Data - MacOS;124e13e5-d8a1-4378-a6ee-a53cd0c7e369;False;14
credential-access;T1555.003;powershell;['windows'];WebBrowserPassView - Credentials from Browser;e359627f-2d90-4320-ba5e-b0f878155bbe;True;15
credential-access;T1555.003;powershell;['windows'];BrowserStealer (Chrome / Firefox / Microsoft Edge);6f2c5c87-a4d5-4898-9bd1-47a55ecaf1dd;True;16
credential-access;T1555.003;command_prompt;['windows'];Dump Chrome Login Data with esentutl;70422253-8198-4019-b617-6be401b49fce;False;17
credential-access;T1552.004;command_prompt;['windows'];Private Keys;520ce462-7ca7-441e-b5a5-f8347f632696;True;1
credential-access;T1552.004;sh;['linux', 'macos'];Discover Private SSH Keys;46959285-906d-40fa-9437-5a439accd878;False;2
credential-access;T1552.004;sh;['linux'];Copy Private SSH Keys with CP;7c247dc7-5128-4643-907b-73a76d9135c3;False;3
credential-access;T1552.004;sh;['linux'];Copy Private SSH Keys with CP (freebsd);12e4a260-a7fd-4ed8-bf18-1a28c1395775;False;4
credential-access;T1552.004;sh;['macos', 'linux'];Copy Private SSH Keys with rsync;864bb0b2-6bb5-489a-b43b-a77b3a16d68a;False;5
credential-access;T1552.004;sh;['linux'];Copy Private SSH Keys with rsync (freebsd);922b1080-0b95-42b0-9585-b9a5ea0af044;False;6
credential-access;T1552.004;sh;['macos', 'linux'];Copy the users GnuPG directory with rsync;2a5a0601-f5fb-4e2e-aa09-73282ae6afca;False;7
credential-access;T1552.004;sh;['linux'];Copy the users GnuPG directory with rsync (freebsd);b05ac39b-515f-48e9-88e9-2f141b5bcad0;False;8
credential-access;T1552.004;powershell;['windows'];ADFS token signing and encryption certificates theft - Local;78e95057-d429-4e66-8f82-0f060c1ac96f;True;9
credential-access;T1552.004;powershell;['windows'];ADFS token signing and encryption certificates theft - Remote;cab413d8-9e4a-4b8d-9b84-c985bd73a442;True;10
credential-access;T1552.004;powershell;['windows'];CertUtil ExportPFX;336b25bf-4514-4684-8924-474974f28137;True;11
credential-access;T1552.004;powershell;['windows'];Export Root Certificate with Export-PFXCertificate;7617f689-bbd8-44bc-adcd-6f8968897848;True;12
credential-access;T1552.004;powershell;['windows'];Export Root Certificate with Export-Certificate;78b274f8-acb0-428b-b1f7-7b0d0e73330a;True;13
credential-access;T1552.004;command_prompt;['windows'];Export Certificates with Mimikatz;290df60e-4b5d-4a5e-b0c7-dc5348ea0c86;True;14
credential-access;T1557.001;powershell;['windows'];LLMNR Poisoning with Inveigh (PowerShell);deecd55f-afe0-4a62-9fba-4d1ba2deb321;True;1
credential-access;T1003.001;command_prompt;['windows'];Dump LSASS.exe Memory using ProcDump;0be2230c-9ab3-4ac2-8826-3199b9a0ebf8;True;1
credential-access;T1003.001;powershell;['windows'];Dump LSASS.exe Memory using comsvcs.dll;2536dee2-12fb-459a-8c37-971844fa73be;True;2
credential-access;T1003.001;command_prompt;['windows'];Dump LSASS.exe Memory using direct system calls and API unhooking;7ae7102c-a099-45c8-b985-4c7a2d05790d;True;3
credential-access;T1003.001;command_prompt;['windows'];Dump LSASS.exe Memory using NanoDump;dddd4aca-bbed-46f0-984d-e4c5971c51ea;True;4
credential-access;T1003.001;manual;['windows'];Dump LSASS.exe Memory using Windows Task Manager;dea6c349-f1c6-44f3-87a1-1ed33a59a607;True;5
credential-access;T1003.001;command_prompt;['windows'];Offline Credential Theft With Mimikatz;453acf13-1dbd-47d7-b28a-172ce9228023;True;6
credential-access;T1003.001;command_prompt;['windows'];LSASS read with pypykatz;c37bc535-5c62-4195-9cc3-0517673171d8;False;7
credential-access;T1003.001;powershell;['windows'];Dump LSASS.exe Memory using Out-Minidump.ps1;6502c8f0-b775-4dbd-9193-1298f56b6781;True;8
credential-access;T1003.001;command_prompt;['windows'];Create Mini Dump of LSASS.exe using ProcDump;7cede33f-0acd-44ef-9774-15511300b24b;True;9
credential-access;T1003.001;powershell;['windows'];Powershell Mimikatz;66fb0bc1-3c3f-47e9-a298-550ecfefacbc;True;10
credential-access;T1003.001;powershell;['windows'];Dump LSASS with createdump.exe from .Net v5;9d0072c8-7cca-45c4-bd14-f852cfa35cf0;True;11
credential-access;T1003.001;powershell;['windows'];Dump LSASS.exe using imported Microsoft DLLs;86fc3f40-237f-4701-b155-81c01c48d697;True;12
credential-access;T1003.001;powershell;['windows'];Dump LSASS.exe using lolbin rdrleakdiag.exe;47a539d1-61b9-4364-bf49-a68bc2a95ef0;False;13
credential-access;T1003.001;command_prompt;['windows'];Dump LSASS.exe Memory through Silent Process Exit;eb5adf16-b601-4926-bca7-dad22adffb37;False;14
credential-access;T1110.003;command_prompt;['windows'];Password Spray all Domain Users;90bc2e54-6c84-47a5-9439-0a2a92b4b175;True;1
credential-access;T1110.003;powershell;['windows'];Password Spray (DomainPasswordSpray);263ae743-515f-4786-ac7d-41ef3a0d4b2b;True;2
credential-access;T1110.003;powershell;['windows'];Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos);f14d956a-5b6e-4a93-847f-0c415142f07d;True;3
credential-access;T1110.003;powershell;['azure-ad'];Password spray all Azure AD users with a single password;a8aa2d3e-1c52-4016-bc73-0f8854cfa80a;False;4
credential-access;T1110.003;powershell;['windows'];WinPwn - DomainPasswordSpray Attacks;5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82;True;5
credential-access;T1110.003;powershell;['windows'];Password Spray Invoke-DomainPasswordSpray Light;b15bc9a5-a4f3-4879-9304-ea0011ace63a;True;6
credential-access;T1110.003;powershell;['azure-ad'];Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365);f3a10056-0160-4785-8744-d9bd7c12dc39;False;7
credential-access;T1110.003;powershell;['windows'];Password Spray using Kerbrute Tool;c6f25ec3-6475-47a9-b75d-09ac593c5ecb;True;8
credential-access;T1110.003;sh;['iaas:aws'];AWS - Password Spray an AWS using GoAWSConsoleSpray;9c10d16b-20b1-403a-8e67-50ef7117ed4e;False;9
credential-access;T1003.005;command_prompt;['windows'];Cached Credential Dump via Cmdkey;56506854-89d6-46a3-9804-b7fde90791f9;True;1
credential-access;T1558.001;powershell;['windows'];Crafting Active Directory golden tickets with mimikatz;9726592a-dabc-4d4d-81cd-44070008b3af;True;1
credential-access;T1558.001;powershell;['windows'];Crafting Active Directory golden tickets with Rubeus;e42d33cd-205c-4acf-ab59-a9f38f6bad9c;True;2
credential-access;T1649;powershell;['windows'];Staging Local Certificates via Export-Certificate;eb121494-82d1-4148-9e2b-e624e03fbf3d;True;1
credential-access;T1552.003;sh;['linux', 'macos'];Search Through Bash History;3cfde62b-7c33-4b26-a61e-755d6131c8ce;False;1
credential-access;T1552.003;sh;['linux'];Search Through sh History;d87d3b94-05b4-40f2-a80f-99864ffa6803;False;2
credential-access;T1552.001;sh;['macos', 'linux'];Find AWS credentials;2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17;False;1
credential-access;T1552.001;bash;['macos'];Extract Browser and System credentials with LaZagne;9e507bb8-1d30-4e3b-a49b-cb5727d7ea79;False;2
credential-access;T1552.001;sh;['linux', 'macos'];Extract passwords with grep;bd4cf0d1-7646-474e-8610-78ccf5a097c4;False;3
credential-access;T1552.001;powershell;['windows'];Extracting passwords with findstr;0e56bf29-ff49-4ea5-9af4-3b81283fd513;True;4
credential-access;T1552.001;command_prompt;['windows'];Access unattend.xml;367d4004-5fc0-446d-823f-960c74ae52c3;True;5
credential-access;T1552.001;bash;['linux', 'macos'];Find and Access Github Credentials;da4f751a-020b-40d7-b9ff-d433b7799803;False;6
credential-access;T1552.001;powershell;['windows'];WinPwn - sensitivefiles;114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0;True;7
credential-access;T1552.001;powershell;['windows'];WinPwn - Snaffler;fdd0c913-714b-4c13-b40f-1824d6c015f2;True;8
credential-access;T1552.001;powershell;['windows'];WinPwn - powershellsensitive;75f66e03-37d3-4704-9520-3210efbe33ce;True;9
credential-access;T1552.001;powershell;['windows'];WinPwn - passhunt;00e3e3c7-6c3c-455e-bd4b-461c7f0e7797;True;10
credential-access;T1552.001;powershell;['windows'];WinPwn - SessionGopher;c9dc9de3-f961-4284-bd2d-f959c9f9fda5;True;11
credential-access;T1552.001;powershell;['windows'];WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials;aaa87b0e-5232-4649-ae5c-f1724a4b2798;True;12
credential-access;T1528;powershell;['iaas:azure'];Azure - Dump All Azure Key Vaults with Microburst;1b83cddb-eaa7-45aa-98a5-85fb0a8807ea;False;1
credential-access;T1552.006;command_prompt;['windows'];GPP Passwords (findstr);870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f;True;1
credential-access;T1552.006;powershell;['windows'];GPP Passwords (Get-GPPPassword);e9584f82-322c-474a-b831-940fd8b4455c;True;2
credential-access;T1056.002;bash;['macos'];AppleScript - Prompt User for Password;76628574-0bc1-4646-8fe2-8f4427b47d15;False;1
credential-access;T1056.002;powershell;['windows'];PowerShell - Prompt User for Password;2b162bfd-0928-4d4c-9ec3-4d9f88374b52;True;2
credential-access;T1056.002;bash;['macos'];AppleScript - Spoofing a credential prompt using osascript;b7037b89-947a-427a-ba29-e7e9f09bc045;False;3
credential-access;T1110.004;bash;['linux'];SSH Credential Stuffing From Linux;4f08197a-2a8a-472d-9589-cd2895ef22ad;False;1
credential-access;T1110.004;bash;['macos'];SSH Credential Stuffing From MacOS;d546a3d9-0be5-40c7-ad82-5a7d79e1b66b;False;2
credential-access;T1110.004;sh;['linux'];SSH Credential Stuffing From FreeBSD;a790d50e-7ebf-48de-8daa-d9367e0911d4;False;3
credential-access;T1110.004;powershell;['windows'];Brute Force:Credential Stuffing using Kerbrute Tool;4852c630-87a9-409b-bb5e-5dc12c9ebcde;True;4
credential-access;T1187;powershell;['windows'];PetitPotam;485ce873-2e65-4706-9c7e-ae3ab9e14213;True;1
credential-access;T1187;powershell;['windows'];WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS;7f06b25c-799e-40f1-89db-999c9cc84317;True;2
credential-access;T1187;powershell;['windows'];Trigger an authenticated RPC call to a target server with no Sign flag set;81cfdd7f-1f41-4cc5-9845-bb5149438e37;False;3
credential-access;T1003.008;bash;['linux'];Access /etc/shadow (Local);3723ab77-c546-403c-8fb4-bb577033b235;False;1
credential-access;T1003.008;sh;['linux'];Access /etc/master.passwd (Local);5076874f-a8e6-4077-8ace-9e5ab54114a5;False;2
credential-access;T1003.008;sh;['linux'];Access /etc/passwd (Local);60e860b6-8ae6-49db-ad07-5e73edd88f5d;False;3
credential-access;T1003.008;sh;['linux'];Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat;df1a55ae-019d-4120-bc35-94f4bc5c4b0a;False;4
credential-access;T1003.008;sh;['linux'];Access /etc/{shadow,passwd,master.passwd} with shell builtins;f5aa6543-6cb2-4fae-b9c2-b96e14721713;False;5
credential-access;T1558.002;powershell;['windows'];Crafting Active Directory silver tickets with mimikatz;385e59aa-113e-4711-84d9-f637aef01f2c;True;1
credential-access;T1555.004;command_prompt;['windows'];Access Saved Credentials via VaultCmd;9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439;True;1
credential-access;T1555.004;powershell;['windows'];WinPwn - Loot local Credentials - Invoke-WCMDump;fa714db1-63dd-479e-a58e-7b2b52ca5997;True;2
credential-access;T1003.003;command_prompt;['windows'];Create Volume Shadow Copy with vssadmin;dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f;True;1
credential-access;T1003.003;command_prompt;['windows'];Copy NTDS.dit from Volume Shadow Copy;c6237146-9ea6-4711-85c9-c56d263a6b03;True;2
credential-access;T1003.003;command_prompt;['windows'];Dump Active Directory Database with NTDSUtil;2364e33d-ceab-4641-8468-bfb1d7cc2723;True;3
credential-access;T1003.003;command_prompt;['windows'];Create Volume Shadow Copy with WMI;224f7de0-8f0a-4a94-b5d8-989b036c86da;True;4
credential-access;T1003.003;command_prompt;['windows'];Create Volume Shadow Copy remotely with WMI;d893459f-71f0-484d-9808-ec83b2b64226;True;5
credential-access;T1003.003;command_prompt;['windows'];Create Volume Shadow Copy remotely (WMI) with esentutl;21c7bf80-3e8b-40fa-8f9d-f5b194ff2865;True;6
credential-access;T1003.003;powershell;['windows'];Create Volume Shadow Copy with Powershell;542bb97e-da53-436b-8e43-e0a7d31a6c24;True;7
credential-access;T1003.003;command_prompt;['windows'];Create Symlink to Volume Shadow Copy;21748c28-2793-4284-9e07-d6d028b66702;True;8
credential-access;T1003.003;command_prompt;['windows'];Create Volume Shadow Copy with diskshadow;b385996c-0e7d-4e27-95a4-aca046b119a7;False;9
credential-access;T1558.003;powershell;['windows'];Request for service tickets;3f987809-3681-43c8-bcd8-b3ff3a28533a;True;1
credential-access;T1558.003;powershell;['windows'];Rubeus kerberoast;14625569-6def-4497-99ac-8e7817105b55;True;2
credential-access;T1558.003;command_prompt;['windows'];Extract all accounts in use as SPN using setspn;e6f4affd-d826-4871-9a62-6c9004b8fe06;True;3
credential-access;T1558.003;powershell;['windows'];Request A Single Ticket via PowerShell;988539bc-2ed7-4e62-aec6-7c5cf6680863;True;4
credential-access;T1558.003;powershell;['windows'];Request All Tickets via PowerShell;902f4ed2-1aba-4133-90f2-cff6d299d6da;True;5
credential-access;T1558.003;powershell;['windows'];WinPwn - Kerberoasting;78d10e20-c874-45f2-a9df-6fea0120ec27;True;6
credential-access;T1558.003;powershell;['windows'];WinPwn - PowerSharpPack - Kerberoasting Using Rubeus;29094950-2c96-4cbd-b5e4-f7c65079678f;True;7
credential-access;T1003.006;command_prompt;['windows'];DCSync (Active Directory);129efd28-8497-4c87-a1b0-73b9a870ca3e;True;1
credential-access;T1003.006;powershell;['windows'];Run DSInternals Get-ADReplAccount;a0bced08-3fc5-4d8b-93b7-e8344739376e;True;2
credential-access;T1056.004;powershell;['windows'];Hook PowerShell TLS Encrypt/Decrypt Messages;de1934ea-1fbf-425b-8795-65fb27dd7e33;True;1
credential-access;T1552.007;bash;['containers'];List All Secrets;31e794c4-48fd-4a76-aca4-6587c155bc11;False;1
credential-access;T1552.007;bash;['containers'];ListSecrets;43c3a49d-d15c-45e6-b303-f6e177e44a9a;False;2
credential-access;T1552.007;sh;['linux'];Cat the contents of a Kubernetes service account token file;788e0019-a483-45da-bcfe-96353d46820f;False;3
discovery;T1033;command_prompt;['windows'];System Owner/User Discovery;4c4959bf-addf-4b4a-be86-8d09cc1857aa;True;1
discovery;T1033;sh;['linux', 'macos'];System Owner/User Discovery;2a9b677d-a230-44f4-ad86-782df1ef108c;False;2
discovery;T1033;powershell;['windows'];Find computers where user has session - Stealth mode (PowerView);29857f27-a36f-4f7e-8084-4557cd6207ca;True;3
discovery;T1033;powershell;['windows'];User Discovery With Env Vars PowerShell Script;dcb6cdee-1fb0-4087-8bf8-88cfd136ba51;True;4
discovery;T1033;powershell;['windows'];GetCurrent User with PowerShell Script;1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b;True;5
discovery;T1033;powershell;['windows'];System Discovery - SocGholish whoami;3d257a03-eb80-41c5-b744-bb37ac7f65c7;True;6
discovery;T1033;command_prompt;['windows'];System Owner/User Discovery Using Command Prompt;ba38e193-37a6-4c41-b214-61b33277fe36;True;7
discovery;T1613;sh;['containers'];Docker Container and Resource Discovery;ea2255df-d781-493b-9693-ac328f9afc3f;False;1
discovery;T1613;sh;['containers'];Podman Container and Resource Discovery;fc631702-3f03-4f2b-8d8a-6b3d055580a1;False;2
discovery;T1615;command_prompt;['windows'];Display group policy information via gpresult;0976990f-53b1-4d3f-a185-6df5be429d3b;True;1
discovery;T1615;powershell;['windows'];Get-DomainGPO to display group policy information via PowerView;4e524c4e-0e02-49aa-8df5-93f3f7959b9f;True;2
discovery;T1615;powershell;['windows'];WinPwn - GPOAudit;bc25c04b-841e-4965-855f-d1f645d7ab73;True;3
discovery;T1615;powershell;['windows'];WinPwn - GPORemoteAccessPolicy;7230d01a-0a72-4bd5-9d7f-c6d472bc6a59;True;4
discovery;T1615;powershell;['windows'];MSFT Get-GPO Cmdlet;52778a8f-a10b-41a4-9eae-52ddb74072bf;True;5
discovery;T1087.002;command_prompt;['windows'];Enumerate all accounts (Domain);6fbc9e68-5ad7-444a-bd11-8bf3136c477e;True;1
discovery;T1087.002;powershell;['windows'];Enumerate all accounts via PowerShell (Domain);8b8a6449-be98-4f42-afd2-dedddc7453b2;True;2
discovery;T1087.002;command_prompt;['windows'];Enumerate logged on users via CMD (Domain);161dcd85-d014-4f5e-900c-d3eaae82a0f7;True;3
discovery;T1087.002;powershell;['windows'];Automated AD Recon (ADRecon);95018438-454a-468c-a0fa-59c800149b59;True;4
discovery;T1087.002;command_prompt;['windows'];Adfind -Listing password policy;736b4f53-f400-4c22-855d-1a6b5a551600;True;5
discovery;T1087.002;command_prompt;['windows'];Adfind - Enumerate Active Directory Admins;b95fd967-4e62-4109-b48d-265edfd28c3a;True;6
discovery;T1087.002;command_prompt;['windows'];Adfind - Enumerate Active Directory User Objects;e1ec8d20-509a-4b9a-b820-06c9b2da8eb7;True;7
discovery;T1087.002;command_prompt;['windows'];Adfind - Enumerate Active Directory Exchange AD Objects;5e2938fb-f919-47b6-8b29-2f6a1f718e99;True;8
discovery;T1087.002;command_prompt;['windows'];Enumerate Default Domain Admin Details (Domain);c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef;True;9
discovery;T1087.002;powershell;['windows'];Enumerate Active Directory for Unconstrained Delegation;46f8dbe9-22a5-4770-8513-66119c5be63b;True;10
discovery;T1087.002;powershell;['windows'];Get-DomainUser with PowerView;93662494-5ed7-4454-a04c-8c8372808ac2;True;11
discovery;T1087.002;powershell;['windows'];Enumerate Active Directory Users with ADSISearcher;02e8be5a-3065-4e54-8cc8-a14d138834d3;True;12
discovery;T1087.002;powershell;['windows'];Enumerate Linked Policies In ADSISearcher Discovery;7ab0205a-34e4-4a44-9b04-e1541d1a57be;True;13
discovery;T1087.002;powershell;['windows'];Enumerate Root Domain linked policies Discovery;00c652e2-0750-4ca6-82ff-0204684a6fe4;True;14
discovery;T1087.002;powershell;['windows'];WinPwn - generaldomaininfo;ce483c35-c74b-45a7-a670-631d1e69db3d;True;15
discovery;T1087.002;powershell;['windows'];Kerbrute - userenum;f450461c-18d1-4452-9f0d-2c42c3f08624;True;16
discovery;T1087.002;powershell;['windows'];Wevtutil - Discover NTLM Users Remote;b8a563d4-a836-4993-a74e-0a19b8481bfe;True;17
discovery;T1087.002;powershell;['windows'];Suspicious LAPS Attributes Query with Get-ADComputer all properties;394012d9-2164-4d4f-b9e5-acf30ba933fe;False;18
discovery;T1087.002;powershell;['windows'];Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property;6e85bdf9-7bc4-4259-ac0f-f0cb39964443;False;19
discovery;T1087.002;powershell;['windows'];Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope;ffbcfd62-15d6-4989-a21a-80bfc8e58bb5;False;20
discovery;T1087.002;powershell;['windows'];Suspicious LAPS Attributes Query with adfind all properties;abf00f6c-9983-4d9a-afbc-6b1c6c6448e1;False;21
discovery;T1087.002;powershell;['windows'];Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd;51a98f96-0269-4e09-a10f-e307779a8b05;False;22
discovery;T1087.002;sh;['linux'];Active Directory Domain Search;096b6d2a-b63f-4100-8fa0-525da4cd25ca;False;23
discovery;T1087.002;sh;['linux'];Account Enumeration with LDAPDomainDump;a54d497e-8dbe-4558-9895-44944baa395f;False;24
discovery;T1087.001;sh;['linux'];Enumerate all accounts (Local);f8aab3dd-5990-4bf8-b8ab-2226c951696f;False;1
discovery;T1087.001;sh;['linux', 'macos'];View sudoers access;fed9be70-0186-4bde-9f8a-20945f9370c2;False;2
discovery;T1087.001;sh;['linux', 'macos'];View accounts with UID 0;c955a599-3653-4fe5-b631-f11c00eb0397;False;3
discovery;T1087.001;sh;['linux', 'macos'];List opened files by user;7e46c7a5-0142-45be-a858-1a3ecb4fd3cb;False;4
discovery;T1087.001;sh;['linux'];Show if a user account has ever logged in remotely;0f0b6a29-08c3-44ad-a30b-47fd996b2110;False;5
discovery;T1087.001;sh;['linux', 'macos'];Enumerate users and groups;e6f36545-dc1e-47f0-9f48-7f730f54a02e;False;6
discovery;T1087.001;sh;['macos'];Enumerate users and groups;319e9f6c-7a9e-432e-8c62-9385c803b6f2;False;7
discovery;T1087.001;command_prompt;['windows'];Enumerate all accounts on Windows (Local);80887bec-5a9b-4efc-a81d-f83eb2eb32ab;True;8
discovery;T1087.001;powershell;['windows'];Enumerate all accounts via PowerShell (Local);ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b;True;9
discovery;T1087.001;command_prompt;['windows'];Enumerate logged on users via CMD (Local);a138085e-bfe5-46ba-a242-74a6fb884af3;True;10
discovery;T1497.001;sh;['linux'];Detect Virtualization Environment (Linux);dfbd1a21-540d-4574-9731-e852bd6fe840;False;1
discovery;T1497.001;sh;['linux'];Detect Virtualization Environment (FreeBSD);e129d73b-3e03-4ae9-bf1e-67fc8921e0fd;False;2
discovery;T1497.001;powershell;['windows'];Detect Virtualization Environment (Windows);502a7dc4-9d6f-4d28-abf2-f0e84692562d;True;3
discovery;T1497.001;sh;['macos'];Detect Virtualization Environment (MacOS);a960185f-aef6-4547-8350-d1ce16680d09;False;4
discovery;T1497.001;powershell;['windows'];Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows);4a41089a-48e0-47aa-82cb-5b81a463bc78;True;5
discovery;T1069.002;command_prompt;['windows'];Basic Permission Groups Discovery Windows (Domain);dd66d77d-8998-48c0-8024-df263dc2ce5d;True;1
discovery;T1069.002;powershell;['windows'];Permission Groups Discovery PowerShell (Domain);6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7;True;2
discovery;T1069.002;command_prompt;['windows'];Elevated group enumeration using net group (Domain);0afb5163-8181-432e-9405-4322710c0c37;True;3
discovery;T1069.002;powershell;['windows'];Find machines where user has local admin access (PowerView);a2d71eee-a353-4232-9f86-54f4288dd8c1;True;4
discovery;T1069.002;powershell;['windows'];Find local admins on all machines in domain (PowerView);a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd;True;5
discovery;T1069.002;powershell;['windows'];Find Local Admins via Group Policy (PowerView);64fdb43b-5259-467a-b000-1b02c00e510a;True;6
discovery;T1069.002;powershell;['windows'];Enumerate Users Not Requiring Pre Auth (ASRepRoast);870ba71e-6858-4f6d-895c-bb6237f6121b;True;7
discovery;T1069.002;command_prompt;['windows'];Adfind - Query Active Directory Groups;48ddc687-82af-40b7-8472-ff1e742e8274;True;8
discovery;T1069.002;powershell;['windows'];Enumerate Active Directory Groups with Get-AdGroup;3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8;True;9
discovery;T1069.002;powershell;['windows'];Enumerate Active Directory Groups with ADSISearcher;9f4e344b-8434-41b3-85b1-d38f29d148d0;True;10
discovery;T1069.002;powershell;['windows'];Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting);43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8;True;11
discovery;T1069.002;powershell;['windows'];Get-DomainGroupMember with PowerView;46352f40-f283-4fe5-b56d-d9a71750e145;True;12
discovery;T1069.002;powershell;['windows'];Get-DomainGroup with PowerView;5a8a181c-2c8e-478d-a943-549305a01230;True;13
discovery;T1069.002;command_prompt;['windows'];Active Directory Enumeration with LDIFDE;22cf8cb9-adb1-4e8c-80ca-7c723dfc8784;True;14
discovery;T1069.002;sh;['linux'];Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS;d58d749c-4450-4975-a9e9-8b1d562755c2;False;15
discovery;T1007;command_prompt;['windows'];System Service Discovery;89676ba1-b1f8-47ee-b940-2e1a113ebc71;True;1
discovery;T1007;command_prompt;['windows'];System Service Discovery - net.exe;5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3;True;2
discovery;T1007;bash;['linux'];System Service Discovery - systemctl/service;f4b26bce-4c2c-46c0-bcc5-fce062d38bef;False;3
discovery;T1040;bash;['linux'];Packet Capture Linux using tshark or tcpdump;7fe741f7-b265-4951-a7c7-320889083b3e;False;1
discovery;T1040;sh;['linux'];Packet Capture FreeBSD using tshark or tcpdump;c93f2492-9ebe-44b5-8b45-36574cccfe67;False;2
discovery;T1040;bash;['macos'];Packet Capture macOS using tcpdump or tshark;9d04efee-eff5-4240-b8d2-07792b873608;False;3
discovery;T1040;command_prompt;['windows'];Packet Capture Windows Command Prompt;a5b2f6a0-24b4-493e-9590-c699f75723ca;True;4
discovery;T1040;command_prompt;['windows'];Windows Internal Packet Capture;b5656f67-d67f-4de8-8e62-b5581630f528;True;5
discovery;T1040;command_prompt;['windows'];Windows Internal pktmon capture;c67ba807-f48b-446e-b955-e4928cd1bf91;True;6
discovery;T1040;command_prompt;['windows'];Windows Internal pktmon set filter;855fb8b4-b8ab-4785-ae77-09f5df7bff55;True;7
discovery;T1040;bash;['macos'];Packet Capture macOS using /dev/bpfN with sudo;e6fe5095-545d-4c8b-a0ae-e863914be3aa;False;8
discovery;T1040;bash;['macos'];Filtered Packet Capture macOS using /dev/bpfN with sudo;e2480aee-23f3-4f34-80ce-de221e27cd19;False;9
discovery;T1040;sh;['linux'];Packet Capture FreeBSD using /dev/bpfN with sudo;e2028771-1bfb-48f5-b5e6-e50ee0942a14;False;10
discovery;T1040;sh;['linux'];Filtered Packet Capture FreeBSD using /dev/bpfN with sudo;a3a0d4c9-c068-4563-a08d-583bd05b884c;False;11
discovery;T1040;bash;['linux'];Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo;10c710c9-9104-4d5f-8829-5b65391e2a29;False;12
discovery;T1040;bash;['linux'];Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo;7a0895f0-84c1-4adf-8491-a21510b1d4c1;False;13
discovery;T1040;bash;['linux'];Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo;515575ab-d213-42b1-aa64-ef6a2dd4641b;False;14
discovery;T1040;bash;['linux'];Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo;b1cbdf8b-6078-48f5-a890-11ea19d7f8e9;False;15
discovery;T1040;powershell;['windows'];PowerShell Network Sniffing;9c15a7de-de14-46c3-bc2a-6d94130986ae;False;16
discovery;T1135;sh;['macos'];Network Share Discovery;f94b5ad9-911c-4eff-9718-fd21899db4f7;False;1
discovery;T1135;bash;['linux'];Network Share Discovery - linux;875805bc-9e86-4e87-be86-3a5527315cae;False;2
discovery;T1135;sh;['linux'];Network Share Discovery - FreeBSD;77e468a6-3e5c-45a1-9948-c4b5603747cb;False;3
discovery;T1135;command_prompt;['windows'];Network Share Discovery command prompt;20f1097d-81c1-405c-8380-32174d493bbb;True;4
discovery;T1135;powershell;['windows'];Network Share Discovery PowerShell;1b0814d1-bb24-402d-9615-1b20c50733fb;True;5
discovery;T1135;command_prompt;['windows'];View available share drives;ab39a04f-0c93-4540-9ff2-83f862c385ae;True;6
discovery;T1135;powershell;['windows'];Share Discovery with PowerView;b1636f0a-ba82-435c-b699-0d78794d8bfd;True;7
discovery;T1135;powershell;['windows'];PowerView ShareFinder;d07e4cc1-98ae-447e-9d31-36cb430d28c4;True;8
discovery;T1135;powershell;['windows'];WinPwn - shareenumeration;987901d1-5b87-4558-a6d9-cffcabc638b8;True;9
discovery;T1135;command_prompt;['windows'];Network Share Discovery via dir command;13daa2cf-195a-43df-a8bd-7dd5ffb607b5;False;10
discovery;T1135;powershell;['windows'];Enumerate All Network Shares with SharpShares;d1fa2a69-b0a2-4e8a-9112-529b00c19a41;False;11
discovery;T1135;powershell;['windows'];Enumerate All Network Shares with Snaffler;b19d74b7-5e72-450a-8499-82e49e379d1a;False;12
discovery;T1120;powershell;['windows'];Win32_PnPEntity Hardware Inventory;2cb4dbf2-2dca-4597-8678-4d39d207a3a5;True;1
discovery;T1120;powershell;['windows'];WinPwn - printercheck;cb6e76ca-861e-4a7f-be08-564caa3e6f75;True;2
discovery;T1120;command_prompt;['windows'];Peripheral Device Discovery via fsutil;424e18fd-48b8-4201-8d3a-bf591523a686;False;3
discovery;T1082;command_prompt;['windows'];System Information Discovery;66703791-c902-4560-8770-42b8a91f7667;True;1
discovery;T1082;sh;['macos'];System Information Discovery;edff98ec-0f73-4f63-9890-6b117092aff6;False;2
discovery;T1082;sh;['linux', 'macos'];List OS Information;cccb070c-df86-4216-a5bc-9fb60c74e27c;False;3
discovery;T1082;bash;['linux'];Linux VM Check via Hardware;31dad7ad-2286-4c02-ae92-274418c85fec;False;4
discovery;T1082;bash;['linux'];Linux VM Check via Kernel Modules;8057d484-0fae-49a4-8302-4812c4f1e64e;False;5
discovery;T1082;sh;['linux'];FreeBSD VM Check via Kernel Modules;eefe6a49-d88b-41d8-8fc2-b46822da90d3;False;6
discovery;T1082;command_prompt;['windows'];Hostname Discovery (Windows);85cfbf23-4a1e-4342-8792-007e004b975f;True;7
discovery;T1082;sh;['linux', 'macos'];Hostname Discovery;486e88ea-4f56-470f-9b57-3f4d73f39133;False;8
discovery;T1082;command_prompt;['windows'];Windows MachineGUID Discovery;224b4daf-db44-404e-b6b2-f4d1f0126ef8;True;9
discovery;T1082;powershell;['windows'];Griffon Recon;69bd4abe-8759-49a6-8d21-0f15822d6370;True;10
discovery;T1082;command_prompt;['windows'];Environment variables discovery on windows;f400d1c0-1804-4ff8-b069-ef5ddd2adbf3;False;11
discovery;T1082;sh;['linux', 'macos'];Environment variables discovery on freebsd, macos and linux;fcbdd43f-f4ad-42d5-98f3-0218097e2720;False;12
discovery;T1082;sh;['macos'];Show System Integrity Protection status (MacOS);327cc050-9e99-4c8e-99b5-1d15f2fb6b96;False;13
discovery;T1082;powershell;['windows'];WinPwn - winPEAS;eea1d918-825e-47dd-acc2-814d6c58c0e1;True;14
discovery;T1082;powershell;['windows'];WinPwn - itm4nprivesc;3d256a2f-5e57-4003-8eb6-64d91b1da7ce;True;15
discovery;T1082;powershell;['windows'];WinPwn - Powersploits privesc checks;345cb8e4-d2de-4011-a580-619cf5a9e2d7;True;16
discovery;T1082;powershell;['windows'];WinPwn - General privesc checks;5b6f39a2-6ec7-4783-a5fd-2c54a55409ed;True;17
discovery;T1082;powershell;['windows'];WinPwn - GeneralRecon;7804659b-fdbf-4cf6-b06a-c03e758590e8;True;18
discovery;T1082;powershell;['windows'];WinPwn - Morerecon;3278b2f6-f733-4875-9ef4-bfed34244f0a;True;19
discovery;T1082;powershell;['windows'];WinPwn - RBCD-Check;dec6a0d8-bcaf-4c22-9d48-2aee59fb692b;True;20
discovery;T1082;powershell;['windows'];WinPwn - PowerSharpPack - Watson searching for missing windows patches;07b18a66-6304-47d2-bad0-ef421eb2e107;True;21
discovery;T1082;powershell;['windows'];WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors;efb79454-1101-4224-a4d0-30c9c8b29ffc;True;22
discovery;T1082;powershell;['windows'];WinPwn - PowerSharpPack - Seatbelt;5c16ceb4-ba3a-43d7-b848-a13c1f216d95;True;23
discovery;T1082;powershell;['azure-ad'];Azure Security Scan with SkyArk;26a18d3d-f8bc-486b-9a33-d6df5d78a594;False;24
discovery;T1082;sh;['linux'];Linux List Kernel Modules;034fe21c-3186-49dd-8d5d-128b35f181c7;False;25
discovery;T1082;sh;['linux'];FreeBSD List Kernel Modules;4947897f-643a-4b75-b3f5-bed6885749f6;False;26
discovery;T1082;command_prompt;['windows'];System Information Discovery with WMIC;8851b73a-3624-4bf7-8704-aa312411565c;True;27
discovery;T1082;command_prompt;['windows'];Driver Enumeration using DriverQuery;bd85e3d1-4aeb-4a1d-850f-7be3cb8d60b9;False;28
discovery;T1082;command_prompt;['windows'];System Information Discovery;4060ee98-01ae-4c8e-8aad-af8300519cc7;False;29
discovery;T1082;command_prompt;['windows'];Check computer location;96be6002-9200-47db-94cb-c3e27de1cb36;False;30
discovery;T1082;command_prompt;['windows'];BIOS Information Discovery through Registry;f2f91612-d904-49d7-87c2-6c165d23bead;False;31
discovery;T1082;command_prompt;['linux'];ESXi - VM Discovery using ESXCLI;2040405c-eea6-4c1c-aef3-c2acc430fac9;False;32
discovery;T1082;command_prompt;['linux'];ESXi - Darkside system information discovery;f89812e5-67d1-4f49-86fa-cbc6609ea86a;False;33
discovery;T1016.002;command_prompt;['windows'];Enumerate Stored Wi-Fi Profiles And Passwords via netsh;53cf1903-0fa7-4177-ab14-f358ae809eec;False;1
discovery;T1010;command_prompt;['windows'];List Process Main Windows - C# .NET;fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4;True;1
discovery;T1580;sh;['linux', 'macos', 'iaas:aws'];AWS - EC2 Enumeration from Cloud Instance;99ee161b-dcb1-4276-8ecb-7cfdcb207820;False;1
discovery;T1580;command_prompt;['iaas:aws'];AWS - EC2 Security Group Enumeration;99b38f24-5acc-4aa3-85e5-b7f97a5d37ac;False;2
discovery;T1217;sh;['linux'];List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux;3a41f169-a5ab-407f-9269-abafdb5da6c2;False;1
discovery;T1217;sh;['macos'];List Mozilla Firefox Bookmark Database Files on macOS;1ca1f9c7-44bc-46bb-8c85-c50e2e94267b;False;2
discovery;T1217;sh;['macos'];List Google Chrome Bookmark JSON Files on macOS;b789d341-154b-4a42-a071-9111588be9bc;False;3
discovery;T1217;sh;['linux'];List Google Chromium Bookmark JSON Files on FreeBSD;88ca025b-3040-44eb-9168-bd8af22b82fa;False;4
discovery;T1217;powershell;['windows'];List Google Chrome / Opera Bookmarks on Windows with powershell;faab755e-4299-48ec-8202-fc7885eb6545;True;5
discovery;T1217;command_prompt;['windows'];List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt;76f71e2f-480e-4bed-b61e-398fe17499d5;True;6
discovery;T1217;command_prompt;['windows'];List Mozilla Firefox bookmarks on Windows with command prompt;4312cdbc-79fc-4a9c-becc-53d49c734bc5;True;7
discovery;T1217;command_prompt;['windows'];List Internet Explorer Bookmarks using the command prompt;727dbcdb-e495-4ab1-a6c4-80c7f77aef85;True;8
discovery;T1217;sh;['macos'];List Safari Bookmarks on MacOS;5fc528dd-79de-47f5-8188-25572b7fafe0;False;9
discovery;T1016;command_prompt;['windows'];System Network Configuration Discovery on Windows;970ab6a1-0157-4f3f-9a73-ec4166754b23;True;1
discovery;T1016;command_prompt;['windows'];List Windows Firewall Rules;038263cb-00f4-4b0a-98ae-0696c67e1752;True;2
discovery;T1016;sh;['macos', 'linux'];System Network Configuration Discovery;c141bbdb-7fca-4254-9fd6-f47e79447e17;False;3
discovery;T1016;command_prompt;['windows'];System Network Configuration Discovery (TrickBot Style);dafaf052-5508-402d-bf77-51e0700c02e2;True;4
discovery;T1016;powershell;['windows'];List Open Egress Ports;4b467538-f102-491d-ace7-ed487b853bf5;True;5
discovery;T1016;command_prompt;['windows'];Adfind - Enumerate Active Directory Subnet Objects;9bb45dd7-c466-4f93-83a1-be30e56033ee;True;6
discovery;T1016;command_prompt;['windows'];Qakbot Recon;121de5c6-5818-4868-b8a7-8fd07c455c1b;True;7
discovery;T1016;bash;['macos'];List macOS Firewall Rules;ff1d8c25-2aa4-4f18-a425-fede4a41ee88;False;8
discovery;T1016;command_prompt;['windows'];DNS Server Discovery Using nslookup;34557863-344a-468f-808b-a1bfb89b4fa9;True;9
discovery;T1482;command_prompt;['windows'];Windows - Discover domain trusts with dsquery;4700a710-c821-4e17-a3ec-9e4c81d6845f;True;1
discovery;T1482;command_prompt;['windows'];Windows - Discover domain trusts with nltest;2e22641d-0498-48d2-b9ff-c71e496ccdbe;True;2
discovery;T1482;powershell;['windows'];Powershell enumerate domains and forests;c58fbc62-8a62-489e-8f2d-3565d7d96f30;True;3
discovery;T1482;command_prompt;['windows'];Adfind - Enumerate Active Directory OUs;d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec;True;4
discovery;T1482;command_prompt;['windows'];Adfind - Enumerate Active Directory Trusts;15fe436d-e771-4ff3-b655-2dca9ba52834;True;5
discovery;T1482;powershell;['windows'];Get-DomainTrust with PowerView;f974894c-5991-4b19-aaf5-7cc2fe298c5d;True;6
discovery;T1482;powershell;['windows'];Get-ForestTrust with PowerView;58ed10e8-0738-4651-8408-3a3e9a526279;True;7
discovery;T1482;command_prompt;['windows'];TruffleSnout - Listing AD Infrastructure;ea1b4f2d-5b82-4006-b64f-f2845608a3bf;True;8
discovery;T1083;command_prompt;['windows'];File and Directory Discovery (cmd.exe);0e36303b-6762-4500-b003-127743b80ba6;True;1
discovery;T1083;powershell;['windows'];File and Directory Discovery (PowerShell);2158908e-b7ef-4c21-8a83-3ce4dd05a924;False;2
discovery;T1083;sh;['linux', 'macos'];Nix File and Directory Discovery;ffc8b249-372a-4b74-adcd-e4c0430842de;False;3
discovery;T1083;sh;['linux', 'macos'];Nix File and Directory Discovery 2;13c5e1ae-605b-46c4-a79f-db28c77ff24e;False;4
discovery;T1083;powershell;['windows'];Simulating MAZE Directory Enumeration;c6c34f61-1c3e-40fb-8a58-d017d88286d8;True;5
discovery;T1083;powershell;['windows'];Launch DirLister Executable;c5bec457-43c9-4a18-9a24-fe151d8971b7;True;6
discovery;T1083;command_prompt;['linux'];ESXi - Enumerate VMDKs available on an ESXi Host;4a233a40-caf7-4cf1-890a-c6331bbc72cf;False;7
discovery;T1049;command_prompt;['windows'];System Network Connections Discovery;0940a971-809a-48f1-9c4d-b1d785e96ee5;True;1
discovery;T1049;powershell;['windows'];System Network Connections Discovery with PowerShell;f069f0f1-baad-4831-aa2b-eddac4baac4a;True;2
discovery;T1049;sh;['linux', 'macos'];System Network Connections Discovery FreeBSD, Linux & MacOS;9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2;False;3
discovery;T1049;powershell;['windows'];System Discovery using SharpView;96f974bb-a0da-4d87-a744-ff33e73367e9;True;4
discovery;T1619;sh;['iaas:aws'];AWS S3 Enumeration;3c7094f8-71ec-4917-aeb8-a633d7ec4ef5;False;1
discovery;T1654;powershell;['windows'];Get-EventLog To Enumerate Windows Security Log;a9030b20-dd4b-4405-875e-3462c6078fdc;False;1
discovery;T1654;command_prompt;['windows'];Enumerate Windows Security Log via WevtUtil;fef0ace1-3550-4bf1-a075-9fea55a778dd;False;2
discovery;T1057;sh;['linux', 'macos'];Process Discovery - ps;4ff64f0b-aaf2-4866-b39d-38d9791407cc;False;1
discovery;T1057;command_prompt;['windows'];Process Discovery - tasklist;c5806a4f-62b8-4900-980b-c7ec004e9908;True;2
discovery;T1057;powershell;['windows'];Process Discovery - Get-Process;3b3809b6-a54b-4f5b-8aff-cb51f2e97b34;False;3
discovery;T1057;powershell;['windows'];Process Discovery - get-wmiObject;b51239b4-0129-474f-a2b4-70f855b9f2c2;False;4
discovery;T1057;command_prompt;['windows'];Process Discovery - wmic process;640cbf6d-659b-498b-ba53-f6dd1a1cc02c;True;5
discovery;T1057;command_prompt;['windows'];Discover Specific Process - tasklist;11ba69ee-902e-4a0f-b3b6-418aed7d7ddb;False;6
discovery;T1057;powershell;['windows'];Process Discovery - Process Hacker;966f4c16-1925-4d9b-8ce0-01334ee0867d;False;7
discovery;T1069.001;sh;['linux', 'macos'];Permission Groups Discovery (Local);952931a4-af0b-4335-bbbe-73c8c5b327ae;False;1
discovery;T1069.001;command_prompt;['windows'];Basic Permission Groups Discovery Windows (Local);1f454dd6-e134-44df-bebb-67de70fb6cd8;True;2
discovery;T1069.001;powershell;['windows'];Permission Groups Discovery PowerShell (Local);a580462d-2c19-4bc7-8b9a-57a41b7d3ba4;True;3
discovery;T1069.001;powershell;['windows'];SharpHound3 - LocalAdmin;e03ada14-0980-4107-aff1-7783b2b59bb1;True;4
discovery;T1069.001;command_prompt;['windows'];Wmic Group Discovery;7413be50-be8e-430f-ad4d-07bf197884b2;True;5
discovery;T1069.001;powershell;['windows'];WMIObject Group Discovery;69119e58-96db-4110-ad27-954e48f3bb13;True;6
discovery;T1069.001;sh;['containers'];Permission Groups Discovery for Containers- Local Groups;007d7aa4-8c4d-4f55-ba6a-7c965d51219c;False;7
discovery;T1201;bash;['linux'];Examine password complexity policy - Ubuntu;085fe567-ac84-47c7-ac4c-2688ce28265b;False;1
discovery;T1201;sh;['linux'];Examine password complexity policy - FreeBSD;a7893624-a3d7-4aed-9676-80498f31820f;False;2
discovery;T1201;bash;['linux'];Examine password complexity policy - CentOS/RHEL 7.x;78a12e65-efff-4617-bc01-88f17d71315d;False;3
discovery;T1201;bash;['linux'];Examine password complexity policy - CentOS/RHEL 6.x;6ce12552-0adb-4f56-89ff-95ce268f6358;False;4
discovery;T1201;bash;['linux'];Examine password expiration policy - All Linux;7c86c55c-70fa-4a05-83c9-3aa19b145d1a;False;5
discovery;T1201;command_prompt;['windows'];Examine local password policy - Windows;4588d243-f24e-4549-b2e3-e627acc089f6;True;6
discovery;T1201;command_prompt;['windows'];Examine domain password policy - Windows;46c2c362-2679-4ef5-aec9-0e958e135be4;True;7
discovery;T1201;bash;['macos'];Examine password policy - macOS;4b7fa042-9482-45e1-b348-4b756b2a0742;False;8
discovery;T1201;powershell;['windows'];Get-DomainPolicy with PowerView;3177f4da-3d4b-4592-8bdc-aa23d0b2e843;True;9
discovery;T1201;powershell;['windows'];Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy;b2698b33-984c-4a1c-93bb-e4ba72a0babb;True;10
discovery;T1201;command_prompt;['windows'];Use of SecEdit.exe to export the local security policy (including the password policy);510cc97f-56ac-4cd3-a198-d3218c23d889;True;11
discovery;T1201;sh;['iaas:aws'];Examine AWS Password Policy;15330820-d405-450b-bd08-16b5be5be9f4;False;12
discovery;T1614.001;command_prompt;['windows'];Discover System Language by Registry Query;631d4cf1-42c9-4209-8fe9-6bd4de9421be;True;1
discovery;T1614.001;command_prompt;['windows'];Discover System Language with chcp;d91473ca-944e-477a-b484-0e80217cd789;True;2
discovery;T1614.001;sh;['linux'];Discover System Language with locale;837d609b-845e-4519-90ce-edc3b4b0e138;False;3
discovery;T1614.001;sh;['linux'];Discover System Language with localectl;07ce871a-b3c3-44a3-97fa-a20118fdc7c9;False;4
discovery;T1614.001;sh;['linux'];Discover System Language by locale file;5d7057c9-2c8a-4026-91dd-13b5584daa69;False;5
discovery;T1614.001;sh;['linux'];Discover System Language by Environment Variable Query;cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a;False;6
discovery;T1012;command_prompt;['windows'];Query Registry;8f7578c4-9863-4d83-875c-a565573bbdf0;True;1
discovery;T1012;powershell;['windows'];Query Registry with Powershell cmdlets;0434d081-bb32-42ce-bcbb-3548e4f2628f;False;2
discovery;T1012;powershell;['windows'];Enumerate COM Objects in Registry with Powershell;0d80d088-a84c-4353-af1a-fc8b439f1564;True;3
discovery;T1518.001;command_prompt;['windows'];Security Software Discovery;f92a380f-ced9-491f-b338-95a991418ce2;True;1
discovery;T1518.001;powershell;['windows'];Security Software Discovery - powershell;7f566051-f033-49fb-89de-b6bacab730f0;True;2
discovery;T1518.001;sh;['macos'];Security Software Discovery - ps (macOS);ba62ce11-e820-485f-9c17-6f3c857cd840;False;3
discovery;T1518.001;sh;['linux'];Security Software Discovery - ps (Linux);23b91cd2-c99c-4002-9e41-317c63e024a2;False;4
discovery;T1518.001;sh;['linux'];Security Software Discovery - pgrep (FreeBSD);fa96c21c-5fd6-4428-aa28-51a2fbecdbdc;False;5
discovery;T1518.001;command_prompt;['windows'];Security Software Discovery - Sysmon Service;fe613cf3-8009-4446-9a0f-bc78a15b66c9;True;6
discovery;T1518.001;command_prompt;['windows'];Security Software Discovery - AV Discovery via WMI;1553252f-14ea-4d3b-8a08-d7a4211aa945;True;7
discovery;T1518.001;command_prompt;['windows'];Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets;015cd268-996e-4c32-8347-94c80c6286ee;False;8
discovery;T1518.001;powershell;['windows'];Security Software Discovery - Windows Defender Enumeration;d3415a0e-66ef-429b-acf4-a768876954f6;False;9
discovery;T1518.001;powershell;['windows'];Security Software Discovery - Windows Firewall Enumeration;9dca5a1d-f78c-4a8d-accb-d6de67cfed6b;False;10
discovery;T1526;powershell;['iaas:azure'];Azure - Dump Subscription Data with MicroBurst;1e40bb1d-195e-401e-a86b-c192f55e005c;False;1
discovery;T1018;command_prompt;['windows'];Remote System Discovery - net;85321a9c-897f-4a60-9f20-29788e50bccd;True;1
discovery;T1018;command_prompt;['windows'];Remote System Discovery - net group Domain Computers;f1bf6c8f-9016-4edf-aff9-80b65f5d711f;True;2
discovery;T1018;command_prompt;['windows'];Remote System Discovery - nltest;52ab5108-3f6f-42fb-8ba3-73bc054f22c8;True;3
discovery;T1018;command_prompt;['windows'];Remote System Discovery - ping sweep;6db1f57f-d1d5-4223-8a66-55c9c65a9592;True;4
discovery;T1018;command_prompt;['windows'];Remote System Discovery - arp;2d5a61f5-0447-4be4-944a-1f8530ed6574;True;5
discovery;T1018;sh;['linux', 'macos'];Remote System Discovery - arp nix;acb6b1ff-e2ad-4d64-806c-6c35fe73b951;False;6
discovery;T1018;sh;['linux', 'macos'];Remote System Discovery - sweep;96db2632-8417-4dbb-b8bb-a8b92ba391de;False;7
discovery;T1018;powershell;['windows'];Remote System Discovery - nslookup;baa01aaa-5e13-45ec-8a0d-e46c93c9760f;True;8
discovery;T1018;command_prompt;['windows'];Remote System Discovery - adidnsdump;95e19466-469e-4316-86d2-1dc401b5a959;True;9
discovery;T1018;command_prompt;['windows'];Adfind - Enumerate Active Directory Computer Objects;a889f5be-2d54-4050-bd05-884578748bb4;True;10
discovery;T1018;command_prompt;['windows'];Adfind - Enumerate Active Directory Domain Controller Objects;5838c31e-a0e2-4b9f-b60a-d79d2cb7995e;True;11
discovery;T1018;sh;['linux'];Remote System Discovery - ip neighbour;158bd4dd-6359-40ab-b13c-285b9ef6fa25;False;12
discovery;T1018;sh;['linux'];Remote System Discovery - ip route;1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1;False;13
discovery;T1018;sh;['linux'];Remote System Discovery - netstat;d2791d72-b67f-4615-814f-ec824a91f514;False;14
discovery;T1018;sh;['linux'];Remote System Discovery - ip tcp_metrics;6c2da894-0b57-43cb-87af-46ea3b501388;False;15
discovery;T1018;powershell;['windows'];Enumerate domain computers within Active Directory using DirectorySearcher;962a6017-1c09-45a6-880b-adc9c57cb22e;True;16
discovery;T1018;powershell;['windows'];Enumerate Active Directory Computers with Get-AdComputer;97e89d9e-e3f5-41b5-a90f-1e0825df0fdf;True;17
discovery;T1018;powershell;['windows'];Enumerate Active Directory Computers with ADSISearcher;64ede6ac-b57a-41c2-a7d1-32c6cd35397d;True;18
discovery;T1018;powershell;['windows'];Get-DomainController with PowerView;b9d2e8ca-5520-4737-8076-4f08913da2c4;True;19
discovery;T1018;powershell;['windows'];Get-WmiObject to Enumerate Domain Controllers;e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad;True;20
discovery;T1018;command_prompt;['windows'];Remote System Discovery - net group Domain Controller;5843529a-5056-4bc1-9c13-a311e2af4ca0;True;21
discovery;T1018;powershell;['windows'];Enumerate Remote Hosts with Netscan;b8147c9a-84db-4ec1-8eee-4e0da75f0de5;False;22
discovery;T1046;bash;['linux', 'macos'];Port Scan;68e907da-2539-48f6-9fc9-257a78c05540;False;1
discovery;T1046;sh;['linux', 'macos'];Port Scan Nmap;515942b0-a09f-4163-a7bb-22fefb6f185f;True;2
discovery;T1046;powershell;['windows'];Port Scan NMap for Windows;d696a3cb-d7a8-4976-8eb5-5af4abf2e3df;True;3
discovery;T1046;powershell;['windows'];Port Scan using python;6ca45b04-9f15-4424-b9d3-84a217285a5c;True;4
discovery;T1046;powershell;['windows'];WinPwn - spoolvulnscan;54574908-f1de-4356-9021-8053dd57439a;True;5
discovery;T1046;powershell;['windows'];WinPwn - MS17-10;97585b04-5be2-40e9-8c31-82157b8af2d6;True;6
discovery;T1046;powershell;['windows'];WinPwn - bluekeep;1cca5640-32a9-46e6-b8e0-fabbe2384a73;True;7
discovery;T1046;powershell;['windows'];WinPwn - fruit;bb037826-cbe8-4a41-93ea-b94059d6bb98;True;8
discovery;T1046;sh;['containers'];Network Service Discovery for Containers;06eaafdb-8982-426e-8a31-d572da633caa;False;9
discovery;T1046;powershell;['windows'];Port-Scanning /24 Subnet with PowerShell;05df2a79-dba6-4088-a804-9ca0802ca8e4;False;10
discovery;T1518;command_prompt;['windows'];Find and Display Internet Explorer Browser Version;68981660-6670-47ee-a5fa-7e74806420a4;True;1
discovery;T1518;powershell;['windows'];Applications Installed;c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b;True;2
discovery;T1518;sh;['macos'];Find and Display Safari Browser Version;103d6533-fd2a-4d08-976a-4a598565280f;False;3
discovery;T1518;powershell;['windows'];WinPwn - Dotnetsearch;7e79a1b6-519e-433c-ad55-3ff293667101;True;4
discovery;T1518;powershell;['windows'];WinPwn - DotNet;10ba02d0-ab76-4f80-940d-451633f24c5b;True;5
discovery;T1518;powershell;['windows'];WinPwn - powerSQL;0bb64470-582a-4155-bde2-d6003a95ed34;True;6
discovery;T1622;powershell;['windows'];Detect a Debugger Presence in the Machine;58bd8c8d-3a1a-4467-a69c-439c75469b07;False;1
discovery;T1124;command_prompt;['windows'];System Time Discovery;20aba24b-e61f-4b26-b4ce-4784f763ca20;True;1
discovery;T1124;powershell;['windows'];System Time Discovery - PowerShell;1d5711d6-655c-4a47-ae9c-6503c74fa877;True;2
discovery;T1124;sh;['linux', 'macos'];System Time Discovery in FreeBSD/macOS;f449c933-0891-407f-821e-7916a21a1a6f;False;3
discovery;T1124;command_prompt;['windows'];System Time Discovery W32tm as a Delay;d5d5a6b0-0f92-42d8-985d-47aafa2dd4db;True;4
discovery;T1124;command_prompt;['windows'];System Time with Windows time Command;53ead5db-7098-4111-bb3f-563be390e72e;False;5
reconnaissance;T1592.001;powershell;['windows'];Enumerate PlugNPlay Camera;d430bf85-b656-40e7-b238-42db01df0183;True;1
impact;T1489;command_prompt;['windows'];Windows - Stop service using Service Controller;21dfb440-830d-4c86-a3e5-2a491d5a8d04;True;1
impact;T1489;command_prompt;['windows'];Windows - Stop service using net.exe;41274289-ec9c-4213-bea4-e43c4aa57954;True;2
impact;T1489;command_prompt;['windows'];Windows - Stop service by killing process;f3191b84-c38b-400b-867e-3a217a27795f;True;3
impact;T1491.001;powershell;['windows'];Replace Desktop Wallpaper;30558d53-9d76-41c4-9267-a7bd5184bed3;True;1
impact;T1491.001;powershell;['windows'];Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message;ffcbfaab-c9ff-470b-928c-f086b326089b;True;2
impact;T1531;command_prompt;['windows'];Change User Password - Windows;1b99ef28-f83c-4ec5-8a08-1a56263a5bb2;True;1
impact;T1531;command_prompt;['windows'];Delete User - Windows;f21a1d7d-a62f-442a-8c3a-2440d43b19e5;True;2
impact;T1531;powershell;['windows'];Remove Account From Domain Admin Group;43f71395-6c37-498e-ab17-897d814a0947;True;3
impact;T1531;sh;['macos', 'linux'];Change User Password via passwd;3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6;False;4
impact;T1531;sh;['macos'];Delete User via dscl utility;4d938c43-2fe8-4d70-a5b3-5bf239aa7846;False;5
impact;T1531;sh;['macos'];Delete User via sysadminctl utility;d3812c4e-30ee-466a-a0aa-07e355b561d6;False;6
impact;T1531;powershell;['azure-ad'];Azure AD - Delete user via Azure AD PowerShell;4f577511-dc1c-4045-bcb8-75d2457f01f4;False;7
impact;T1531;powershell;['azure-ad'];Azure AD - Delete user via Azure CLI;c955c1c7-3145-4a22-af2d-63eea0d967f0;False;8
impact;T1486;sh;['linux'];Encrypt files using gpg (FreeBSD/Linux);7b8ce084-3922-4618-8d22-95f996173765;False;1
impact;T1486;sh;['linux'];Encrypt files using 7z (FreeBSD/Linux);53e6735a-4727-44cc-b35b-237682a151ad;False;2
impact;T1486;sh;['linux'];Encrypt files using ccrypt (FreeBSD/Linux);08cbf59f-85da-4369-a5f4-049cffd7709f;False;3
impact;T1486;sh;['linux'];Encrypt files using openssl (FreeBSD/Linux);142752dc-ca71-443b-9359-cf6f497315f1;False;4
impact;T1486;command_prompt;['windows'];PureLocker Ransom Note;649349c7-9abf-493b-a7a2-b1aa4d141528;True;5
impact;T1486;sh;['macos'];Encrypt files using 7z utility - macOS;645f0f5a-ef09-48d8-b9bc-f0e24c642d72;False;6
impact;T1486;sh;['macos'];Encrypt files using openssl utility - macOS;1a01f6b8-b1e8-418e-bbe3-78a6f822759e;False;7
impact;T1486;powershell;['windows'];Data Encrypted with GPG4Win;4541e2c2-33c8-44b1-be79-9161440f1718;False;8
impact;T1486;command_prompt;['windows'];Data Encrypt Using DiskCryptor;44b68e11-9da2-4d45-a0d9-893dabd60f30;False;9
impact;T1496;sh;['linux', 'macos'];FreeBSD/macOS/Linux - Simulate CPU Load with Yes;904a5a0e-fb02-490d-9f8d-0e256eb37549;False;1
impact;T1485;powershell;['windows'];Windows - Overwrite file with SysInternals SDelete;476419b5-aebf-4366-a131-ae3e8dae5fc2;True;1
impact;T1485;sh;['linux', 'macos'];FreeBSD/macOS/Linux - Overwrite file with DD;38deee99-fd65-4031-bec8-bfa4f9f26146;False;2
impact;T1485;command_prompt;['windows'];Overwrite deleted data on C drive;321fd25e-0007-417f-adec-33232252be19;True;3
impact;T1485;sh;['iaas:gcp'];GCP - Delete Bucket;4ac71389-40f4-448a-b73f-754346b3f928;False;4
impact;T1490;command_prompt;['windows'];Windows - Delete Volume Shadow Copies;43819286-91a9-4369-90ed-d31fb4da2c01;True;1
impact;T1490;command_prompt;['windows'];Windows - Delete Volume Shadow Copies via WMI;6a3ff8dd-f49c-4272-a658-11c2fe58bd88;True;2
impact;T1490;command_prompt;['windows'];Windows - wbadmin Delete Windows Backup Catalog;263ba6cb-ea2b-41c9-9d4e-b652dadd002c;True;3
impact;T1490;command_prompt;['windows'];Windows - Disable Windows Recovery Console Repair;cf21060a-80b3-4238-a595-22525de4ab81;True;4
impact;T1490;powershell;['windows'];Windows - Delete Volume Shadow Copies via WMI with PowerShell;39a295ca-7059-4a88-86f6-09556c1211e7;True;5
impact;T1490;command_prompt;['windows'];Windows - Delete Backup Files;6b1dbaf6-cc8a-4ea6-891f-6058569653bf;True;6
impact;T1490;command_prompt;['windows'];Windows - wbadmin Delete systemstatebackup;584331dd-75bc-4c02-9e0b-17f5fd81c748;True;7
impact;T1490;command_prompt;['windows'];Windows - Disable the SR scheduled task;1c68c68d-83a4-4981-974e-8993055fa034;True;8
impact;T1490;command_prompt;['windows'];Disable System Restore Through Registry;66e647d1-8741-4e43-b7c1-334760c2047f;True;9
impact;T1490;powershell;['windows'];Windows - vssadmin Resize Shadowstorage Volume;da558b07-69ae-41b9-b9d4-4d98154a7049;False;10
impact;T1490;command_prompt;['windows'];Modify VSS Service Permissions;a4420f93-5386-4290-b780-f4f66abc7070;False;11
impact;T1490;sh;['macos'];Disable Time Machine;ed952f70-91d4-445a-b7ff-30966bfb1aff;False;12
impact;T1529;command_prompt;['windows'];Shutdown System - Windows;ad254fa8-45c0-403b-8c77-e00b3d3e7a64;True;1
impact;T1529;command_prompt;['windows'];Restart System - Windows;f4648f0d-bf78-483c-bafc-3ec99cd1c302;True;2
impact;T1529;sh;['linux', 'macos'];Restart System via `shutdown` - FreeBSD/macOS/Linux;6326dbc4-444b-4c04-88f4-27e94d0327cb;False;3
impact;T1529;sh;['linux', 'macos'];Shutdown System via `shutdown` - FreeBSD/macOS/Linux;4963a81e-a3ad-4f02-adda-812343b351de;False;4
impact;T1529;sh;['linux', 'macos'];Restart System via `reboot` - FreeBSD/macOS/Linux;47d0b042-a918-40ab-8cf9-150ffe919027;False;5
impact;T1529;sh;['linux'];Shutdown System via `halt` - FreeBSD/Linux;918f70ab-e1ef-49ff-bc57-b27021df84dd;False;6
impact;T1529;sh;['linux'];Reboot System via `halt` - FreeBSD;7b1cee42-320f-4890-b056-d65c8b884ba5;False;7
impact;T1529;bash;['linux'];Reboot System via `halt` - Linux;78f92e14-f1e9-4446-b3e9-f1b921f2459e;False;8
impact;T1529;sh;['linux'];Shutdown System via `poweroff` - FreeBSD/Linux;73a90cd2-48a2-4ac5-8594-2af35fa909fa;False;9
impact;T1529;sh;['linux'];Reboot System via `poweroff` - FreeBSD;5a282e50-86ff-438d-8cef-8ae01c9e62e1;False;10
impact;T1529;bash;['linux'];Reboot System via `poweroff` - Linux;61303105-ff60-427b-999e-efb90b314e41;False;11
impact;T1529;command_prompt;['windows'];Logoff System - Windows;3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4;True;12
impact;T1529;command_prompt;['linux'];ESXi - Terminates VMs using pkill;987c9b4d-a637-42db-b1cb-e9e242c3991b;False;13
impact;T1529;command_prompt;['linux'];ESXi - Avoslocker enumerates VMs and forcefully kills VMs;189f7d6e-9442-4160-9bc3-5e4104d93ece;False;14
initial-access;T1133;powershell;['windows'];Running Chrome VPN Extensions via the Registry 2 vpn extension;4c8db261-a58b-42a6-a866-0a294deedde4;True;1
initial-access;T1566.001;powershell;['windows'];Download Macro-Enabled Phishing Attachment;114ccff9-ae6d-4547-9ead-4cd69f687306;True;1
initial-access;T1566.001;powershell;['windows'];Word spawned a command shell and used an IP address in the command line;cbb6799a-425c-4f83-9194-5447a909d67f;True;2
initial-access;T1091;powershell;['windows'];USB Malware Spread Simulation;d44b7297-622c-4be8-ad88-ec40d7563c75;False;1
initial-access;T1195;command_prompt;['windows'];Octopus Scanner Malware Open Source Supply Chain;82a9f001-94c5-495e-9ed5-f530dbded5e2;True;1
initial-access;T1078.001;command_prompt;['windows'];Enable Guest account with RDP capability and admin privileges;99747561-ed8d-47f2-9c91-1e5fde1ed6e0;True;1
initial-access;T1078.001;command_prompt;['windows'];Activate Guest Account;aa6cb8c4-b582-4f8e-b677-37733914abda;True;2
initial-access;T1078.001;command_prompt;['macos'];Enable Guest Account on macOS;0315bdff-4178-47e9-81e4-f31a6d23f7e4;False;3
initial-access;T1078.004;sh;['google-workspace', 'iaas:gcp'];Creating GCP Service Account and Service Account Key;9fdd83fd-bd53-46e5-a716-9dec89c8ae8e;False;1
initial-access;T1078.004;powershell;['iaas:azure'];Azure Persistence Automation Runbook Created or Modified;348f4d14-4bd3-4f6b-bd8a-61237f78b3ac;False;2
initial-access;T1078.004;sh;['iaas:gcp'];GCP - Create Custom IAM Role;3a159042-69e6-4398-9a69-3308a4841c85;False;3
initial-access;T1078.003;command_prompt;['windows'];Create local account with admin privileges;a524ce99-86de-4db6-b4f9-e08f35a47a15;True;1
initial-access;T1078.003;bash;['macos'];Create local account with admin privileges - MacOS;f1275566-1c26-4b66-83e3-7f9f7f964daa;False;2
initial-access;T1078.003;bash;['macos'];Create local account with admin privileges using sysadminctl utility - MacOS;191db57d-091a-47d5-99f3-97fde53de505;False;3
initial-access;T1078.003;bash;['macos'];Enable root account using dsenableroot utility - MacOS;20b40ea9-0e17-4155-b8e6-244911a678ac;False;4
initial-access;T1078.003;bash;['macos'];Add a new/existing user to the admin group using dseditgroup utility - macOS;433842ba-e796-4fd5-a14f-95d3a1970875;False;5
initial-access;T1078.003;powershell;['windows'];WinPwn - Loot local Credentials - powerhell kittie;9e9fd066-453d-442f-88c1-ad7911d32912;True;6
initial-access;T1078.003;powershell;['windows'];WinPwn - Loot local Credentials - Safetykatz;e9fdb899-a980-4ba4-934b-486ad22e22f4;True;7
initial-access;T1078.003;bash;['linux'];Create local account (Linux);02a91c34-8a5b-4bed-87af-501103eb5357;False;8
initial-access;T1078.003;bash;['linux'];Reactivate a locked/expired account (Linux);d2b95631-62d7-45a3-aaef-0972cea97931;False;9
initial-access;T1078.003;sh;['linux'];Reactivate a locked/expired account (FreeBSD);09e3380a-fae5-4255-8b19-9950be0252cf;False;10
initial-access;T1078.003;bash;['linux'];Login as nobody (Linux);3d2cd093-ee05-41bd-a802-59ee5c301b85;False;11
initial-access;T1078.003;sh;['linux'];Login as nobody (freebsd);16f6374f-7600-459a-9b16-6a88fd96d310;False;12
exfiltration;T1020;powershell;['windows'];IcedID Botnet HTTP PUT;9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0;True;1
exfiltration;T1020;powershell;['windows'];Exfiltration via Encrypted FTP;5b380e96-b0ef-4072-8a8e-f194cb9eb9ac;False;2
exfiltration;T1048.002;command_prompt;['windows'];Exfiltrate data HTTPS using curl windows;1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0;True;1
exfiltration;T1048.002;bash;['macos', 'linux'];Exfiltrate data HTTPS using curl freebsd,linux or macos;4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01;False;2
exfiltration;T1048.002;sh;['linux'];Exfiltrate data in a file over HTTPS using wget;7ccdfcfa-6707-46bc-b812-007ab6ff951c;False;3
exfiltration;T1048.002;sh;['linux'];Exfiltrate data as text over HTTPS using wget;8bec51da-7a6d-4346-b941-51eca448c4b0;False;4
exfiltration;T1041;powershell;['windows'];C2 Data Exfiltration;d1253f6e-c29b-49dc-b466-2147a6191932;True;1
exfiltration;T1041;powershell;['windows'];Text Based Data Exfiltration using DNS subdomains;c9207f3e-213d-4cc7-ad2a-7697a7237df9;False;2
exfiltration;T1048;sh;['macos', 'linux'];Exfiltration Over Alternative Protocol - SSH;f6786cc8-beda-4915-a4d6-ac2f193bb988;False;1
exfiltration;T1048;sh;['macos', 'linux'];Exfiltration Over Alternative Protocol - SSH;7c3cb337-35ae-4d06-bf03-3032ed2ec268;False;2
exfiltration;T1048;powershell;['windows'];DNSExfiltration (doh);c943d285-ada3-45ca-b3aa-7cd6500c6a48;True;3
exfiltration;T1567.003;powershell;['windows'];Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows);c2e8ab6e-431e-460a-a2aa-3bc6a32022e3;False;1
exfiltration;T1567.002;powershell;['windows'];Exfiltrate data with rclone to cloud Storage - Mega (Windows);8529ee44-279a-4a19-80bf-b846a40dda58;True;1
exfiltration;T1030;sh;['macos', 'linux'];Data Transfer Size Limits;ab936c51-10f4-46ce-9144-e02137b2016a;False;1
exfiltration;T1030;powershell;['windows'];Network-Based Data Transfer in Small Chunks;f0287b58-f4bc-40f6-87eb-692e126e7f8f;False;2
exfiltration;T1048.003;manual;['macos', 'linux'];Exfiltration Over Alternative Protocol - HTTP;1d1abbd6-a3d3-4b2e-bef5-c59293f46eff;False;1
exfiltration;T1048.003;powershell;['windows'];Exfiltration Over Alternative Protocol - ICMP;dd4b4421-2e25-4593-90ae-7021947ad12e;True;2
exfiltration;T1048.003;manual;['linux'];Exfiltration Over Alternative Protocol - DNS;c403b5a4-b5fc-49f2-b181-d1c80d27db45;False;3
exfiltration;T1048.003;powershell;['windows'];Exfiltration Over Alternative Protocol - HTTP;6aa58451-1121-4490-a8e9-1dada3f1c68c;True;4
exfiltration;T1048.003;powershell;['windows'];Exfiltration Over Alternative Protocol - SMTP;ec3a835e-adca-4c7c-88d2-853b69c11bb9;True;5
exfiltration;T1048.003;powershell;['windows'];MAZE FTP Upload;57799bc2-ad1e-4130-a793-fb0c385130ba;True;6
exfiltration;T1048.003;powershell;['windows'];Exfiltration Over Alternative Protocol - FTP - Rclone;b854eb97-bf9b-45ab-a1b5-b94e4880c56b;True;7
exfiltration;T1048.003;sh;['linux'];Python3 http.server;3ea1f938-f80a-4305-9aa8-431bc4867313;False;8