Find a test to trigger a SigmaHQ rule

back

The rules

create_remote_thread_win_powershell_generic.yml
- T1018 Get-DomainController with PowerView
- T1134.004 Parent PID Spoofing using PowerShell
create_remote_thread_win_susp_uncommon_source_image.yml
- T1018 Get-DomainController with PowerView
- T1134.004 Parent PID Spoofing using PowerShell
create_remote_thread_win_susp_uncommon_target_image.yml
- T1055 Section View Injection
- T1055 Section View Injection
create_stream_hash_ads_executable.yml
- T1216.001 PubPrn.vbs Signed Script Bypass
create_stream_hash_creation_internet_file.yml
- T1216.001 PubPrn.vbs Signed Script Bypass
dns_query_win_regsvr32_dns_query.yml
- T1218.010 Regsvr32 remote COM scriptlet execution
dns_query_win_remote_access_software_domains_non_browsers.yml
- T1219 Ammyy Admin Software Execution
- T1219 GoToAssist Files Detected Test on Windows
- T1219 LogMeIn Files Detected Test on Windows
file_access_win_browser_credential_access.yml
- T1539 Steal Firefox Cookies (Windows)
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1555.003 Decrypt Mozilla Passwords with Firepwd.py
- T1552.001 WinPwn - passhunt
- T1539 Steal Chrome Cookies (Windows)
- T1555.003 WinPwn - PowerSharpPack - Sharpweb for Browser Credentials
- T1555.003 Stage Popular Credential Files for Exfiltration
- T1082 WinPwn - PowerSharpPack - Seatbelt
- T1555.003 WebBrowserPassView - Credentials from Browser
file_delete_win_delete_backup_file.yml
- T1490 Windows - Delete Backup Files
file_delete_win_delete_prefetch.yml
- T1070.004 Delete Prefetch File
file_delete_win_delete_teamviewer_logs.yml
- T1070.004 Delete TeamViewer Log Files
file_delete_win_sysinternals_sdelete_file_deletion.yml
- T1485 Windows - Overwrite file with SysInternals SDelete
file_event_win_access_susp_unattend_xml.yml
- T1552.001 Access unattend.xml
file_event_win_anydesk_artefact.yml
- T1219 AnyDesk Files Detected Test on Windows
file_event_win_creation_new_shim_database.yml
- T1546.011 New shim database files created in the default shim database directory
file_event_win_creation_scr_binary_file.yml
- T1546.002 Set Arbitrary Binary as Screensaver
- T1218.011 Rundll32 with desk.cpl
file_event_win_creation_system_file.yml
- T1036.003 Masquerading - wscript.exe running as svchost.exe
- T1036.003 Malicious process Masquerading as LSM.exe
- T1036.003 Masquerading as Windows LSASS process
- T1036.003 Masquerading - windows exe running as different windows exe
- T1036.003 Masquerading - non-windows exe running as windows exe
- T1105 svchost writing a file to a UNC path
- T1036.005 Masquerade as a built-in system executable
file_event_win_creation_unquoted_service_path.yml
- T1574.009 Execution of program.exe as service with unquoted service path
file_event_win_csharp_compile_artefact.yml
- T1046 WinPwn - bluekeep
- T1218.004 InstallUtil Uninstall method call - /U variant
- T1218.004 InstallUtil evasive invocation
- T1218.005 Invoke HTML Application - JScript Engine with Inline Protocol Handler
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1134.004 Parent PID Spoofing - Spawn from Specified Process
- T1071.004 DNS C2
- T1219 ScreenConnect Application Download and Install on Windows
- T1134.004 Parent PID Spoofing - Spawn from New Process
- T1218.005 Invoke HTML Application - Direct download from URI
- T1218.004 InstallHelper method call
- T1218.005 Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler
- T1134.002 Access Token Manipulation
- T1555.004 WinPwn - Loot local Credentials - Invoke-WCMDump
- T1218.004 InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1218.005 Invoke HTML Application - Simulate Lateral Movement over UNC Path
- T1046 WinPwn - spoolvulnscan
- T1127.001 MSBuild Bypass Using Inline Tasks (C#)
- T1127.001 MSBuild Bypass Using Inline Tasks (VB)
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1106 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
- T1552.004 ADFS token signing and encryption certificates theft - Local
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique
- T1134.004 Parent PID Spoofing - Spawn from Current Process
- T1134.004 Parent PID Spoofing using PowerShell
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
- T1134.004 Parent PID Spoofing - Spawn from svchost.exe
- T1218 Invoke-ATHRemoteFXvGPUDisablementCommand base test
- T1218.004 CheckIfInstallable method call
- T1218.004 InstallUtil HelpText method call
- T1027.004 Dynamic C# Compile
- T1548.002 WinPwn - UAC Magic
- T1218.005 Invoke HTML Application - Jscript Engine Simulating Double Click
- T1218.004 InstallUtil Install method call
- T1055.012 Process Hollowing using PowerShell
- T1036.005 Masquerade as a built-in system executable
- T1218.004 InstallUtil class constructor method call
- T1218.005 Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - powershellsensitive
file_event_win_gotoopener_artefact.yml
- T1219 GoToAssist Files Detected Test on Windows
file_event_win_hktl_dumpert.yml
- T1003.001 Dump LSASS.exe Memory using direct system calls and API unhooking
file_event_win_hktl_nppspy.yml
- T1003 Credential Dumping with NPPSpy
file_event_win_hktl_powerup_dllhijacking.yml
- T1558.002 Crafting Active Directory silver tickets with mimikatz
- T1558.001 Crafting Active Directory golden tickets with mimikatz
- T1547.001 Suspicious bat file run from startup Folder
- T1558.001 Crafting Active Directory golden tickets with Rubeus
- T1074.001 Stage data from Discovery.bat
file_event_win_install_teamviewer_desktop.yml
- T1219 TeamViewer Files Detected Test on Windows
file_event_win_lsass_default_dump_file_names.yml
- T1003.001 Dump LSASS.exe using imported Microsoft DLLs
- T1003.001 Dump LSASS.exe Memory using Windows Task Manager
- T1003.001 Dump LSASS.exe Memory using Windows Task Manager
- T1003.001 Dump LSASS.exe Memory using Out-Minidump.ps1
- T1003.001 Create Mini Dump of LSASS.exe using ProcDump
- T1003.001 Dump LSASS.exe Memory using direct system calls and API unhooking
- T1003.001 Dump LSASS.exe Memory using ProcDump
- T1003.001 Dump LSASS.exe Memory using comsvcs.dll
file_event_win_mal_octopus_scanner.yml
- T1195 Octopus Scanner Malware Open Source Supply Chain
file_event_win_malware_snake_encrypted_payload_ioc.yml
- T1547.006 Snake Malware Kernel Driver Comadmin
file_event_win_net_cli_artefact.yml
- T1218 Renamed Microsoft.Workflow.Compiler.exe Payload Executions
- T1219 ScreenConnect Application Download and Install on Windows
- T1218.010 Regsvr32 local DLL execution
- T1553.005 Execute LNK file from ISO
- T1036.005 Masquerade as a built-in system executable
file_event_win_new_scr_file.yml
- T1218.011 Rundll32 with desk.cpl
file_event_win_office_addin_persistence.yml
- T1137.006 Persistent Code Execution Via Word Add-in File (WLL)
file_event_win_office_macro_files_from_susp_process.yml
- T1204.002 Mirror Blast Emulation
- T1566.001 Download Macro-Enabled Phishing Attachment
file_event_win_office_outlook_macro_creation.yml
- T1137 Office Application Startup - Outlook as a C2
file_event_win_office_outlook_newform.yml
- T1592.002 Enumerate COM Objects in Registry with Powershell
file_event_win_office_susp_file_extension.yml
- T1204.002 Excel 4 Macro
- T1204.002 Office launching .bat file from AppData
- T1564 Extract binary files via VBA
- T1055.012 RunPE via VBA
file_event_win_powershell_drop_binary_or_script.yml
- T1176 Google Chrome Load Unpacked Extension With Command Line
- T1505.005 Simulate Patching termsrv.dll
file_event_win_powershell_exploit_scripts.yml
- T1558.003 WinPwn - Kerberoasting
- T1552.001 WinPwn - SessionGopher
- T1082 WinPwn - itm4nprivesc
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1046 WinPwn - bluekeep
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1120 WinPwn - printercheck
- T1087.002 WinPwn - generaldomaininfo
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1046 WinPwn - fruit
- T1552.001 WinPwn - sensitivefiles
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1082 WinPwn - GeneralRecon
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1046 WinPwn - spoolvulnscan
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1548.002 WinPwn - UAC Magic
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
file_event_win_powershell_startup_shortcuts.yml
- T1547.001 Add Executable Shortcut Link to User Startup Folder
- T1547.009 Create shortcut to cmd in startup folders
file_event_win_remote_access_tools_screenconnect_artefact.yml
- T1219 ScreenConnect Application Download and Install on Windows
file_event_win_sam_dump.yml
- T1003.002 Registry dump of SAM, creds, and secrets
file_event_win_shell_write_susp_directory.yml
- T1564.004 Alternate Data Streams (ADS)
- T1546.009 Create registry persistence via AppCert DLL
- T1059.001 Powershell invoke mshta.exe download
- T1218.005 Invoke HTML Application - Direct download from URI
- T1220 WMIC bypass using remote XSL file
- T1105 certutil download (verifyctl)
- T1218.005 Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
- T1140 Deobfuscate/Decode Files Or Information
- T1547.003 Edit an existing time provider
- T1105 certutil download (urlcache)
- T1564.004 Store file in Alternate Data Stream (ADS)
- T1003.002 dump volume shadow copy hives with certutil
- T1547.003 Create a new time provider
file_event_win_startup_folder_file_write.yml
- T1547.001 Suspicious vbs file run from startup Folder
- T1547.001 Suspicious bat file run from startup Folder
- T1547.009 Shortcut Modification
- T1547.009 Create shortcut to cmd in startup folders
- T1547.001 Suspicious jse file run from startup Folder
file_event_win_susp_binary_dropper.yml
- T1204.002 LNK Payload Download
- T1555 WinPwn - Loot local Credentials - lazagne
- T1562.006 Disable Powershell ETW Provider - Windows
- T1547.001 Change Startup Folder - HKCU Modify User Shell Folders Startup Value
- T1552.001 WinPwn - passhunt
- T1547.001 Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value
- T1569.002 BlackCat pre-encryption cmds with Lateral Movement
- T1105 MAZE Propagation Script
- T1546.008 Replace binary of sticky keys
- T1127 Lolbin Jsc.exe compile javascript to exe
- T1218 Lolbas ie4uinit.exe use as proxy
file_event_win_susp_desktop_txt.yml
- T1486 PureLocker Ransom Note
file_event_win_susp_get_variable.yml
- T1574.008 powerShell Persistence via hijacking default modules - Get-Variable.exe
file_event_win_susp_pfx_file_creation.yml
- T1552.004 Export Root Certificate with Export-PFXCertificate
file_event_win_sysinternals_psexec_service.yml
- T1021.002 Copy and Execute File with PsExec
- T1562.006 Disable Powershell ETW Provider - Windows
- T1569.002 Use PsExec to execute a command on a remote host
- T1550.003 Rubeus Kerberos Pass The Ticket
- T1003.004 Dumping LSA Secrets
- T1207 DCShadow (Active Directory)
file_event_win_webshell_creation_detect.yml
- T1505.003 Web Shell Written to Disk
file_event_win_writing_local_admin_share.yml
- T1021.002 Execute command writing output to local Admin Share
file_rename_win_non_dll_to_dll_ext.yml
- T1036 Malware Masquerading and Execution from Zip File
image_load_dll_credui_uncommon_process_load.yml
- T1204.002 Excel 4 Macro
image_load_dll_dbghelp_dbgcore_susp_load.yml
- T1003 Dump svchost.exe to gather RDP credentials
- T1564 Extract binary files via VBA
- T1070.001 Clear Event Logs via VBA
- T1562.002 Kill Event Log Service Threads
- T1204.002 Office Generic Payload Download
- T1574.002 DLL Side-Loading using the Notepad++ GUP.exe binary
- T1003.001 Dump LSASS.exe Memory using Out-Minidump.ps1
- T1055.004 Process Injection via C#
- T1055.012 RunPE via VBA
- T1566.001 Word spawned a command shell and used an IP address in the command line
- T1003.001 Dump LSASS.exe Memory using comsvcs.dll
image_load_dll_system_drawing_load.yml
- T1218 Renamed Microsoft.Workflow.Compiler.exe Payload Executions
- T1218.010 Regsvr32 Silent DLL Install Call DllRegisterServer
- T1219 ScreenConnect Application Download and Install on Windows
image_load_dll_system_management_automation_susp_load.yml
- T1218.008 Odbcconf.exe - Load Response File
- T1036.003 Masquerading - powershell.exe running as taskhostw.exe
- T1036.003 Masquerading - powershell.exe running as taskhostw.exe
- T1055.012 RunPE via VBA
- T1055.012 RunPE via VBA
- T1574.001 DLL Search Order Hijacking - amsi.dll
- T1574.001 DLL Search Order Hijacking - amsi.dll
image_load_dll_vss_ps_susp_load.yml
- T1003.002 esentutl.exe SAM copy
- T1003.003 Create Volume Shadow Copy remotely (WMI) with esentutl
- T1003.003 Create Volume Shadow Copy with WMI
- T1003.002 dump volume shadow copy hives with certutil
image_load_office_dotnet_assembly_dll_load.yml
- T1055.012 RunPE via VBA
image_load_office_dotnet_clr_dll_load.yml
- T1055.012 RunPE via VBA
image_load_office_dotnet_gac_dll_load.yml
- T1055.012 RunPE via VBA
image_load_office_vbadll_load.yml
- T1204.002 Excel 4 Macro
- T1204.002 Office launching .bat file from AppData
- T1204.002 OSTap Style Macro Execution
- T1564 Extract binary files via VBA
- T1592.002 Enumerate COM Objects in Registry with Powershell
- T1204.002 Headless Chrome code execution via VBA
- T1070.001 Clear Event Logs via VBA
- T1204.002 Office Generic Payload Download
- T1204.002 Mirror Blast Emulation
- T1221 WINWORD Remote Template Injection
- T1055.012 RunPE via VBA
- T1059.005 Extract Memory via VBA
- T1566.001 Word spawned a command shell and used an IP address in the command line
- T1204.002 Maldoc choice flags command execution
- T1204.002 OSTAP JS version
- T1555 Extract Windows Credential Manager via VBA
- T1055 Shellcode execution via VBA
- T1053.005 Task Scheduler via VBA
- T1115 Collect Clipboard Data via VBA
- T1059.005 Encoded VBS code execution
image_load_susp_dll_load_system_process.yml
- T1547.003 Edit an existing time provider
- T1547.003 Create a new time provider
image_load_susp_python_image_load.yml
- T1555 WinPwn - Loot local Credentials - lazagne
- T1552.001 WinPwn - passhunt
- T1550.002 crackmapexec Pass the Hash
- T1555.003 LaZagne - Credentials from Browser
image_load_wmic_remote_xsl_scripting_dlls.yml
- T1220 WMIC bypass using local XSL file
- T1220 WMIC bypass using remote XSL file
- T1569.002 BlackCat pre-encryption cmds with Lateral Movement
- T1082 WinPwn - General privesc checks
- T1082 WinPwn - GeneralRecon
- T1047 WMI Reconnaissance List Remote Services
- T1119 Recon information for export with Command Prompt
- T1033 System Owner/User Discovery
image_load_wsman_provider_image_load.yml
- T1218.008 Odbcconf.exe - Load Response File
- T1059.001 PowerShell Session Creation and Use
- T1021.006 Enable Windows Remote Management
- T1021.006 Remote Code Execution with PS Credentials Using Invoke-Command
net_connection_win_imewdbld.yml
- T1105 Download a file with IMEWDBLD.exe
net_connection_win_msiexec_http.yml
- T1219 ScreenConnect Application Download and Install on Windows
- T1218.007 Msiexec.exe - Execute Remote MSI file
- T1219 LogMeIn Files Detected Test on Windows
net_connection_win_office_outbound_non_local_ip.yml
- T1204.002 Excel 4 Macro
- T1592.002 Enumerate COM Objects in Registry with Powershell
- T1204.002 Mirror Blast Emulation
net_connection_win_powershell_network_connection.yml
- T1558.003 WinPwn - Kerberoasting
- T1082 WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors
- T1105 File Download via PowerShell
- T1204.002 LNK Payload Download
- T1033 Find computers where user has session - Stealth mode (PowerView)
- T1552.001 WinPwn - SessionGopher
- T1218.005 Mshta Executes Remote HTML Application (HTA)
- T1558.003 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1082 WinPwn - itm4nprivesc
- T1069.002 Get-DomainGroupMember with PowerView
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1055.001 WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique
- T1087.002 Enumerate Active Directory Users with ADSISearcher
- T1046 WinPwn - bluekeep
- T1558.004 Get-DomainUser with PowerView
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1069.002 Enumerate Active Directory Groups with Get-AdGroup
- T1041 C2 Data Exfiltration
- T1564 Extract binary files via VBA
- T1557.001 LLMNR Poisoning with Inveigh (PowerShell)
- T1071.001 Malicious User Agents - Powershell
- T1219 TeamViewer Files Detected Test on Windows
- T1120 WinPwn - printercheck
- T1134.001 Named pipe client impersonation
- T1558.004 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1087.002 WinPwn - generaldomaininfo
- T1572 DNS over HTTPS Long Domain Query
- T1201 Get-DomainPolicy with PowerView
- T1134.002 WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique
- T1110.003 Password Spray Invoke-DomainPasswordSpray Light
- T1110.003 Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)
- T1048 DNSExfiltration (doh)
- T1204.002 Potentially Unwanted Applications (PUA)
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1016 List Open Egress Ports
- T1555.003 WinPwn - BrowserPwn
- T1204.002 Office Generic Payload Download
- T1046 WinPwn - fruit
- T1095 ICMP C2
- T1105 Windows - PowerShell Download
- T1059.001 Run BloodHound from local disk
- T1071.004 DNS C2
- T1552.001 WinPwn - sensitivefiles
- T1219 ScreenConnect Application Download and Install on Windows
- T1110.001 Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1082 WinPwn - GeneralRecon
- T1055.012 RunPE via VBA
- T1069.002 Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)
- T1069.002 Get-DomainGroup with PowerView
- T1087.002 Get-DomainUser with PowerView
- T1046 WinPwn - spoolvulnscan
- T1553.004 Add Root Certificate to CurrentUser Certificate Store
- T1059.001 PowerUp Invoke-AllChecks
- T1018 Remote System Discovery - nslookup
- T1219 GoToAssist Files Detected Test on Windows
- T1059.001 Run Bloodhound from Memory using Download Cradle
- T1550.002 Invoke-WMIExec Pass the Hash
- T1552.004 ADFS token signing and encryption certificates theft - Remote
- T1201 Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy
- T1106 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
- T1082 WinPwn - PowerSharpPack - Seatbelt
- T1566.001 Download Macro-Enabled Phishing Attachment
- T1087.002 Enumerate Linked Policies In ADSISearcher Discovery
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique
- T1055 Shellcode execution via VBA
- T1615 MSFT Get-GPO Cmdlet
- T1558.003 Request for service tickets
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1219 LogMeIn Files Detected Test on Windows
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
- T1562.001 WinPwn - Kill the event log services for stealth
- T1020 IcedID Botnet HTTP PUT
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1059.001 Invoke-AppPathBypass
- T1095 Powercat C2
- T1082 WinPwn - PowerSharpPack - Watson searching for missing windows patches
- T1615 Get-DomainGPO to display group policy information via PowerView
- T1572 DNS over HTTPS Large Query Volume
- T1132.001 XOR Encoded data.
- T1087.002 Enumerate Root Domain linked policies Discovery
- T1134.001 SeDebugPrivilege token duplication
- T1059.001 Powershell XML requests
- T1059.001 Powershell MsXml COM object - with prompt
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1074.001 Stage data from Discovery.bat
- T1552.001 WinPwn - powershellsensitive
net_connection_win_python.yml
- T1046 Port Scan using python
net_connection_win_rdp_outbound_over_non_standard_tools.yml
- T1016 List Open Egress Ports
net_connection_win_regsvr32_network_activity.yml
- T1218.010 Regsvr32 remote COM scriptlet execution
net_connection_win_rundll32_net_connections.yml
- T1218.011 Rundll32 advpack.dll Execution
- T1546.015 COM hijacking via TreatAs
- T1218.011 Rundll32 ieadvpack.dll Execution
- T1218.011 Rundll32 execute JavaScript Remote Payload With GetObject
net_connection_win_script.yml
- T1105 Download a file using wscript
- T1082 Griffon Recon
net_connection_win_script_wan.yml
- T1105 Download a file using wscript
net_connection_win_susp_file_sharing_domains_susp_folders.yml
- T1558.003 WinPwn - Kerberoasting
- T1082 WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors
- T1105 File Download via PowerShell
- T1204.002 LNK Payload Download
- T1552.001 WinPwn - SessionGopher
- T1218.005 Mshta Executes Remote HTML Application (HTA)
- T1558.003 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1082 WinPwn - itm4nprivesc
- T1069.002 Get-DomainGroupMember with PowerView
- T1555 WinPwn - Loot local Credentials - lazagne
- T1055.001 WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique
- T1046 WinPwn - bluekeep
- T1558.004 Get-DomainUser with PowerView
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1564 Extract binary files via VBA
- T1557.001 LLMNR Poisoning with Inveigh (PowerShell)
- T1120 WinPwn - printercheck
- T1134.001 Named pipe client impersonation
- T1087.002 WinPwn - generaldomaininfo
- T1134.002 WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1546.015 COM hijacking via TreatAs
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1204.002 Office Generic Payload Download
- T1046 WinPwn - fruit
- T1095 ICMP C2
- T1105 Windows - PowerShell Download
- T1071.004 DNS C2
- T1552.001 WinPwn - sensitivefiles
- T1218.005 Invoke HTML Application - Direct download from URI
- T1220 WMIC bypass using remote XSL file
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1218.007 Msiexec.exe - Execute Remote MSI file
- T1105 certutil download (verifyctl)
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1082 WinPwn - GeneralRecon
- T1055.012 RunPE via VBA
- T1069.002 Get-DomainGroup with PowerView
- T1087.002 Get-DomainUser with PowerView
- T1046 WinPwn - spoolvulnscan
- T1218.005 Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
- T1553.004 Add Root Certificate to CurrentUser Certificate Store
- T1059.001 PowerUp Invoke-AllChecks
- T1059.001 Run Bloodhound from Memory using Download Cradle
- T1550.002 Invoke-WMIExec Pass the Hash
- T1106 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
- T1082 WinPwn - PowerSharpPack - Seatbelt
- T1566.001 Download Macro-Enabled Phishing Attachment
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique
- T1055 Shellcode execution via VBA
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
- T1562.001 WinPwn - Kill the event log services for stealth
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1059.001 Invoke-AppPathBypass
- T1095 Powercat C2
- T1082 WinPwn - PowerSharpPack - Watson searching for missing windows patches
- T1615 Get-DomainGPO to display group policy information via PowerView
- T1134.001 SeDebugPrivilege token duplication
- T1218.011 Rundll32 execute JavaScript Remote Payload With GetObject
- T1059.001 Powershell XML requests
- T1059.001 Powershell MsXml COM object - with prompt
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
net_connection_win_susp_outbound_kerberos_connection.yml
- T1110.001 Password Brute User using Kerbrute Tool
- T1087.002 Kerbrute - userenum
- T1110.003 Password Spray using Kerbrute Tool
- T1016 List Open Egress Ports
- T1110.004 Brute Force:Credential Stuffing using Kerbrute Tool
net_connection_win_susp_outbound_smtp_connections.yml
- T1048.003 Exfiltration Over Alternative Protocol - SMTP
net_connection_win_susp_remote_powershell_session.yml
- T1059.001 PowerShell Session Creation and Use
- T1105 Windows - BITSAdmin BITS Download
- T1021.006 Remote Code Execution with PS Credentials Using Invoke-Command
pipe_created_hktl_cobaltstrike.yml
- T1559 Cobalt Strike SSH (postex_ssh) pipe
- T1559 Cobalt Strike Artifact Kit pipe
- T1559 Cobalt Strike post-exploitation pipe (4.2 and later)
- T1559 Cobalt Strike Lateral Movement (psexec_psh) pipe
pipe_created_hktl_efspotato.yml
- T1134.001 Bad Potato
pipe_created_sysinternals_psexec_default_pipe.yml
- T1021.002 Copy and Execute File with PsExec
- T1569.002 Use PsExec to execute a command on a remote host
- T1207 DCShadow (Active Directory)
posh_pm_alternate_powershell_hosts.yml
- T1218.008 Odbcconf.exe - Load Response File
- T1036.003 Masquerading - powershell.exe running as taskhostw.exe
- T1552.001 WinPwn - passhunt
- T1204.002 Office Generic Payload Download
- T1204.002 Office Generic Payload Download
- T1055.012 RunPE via VBA
- T1021.006 Remote Code Execution with PS Credentials Using Invoke-Command
posh_pm_bad_opsec_artifacts.yml
- T1558.003 WinPwn - Kerberoasting
- T1082 WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors
- T1033 Find computers where user has session - Stealth mode (PowerView)
- T1552.001 WinPwn - SessionGopher
- T1558.003 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1082 WinPwn - itm4nprivesc
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1055.001 WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique
- T1046 WinPwn - bluekeep
- T1558.004 Get-DomainUser with PowerView
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1187 WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS
- T1120 WinPwn - printercheck
- T1134.001 Named pipe client impersonation
- T1558.004 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1087.002 WinPwn - generaldomaininfo
- T1134.002 WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique
- T1562.002 Kill Event Log Service Threads
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1046 WinPwn - fruit
- T1552.001 WinPwn - sensitivefiles
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1555.003 WinPwn - PowerSharpPack - Sharpweb for Browser Credentials
- T1082 WinPwn - GeneralRecon
- T1555.004 WinPwn - Loot local Credentials - Invoke-WCMDump
- T1548.002 WinPwn - UAC Bypass DccwBypassUAC technique
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1046 WinPwn - spoolvulnscan
- T1553.004 Add Root Certificate to CurrentUser Certificate Store
- T1558.003 Rubeus kerberoast
- T1558.003 Rubeus kerberoast
- T1550.002 Invoke-WMIExec Pass the Hash
- T1552.004 CertUtil ExportPFX
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1106 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
- T1082 WinPwn - PowerSharpPack - Seatbelt
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique
- T1553.005 Execute LNK file from ISO
- T1558.003 Request for service tickets
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1082 WinPwn - PowerSharpPack - Watson searching for missing windows patches
- T1548.002 WinPwn - UAC Magic
- T1615 Get-DomainGPO to display group policy information via PowerView
- T1134.001 SeDebugPrivilege token duplication
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
posh_pm_clear_powershell_history.yml
- T1070.003 Prevent Powershell History Logging
- T1070.003 Set Custom AddToHistoryHandler to Avoid History File Logging
posh_pm_exploit_scripts.yml
- T1095 Powercat C2
posh_pm_get_clipboard.yml
- T1115 Execute Commands from Clipboard using PowerShell
posh_pm_malicious_commandlets.yml
- T1033 System Discovery - SocGholish whoami
posh_pm_remotefxvgpudisablement_abuse.yml
- T1218 Invoke-ATHRemoteFXvGPUDisablementCommand base test
posh_pm_susp_ad_group_reco.yml
- T1069.002 Enumerate Active Directory Groups with Get-AdGroup
- T1069.002 Enumerate Users Not Requiring Pre Auth (ASRepRoast)
- T1069.002 Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)
- T1069.002 Permission Groups Discovery PowerShell (Domain)
posh_pm_susp_download.yml
- T1095 ICMP C2
- T1105 Windows - PowerShell Download
- T1071.004 DNS C2
- T1095 Powercat C2
posh_pm_susp_get_nettcpconnection.yml
- T1003 Dump svchost.exe to gather RDP credentials
- T1049 System Network Connections Discovery with PowerShell
posh_pm_susp_invocation_specific.yml
- T1558.003 WinPwn - Kerberoasting
- T1082 WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors
- T1552.001 WinPwn - SessionGopher
- T1558.003 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1082 WinPwn - itm4nprivesc
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1055.001 WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique
- T1046 WinPwn - bluekeep
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1187 WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS
- T1120 WinPwn - printercheck
- T1558.004 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1087.002 WinPwn - generaldomaininfo
- T1134.002 WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1003.001 Powershell Mimikatz
- T1046 WinPwn - fruit
- T1095 ICMP C2
- T1071.004 DNS C2
- T1552.001 WinPwn - sensitivefiles
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1003.001 Dump LSASS.exe Memory using Out-Minidump.ps1
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1555.003 WinPwn - PowerSharpPack - Sharpweb for Browser Credentials
- T1082 WinPwn - GeneralRecon
- T1555.004 WinPwn - Loot local Credentials - Invoke-WCMDump
- T1548.002 WinPwn - UAC Bypass DccwBypassUAC technique
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1046 WinPwn - spoolvulnscan
- T1059.001 Run Bloodhound from Memory using Download Cradle
- T1547.001 PowerShell Registry RunOnce
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1106 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
- T1082 WinPwn - PowerSharpPack - Seatbelt
- T1059.001 Mimikatz
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1059.001 Invoke-AppPathBypass
- T1095 Powercat C2
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1082 WinPwn - PowerSharpPack - Watson searching for missing windows patches
- T1548.002 WinPwn - UAC Magic
- T1615 Get-DomainGPO to display group policy information via PowerView
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
posh_pm_susp_local_group_reco.yml
- T1558.003 WinPwn - Kerberoasting
- T1552.001 WinPwn - SessionGopher
- T1082 WinPwn - itm4nprivesc
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1046 WinPwn - bluekeep
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1120 WinPwn - printercheck
- T1087.001 Enumerate all accounts via PowerShell (Local)
- T1087.002 WinPwn - generaldomaininfo
- T1098 Password Change on Directory Service Restore Mode (DSRM) Account
- T1098 Domain Account and Group Manipulate
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1046 WinPwn - fruit
- T1552.001 WinPwn - sensitivefiles
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1082 WinPwn - GeneralRecon
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1046 WinPwn - spoolvulnscan
- T1218.005 Mshta executes VBScript to execute malicious command
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1087.002 Enumerate Linked Policies In ADSISearcher Discovery
- T1098 Admin Account Manipulate
- T1069.001 WMIObject Group Discovery
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1087.002 Enumerate all accounts via PowerShell (Domain)
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1548.002 WinPwn - UAC Magic
- T1069.001 Permission Groups Discovery PowerShell (Local)
- T1087.002 Enumerate Root Domain linked policies Discovery
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
posh_pm_susp_smb_share_reco.yml
- T1135 Network Share Discovery PowerShell
- T1135 WinPwn - shareenumeration
- T1070.005 Remove Network Share PowerShell
posh_pm_susp_zip_compress.yml
- T1074.001 Zip a Folder with PowerShell for Staging in Temp
- T1555.003 Stage Popular Credential Files for Exfiltration
posh_ps_access_to_browser_login_data.yml
- T1555.003 Simulating access to Opera Login Data
- T1555.003 Simulating access to Windows Edge Login Data
- T1555.003 BrowserStealer (Chrome / Firefox / Microsoft Edge)
- T1555.003 Stage Popular Credential Files for Exfiltration
- T1555.003 Simulating access to Windows Firefox Login Data
- T1555.003 Simulating access to Chrome Login Data
posh_ps_adrecon_execution.yml
- T1087.002 Automated AD Recon (ADRecon)
posh_ps_as_rep_roasting.yml
- T1069.002 Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)
posh_ps_automated_collection.yml
- T1558.003 WinPwn - Kerberoasting
- T1552.001 WinPwn - SessionGopher
- T1082 WinPwn - itm4nprivesc
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1046 WinPwn - bluekeep
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1120 WinPwn - printercheck
- T1087.002 WinPwn - generaldomaininfo
- T1119 Automated Collection PowerShell
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1046 WinPwn - fruit
- T1552.001 WinPwn - sensitivefiles
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1082 WinPwn - GeneralRecon
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1046 WinPwn - spoolvulnscan
- T1059.001 PowerUp Invoke-AllChecks
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1548.002 WinPwn - UAC Magic
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
posh_ps_capture_screenshots.yml
- T1113 Windows Screen Capture (CopyFromScreen)
posh_ps_clearing_windows_console_history.yml
- T1082 WinPwn - itm4nprivesc
- T1070.003 Clear Powershell History by Deleting History File
posh_ps_cmdlet_scheduled_task.yml
- T1053.005 Powershell Cmdlet Scheduled Task
- T1053.005 Import XML Schedule Task with Hidden Attribute
- T1053.005 WMI Invoke-CimMethod Scheduled Task
- T1053.005 PowerShell Modify A Scheduled Task
posh_ps_compress_archive_usage.yml
- T1560 Compress Data for Exfiltration With PowerShell
posh_ps_copy_item_system_directory.yml
- T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
- T1547.001 Change Startup Folder - HKCU Modify User Shell Folders Startup Value
- T1218.005 Invoke HTML Application - JScript Engine with Inline Protocol Handler
- T1547.001 Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value
- T1134.004 Parent PID Spoofing - Spawn from Specified Process
- T1134.004 Parent PID Spoofing - Spawn from New Process
- T1218.005 Invoke HTML Application - Direct download from URI
- T1218.005 Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler
- T1218.005 Invoke HTML Application - Simulate Lateral Movement over UNC Path
- T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
- T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations
- T1134.004 Parent PID Spoofing - Spawn from Current Process
- T1134.004 Parent PID Spoofing - Spawn from svchost.exe
- T1218 Invoke-ATHRemoteFXvGPUDisablementCommand base test
- T1556.002 Install and Register Password Filter DLL
- T1218.005 Invoke HTML Application - Jscript Engine Simulating Double Click
- T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
- T1218.005 Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
posh_ps_cor_profiler.yml
- T1574.012 Registry-free process scope COR_PROFILER
posh_ps_create_local_user.yml
- T1136.001 Create a new user in PowerShell
- T1564 Create an “Administrator “ user (with a space on the end)
posh_ps_create_volume_shadow_copy.yml
- T1003.003 Create Volume Shadow Copy with Powershell
posh_ps_detect_vm_env.yml
- T1558.002 Crafting Active Directory silver tickets with mimikatz
- T1558.003 WinPwn - Kerberoasting
- T1552.001 WinPwn - SessionGopher
- T1082 WinPwn - itm4nprivesc
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1046 WinPwn - bluekeep
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1120 WinPwn - printercheck
- T1087.002 WinPwn - generaldomaininfo
- T1497.001 Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1046 WinPwn - fruit
- T1552.001 WinPwn - sensitivefiles
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1082 WinPwn - GeneralRecon
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1046 WinPwn - spoolvulnscan
- T1497.001 Detect Virtualization Environment (Windows)
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1548.002 WinPwn - UAC Magic
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
posh_ps_directorysearcher.yml
- T1018 Enumerate domain computers within Active Directory using DirectorySearcher
posh_ps_directoryservices_accountmanagement.yml
- T1033 Find computers where user has session - Stealth mode (PowerView)
- T1069.002 Get-DomainGroupMember with PowerView
- T1046 WinPwn - bluekeep
- T1558.004 Get-DomainUser with PowerView
- T1135 WinPwn - shareenumeration
- T1136.002 Create a new Domain Account using PowerShell
- T1087.002 WinPwn - generaldomaininfo
- T1201 Get-DomainPolicy with PowerView
- T1069.002 Get-DomainGroup with PowerView
- T1087.002 Get-DomainUser with PowerView
- T1046 WinPwn - spoolvulnscan
- T1046 WinPwn - MS17-10
posh_ps_disable_windows_optional_feature.yml
- T1562.001 Disable Windows Defender with PwSh Disable-WindowsOptionalFeature
posh_ps_dump_password_windows_credential_manager.yml
- T1558.003 WinPwn - Kerberoasting
- T1552.001 WinPwn - SessionGopher
- T1082 WinPwn - itm4nprivesc
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1046 WinPwn - bluekeep
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1120 WinPwn - printercheck
- T1555 Dump credentials from Windows Credential Manager With PowerShell [web Credentials]
- T1087.002 WinPwn - generaldomaininfo
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1046 WinPwn - fruit
- T1552.001 WinPwn - sensitivefiles
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1082 WinPwn - GeneralRecon
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1046 WinPwn - spoolvulnscan
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1548.002 WinPwn - UAC Magic
- T1555 Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
posh_ps_enable_psremoting.yml
- T1021.006 Enable Windows Remote Management
posh_ps_enumerate_password_windows_credential_manager.yml
- T1555 Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]
- T1555 Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]
posh_ps_export_certificate.yml
- T1552.004 Export Root Certificate with Export-PFXCertificate
- T1552.004 Export Root Certificate with Export-Certificate
- T1552.004 ADFS token signing and encryption certificates theft - Local
posh_ps_get_acl_service.yml
- T1574.011 Service Registry Permissions Weakness
posh_ps_get_adcomputer.yml
- T1018 Enumerate Active Directory Computers with Get-AdComputer
posh_ps_get_adgroup.yml
- T1069.002 Enumerate Active Directory Groups with Get-AdGroup
posh_ps_get_adreplaccount.yml
- T1003.006 Run DSInternals Get-ADReplAccount
posh_ps_get_childitem_bookmarks.yml
- T1217 List Google Chrome / Opera Bookmarks on Windows with powershell
posh_ps_get_process_security_software_discovery.yml
- T1082 WinPwn - itm4nprivesc
- T1518.001 Security Software Discovery - powershell
posh_ps_icmp_exfiltration.yml
- T1095 ICMP C2
- T1048.003 Exfiltration Over Alternative Protocol - ICMP
posh_ps_invoke_command_remote.yml
- T1069.002 Get-DomainGroupMember with PowerView
- T1046 WinPwn - bluekeep
- T1558.004 Get-DomainUser with PowerView
- T1087.002 WinPwn - generaldomaininfo
- T1201 Get-DomainPolicy with PowerView
- T1562.002 Kill Event Log Service Threads
- T1046 WinPwn - fruit
- T1069.002 Get-DomainGroup with PowerView
- T1087.002 Get-DomainUser with PowerView
- T1046 WinPwn - spoolvulnscan
- T1562.001 WinPwn - Kill the event log services for stealth
- T1021.006 Remote Code Execution with PS Credentials Using Invoke-Command
- T1046 WinPwn - MS17-10
posh_ps_invoke_dnsexfiltration.yml
- T1048 DNSExfiltration (doh)
posh_ps_keylogging.yml
- T1059.001 PowerShell Invoke Known Malicious Cmdlets
- T1056.001 Input Capture
posh_ps_localuser.yml
- T1558.003 WinPwn - Kerberoasting
- T1552.001 WinPwn - SessionGopher
- T1082 WinPwn - itm4nprivesc
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1046 WinPwn - bluekeep
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1120 WinPwn - printercheck
- T1087.002 WinPwn - generaldomaininfo
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1046 WinPwn - fruit
- T1552.001 WinPwn - sensitivefiles
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1082 WinPwn - GeneralRecon
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1046 WinPwn - spoolvulnscan
- T1218.005 Mshta executes VBScript to execute malicious command
- T1552.004 ADFS token signing and encryption certificates theft - Remote
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1564 Create an “Administrator “ user (with a space on the end)
- T1552.004 ADFS token signing and encryption certificates theft - Local
- T1098 Admin Account Manipulate
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1548.002 WinPwn - UAC Magic
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
posh_ps_malicious_commandlets.yml
- T1558.003 WinPwn - Kerberoasting
- T1082 WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors
- T1033 Find computers where user has session - Stealth mode (PowerView)
- T1552.001 WinPwn - SessionGopher
- T1558.003 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1082 WinPwn - itm4nprivesc
- T1069.002 Get-DomainGroupMember with PowerView
- T1135 PowerView ShareFinder
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1055.001 WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique
- T1046 WinPwn - bluekeep
- T1558.004 Get-DomainUser with PowerView
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1059.001 Mimikatz - Cradlecraft PsSendKeys
- T1557.001 LLMNR Poisoning with Inveigh (PowerShell)
- T1059.001 PowerShell Invoke Known Malicious Cmdlets
- T1187 WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS
- T1120 WinPwn - printercheck
- T1134.001 Named pipe client impersonation
- T1558.004 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1087.002 WinPwn - generaldomaininfo
- T1201 Get-DomainPolicy with PowerView
- T1134.002 WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique
- T1562.002 Kill Event Log Service Threads
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1003.002 PowerDump Hashes and Usernames from Registry
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1003.001 Powershell Mimikatz
- T1046 WinPwn - fruit
- T1552.001 WinPwn - sensitivefiles
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1003.001 Dump LSASS.exe Memory using Out-Minidump.ps1
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1555.003 WinPwn - PowerSharpPack - Sharpweb for Browser Credentials
- T1082 WinPwn - GeneralRecon
- T1069.002 Get-DomainGroup with PowerView
- T1087.002 Get-DomainUser with PowerView
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1046 WinPwn - spoolvulnscan
- T1059.001 PowerUp Invoke-AllChecks
- T1552.004 ADFS token signing and encryption certificates theft - Remote
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1106 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
- T1082 WinPwn - PowerSharpPack - Seatbelt
- T1552.004 ADFS token signing and encryption certificates theft - Local
- T1059.001 Mimikatz
- T1003.006 Run DSInternals Get-ADReplAccount
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique
- T1558.003 Request for service tickets
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1552.006 GPP Passwords (Get-GPPPassword)
- T1082 WinPwn - PowerSharpPack - Watson searching for missing windows patches
- T1548.002 WinPwn - UAC Magic
- T1615 Get-DomainGPO to display group policy information via PowerView
- T1134.001 SeDebugPrivilege token duplication
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
posh_ps_malicious_keywords.yml
- T1558.002 Crafting Active Directory silver tickets with mimikatz
- T1558.003 WinPwn - Kerberoasting
- T1033 Find computers where user has session - Stealth mode (PowerView)
- T1552.001 WinPwn - SessionGopher
- T1069.002 Find local admins on all machines in domain (PowerView)
- T1082 WinPwn - itm4nprivesc
- T1069.002 Get-DomainGroupMember with PowerView
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1046 WinPwn - bluekeep
- T1558.001 Crafting Active Directory golden tickets with mimikatz
- T1558.004 Get-DomainUser with PowerView
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1059.001 Mimikatz - Cradlecraft PsSendKeys
- T1557.001 LLMNR Poisoning with Inveigh (PowerShell)
- T1059.001 PowerShell Invoke Known Malicious Cmdlets
- T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
- T1120 WinPwn - printercheck
- T1069.002 Find machines where user has local admin access (PowerView)
- T1134.001 Named pipe client impersonation
- T1069.002 Find Local Admins via Group Policy (PowerView)
- T1087.002 WinPwn - generaldomaininfo
- T1201 Get-DomainPolicy with PowerView
- T1134.002 WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique
- T1218.005 Invoke HTML Application - JScript Engine with Inline Protocol Handler
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1003.002 PowerDump Hashes and Usernames from Registry
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1482 Get-ForestTrust with PowerView
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1003.001 Powershell Mimikatz
- T1046 WinPwn - fruit
- T1134.004 Parent PID Spoofing - Spawn from Specified Process
- T1552.001 WinPwn - sensitivefiles
- T1134.004 Parent PID Spoofing - Spawn from New Process
- T1218.005 Invoke HTML Application - Direct download from URI
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1003.001 Dump LSASS.exe Memory using Out-Minidump.ps1
- T1218.005 Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1135 Share Discovery with PowerView
- T1615 WinPwn - GPORemoteAccessPolicy
- T1082 WinPwn - GeneralRecon
- T1548.002 WinPwn - UAC Bypass DccwBypassUAC technique
- T1207 DCShadow (Active Directory)
- T1069.002 Get-DomainGroup with PowerView
- T1087.002 Get-DomainUser with PowerView
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1218.005 Invoke HTML Application - Simulate Lateral Movement over UNC Path
- T1046 WinPwn - spoolvulnscan
- T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
- T1059.001 PowerUp Invoke-AllChecks
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1552.004 ADFS token signing and encryption certificates theft - Local
- T1059.001 Mimikatz
- T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations
- T1134.004 Parent PID Spoofing - Spawn from Current Process
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
- T1134.004 Parent PID Spoofing - Spawn from svchost.exe
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1218 Invoke-ATHRemoteFXvGPUDisablementCommand base test
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1482 Get-DomainTrust with PowerView
- T1548.002 WinPwn - UAC Magic
- T1218.005 Invoke HTML Application - Jscript Engine Simulating Double Click
- T1055.012 Process Hollowing using PowerShell
- T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
- T1134.001 SeDebugPrivilege token duplication
- T1082 WinPwn - RBCD-Check
- T1218.005 Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
posh_ps_modify_group_policy_settings.yml
- T1484.001 LockBit Black - Modify Group policy settings -Powershell
posh_ps_msxml_com.yml
- T1059.001 Powershell MsXml COM object - with prompt
posh_ps_nishang_malicious_commandlets.yml
- T1558.003 WinPwn - Kerberoasting
- T1552.001 WinPwn - SessionGopher
- T1082 WinPwn - itm4nprivesc
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1046 WinPwn - bluekeep
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1120 WinPwn - printercheck
- T1087.002 WinPwn - generaldomaininfo
- T1056.001 Input Capture
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1003.001 Powershell Mimikatz
- T1046 WinPwn - fruit
- T1095 ICMP C2
- T1552.001 WinPwn - sensitivefiles
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1082 WinPwn - GeneralRecon
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1046 WinPwn - spoolvulnscan
- T1552.004 ADFS token signing and encryption certificates theft - Remote
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1552.004 ADFS token signing and encryption certificates theft - Local
- T1059.001 Mimikatz
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1548.002 WinPwn - UAC Magic
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
posh_ps_ntfs_ads_access.yml
- T1564.004 Create ADS PowerShell
- T1059.001 NTFS Alternate Data Stream Access
posh_ps_office_comobject_registerxll.yml
- T1137.006 Code Executed Via Excel Add-in File (XLL)
posh_ps_powerview_malicious_commandlets.yml
- T1558.003 WinPwn - Kerberoasting
- T1110.003 Password Spray (DomainPasswordSpray)
- T1033 Find computers where user has session - Stealth mode (PowerView)
- T1552.001 WinPwn - SessionGopher
- T1082 WinPwn - itm4nprivesc
- T1069.002 Get-DomainGroupMember with PowerView
- T1135 PowerView ShareFinder
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1046 WinPwn - bluekeep
- T1558.004 Get-DomainUser with PowerView
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1120 WinPwn - printercheck
- T1087.002 WinPwn - generaldomaininfo
- T1201 Get-DomainPolicy with PowerView
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1046 WinPwn - fruit
- T1552.001 WinPwn - sensitivefiles
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1087.002 Enumerate Active Directory for Unconstrained Delegation
- T1615 WinPwn - GPORemoteAccessPolicy
- T1082 WinPwn - GeneralRecon
- T1069.002 Get-DomainGroup with PowerView
- T1087.002 Get-DomainUser with PowerView
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1482 Powershell enumerate domains and forests
- T1046 WinPwn - spoolvulnscan
- T1552.004 ADFS token signing and encryption certificates theft - Remote
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1552.004 ADFS token signing and encryption certificates theft - Local
- T1558.003 Request for service tickets
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1548.002 WinPwn - UAC Magic
- T1615 Get-DomainGPO to display group policy information via PowerView
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
posh_ps_prompt_credentials.yml
- T1056.002 PowerShell - Prompt User for Password
posh_ps_remote_session_creation.yml
- T1059.001 PowerShell Session Creation and Use
posh_ps_remove_item_path.yml
- T1558.002 Crafting Active Directory silver tickets with mimikatz
- T1562.001 AMSI Bypass - Remove AMSI Provider Reg Key
- T1135 WinPwn - shareenumeration
- T1059.001 PowerShell Session Creation and Use
- T1087.002 WinPwn - generaldomaininfo
- T1082 WinPwn - Powersploits privesc checks
- T1555.003 WinPwn - BrowserPwn
- T1204.002 Office Generic Payload Download
- T1070.004 Delete an entire folder - Windows PowerShell
- T1070.004 Delete Prefetch File
- T1070.004 Delete a single file - Windows PowerShell
- T1070.008 Copy and Delete Mailbox Data on Windows
- T1098 Domain Password Policy Check: Short Password
- T1552.004 ADFS token signing and encryption certificates theft - Local
- T1021.006 Enable Windows Remote Management
- T1218 Invoke-ATHRemoteFXvGPUDisablementCommand base test
- T1059.001 Invoke-AppPathBypass
posh_ps_request_kerberos_ticket.yml
- T1033 Find computers where user has session - Stealth mode (PowerView)
- T1069.002 Get-DomainGroupMember with PowerView
- T1046 WinPwn - bluekeep
- T1558.004 Get-DomainUser with PowerView
- T1087.002 WinPwn - generaldomaininfo
- T1201 Get-DomainPolicy with PowerView
- T1069.002 Get-DomainGroup with PowerView
- T1087.002 Get-DomainUser with PowerView
- T1046 WinPwn - spoolvulnscan
- T1558.003 Request A Single Ticket via PowerShell
- T1046 WinPwn - MS17-10
posh_ps_root_certificate_installed.yml
- T1553.004 Install root CA on Windows
posh_ps_run_from_mount_diskimage.yml
- T1553.005 Mount an ISO image and run executable from the ISO
posh_ps_script_with_upload_capabilities.yml
- T1041 C2 Data Exfiltration
- T1048.003 Exfiltration Over Alternative Protocol - HTTP
- T1552.004 ADFS token signing and encryption certificates theft - Local
- T1027 DLP Evasion via Sensitive Data in VBA Macro over HTTP
- T1020 IcedID Botnet HTTP PUT
- T1132.001 XOR Encoded data.
posh_ps_send_mailmessage.yml
- T1048.003 Exfiltration Over Alternative Protocol - SMTP
- T1027 DLP Evasion via Sensitive Data in VBA Macro over email
- T1552.004 ADFS token signing and encryption certificates theft - Local
posh_ps_set_policies_to_unsecure_level.yml
- T1003.002 PowerDump Hashes and Usernames from Registry
- T1134.002 Access Token Manipulation
- T1112 Change Powershell Execution Policy to Bypass
posh_ps_shellintel_malicious_commandlets.yml
- T1059.001 PowerShell Invoke Known Malicious Cmdlets
- T1003.001 Dump LSASS.exe Memory using Out-Minidump.ps1
posh_ps_software_discovery.yml
- T1552.001 WinPwn - SessionGopher
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1518 WinPwn - powerSQL
- T1518 Applications Installed
- T1087.002 WinPwn - generaldomaininfo
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1082 WinPwn - General privesc checks
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1082 WinPwn - GeneralRecon
- T1046 WinPwn - spoolvulnscan
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1548.002 WinPwn - UAC Magic
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - powershellsensitive
posh_ps_store_file_in_alternate_data_stream.yml
- T1564.004 Store file in Alternate Data Stream (ADS)
posh_ps_susp_ad_group_reco.yml
- T1069.002 Enumerate Users Not Requiring Pre Auth (ASRepRoast)
- T1069.002 Permission Groups Discovery PowerShell (Domain)
posh_ps_susp_directory_enum.yml
- T1518 WinPwn - powerSQL
- T1592.002 Enumerate COM Objects in Registry with Powershell
- T1083 Simulating MAZE Directory Enumeration
- T1082 WinPwn - Powersploits privesc checks
posh_ps_susp_download.yml
- T1558.003 WinPwn - Kerberoasting
- T1552.001 WinPwn - SessionGopher
- T1082 WinPwn - itm4nprivesc
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1046 WinPwn - bluekeep
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1120 WinPwn - printercheck
- T1087.002 WinPwn - generaldomaininfo
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1046 WinPwn - fruit
- T1095 ICMP C2
- T1105 Windows - PowerShell Download
- T1071.004 DNS C2
- T1552.001 WinPwn - sensitivefiles
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1082 WinPwn - GeneralRecon
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1046 WinPwn - spoolvulnscan
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1095 Powercat C2
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1548.002 WinPwn - UAC Magic
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
posh_ps_susp_execute_batch_script.yml
- T1059.003 Create and Execute Batch Script
posh_ps_susp_extracting.yml
- T1558.003 WinPwn - Kerberoasting
- T1552.001 WinPwn - SessionGopher
- T1082 WinPwn - itm4nprivesc
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1046 WinPwn - bluekeep
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1120 WinPwn - printercheck
- T1087.002 WinPwn - generaldomaininfo
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1046 WinPwn - fruit
- T1552.001 WinPwn - sensitivefiles
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1082 WinPwn - GeneralRecon
- T1069.002 Get-DomainGroup with PowerView
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1046 WinPwn - spoolvulnscan
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1552.001 Extracting passwords with findstr
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1548.002 WinPwn - UAC Magic
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
- T1201 Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy
posh_ps_susp_get_current_user.yml
- T1558.003 WinPwn - Kerberoasting
- T1552.001 WinPwn - SessionGopher
- T1082 WinPwn - itm4nprivesc
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1046 WinPwn - bluekeep
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1120 WinPwn - printercheck
- T1087.002 WinPwn - generaldomaininfo
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1046 WinPwn - fruit
- T1552.001 WinPwn - sensitivefiles
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1082 WinPwn - GeneralRecon
- T1033 User Discovery With Env Vars PowerShell Script
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1046 WinPwn - spoolvulnscan
- T1070.008 Copy and Delete Mailbox Data on Windows
- T1098 Domain Password Policy Check: Short Password
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1033 GetCurrent User with PowerShell Script
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1548.002 WinPwn - UAC Magic
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
posh_ps_susp_get_gpo.yml
- T1615 MSFT Get-GPO Cmdlet
posh_ps_susp_get_process.yml
- T1558.003 WinPwn - Kerberoasting
- T1552.001 WinPwn - SessionGopher
- T1082 WinPwn - itm4nprivesc
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1046 WinPwn - bluekeep
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1120 WinPwn - printercheck
- T1087.002 WinPwn - generaldomaininfo
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1046 WinPwn - fruit
- T1552.001 WinPwn - sensitivefiles
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1082 WinPwn - GeneralRecon
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1046 WinPwn - spoolvulnscan
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1548.002 WinPwn - UAC Magic
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
posh_ps_susp_getprocess_lsass.yml
- T1558.003 WinPwn - Kerberoasting
- T1552.001 WinPwn - SessionGopher
- T1082 WinPwn - itm4nprivesc
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1046 WinPwn - bluekeep
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1120 WinPwn - printercheck
- T1087.002 WinPwn - generaldomaininfo
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1046 WinPwn - fruit
- T1552.001 WinPwn - sensitivefiles
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1003.001 Dump LSASS.exe Memory using Out-Minidump.ps1
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1134.002 Access Token Manipulation
- T1615 WinPwn - GPORemoteAccessPolicy
- T1082 WinPwn - GeneralRecon
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1046 WinPwn - spoolvulnscan
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1003.001 Dump LSASS.exe Memory using comsvcs.dll
- T1548.002 WinPwn - UAC Magic
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
posh_ps_susp_gettypefromclsid.yml
- T1546.015 Powershell Execute COM Object
- T1553.005 Execute LNK file from ISO
posh_ps_susp_hyper_v_condlet.yml
- T1564.006 Create and start Hyper-V virtual machine
posh_ps_susp_invocation_specific.yml
- T1558.003 WinPwn - Kerberoasting
- T1082 WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors
- T1552.001 WinPwn - SessionGopher
- T1558.003 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1082 WinPwn - itm4nprivesc
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1055.001 WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique
- T1046 WinPwn - bluekeep
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1187 WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS
- T1120 WinPwn - printercheck
- T1558.004 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1087.002 WinPwn - generaldomaininfo
- T1134.002 WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1046 WinPwn - fruit
- T1095 ICMP C2
- T1071.004 DNS C2
- T1552.001 WinPwn - sensitivefiles
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1003.001 Dump LSASS.exe Memory using Out-Minidump.ps1
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1555.003 WinPwn - PowerSharpPack - Sharpweb for Browser Credentials
- T1082 WinPwn - GeneralRecon
- T1555.004 WinPwn - Loot local Credentials - Invoke-WCMDump
- T1548.002 WinPwn - UAC Bypass DccwBypassUAC technique
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1046 WinPwn - spoolvulnscan
- T1059.001 Run Bloodhound from Memory using Download Cradle
- T1547.001 PowerShell Registry RunOnce
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1106 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
- T1082 WinPwn - PowerSharpPack - Seatbelt
- T1059.001 Mimikatz
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1059.001 Invoke-AppPathBypass
- T1095 Powercat C2
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1082 WinPwn - PowerSharpPack - Watson searching for missing windows patches
- T1548.002 WinPwn - UAC Magic
- T1615 Get-DomainGPO to display group policy information via PowerView
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
posh_ps_susp_invoke_webrequest_useragent.yml
- T1071.001 Malicious User Agents - Powershell
posh_ps_susp_iofilestream.yml
- T1006 Read volume boot sector via DOS device path (PowerShell)
posh_ps_susp_keywords.yml
- T1558.003 WinPwn - Kerberoasting
- T1033 Find computers where user has session - Stealth mode (PowerView)
- T1552.001 WinPwn - SessionGopher
- T1558.003 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1082 WinPwn - itm4nprivesc
- T1069.002 Get-DomainGroupMember with PowerView
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1046 WinPwn - bluekeep
- T1558.004 Get-DomainUser with PowerView
- T1518 WinPwn - powerSQL
- T1003 Dump svchost.exe to gather RDP credentials
- T1135 WinPwn - shareenumeration
- T1047 Create a Process using WMI Query and an Encoded Command
- T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
- T1187 WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS
- T1120 WinPwn - printercheck
- T1134.001 Named pipe client impersonation
- T1558.004 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1087.002 WinPwn - generaldomaininfo
- T1201 Get-DomainPolicy with PowerView
- T1134.002 WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique
- T1056.001 Input Capture
- T1048 DNSExfiltration (doh)
- T1218.005 Invoke HTML Application - JScript Engine with Inline Protocol Handler
- T1562.002 Kill Event Log Service Threads
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1546.015 COM hijacking via TreatAs
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1048.003 Exfiltration Over Alternative Protocol - HTTP
- T1003.001 Powershell Mimikatz
- T1046 WinPwn - fruit
- T1134.004 Parent PID Spoofing - Spawn from Specified Process
- T1059.001 Run BloodHound from local disk
- T1071.004 DNS C2
- T1552.001 WinPwn - sensitivefiles
- T1134.004 Parent PID Spoofing - Spawn from New Process
- T1218.005 Invoke HTML Application - Direct download from URI
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1218.005 Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1555.003 WinPwn - PowerSharpPack - Sharpweb for Browser Credentials
- T1082 WinPwn - GeneralRecon
- T1548.002 WinPwn - UAC Bypass DccwBypassUAC technique
- T1003 Dump Credential Manager using keymgr.dll and rundll32.exe
- T1069.002 Get-DomainGroup with PowerView
- T1087.002 Get-DomainUser with PowerView
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1218.005 Invoke HTML Application - Simulate Lateral Movement over UNC Path
- T1046 WinPwn - spoolvulnscan
- T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
- T1059.001 PowerUp Invoke-AllChecks
- T1218.011 Execution of non-dll using rundll32.exe
- T1059.001 Run Bloodhound from Memory using Download Cradle
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1082 WinPwn - PowerSharpPack - Seatbelt
- T1059.001 Mimikatz
- T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations
- T1047 Create a Process using obfuscated Win32_Process
- T1134.004 Parent PID Spoofing - Spawn from Current Process
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1134.004 Parent PID Spoofing - Spawn from svchost.exe
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1218 Invoke-ATHRemoteFXvGPUDisablementCommand base test
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1003.001 Dump LSASS.exe Memory using comsvcs.dll
- T1548.002 WinPwn - UAC Magic
- T1218.005 Invoke HTML Application - Jscript Engine Simulating Double Click
- T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
- T1134.001 SeDebugPrivilege token duplication
- T1082 WinPwn - RBCD-Check
- T1218.005 Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1546.015 COM Hijacking with RunDLL32 (Local Server Switch)
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
posh_ps_susp_local_group_reco.yml
- T1558.003 WinPwn - Kerberoasting
- T1552.001 WinPwn - SessionGopher
- T1082 WinPwn - itm4nprivesc
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1046 WinPwn - bluekeep
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1120 WinPwn - printercheck
- T1087.001 Enumerate all accounts via PowerShell (Local)
- T1087.002 WinPwn - generaldomaininfo
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1046 WinPwn - fruit
- T1552.001 WinPwn - sensitivefiles
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1082 WinPwn - GeneralRecon
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1046 WinPwn - spoolvulnscan
- T1218.005 Mshta executes VBScript to execute malicious command
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1098 Admin Account Manipulate
- T1069.001 WMIObject Group Discovery
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1087.002 Enumerate all accounts via PowerShell (Domain)
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1548.002 WinPwn - UAC Magic
- T1069.001 Permission Groups Discovery PowerShell (Local)
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
posh_ps_susp_mail_acces.yml
- T1114.001 Email Collection with PowerShell Get-Inbox
posh_ps_susp_mount_diskimage.yml
- T1204.003 Malicious Execution from Mounted ISO Image
- T1553.005 Execute LNK file from ISO
- T1553.005 Mount an ISO image and run executable from the ISO
- T1553.005 Mount ISO image
posh_ps_susp_mounted_share_deletion.yml
- T1553.005 Execute LNK file from ISO
- T1553.005 Mount an ISO image and run executable from the ISO
- T1553.005 Mount ISO image
- T1070.005 Remove Network Share PowerShell
posh_ps_susp_networkcredential.yml
- T1557.001 LLMNR Poisoning with Inveigh (PowerShell)
- T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
- T1110.003 Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)
- T1048.003 MAZE FTP Upload
- T1218.005 Invoke HTML Application - JScript Engine with Inline Protocol Handler
- T1134.004 Parent PID Spoofing - Spawn from Specified Process
- T1134.004 Parent PID Spoofing - Spawn from New Process
- T1218.005 Invoke HTML Application - Direct download from URI
- T1110.001 Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)
- T1218.005 Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler
- T1218.005 Invoke HTML Application - Simulate Lateral Movement over UNC Path
- T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
- T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations
- T1134.004 Parent PID Spoofing - Spawn from Current Process
- T1134.004 Parent PID Spoofing - Spawn from svchost.exe
- T1218 Invoke-ATHRemoteFXvGPUDisablementCommand base test
- T1218.005 Invoke HTML Application - Jscript Engine Simulating Double Click
- T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
- T1218.005 Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
posh_ps_susp_new_psdrive.yml
- T1135 WinPwn - shareenumeration
- T1087.002 WinPwn - generaldomaininfo
- T1021.002 Map Admin Share PowerShell
- T1552.001 WinPwn - sensitivefiles
posh_ps_susp_recon_export.yml
- T1555.003 Decrypt Mozilla Passwords with Firepwd.py
- T1592.002 Enumerate COM Objects in Registry with Powershell
- T1119 Recon information for export with PowerShell
posh_ps_susp_remove_adgroupmember.yml
- T1531 Remove Account From Domain Admin Group
posh_ps_susp_set_alias.yml
- T1552.004 CertUtil ExportPFX
- T1546 WMI Invoke-CimMethod Start Process
posh_ps_susp_smb_share_reco.yml
- T1135 Network Share Discovery PowerShell
- T1070.005 Remove Network Share PowerShell
posh_ps_susp_start_process.yml
- T1036.003 Masquerading - windows exe running as different windows exe
- T1036.003 Masquerading - non-windows exe running as windows exe
- T1218 Invoke-ATHRemoteFXvGPUDisablementCommand base test
posh_ps_susp_unblock_file.yml
- T1553.005 Remove the Zone.Identifier alternate data stream
- T1003.006 Run DSInternals Get-ADReplAccount
posh_ps_susp_wallpaper.yml
- T1491.001 Replace Desktop Wallpaper
posh_ps_susp_win32_pnpentity.yml
- T1120 Win32_PnPEntity Hardware Inventory
- T1592.001 Enumerate PlugNPlay Camera
posh_ps_susp_win32_shadowcopy.yml
- T1489 Windows - Stop service by killing process
- T1490 Windows - Delete Volume Shadow Copies via WMI with PowerShell
posh_ps_susp_windowstyle.yml
- T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
- T1218.001 Invoke CHM Simulate Double click
- T1218.005 Invoke HTML Application - JScript Engine with Inline Protocol Handler
- T1218.001 Invoke CHM with InfoTech Storage Protocol Handler
- T1134.004 Parent PID Spoofing - Spawn from Specified Process
- T1564.003 Hidden Window
- T1134.004 Parent PID Spoofing - Spawn from New Process
- T1218.005 Invoke HTML Application - Direct download from URI
- T1218.005 Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler
- T1218.005 Invoke HTML Application - Simulate Lateral Movement over UNC Path
- T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
- T1552.004 ADFS token signing and encryption certificates theft - Local
- T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations
- T1218.001 Invoke CHM with default Shortcut Command Execution
- T1547.001 SystemBC Malware-as-a-Service Registry
- T1134.004 Parent PID Spoofing - Spawn from Current Process
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
- T1134.004 Parent PID Spoofing - Spawn from svchost.exe
- T1218.001 Invoke CHM with Script Engine and Help Topic
- T1218 Invoke-ATHRemoteFXvGPUDisablementCommand base test
- T1218.005 Invoke HTML Application - Jscript Engine Simulating Double Click
- T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
- T1218.001 Invoke CHM Shortcut Command with ITS and Help Topic
- T1218.005 Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
posh_ps_susp_zip_compress.yml
- T1074.001 Zip a Folder with PowerShell for Staging in Temp
- T1555.003 Stage Popular Credential Files for Exfiltration
posh_ps_tamper_windows_defender_set_mp.yml
- T1562.001 Tamper with Windows Defender ATP PowerShell
- T1562.001 Tamper with Windows Defender ATP using Aliases - PowerShell
posh_ps_test_netconnection.yml
- T1573 OpenSSL C2
- T1571 Testing usage of uncommonly used port with PowerShell
posh_ps_timestomp.yml
- T1558.003 WinPwn - Kerberoasting
- T1552.001 WinPwn - SessionGopher
- T1082 WinPwn - itm4nprivesc
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1046 WinPwn - bluekeep
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1120 WinPwn - printercheck
- T1087.002 WinPwn - generaldomaininfo
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1070.006 Windows - Modify file creation timestamp with PowerShell
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1046 WinPwn - fruit
- T1070.006 Windows - Timestomp a File
- T1552.001 WinPwn - sensitivefiles
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1082 WinPwn - GeneralRecon
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1046 WinPwn - spoolvulnscan
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1070.006 Windows - Modify file last modified timestamp with PowerShell
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1070.006 Windows - Modify file last access timestamp with PowerShell
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1548.002 WinPwn - UAC Magic
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
posh_ps_user_profile_tampering.yml
- T1546.013 Append malicious start-process cmdlet
posh_ps_web_request_cmd_and_cmdlets.yml
- T1558.003 WinPwn - Kerberoasting
- T1082 WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors
- T1105 File Download via PowerShell
- T1204.002 LNK Payload Download
- T1033 Find computers where user has session - Stealth mode (PowerView)
- T1552.001 WinPwn - SessionGopher
- T1218.005 Mshta Executes Remote HTML Application (HTA)
- T1558.003 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1082 WinPwn - itm4nprivesc
- T1069.002 Get-DomainGroupMember with PowerView
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1055.001 WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique
- T1046 WinPwn - bluekeep
- T1558.004 Get-DomainUser with PowerView
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1041 C2 Data Exfiltration
- T1557.001 LLMNR Poisoning with Inveigh (PowerShell)
- T1071.001 Malicious User Agents - Powershell
- T1219 TeamViewer Files Detected Test on Windows
- T1187 WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS
- T1120 WinPwn - printercheck
- T1558.004 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1087.002 WinPwn - generaldomaininfo
- T1572 DNS over HTTPS Long Domain Query
- T1201 Get-DomainPolicy with PowerView
- T1134.002 WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique
- T1048.003 MAZE FTP Upload
- T1204.002 Potentially Unwanted Applications (PUA)
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1003.002 PowerDump Hashes and Usernames from Registry
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1204.002 Office Generic Payload Download
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1048.003 Exfiltration Over Alternative Protocol - HTTP
- T1046 WinPwn - fruit
- T1095 ICMP C2
- T1105 Windows - PowerShell Download
- T1071.004 DNS C2
- T1552.001 WinPwn - sensitivefiles
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1555.003 WinPwn - PowerSharpPack - Sharpweb for Browser Credentials
- T1082 WinPwn - GeneralRecon
- T1555.004 WinPwn - Loot local Credentials - Invoke-WCMDump
- T1548.002 WinPwn - UAC Bypass DccwBypassUAC technique
- T1069.002 Get-DomainGroup with PowerView
- T1087.002 Get-DomainUser with PowerView
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1046 WinPwn - spoolvulnscan
- T1553.004 Add Root Certificate to CurrentUser Certificate Store
- T1059.001 PowerUp Invoke-AllChecks
- T1059.001 Run Bloodhound from Memory using Download Cradle
- T1550.002 Invoke-WMIExec Pass the Hash
- T1552.004 CertUtil ExportPFX
- T1552.004 ADFS token signing and encryption certificates theft - Remote
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1105 iwr or Invoke Web-Request download
- T1106 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
- T1082 WinPwn - PowerSharpPack - Seatbelt
- T1552.004 ADFS token signing and encryption certificates theft - Local
- T1059.001 Mimikatz
- T1566.001 Download Macro-Enabled Phishing Attachment
- T1027 DLP Evasion via Sensitive Data in VBA Macro over HTTP
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1491.001 Replace Desktop Wallpaper
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1020 IcedID Botnet HTTP PUT
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1059.001 Invoke-AppPathBypass
- T1095 Powercat C2
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1082 WinPwn - PowerSharpPack - Watson searching for missing windows patches
- T1548.002 WinPwn - UAC Magic
- T1615 Get-DomainGPO to display group policy information via PowerView
- T1572 DNS over HTTPS Large Query Volume
- T1132.001 XOR Encoded data.
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1197 Bitsadmin Download (PowerShell)
- T1074.001 Stage data from Discovery.bat
- T1552.001 WinPwn - powershellsensitive
posh_ps_win32_product_install_msi.yml
- T1218.007 WMI Win32_Product Class - Execute Local MSI file with embedded JScript
- T1218.007 WMI Win32_Product Class - Execute Local MSI file with embedded VBScript
- T1218.007 WMI Win32_Product Class - Execute Local MSI file with an embedded EXE
- T1218.007 WMI Win32_Product Class - Execute Local MSI file with an embedded DLL
posh_ps_win_api_susp_access.yml
- T1558.003 WinPwn - Kerberoasting
- T1033 Find computers where user has session - Stealth mode (PowerView)
- T1552.001 WinPwn - SessionGopher
- T1069.002 Find local admins on all machines in domain (PowerView)
- T1082 WinPwn - itm4nprivesc
- T1069.002 Get-DomainGroupMember with PowerView
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1055.001 WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique
- T1046 WinPwn - bluekeep
- T1558.004 Get-DomainUser with PowerView
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1557.001 LLMNR Poisoning with Inveigh (PowerShell)
- T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
- T1120 WinPwn - printercheck
- T1218.004 InstallUtil Uninstall method call - /U variant
- T1069.002 Find machines where user has local admin access (PowerView)
- T1134.001 Named pipe client impersonation
- T1218.004 InstallUtil evasive invocation
- T1069.002 Find Local Admins via Group Policy (PowerView)
- T1087.002 WinPwn - generaldomaininfo
- T1201 Get-DomainPolicy with PowerView
- T1134.002 WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique
- T1218.005 Invoke HTML Application - JScript Engine with Inline Protocol Handler
- T1562.002 Kill Event Log Service Threads
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1003.002 PowerDump Hashes and Usernames from Registry
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1482 Get-ForestTrust with PowerView
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1003.001 Powershell Mimikatz
- T1113 Windows Screencapture
- T1046 WinPwn - fruit
- T1134.004 Parent PID Spoofing - Spawn from Specified Process
- T1552.001 WinPwn - sensitivefiles
- T1134.004 Parent PID Spoofing - Spawn from New Process
- T1218.005 Invoke HTML Application - Direct download from URI
- T1218.004 InstallHelper method call
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1003.001 Dump LSASS.exe Memory using Out-Minidump.ps1
- T1218.005 Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1134.002 Access Token Manipulation
- T1135 Share Discovery with PowerView
- T1615 WinPwn - GPORemoteAccessPolicy
- T1082 WinPwn - GeneralRecon
- T1555.004 WinPwn - Loot local Credentials - Invoke-WCMDump
- T1548.002 WinPwn - UAC Bypass DccwBypassUAC technique
- T1218.004 InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant
- T1069.002 Get-DomainGroup with PowerView
- T1087.002 Get-DomainUser with PowerView
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1218.005 Invoke HTML Application - Simulate Lateral Movement over UNC Path
- T1046 WinPwn - spoolvulnscan
- T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
- T1059.001 PowerUp Invoke-AllChecks
- T1552.004 ADFS token signing and encryption certificates theft - Remote
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1106 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
- T1552.004 ADFS token signing and encryption certificates theft - Local
- T1059.001 Mimikatz
- T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique
- T1558.003 Request for service tickets
- T1134.004 Parent PID Spoofing - Spawn from Current Process
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1134.004 Parent PID Spoofing using PowerShell
- T1491.001 Replace Desktop Wallpaper
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
- T1134.004 Parent PID Spoofing - Spawn from svchost.exe
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1218 Invoke-ATHRemoteFXvGPUDisablementCommand base test
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1218.004 CheckIfInstallable method call
- T1218.004 InstallUtil HelpText method call
- T1482 Get-DomainTrust with PowerView
- T1548.002 WinPwn - UAC Magic
- T1218.005 Invoke HTML Application - Jscript Engine Simulating Double Click
- T1218.004 InstallUtil Install method call
- T1055.012 Process Hollowing using PowerShell
- T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
- T1134.001 SeDebugPrivilege token duplication
- T1218.004 InstallUtil class constructor method call
- T1082 WinPwn - RBCD-Check
- T1218.005 Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
posh_ps_winlogon_helper_dll.yml
- T1547.004 Winlogon HKLM Userinit Key Persistence - PowerShell
- T1547.004 Winlogon Notify Key Logon Persistence - PowerShell
- T1547.001 HKLM - Append Command to Winlogon Userinit KEY Value
- T1547.004 Winlogon Shell Key Persistence - PowerShell
- T1547.004 Winlogon Userinit Key Persistence - PowerShell
- T1547.001 HKLM - Modify default System Shell - Winlogon Shell KEY Value
- T1562.001 Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell
- T1547.004 Winlogon HKLM Shell Key Persistence - PowerShell
posh_ps_wmi_persistence.yml
- T1546.003 Persistence via WMI Event Subscription - CommandLineEventConsumer
posh_ps_xml_iex.yml
- T1059.001 Powershell XML requests
proc_access_win_lsass_dump_comsvcs_dll.yml
- T1003.001 Dump LSASS.exe Memory using comsvcs.dll
proc_access_win_lsass_memdump.yml
- T1003.001 Dump LSASS.exe using imported Microsoft DLLs
- T1003.001 Dump LSASS.exe Memory using Windows Task Manager
- T1003.001 Create Mini Dump of LSASS.exe using ProcDump
- T1003.001 Dump LSASS.exe Memory using direct system calls and API unhooking
- T1003.001 Dump LSASS.exe Memory using ProcDump
- T1003.001 Dump LSASS.exe Memory using comsvcs.dll
proc_access_win_lsass_susp_access_flag.yml
- T1003 Gsecdump
- T1550.002 Mimikatz Pass the Hash
- T1003.001 Dump LSASS.exe Memory using NanoDump
- T1003.001 Create Mini Dump of LSASS.exe using ProcDump
- T1003.001 Dump LSASS.exe Memory using ProcDump
proc_access_win_lsass_susp_source_process.yml
- T1204.002 Excel 4 Macro
- T1555 WinPwn - Loot local Credentials - lazagne
- T1003.001 Dump LSASS.exe using imported Microsoft DLLs
- T1003 Gsecdump
- T1550.002 Mimikatz Pass the Hash
- T1134.001 Launch NSudo Executable
- T1003.001 Dump LSASS.exe Memory using NanoDump
- T1562.001 Disable Defender Using NirSoft AdvancedRun
proc_access_win_lsass_uncommon_access_flag.yml
- T1555 WinPwn - Loot local Credentials - lazagne
- T1555.003 WebBrowserPassView - Credentials from Browser
- T1562.001 Disable Defender Using NirSoft AdvancedRun
proc_access_win_susp_shellcode_injection.yml
- T1082 WinPwn - winPEAS
- T1187 WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1106 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique
- T1055.003 Thread Execution Hijacking
proc_creation_win_7zip_password_compression.yml
- T1560.001 Compress Data and lock with password for Exfiltration with 7zip
proc_creation_win_apt_aptc12_bluemushroom.yml
- T1218.010 Regsvr32 Registering Non DLL
proc_creation_win_apt_unc2452_cmds.yml
- T1218.002 Control Panel Items
proc_creation_win_apt_wocao.yml
- T1036.004 Creating W32Time similar named service using sc
- T1036.004 Creating W32Time similar named service using schtasks
proc_creation_win_at_interactive_execution.yml
- T1053.002 At.exe Scheduled task
proc_creation_win_atbroker_uncommon_ats_execution.yml
- T1546.008 Atbroker.exe (AT) Executes Arbitrary Command via Registry Key
proc_creation_win_attrib_hiding_files.yml
- T1222.001 attrib - hide file
- T1564.001 Create Windows Hidden File with Attrib
proc_creation_win_attrib_system.yml
- T1564.001 Create Windows System File with Attrib
proc_creation_win_auditpol_susp_execution.yml
- T1562.002 Clear Windows Audit Policy Config
- T1562.002 Impair Windows Audit Log Policy
proc_creation_win_bcdedit_boot_conf_tamper.yml
- T1490 Windows - Disable Windows Recovery Console Repair
proc_creation_win_bcdedit_susp_execution.yml
- T1562.009 Safe Mode Boot
proc_creation_win_bitsadmin_download.yml
- T1105 Windows - BITSAdmin BITS Download
- T1197 Bitsadmin Download (cmd)
- T1197 Persist, Download, & Execute
proc_creation_win_bitsadmin_potential_persistence.yml
- T1197 Persist, Download, & Execute
proc_creation_win_browsers_chromium_headless_exec.yml
- T1564.003 Headless Browser Accessing Mockbin
proc_creation_win_browsers_chromium_mockbin_abuse.yml
- T1564.003 Headless Browser Accessing Mockbin
proc_creation_win_browsers_chromium_susp_load_extension.yml
- T1176 Google Chrome Load Unpacked Extension With Command Line
proc_creation_win_browsers_tor_execution.yml
- T1090.003 Tor Proxy Usage - Debian/Ubuntu/FreeBSD
- T1090.003 Tor Proxy Usage - Windows
proc_creation_win_calc_uncommon_exec.yml
- T1216 manage-bde.wsf Signed Script Command Execution
- T1218 LOLBAS Msedge to Spawn Process
- T1036.003 File Extension Masquerading
- T1140 Deobfuscate/Decode Files Or Information
- T1547.005 Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry
- T1202 Indirect Command Execution - pcalua.exe
- T1140 Certutil Rename and Decode
- T1218.011 Rundll32 with desk.cpl
proc_creation_win_certutil_encode.yml
- T1003.002 dump volume shadow copy hives with certutil
proc_creation_win_certutil_export_pfx.yml
- T1552.004 CertUtil ExportPFX
proc_creation_win_chcp_codepage_lookup.yml
- T1614.001 Discover System Language by Registry Query
- T1614.001 Discover System Language with chcp
proc_creation_win_cipher_overwrite_deleted_data.yml
- T1485 Overwrite deleted data on C drive
proc_creation_win_clip_execution.yml
- T1115 Utilize Clipboard to store or execute commands from
proc_creation_win_cmd_assoc_execution.yml
- T1546.001 Change Default File Association
proc_creation_win_cmd_del_execution.yml
- T1070.004 Delete a single file - Windows cmd
- T1070.004 Delete an entire folder - Windows cmd
proc_creation_win_cmd_dir_execution.yml
- T1217 List Internet Explorer Bookmarks using the command prompt
- T1552.004 Private Keys
proc_creation_win_cmd_mklink_osk_cmd.yml
- T1546.008 Create Symbolic Link From osk.exe to cmd.exe
proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml
- T1003.003 Create Symlink to Volume Shadow Copy
proc_creation_win_cmd_redirect.yml
- T1564.004 Create ADS command prompt
- T1059.003 Suspicious Execution via Windows Command Shell
- T1071.001 Malicious User Agents - CMD
- T1105 Lolbas replace.exe use to copy file
- T1059.003 Writes text to a file and displays it.
- T1105 Printer Migration Command-Line Tool UNC share folder into a zip file
- T1105 Lolbas replace.exe use to copy UNC file
- T1105 Download a file with Microsoft Connection Manager Auto-Download
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
proc_creation_win_cmd_shadowcopy_access.yml
- T1003.003 Copy NTDS.dit from Volume Shadow Copy
proc_creation_win_cmd_stdin_redirect.yml
- T1059.003 Command Prompt read contents from CMD file and execute
proc_creation_win_cmdkey_recon.yml
- T1087.001 Enumerate all accounts via PowerShell (Local)
- T1087.001 Enumerate all accounts on Windows (Local)
- T1003.005 Cached Credential Dump via Cmdkey
proc_creation_win_cmdl32_arbitrary_file_download.yml
- T1105 Download a file with Microsoft Connection Manager Auto-Download
proc_creation_win_conhost_susp_child_process.yml
- T1202 Indirect Command Execution - conhost.exe
proc_creation_win_control_panel_item.yml
- T1218.002 Control Panel Items
proc_creation_win_createdump_lolbin_execution.yml
- T1003.001 Dump LSASS with createdump.exe from .Net v5
proc_creation_win_csc_susp_dynamic_compilation.yml
- T1046 WinPwn - bluekeep
- T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
- T1218.004 InstallUtil Uninstall method call - /U variant
- T1218.004 InstallUtil evasive invocation
- T1218.005 Invoke HTML Application - JScript Engine with Inline Protocol Handler
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1027.004 Compile After Delivery using csc.exe
- T1134.004 Parent PID Spoofing - Spawn from Specified Process
- T1218.009 Regasm Uninstall Method Call Test
- T1071.004 DNS C2
- T1219 ScreenConnect Application Download and Install on Windows
- T1134.004 Parent PID Spoofing - Spawn from New Process
- T1218.005 Invoke HTML Application - Direct download from URI
- T1218.004 InstallHelper method call
- T1010 List Process Main Windows - C# .NET
- T1218.005 Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler
- T1134.002 Access Token Manipulation
- T1555.004 WinPwn - Loot local Credentials - Invoke-WCMDump
- T1218.004 InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1218.005 Invoke HTML Application - Simulate Lateral Movement over UNC Path
- T1046 WinPwn - spoolvulnscan
- T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
- T1127.001 MSBuild Bypass Using Inline Tasks (C#)
- T1552.004 ADFS token signing and encryption certificates theft - Remote
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1106 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
- T1552.004 ADFS token signing and encryption certificates theft - Local
- T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations
- T1574.008 powerShell Persistence via hijacking default modules - Get-Variable.exe
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique
- T1134.004 Parent PID Spoofing - Spawn from Current Process
- T1134.004 Parent PID Spoofing using PowerShell
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
- T1106 Execution through API - CreateProcess
- T1134.004 Parent PID Spoofing - Spawn from svchost.exe
- T1218 Invoke-ATHRemoteFXvGPUDisablementCommand base test
- T1218.004 CheckIfInstallable method call
- T1218.004 InstallUtil HelpText method call
- T1218.009 Regsvcs Uninstall Method Call Test
- T1027.004 Dynamic C# Compile
- T1548.002 WinPwn - UAC Magic
- T1218.005 Invoke HTML Application - Jscript Engine Simulating Double Click
- T1218.004 InstallUtil Install method call
- T1055.012 Process Hollowing using PowerShell
- T1036.005 Masquerade as a built-in system executable
- T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
- T1218.004 InstallUtil class constructor method call
- T1218.005 Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - powershellsensitive
proc_creation_win_curl_fileupload.yml
- T1048.002 Exfiltrate data HTTPS using curl windows
- T1105 Curl Upload File
proc_creation_win_curl_susp_download.yml
- T1105 Curl Download File
proc_creation_win_curl_useragent.yml
- T1071.001 Malicious User Agents - CMD
proc_creation_win_desktopimgdownldr_susp_execution.yml
- T1197 Bits download using desktopimgdownldr.exe (cmd)
proc_creation_win_dirlister_execution.yml
- T1083 Launch DirLister Executable
proc_creation_win_diskshadow_script_mode.yml
- T1218 DiskShadow Command Execution
proc_creation_win_dsim_remove.yml
- T1562.001 Disable Windows Defender with DISM
proc_creation_win_dsquery_domain_trust_discovery.yml
- T1016 System Network Configuration Discovery (TrickBot Style)
- T1482 Windows - Discover domain trusts with nltest
- T1482 Windows - Discover domain trusts with dsquery
- T1018 Remote System Discovery - nltest
proc_creation_win_esentutl_sensitive_file_copy.yml
- T1003.002 esentutl.exe SAM copy
- T1564.004 Alternate Data Streams (ADS)
- T1003.003 Create Volume Shadow Copy remotely (WMI) with esentutl
- T1003.002 dump volume shadow copy hives with System.IO.File
- T1003.003 Copy NTDS.dit from Volume Shadow Copy
- T1003.002 dump volume shadow copy hives with certutil
proc_creation_win_findstr_download.yml
- T1564.004 Alternate Data Streams (ADS)
proc_creation_win_findstr_gpp_passwords.yml
- T1552.006 GPP Passwords (findstr)
proc_creation_win_findstr_subfolder_search.yml
- T1564.004 Alternate Data Streams (ADS)
proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml
- T1518.001 Security Software Discovery - Sysmon Service
proc_creation_win_finger_usage.yml
- T1105 File download with finger.exe on Windows
proc_creation_win_fltmc_unload_driver_sysmon.yml
- T1562.001 Unload Sysmon Filter Driver
proc_creation_win_forfiles_proxy_execution_.yml
- T1202 Indirect Command Execution - forfiles.exe
- T1202 Indirect Command Execution - pcalua.exe
proc_creation_win_fsutil_symlinkevaluation.yml
- T1569.002 BlackCat pre-encryption cmds with Lateral Movement
proc_creation_win_fsutil_usage.yml
- T1070 Indicator Removal using FSUtil
proc_creation_win_gpresult_execution.yml
- T1615 Display group policy information via gpresult
proc_creation_win_gup_suspicious_execution.yml
- T1574.002 DLL Side-Loading using the Notepad++ GUP.exe binary
proc_creation_win_hh_chm_execution.yml
- T1218.001 Compiled HTML Help Local Payload
- T1218.001 Decompile Local CHM File
- T1218.001 Invoke CHM Simulate Double click
- T1218.001 Invoke CHM with InfoTech Storage Protocol Handler
- T1218.001 Compiled HTML Help Remote Payload
- T1218.001 Invoke CHM with default Shortcut Command Execution
- T1218.001 Invoke CHM with Script Engine and Help Topic
- T1218.001 Invoke CHM Shortcut Command with ITS and Help Topic
proc_creation_win_hh_html_help_susp_child_process.yml
- T1218.001 Compiled HTML Help Local Payload
- T1218.001 Invoke CHM Simulate Double click
- T1218.001 Invoke CHM with InfoTech Storage Protocol Handler
- T1218.001 Invoke CHM with default Shortcut Command Execution
- T1218.001 Invoke CHM with Script Engine and Help Topic
- T1218.001 Invoke CHM Shortcut Command with ITS and Help Topic
proc_creation_win_hktl_bloodhound_sharphound.yml
- T1069.001 SharpHound3 - LocalAdmin
- T1059.001 Run BloodHound from local disk
- T1059.001 Run Bloodhound from Memory using Download Cradle
proc_creation_win_hktl_cobaltstrike_process_patterns.yml
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
proc_creation_win_hktl_dinjector.yml
- T1550.003 Rubeus Kerberos Pass The Ticket
proc_creation_win_hktl_dumpert.yml
- T1003.001 Dump LSASS.exe Memory using direct system calls and API unhooking
proc_creation_win_hktl_evil_winrm.yml
- T1021.006 WinRM Access with Evil-WinRM
proc_creation_win_hktl_execution_via_imphashes.yml
- T1558.002 Crafting Active Directory silver tickets with mimikatz
proc_creation_win_hktl_hashcat.yml
- T1110.002 Password Cracking with Hashcat
proc_creation_win_hktl_meterpreter_getsystem.yml
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
proc_creation_win_hktl_mimikatz_command_line.yml
- T1558.002 Crafting Active Directory silver tickets with mimikatz
- T1204.002 LNK Payload Download
- T1558.001 Crafting Active Directory golden tickets with mimikatz
- T1003.001 Offline Credential Theft With Mimikatz
- T1134.005 Injection SID-History with mimikatz
- T1059.001 Mimikatz - Cradlecraft PsSendKeys
- T1216 SyncAppvPublishingServer Signed Script PowerShell Command Execution
- T1059.001 PowerShell Invoke Known Malicious Cmdlets
- T1550.003 Mimikatz Kerberos Ticket Attack
- T1110.003 Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)
- T1552.004 Export Certificates with Mimikatz
- T1550.002 Mimikatz Pass the Hash
- T1110.001 Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)
- T1003.001 Dump LSASS.exe Memory using Out-Minidump.ps1
- T1207 DCShadow (Active Directory)
- T1003.006 DCSync (Active Directory)
- T1552.004 ADFS token signing and encryption certificates theft - Remote
proc_creation_win_hktl_pypykatz.yml
- T1003.002 Registry parse with pypykatz
proc_creation_win_hktl_relay_attacks_tools.yml
- T1187 PetitPotam
proc_creation_win_hktl_rubeus.yml
- T1558.001 Crafting Active Directory golden tickets with Rubeus
- T1550.003 Rubeus Kerberos Pass The Ticket
- T1558.004 Rubeus asreproast
proc_creation_win_hktl_sharpview.yml
- T1049 System Discovery using SharpView
proc_creation_win_hktl_trufflesnout.yml
- T1482 TruffleSnout - Listing AD Infrastructure
proc_creation_win_hktl_uacme.yml
- T1548.002 UACME Bypass Method 61
- T1548.002 UACME Bypass Method 33
- T1548.002 UACME Bypass Method 34
- T1548.002 UACME Bypass Method 31
- T1548.002 UACME Bypass Method 59
- T1548.002 UACME Bypass Method 23
- T1548.002 UACME Bypass Method 56
- T1548.002 UACME Bypass Method 39
proc_creation_win_hostname_execution.yml
- T1558.004 Get-DomainUser with PowerView
- T1036.003 File Extension Masquerading
- T1033 System Discovery - SocGholish whoami
- T1082 Hostname Discovery (Windows)
proc_creation_win_iis_appcmd_http_logging.yml
- T1562.002 Disable Windows IIS HTTP Logging
proc_creation_win_iis_appcmd_service_account_password_dumped.yml
- T1003 Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)
- T1003 Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)
proc_creation_win_infdefaultinstall_execute_sct_scripts.yml
- T1218 InfDefaultInstall.exe .inf Execution
proc_creation_win_jsc_execution.yml
- T1127 Lolbin Jsc.exe compile javascript to exe
- T1127 Lolbin Jsc.exe compile javascript to dll
proc_creation_win_ldifde_export.yml
- T1069.002 Active Directory Enumeration with LDIFDE
proc_creation_win_lolbin_gpscript.yml
- T1218 Lolbin Gpscript logon option
- T1218 Lolbin Gpscript startup option
proc_creation_win_lolbin_ie4uinit.yml
- T1218 Lolbas ie4uinit.exe use as proxy
proc_creation_win_lolbin_manage_bde.yml
- T1216 manage-bde.wsf Signed Script Command Execution
proc_creation_win_lolbin_mavinject_process_injection.yml
- T1056.004 Hook PowerShell TLS Encrypt/Decrypt Messages
- T1218 mavinject - Inject DLL into running process
- T1055.001 Process Injection via mavinject.exe
proc_creation_win_lolbin_pcwutl.yml
- T1218.011 Launches an executable using Rundll32 and pcwutl.dll
proc_creation_win_lolbin_printbrm.yml
- T1105 Printer Migration Command-Line Tool UNC share folder into a zip file
proc_creation_win_lolbin_pubprn.yml
- T1216.001 PubPrn.vbs Signed Script Bypass
proc_creation_win_lolbin_replace.yml
- T1558.002 Crafting Active Directory silver tickets with mimikatz
- T1105 Lolbas replace.exe use to copy file
- T1105 Lolbas replace.exe use to copy UNC file
proc_creation_win_lolbin_susp_certreq_download.yml
- T1105 certreq download
proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
- T1547 Add a driver
proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
- T1216 SyncAppvPublishingServer Signed Script PowerShell Command Execution
proc_creation_win_lolbin_visual_basic_compiler.yml
- T1127.001 MSBuild Bypass Using Inline Tasks (VB)
proc_creation_win_lolbin_workflow_compiler.yml
- T1218 Renamed Microsoft.Workflow.Compiler.exe Payload Executions
- T1218 Microsoft.Workflow.Compiler.exe Payload Execution
proc_creation_win_malware_blackbyte_ransomware.yml
- T1059.003 Simulate BlackByte Ransomware Print Bombing
proc_creation_win_malware_wannacry.yml
- T1490 Windows - Disable Windows Recovery Console Repair
- T1222.001 Grant Full Access to folder for Everyone - Ryuk Ransomware Style
- T1490 Windows - wbadmin Delete Windows Backup Catalog
proc_creation_win_mmc_mmc20_lateral_movement.yml
- T1021.003 PowerShell Lateral Movement using MMC20
proc_creation_win_mofcomp_execution.yml
- T1546.003 Windows MOFComp.exe Load MOF File
proc_creation_win_mpcmdrun_download_arbitrary_file.yml
- T1105 Download a File with Windows Defender MpCmdRun.exe
proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml
- T1562.001 Remove Windows Defender Definition Files
proc_creation_win_mshta_inline_vbscript.yml
- T1218.011 Rundll32 execute VBscript command using Ordinal number
proc_creation_win_mshta_javascript.yml
- T1059.001 Powershell invoke mshta.exe download
- T1218.005 Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
proc_creation_win_mshta_lethalhta_technique.yml
- T1218.005 Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
proc_creation_win_mshta_susp_child_processes.yml
- T1218.005 Mshta Executes Remote HTML Application (HTA)
- T1218.005 Mshta used to Execute PowerShell
- T1218.005 Invoke HTML Application - JScript Engine with Inline Protocol Handler
- T1059.001 Powershell invoke mshta.exe download
- T1218.005 Invoke HTML Application - Simulate Lateral Movement over UNC Path
- T1218.005 Mshta executes VBScript to execute malicious command
- T1218.005 Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
proc_creation_win_mshta_susp_execution.yml
- T1218.005 Mshta Executes Remote HTML Application (HTA)
- T1218.005 Mshta used to Execute PowerShell
- T1204.002 Headless Chrome code execution via VBA
- T1218.005 Invoke HTML Application - JScript Engine with Inline Protocol Handler
- T1059.001 Powershell invoke mshta.exe download
- T1218.005 Invoke HTML Application - Direct download from URI
- T1218.005 Invoke HTML Application - Simulate Lateral Movement over UNC Path
- T1218.005 Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
- T1218.005 Mshta executes VBScript to execute malicious command
- T1218.005 Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
- T1059.005 Encoded VBS code execution
proc_creation_win_mshta_susp_pattern.yml
- T1218.005 Mshta Executes Remote HTML Application (HTA)
- T1218.005 Mshta used to Execute PowerShell
- T1204.002 Headless Chrome code execution via VBA
- T1218.005 Invoke HTML Application - JScript Engine with Inline Protocol Handler
- T1059.001 Powershell invoke mshta.exe download
- T1218.005 Invoke HTML Application - Direct download from URI
- T1218.005 Invoke HTML Application - Simulate Lateral Movement over UNC Path
- T1218.005 Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
- T1218.005 Mshta executes VBScript to execute malicious command
- T1218.005 Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
- T1059.005 Encoded VBS code execution
proc_creation_win_msiexec_dll.yml
- T1218.007 Msiexec.exe - Execute the DllUnregisterServer function of a DLL
proc_creation_win_msiexec_embedding.yml
- T1218.007 Msiexec.exe - Execute Local MSI file with embedded JScript
- T1218.007 Msiexec.exe - Execute Local MSI file with embedded VBScript
- T1218.007 Msiexec.exe - Execute Local MSI file with an embedded DLL
proc_creation_win_msiexec_execute_dll.yml
- T1218.007 Msiexec.exe - Execute the DllRegisterServer function of a DLL
proc_creation_win_msiexec_install_quiet.yml
- T1218.007 Msiexec.exe - Execute Local MSI file with an embedded EXE
- T1218.007 Msiexec.exe - Execute Local MSI file with embedded JScript
- T1219 ScreenConnect Application Download and Install on Windows
- T1218.007 Msiexec.exe - Execute Remote MSI file
- T1218.007 Msiexec.exe - Execute Local MSI file with embedded VBScript
- T1219 LogMeIn Files Detected Test on Windows
- T1218.007 Msiexec.exe - Execute Local MSI file with an embedded DLL
proc_creation_win_mstsc_remote_connection.yml
- T1021.001 RDP to DomainController
proc_creation_win_net_execution.yml
- T1110.003 Password Spray (DomainPasswordSpray)
- T1135 Network Share Discovery command prompt
- T1078.001 Enable Guest account with RDP capability and admin privileges
- T1087.002 Enumerate Default Domain Admin Details (Domain)
- T1069.002 Elevated group enumeration using net group (Domain)
- T1069.002 Basic Permission Groups Discovery Windows (Domain)
- T1070.005 Remove Administrative Shares
- T1531 Delete User - Windows
- T1016 System Network Configuration Discovery (TrickBot Style)
- T1087.001 Enumerate all accounts via PowerShell (Local)
- T1069.001 Basic Permission Groups Discovery Windows (Local)
- T1018 Remote System Discovery - net group Domain Computers
- T1563.002 RDP hijacking
- T1016 Qakbot Recon
- T1531 Change User Password - Windows
- T1136.001 Create a new user in a command prompt
- T1018 Remote System Discovery - net
- T1018 Remote System Discovery - net group Domain Controller
- T1136.002 Create a new account similar to ANONYMOUS LOGON
- T1070.005 Remove Network Share
- T1078.003 Create local account with admin privileges
- T1564.002 Create Hidden User in Registry
- T1201 Examine local password policy - Windows
- T1078.001 Activate Guest Account
- T1082 WinPwn - GeneralRecon
- T1136.002 Create a new Windows domain admin user
- T1070.005 Add Network Share
- T1007 System Service Discovery - net.exe
- T1135 View available share drives
- T1564 Create a Hidden User Called “$”
- T1562.001 Disable Arbitrary Security Windows Service
- T1547.003 Edit an existing time provider
- T1489 Windows - Stop service using net.exe
- T1087.002 Enumerate all accounts (Domain)
- T1087.001 Enumerate all accounts on Windows (Local)
- T1136.001 Create a new Windows admin user
- T1547.003 Create a new time provider
- T1201 Examine domain password policy - Windows
proc_creation_win_net_groups_and_accounts_recon.yml
- T1018 Remote System Discovery - net group Domain Controller
proc_creation_win_net_share_unmount.yml
- T1070.005 Remove Administrative Shares
- T1070.005 Remove Network Share
proc_creation_win_net_start_service.yml
- T1563.002 RDP hijacking
- T1007 System Service Discovery - net.exe
- T1547.003 Edit an existing time provider
- T1547.003 Create a new time provider
proc_creation_win_net_use_network_connections_discovery.yml
- T1016 Qakbot Recon
- T1021.002 Map admin share
- T1110.001 Brute Force Credentials of single Active Directory domain users via SMB
- T1049 System Network Connections Discovery
- T1082 WinPwn - GeneralRecon
- T1070.005 Add Network Share
proc_creation_win_net_user_add.yml
- T1078.001 Enable Guest account with RDP capability and admin privileges
- T1136.001 Create a new user in a command prompt
- T1136.002 Create a new account similar to ANONYMOUS LOGON
- T1078.003 Create local account with admin privileges
- T1564.002 Create Hidden User in Registry
- T1136.002 Create a new Windows domain admin user
- T1564 Create a Hidden User Called “$”
- T1136.001 Create a new Windows admin user
proc_creation_win_net_user_add_never_expire.yml
- T1564.002 Create Hidden User in Registry
proc_creation_win_net_view_share_and_sessions_enum.yml
- T1016 System Network Configuration Discovery (TrickBot Style)
- T1016 Qakbot Recon
- T1018 Remote System Discovery - net
proc_creation_win_netsh_fw_add_rule.yml
- T1562.004 Opening ports for proxy - HARDRAIN
- T1021.001 Changing RDP Port to Non Standard Port via Command_Prompt
- T1562.004 Allow Executable Through Firewall Located in Non-Standard Location
- T1562.004 Open a local port through Windows Firewall to any profile
proc_creation_win_netsh_fw_allow_rdp.yml
- T1562.004 Open a local port through Windows Firewall to any profile
proc_creation_win_netsh_fw_disable.yml
- T1562.004 Disable Microsoft Defender Firewall
- T1562.004 Blackbit - Disable Windows Firewall using netsh firewall
proc_creation_win_netsh_fw_enable_group_rule.yml
- T1562.004 Allow SMB and RDP on Microsoft Defender Firewall
proc_creation_win_netsh_fw_rules_discovery.yml
- T1016 List Windows Firewall Rules
proc_creation_win_netsh_helper_dll_persistence.yml
- T1546.007 Netsh Helper DLL Registration
proc_creation_win_netsh_packet_capture.yml
- T1040 Windows Internal Packet Capture
proc_creation_win_netsh_port_forwarding.yml
- T1090.001 portproxy reg key
proc_creation_win_nltest_recon.yml
- T1016 System Network Configuration Discovery (TrickBot Style)
- T1018 Remote System Discovery - nltest
proc_creation_win_nslookup_domain_discovery.yml
- T1016 DNS Server Discovery Using nslookup
proc_creation_win_nslookup_poweshell_download.yml
- T1059.001 Abuse Nslookup with DNS Records
proc_creation_win_ntdsutil_usage.yml
- T1098 Password Change on Directory Service Restore Mode (DSRM) Account
- T1003.003 Dump Active Directory Database with NTDSUtil
proc_creation_win_odbcconf_response_file.yml
- T1218.008 Odbcconf.exe - Load Response File
- T1218.008 Odbcconf.exe - Execute Arbitrary DLL
proc_creation_win_office_arbitrary_cli_download.yml
- T1218 ProtocolHandler.exe Downloaded a Suspicious File
proc_creation_win_office_spawn_exe_from_users_directory.yml
- T1564 Extract binary files via VBA
proc_creation_win_office_susp_child_processes.yml
- T1204.002 Office launching .bat file from AppData
- T1204.002 OSTap Style Macro Execution
- T1559.002 Execute PowerShell script via Word DDE
- T1204.002 Headless Chrome code execution via VBA
- T1204.002 Office Generic Payload Download
- T1204.002 Maldoc choice flags command execution
- T1204.002 OSTAP JS version
- T1055 Shellcode execution via VBA
- T1059.005 Encoded VBS code execution
proc_creation_win_office_svchost_parent.yml
- T1137.006 Persistent Code Execution Via Word Add-in File (WLL)
proc_creation_win_pdqdeploy_execution.yml
- T1072 PDQ Deploy RAT
proc_creation_win_pktmon_execution.yml
- T1040 Windows Internal pktmon capture
- T1040 Windows Internal pktmon set filter
proc_creation_win_powershell_abnormal_commandline_size.yml
- T1059.001 Mimikatz - Cradlecraft PsSendKeys
- T1036.003 File Extension Masquerading
- T1106 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
proc_creation_win_powershell_amsi_init_failed_bypass.yml
- T1562.001 AMSI Bypass - AMSI InitFailed
proc_creation_win_powershell_audio_capture.yml
- T1123 using device audio capture commandlet
proc_creation_win_powershell_base64_encoded_cmd.yml
- T1106 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
proc_creation_win_powershell_base64_encoded_cmd_patterns.yml
- T1106 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
proc_creation_win_powershell_cmdline_convertto_securestring.yml
- T1552.004 Export Root Certificate with Export-PFXCertificate
- T1098 Domain Password Policy Check: Short Password
- T1546 WMI Invoke-CimMethod Start Process
proc_creation_win_powershell_cmdline_special_characters.yml
- T1204.002 Excel 4 Macro
- T1059.001 Mimikatz - Cradlecraft PsSendKeys
- T1562.001 Uninstall Crowdstrike Falcon on Windows
- T1207 DCShadow (Active Directory)
- T1204.002 OSTAP JS version
- T1087.002 Enumerate Linked Policies In ADSISearcher Discovery
- T1027 Obfuscated Command in PowerShell
- T1218.009 Regsvcs Uninstall Method Call Test
- T1087.002 Enumerate Root Domain linked policies Discovery
proc_creation_win_powershell_create_service.yml
- T1543.003 Service Installation PowerShell
proc_creation_win_powershell_defender_exclusion.yml
- T1562.001 Tamper with Windows Defender Evade Scanning -Folder
- T1562.001 Tamper with Windows Defender Evade Scanning -Extension
- T1562.001 Tamper with Windows Defender Evade Scanning -Process
proc_creation_win_powershell_disable_defender_av_security_monitoring.yml
- T1562.001 Tamper with Windows Defender Command Prompt
- T1562.001 Disable Defender Using NirSoft AdvancedRun
proc_creation_win_powershell_downgrade_attack.yml
- T1562.010 PowerShell Version 2 Downgrade
proc_creation_win_powershell_download_cradles.yml
- T1558.003 WinPwn - Kerberoasting
- T1082 WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors
- T1552.001 WinPwn - SessionGopher
- T1558.003 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1082 WinPwn - itm4nprivesc
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1055.001 WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique
- T1046 WinPwn - bluekeep
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1187 WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS
- T1120 WinPwn - printercheck
- T1558.004 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1087.002 WinPwn - generaldomaininfo
- T1134.002 WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1046 WinPwn - fruit
- T1552.001 WinPwn - sensitivefiles
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1555.003 WinPwn - PowerSharpPack - Sharpweb for Browser Credentials
- T1082 WinPwn - GeneralRecon
- T1555.004 WinPwn - Loot local Credentials - Invoke-WCMDump
- T1548.002 WinPwn - UAC Bypass DccwBypassUAC technique
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1046 WinPwn - spoolvulnscan
- T1552.004 CertUtil ExportPFX
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1106 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
- T1082 WinPwn - PowerSharpPack - Seatbelt
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1082 WinPwn - PowerSharpPack - Watson searching for missing windows patches
- T1548.002 WinPwn - UAC Magic
- T1615 Get-DomainGPO to display group policy information via PowerView
- T1572 DNS over HTTPS Large Query Volume
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
proc_creation_win_powershell_download_iex.yml
- T1558.003 WinPwn - Kerberoasting
- T1082 WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors
- T1552.001 WinPwn - SessionGopher
- T1558.003 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1082 WinPwn - itm4nprivesc
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1055.001 WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique
- T1046 WinPwn - bluekeep
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1187 WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS
- T1120 WinPwn - printercheck
- T1558.004 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1087.002 WinPwn - generaldomaininfo
- T1134.002 WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1046 WinPwn - fruit
- T1552.001 WinPwn - sensitivefiles
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1555.003 WinPwn - PowerSharpPack - Sharpweb for Browser Credentials
- T1082 WinPwn - GeneralRecon
- T1555.004 WinPwn - Loot local Credentials - Invoke-WCMDump
- T1548.002 WinPwn - UAC Bypass DccwBypassUAC technique
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1046 WinPwn - spoolvulnscan
- T1552.004 CertUtil ExportPFX
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1106 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
- T1082 WinPwn - PowerSharpPack - Seatbelt
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1082 WinPwn - PowerSharpPack - Watson searching for missing windows patches
- T1548.002 WinPwn - UAC Magic
- T1615 Get-DomainGPO to display group policy information via PowerView
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
proc_creation_win_powershell_download_patterns.yml
- T1558.003 WinPwn - Kerberoasting
- T1082 WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors
- T1105 File Download via PowerShell
- T1552.001 WinPwn - SessionGopher
- T1558.003 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1082 WinPwn - itm4nprivesc
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1055.001 WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique
- T1046 WinPwn - bluekeep
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1187 WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS
- T1120 WinPwn - printercheck
- T1558.004 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1087.002 WinPwn - generaldomaininfo
- T1134.002 WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1046 WinPwn - fruit
- T1095 ICMP C2
- T1105 Windows - PowerShell Download
- T1071.004 DNS C2
- T1552.001 WinPwn - sensitivefiles
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1555.003 WinPwn - PowerSharpPack - Sharpweb for Browser Credentials
- T1082 WinPwn - GeneralRecon
- T1555.004 WinPwn - Loot local Credentials - Invoke-WCMDump
- T1548.002 WinPwn - UAC Bypass DccwBypassUAC technique
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1046 WinPwn - spoolvulnscan
- T1059.001 Run Bloodhound from Memory using Download Cradle
- T1547.001 PowerShell Registry RunOnce
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1106 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
- T1082 WinPwn - PowerSharpPack - Seatbelt
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1059.001 Invoke-AppPathBypass
- T1095 Powercat C2
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1082 WinPwn - PowerSharpPack - Watson searching for missing windows patches
- T1548.002 WinPwn - UAC Magic
- T1615 Get-DomainGPO to display group policy information via PowerView
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
proc_creation_win_powershell_encode.yml
- T1059.001 PowerShell Command Execution
- T1218.001 Invoke CHM Simulate Double click
- T1027 Execute base64-encoded PowerShell
- T1218.001 Invoke CHM with InfoTech Storage Protocol Handler
- T1106 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
- T1218.001 Invoke CHM with default Shortcut Command Execution
- T1218.001 Invoke CHM with Script Engine and Help Topic
- T1218.009 Regsvcs Uninstall Method Call Test
- T1218.001 Invoke CHM Shortcut Command with ITS and Help Topic
proc_creation_win_powershell_encoding_patterns.yml
- T1136.002 Create a new Domain Account using PowerShell
- T1033 System Discovery - SocGholish whoami
- T1552.004 ADFS token signing and encryption certificates theft - Remote
proc_creation_win_powershell_export_certificate.yml
- T1552.004 Export Root Certificate with Export-PFXCertificate
- T1552.004 Export Root Certificate with Export-Certificate
- T1649 Staging Local Certificates via Export-Certificate
proc_creation_win_powershell_frombase64string.yml
- T1059.001 PowerShell Fileless Script Execution
- T1053.005 Scheduled Task Executing Base64 Encoded Commands From Registry
- T1218.009 Regsvcs Uninstall Method Call Test
- T1027 Execute base64-encoded PowerShell from Windows Registry
proc_creation_win_powershell_getprocess_lsass.yml
- T1003.001 Dump LSASS.exe Memory using Out-Minidump.ps1
- T1003.001 Dump LSASS.exe Memory using comsvcs.dll
proc_creation_win_powershell_invoke_webrequest_direct_ip.yml
- T1572 DNS over HTTPS Large Query Volume
proc_creation_win_powershell_invoke_webrequest_download.yml
- T1105 iwr or Invoke Web-Request download
proc_creation_win_powershell_msexchange_transport_agent.yml
- T1505.002 Install MS Exchange Transport Agent Persistence
proc_creation_win_powershell_non_interactive_execution.yml
- T1558.002 Crafting Active Directory silver tickets with mimikatz
- T1558.003 WinPwn - Kerberoasting
- T1018 Get-DomainController with PowerView
- T1204.002 LNK Payload Download
- T1558.003 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1558.004 Get-DomainUser with PowerView
- T1135 WinPwn - shareenumeration
- T1069.002 Enumerate Active Directory Groups with Get-AdGroup
- T1559.002 Execute PowerShell script via Word DDE
- T1557.001 LLMNR Poisoning with Inveigh (PowerShell)
- T1216 SyncAppvPublishingServer Signed Script PowerShell Command Execution
- T1562.006 Disable Powershell ETW Provider - Windows
- T1218.005 Mshta used to Execute PowerShell
- T1546.009 Create registry persistence via AppCert DLL
- T1087.002 WinPwn - generaldomaininfo
- T1110.003 Password Spray Invoke-DomainPasswordSpray Light
- T1048.003 MAZE FTP Upload
- T1550.003 Rubeus Kerberos Pass The Ticket
- T1204.002 Office Generic Payload Download
- T1036.003 File Extension Masquerading
- T1105 Windows - PowerShell Download
- T1134.001 Launch NSudo Executable
- T1552.001 WinPwn - sensitivefiles
- T1218.007 Msiexec.exe - Execute Remote MSI file
- T1033 System Discovery - SocGholish whoami
- T1082 WinPwn - GeneralRecon
- T1069.002 Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)
- T1207 DCShadow (Active Directory)
- T1069.002 Get-DomainGroup with PowerView
- T1087.002 Get-DomainUser with PowerView
- T1218.005 Mshta executes VBScript to execute malicious command
- T1550.002 Invoke-WMIExec Pass the Hash
- T1003.006 Run DSInternals Get-ADReplAccount
- T1027 Obfuscated Command in PowerShell
- T1553.005 Execute LNK file from ISO
- T1547.001 SystemBC Malware-as-a-Service Registry
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1059.001 Invoke-AppPathBypass
- T1003.001 Dump LSASS.exe Memory using comsvcs.dll
- T1615 Get-DomainGPO to display group policy information via PowerView
proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml
- T1218 Invoke-ATHRemoteFXvGPUDisablementCommand base test
proc_creation_win_powershell_reverse_shell_connection.yml
- T1016 List Open Egress Ports
proc_creation_win_powershell_run_script_from_ads.yml
- T1059.001 NTFS Alternate Data Stream Access
proc_creation_win_powershell_sam_access.yml
- T1003.002 dump volume shadow copy hives with System.IO.File
proc_creation_win_powershell_script_engine_parent.yml
- T1216 SyncAppvPublishingServer Signed Script PowerShell Command Execution
proc_creation_win_powershell_set_acl.yml
- T1505.005 Modify Terminal Services DLL Path
- T1505.005 Simulate Patching termsrv.dll
proc_creation_win_powershell_set_policies_to_unsecure_level.yml
- T1216 SyncAppvPublishingServer Signed Script PowerShell Command Execution
- T1112 Change Powershell Execution Policy to Bypass
- T1547.001 SystemBC Malware-as-a-Service Registry
- T1615 Get-DomainGPO to display group policy information via PowerView
proc_creation_win_powershell_stop_service.yml
- T1562.001 Stop and Remove Arbitrary Security Windows Service
proc_creation_win_powershell_susp_child_processes.yml
- T1546.015 COM hijacking via TreatAs
- T1087.002 Wevtutil - Discover NTLM Users Remote
- T1082 WinPwn - General privesc checks
- T1082 WinPwn - GeneralRecon
- T1003 Dump Credential Manager using keymgr.dll and rundll32.exe
- T1552.004 CertUtil ExportPFX
- T1105 MAZE Propagation Script
- T1082 Griffon Recon
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1546.015 COM Hijacking with RunDLL32 (Local Server Switch)
proc_creation_win_powershell_susp_download_patterns.yml
- T1558.003 WinPwn - Kerberoasting
- T1082 WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors
- T1552.001 WinPwn - SessionGopher
- T1558.003 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1082 WinPwn - itm4nprivesc
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1055.001 WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique
- T1046 WinPwn - bluekeep
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1187 WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS
- T1120 WinPwn - printercheck
- T1558.004 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1087.002 WinPwn - generaldomaininfo
- T1134.002 WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1046 WinPwn - fruit
- T1552.001 WinPwn - sensitivefiles
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1555.003 WinPwn - PowerSharpPack - Sharpweb for Browser Credentials
- T1082 WinPwn - GeneralRecon
- T1555.004 WinPwn - Loot local Credentials - Invoke-WCMDump
- T1548.002 WinPwn - UAC Bypass DccwBypassUAC technique
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1046 WinPwn - spoolvulnscan
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1106 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
- T1082 WinPwn - PowerSharpPack - Seatbelt
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1082 WinPwn - PowerSharpPack - Watson searching for missing windows patches
- T1548.002 WinPwn - UAC Magic
- T1615 Get-DomainGPO to display group policy information via PowerView
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1552.001 WinPwn - powershellsensitive
proc_creation_win_powershell_susp_parameter_variation.yml
- T1615 Get-DomainGPO to display group policy information via PowerView
proc_creation_win_powershell_susp_parent_process.yml
- T1559.002 Execute PowerShell script via Word DDE
- T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
- T1218.005 Mshta used to Execute PowerShell
- T1218.005 Invoke HTML Application - JScript Engine with Inline Protocol Handler
- T1569.002 Execute a Command as a Service
- T1059.001 Powershell invoke mshta.exe download
- T1204.002 Office Generic Payload Download
- T1218.005 Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler
- T1218.005 Invoke HTML Application - Simulate Lateral Movement over UNC Path
- T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
- T1218.005 Mshta executes VBScript to execute malicious command
- T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations
- T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
- T1218.005 Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
proc_creation_win_powershell_susp_ps_downloadfile.yml
- T1105 Windows - PowerShell Download
proc_creation_win_powershell_xor_commandline.yml
- T1027 Obfuscated Command in PowerShell
- T1132.001 XOR Encoded data.
proc_creation_win_powershell_zip_compress.yml
- T1074.001 Zip a Folder with PowerShell for Staging in Temp
- T1555.003 Stage Popular Credential Files for Exfiltration
proc_creation_win_print_remote_file_copy.yml
- T1564.004 Alternate Data Streams (ADS)
proc_creation_win_protocolhandler_download.yml
- T1218 ProtocolHandler.exe Downloaded a Suspicious File
proc_creation_win_provlaunch_susp_child_process.yml
- T1218 Provlaunch.exe Executes Arbitrary Command via Registry Key
proc_creation_win_psr_capture_screenshots.yml
- T1113 Windows Screencapture
proc_creation_win_pua_adfind_enumeration.yml
- T1087.002 Adfind -Listing password policy
- T1087.002 Adfind - Enumerate Active Directory Exchange AD Objects
- T1087.002 Adfind - Enumerate Active Directory Admins
proc_creation_win_pua_adfind_susp_usage.yml
- T1018 Enumerate Active Directory Computers with ADSISearcher
- T1087.002 Enumerate Active Directory Users with ADSISearcher
- T1018 Adfind - Enumerate Active Directory Domain Controller Objects
- T1482 Adfind - Enumerate Active Directory OUs
- T1016 Adfind - Enumerate Active Directory Subnet Objects
- T1018 Adfind - Enumerate Active Directory Computer Objects
- T1482 Adfind - Enumerate Active Directory Trusts
- T1087.002 Enumerate Linked Policies In ADSISearcher Discovery
- T1018 Enumerate domain computers within Active Directory using DirectorySearcher
- T1069.002 Enumerate Active Directory Groups with ADSISearcher
- T1087.002 Adfind - Enumerate Active Directory User Objects
- T1069.002 Adfind - Query Active Directory Groups
proc_creation_win_pua_advancedrun.yml
- T1562.001 Disable Defender Using NirSoft AdvancedRun
proc_creation_win_pua_advancedrun_priv_user.yml
- T1562.001 Disable Defender Using NirSoft AdvancedRun
proc_creation_win_pua_netcat.yml
- T1095 Netcat C2
proc_creation_win_pua_ngrok.yml
- T1572 run ngrok
proc_creation_win_pua_nimgrab.yml
- T1105 Nimgrab - Transfer Files
proc_creation_win_pua_nmap_zenmap.yml
- T1046 Port Scan NMap for Windows
- T1046 Port Scan Nmap
proc_creation_win_pua_nsudo.yml
- T1134.001 Launch NSudo Executable
proc_creation_win_pua_radmin.yml
- T1072 Radmin Viewer Utility
proc_creation_win_pua_rclone_execution.yml
- T1048.003 Exfiltration Over Alternative Protocol - FTP - Rclone
- T1567.002 Exfiltrate data with rclone to cloud Storage - Mega (Windows)
proc_creation_win_pua_webbrowserpassview.yml
- T1555.003 WebBrowserPassView - Credentials from Browser
proc_creation_win_python_adidnsdump.yml
- T1018 Remote System Discovery - adidnsdump
proc_creation_win_rar_compress_data.yml
- T1560.001 Compress Data for Exfiltration With Rar
- T1560.001 Compress Data and lock with password for Exfiltration with winrar
proc_creation_win_reg_add_run_key.yml
- T1547.001 Reg Key RunOnce
- T1112 NetWire RAT Registry Key Creation
- T1112 Modify Registry of Local Machine - cmd
- T1547.001 Reg Key Run
proc_creation_win_reg_direct_asep_registry_keys_modification.yml
- T1547.001 Reg Key RunOnce
- T1112 NetWire RAT Registry Key Creation
- T1112 Modify Registry of Local Machine - cmd
- T1547.001 Reg Key Run
proc_creation_win_reg_disable_sec_services.yml
- T1112 Disable Windows Error Reporting Settings
proc_creation_win_reg_dumping_sensitive_hives.yml
- T1547.001 Modify BootExecute Value
- T1003.002 Registry dump of SAM, creds, and secrets
proc_creation_win_reg_enumeration_for_credentials_in_registry.yml
- T1552.002 Enumeration for Credentials in Registry
- T1552.002 Enumeration for PuTTY Credentials in Registry
proc_creation_win_reg_lsa_ppl_protection_disabled.yml
- T1562 Windows Disable LSA Protection
proc_creation_win_reg_machineguid.yml
- T1082 Windows MachineGUID Discovery
proc_creation_win_reg_modify_group_policy_settings.yml
- T1484.001 LockBit Black - Modify Group policy settings -cmd
proc_creation_win_reg_open_command.yml
- T1548.002 Bypass UAC using Fodhelper
proc_creation_win_reg_query_registry.yml
- T1012 Query Registry
- T1082 System Information Discovery
proc_creation_win_reg_rdp_keys_tamper.yml
- T1112 Mimic Ransomware - Allow Multiple RDP Sessions per User
- T1112 Enabling Remote Desktop Protocol via Remote Registry
proc_creation_win_reg_screensaver.yml
- T1546.002 Set Arbitrary Binary as Screensaver
proc_creation_win_reg_service_imagepath_change.yml
- T1574.011 Service ImagePath Change with reg.exe
proc_creation_win_reg_software_discovery.yml
- T1518 Find and Display Internet Explorer Browser Version
proc_creation_win_reg_susp_paths.yml
- T1562.001 Tamper with Windows Defender Registry - Reg.exe
- T1562.001 LockBit Black - Disable Privacy Settings Experience Using Registry -cmd
- T1562.001 LockBit Black - Use Registry Editor to turn on automatic logon -cmd
- T1112 Ursnif Malware Registry Key Creation
- T1112 Tamper Win Defender Protection
proc_creation_win_reg_windows_defender_tamper.yml
- T1112 Tamper Win Defender Protection
proc_creation_win_regedit_export_keys.yml
- T1564.004 Alternate Data Streams (ADS)
proc_creation_win_regedit_import_keys.yml
- T1219 RemotePC Software Execution
proc_creation_win_registry_cimprovider_dll_load.yml
- T1218 Register-CimProvider - Execute evil dll
proc_creation_win_registry_install_reg_debugger_backdoor.yml
- T1546.008 Attaches Command Prompt as a Debugger to a List of Target Processes
proc_creation_win_registry_provlaunch_provisioning_command.yml
- T1218 Provlaunch.exe Executes Arbitrary Command via Registry Key
proc_creation_win_regsvr32_flags_anomaly.yml
- T1218.010 Regsvr32 remote COM scriptlet execution
- T1218.010 Regsvr32 local COM scriptlet execution
proc_creation_win_regsvr32_susp_exec_path_2.yml
- T1553.003 SIP (Subject Interface Package) Hijacking via Custom DLL
proc_creation_win_regsvr32_susp_extensions.yml
- T1218.010 Regsvr32 Silent DLL Install Call DllRegisterServer
- T1218.010 Regsvr32 local DLL execution
- T1218.010 Regsvr32 remote COM scriptlet execution
- T1564.006 Register Portable Virtualbox
- T1218.010 Regsvr32 Registering Non DLL
- T1218.010 Regsvr32 local COM scriptlet execution
proc_creation_win_regsvr32_susp_parent.yml
- T1553.003 SIP (Subject Interface Package) Hijacking via Custom DLL
proc_creation_win_regsvr32_uncommon_extension.yml
- T1218.010 Regsvr32 Registering Non DLL
proc_creation_win_remote_access_tools_anydesk.yml
- T1219 AnyDesk Files Detected Test on Windows
proc_creation_win_remote_access_tools_gotoopener.yml
- T1219 GoToAssist Files Detected Test on Windows
- T1219 LogMeIn Files Detected Test on Windows
proc_creation_win_remote_access_tools_logmein.yml
- T1219 LogMeIn Files Detected Test on Windows
proc_creation_win_remote_access_tools_netsupport.yml
- T1219 NetSupport - RAT Execution
proc_creation_win_remote_access_tools_netsupport_susp_exec.yml
- T1219 NetSupport - RAT Execution
proc_creation_win_remote_access_tools_ultraviewer.yml
- T1219 UltraViewer - RAT Execution
proc_creation_win_remote_time_discovery.yml
- T1124 System Time Discovery - PowerShell
- T1059.001 Powershell invoke mshta.exe download
- T1105 certutil download (verifyctl)
- T1547.003 Edit an existing time provider
- T1124 System Time Discovery
- T1547.003 Create a new time provider
proc_creation_win_renamed_binary.yml
- T1036.003 Masquerading - powershell.exe running as taskhostw.exe
- T1036.003 Masquerading - wscript.exe running as svchost.exe
- T1036.003 Malicious process Masquerading as LSM.exe
- T1036.003 Masquerading as Windows LSASS process
- T1036.003 Masquerading - windows exe running as different windows exe
- T1140 Certutil Rename and Decode
- T1105 svchost writing a file to a UNC path
- T1036.003 Masquerading - cscript.exe running as notepad.exe
proc_creation_win_renamed_binary_highly_relevant.yml
- T1036.003 Masquerading - powershell.exe running as taskhostw.exe
- T1036.003 Masquerading - powershell.exe running as taskhostw.exe
- T1036.003 Masquerading - wscript.exe running as svchost.exe
- T1140 Certutil Rename and Decode
- T1036.003 Masquerading - cscript.exe running as notepad.exe
proc_creation_win_renamed_netsupport_rat.yml
- T1219 NetSupport - RAT Execution
proc_creation_win_renamed_sysinternals_procdump.yml
- T1003.001 Dump LSASS.exe Memory using ProcDump
- T1003.001 Dump LSASS.exe Memory using ProcDump
proc_creation_win_rundll32_by_ordinal.yml
- T1218.002 Control Panel Items
- T1218.011 Rundll32 execute VBscript command using Ordinal number
- T1218.011 Rundll32 with Ordinal Value
- T1553.005 Execute LNK file from ISO
proc_creation_win_rundll32_installscreensaver.yml
- T1218.011 Rundll32 with desk.cpl
proc_creation_win_rundll32_keymgr.yml
- T1003 Dump Credential Manager using keymgr.dll and rundll32.exe
proc_creation_win_rundll32_process_dump_via_comsvcs.yml
- T1003 Dump svchost.exe to gather RDP credentials
- T1003.001 Dump LSASS.exe Memory using comsvcs.dll
proc_creation_win_rundll32_registered_com_objects.yml
- T1546.015 COM Hijacking - InprocServer32
proc_creation_win_rundll32_run_locations.yml
- T1218.004 InstallUtil evasive invocation
proc_creation_win_rundll32_susp_activity.yml
- T1218.011 Execution of HTA and VBS Files using Rundll32 and URL.dll
- T1218.002 Control Panel Items
- T1218.011 Rundll32 advpack.dll Execution
- T1218.011 Rundll32 setupapi.dll Execution
- T1218.011 Rundll32 ieadvpack.dll Execution
- T1218.011 Rundll32 with Control_RunDLL
- T1218.011 Rundll32 syssetup.dll Execution
- T1218.011 Launches an executable using Rundll32 and pcwutl.dll
- T1218.011 Rundll32 execute command via FileProtocolHandler
proc_creation_win_rundll32_uncommon_dll_extension.yml
- T1218.011 Rundll32 execute VBscript command
- T1218.011 Running DLL with .init extension and function
- T1546.015 COM Hijacking - InprocServer32
- T1218.011 Rundll32 execute VBscript command using Ordinal number
- T1546.015 COM hijacking via TreatAs
- T1219 ScreenConnect Application Download and Install on Windows
- T1003 Dump Credential Manager using keymgr.dll and rundll32.exe
- T1218.011 Execution of non-dll using rundll32.exe
- T1218.011 Rundll32 execute JavaScript Remote Payload With GetObject
- T1218.011 Rundll32 with desk.cpl
- T1546.015 COM Hijacking with RunDLL32 (Local Server Switch)
proc_creation_win_rundll32_webdav_client_execution.yml
- T1110.003 Password Spray all Domain Users
proc_creation_win_runonce_execution.yml
- T1547.014 HKLM - Add malicious StubPath value to existing Active Setup Entry
- T1547.014 HKLM - re-execute ‘Internet Explorer Core Fonts’ StubPath payload by decreasing version number
- T1547.014 HKLM - Add atomic_test key to launch executable as part of user setup
proc_creation_win_sc_create_service.yml
- T1569.002 Snake Malware Service Create
- T1543.003 Service Installation CMD
- T1543.003 Remote Service Installation CMD
proc_creation_win_sc_query.yml
- T1562.001 Tamper with Windows Defender Command Prompt
- T1119 Recon information for export with Command Prompt
- T1007 System Service Discovery
proc_creation_win_sc_sdset_allow_service_changes.yml
- T1569.002 Modifying ACL of Service Control Manager via SDET
proc_creation_win_sc_sdset_deny_service_access.yml
- T1564 Create and Hide a Service with sc.exe
proc_creation_win_sc_sdset_hide_sevices.yml
- T1564 Create and Hide a Service with sc.exe
proc_creation_win_sc_sdset_modification.yml
- T1569.002 Modifying ACL of Service Control Manager via SDET
proc_creation_win_sc_service_path_modification.yml
- T1543.003 Modify Fax service to run PowerShell
proc_creation_win_sc_service_tamper_for_persistence.yml
- T1543.003 Modify Fax service to run PowerShell
proc_creation_win_sc_stop_service.yml
- T1489 Windows - Stop service using Service Controller
proc_creation_win_schtasks_creation.yml
- T1053.005 Scheduled Task Startup Script
- T1219 TeamViewer Files Detected Test on Windows
- T1053.005 Scheduled Task Executing Base64 Encoded Commands From Registry
- T1036.004 Creating W32Time similar named service using schtasks
- T1053.005 Scheduled task Local
- T1053.005 Scheduled task Remote
- T1195 Octopus Scanner Malware Open Source Supply Chain
proc_creation_win_schtasks_delete.yml
- T1562.001 Delete Windows Defender Scheduled Tasks
proc_creation_win_schtasks_disable.yml
- T1490 Windows - Disable the SR scheduled task
proc_creation_win_schtasks_env_folder.yml
- T1195 Octopus Scanner Malware Open Source Supply Chain
proc_creation_win_sdbinst_shim_persistence.yml
- T1546.011 Application Shim Installation
proc_creation_win_sdclt_child_process.yml
- T1548.002 Bypass UAC using sdclt DelegateExecute
- T1059.001 Invoke-AppPathBypass
proc_creation_win_secedit_execution.yml
- T1547.001 secedit used to create a Run key in the HKLM Hive
- T1201 Use of SecEdit.exe to export the local security policy (including the password policy)
proc_creation_win_setspn_spn_enumeration.yml
- T1558.003 Request All Tickets via PowerShell
- T1558.003 Extract all accounts in use as SPN using setspn
proc_creation_win_shutdown_execution.yml
- T1529 Restart System - Windows
- T1529 Shutdown System - Windows
proc_creation_win_shutdown_logoff.yml
- T1529 Logoff System - Windows
proc_creation_win_sqlite_firefox_gecko_profile_data.yml
- T1539 Steal Firefox Cookies (Windows)
proc_creation_win_susp_abusing_debug_privilege.yml
- T1563.002 RDP hijacking
- T1569.002 Execute a Command as a Service
- T1106 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
proc_creation_win_susp_add_user_remote_desktop_group.yml
- T1078.001 Enable Guest account with RDP capability and admin privileges
proc_creation_win_susp_alternate_data_streams.yml
- T1564.004 Alternate Data Streams (ADS)
proc_creation_win_susp_always_install_elevated_windows_installer.yml
- T1219 LogMeIn Files Detected Test on Windows
- T1219 RemotePC Software Execution
proc_creation_win_susp_automated_collection.yml
- T1119 Automated Collection Command Prompt
- T1552.001 Extracting passwords with findstr
proc_creation_win_susp_bad_opsec_sacrificial_processes.yml
- T1055 Shellcode execution via VBA
proc_creation_win_susp_cli_obfuscation_unicode.yml
- T1027 Obfuscated Command Line using special Unicode characters
proc_creation_win_susp_compression_params.yml
- T1560.001 Compress Data and lock with password for Exfiltration with 7zip
proc_creation_win_susp_copy_lateral_movement.yml
- T1039 Copy a sensitive File over Administrative share with copy
- T1003.002 dump volume shadow copy hives with System.IO.File
- T1555.003 BrowserStealer (Chrome / Firefox / Microsoft Edge)
- T1547.001 Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value
- T1569.002 BlackCat pre-encryption cmds with Lateral Movement
- T1555.003 Stage Popular Credential Files for Exfiltration
- T1039 Copy a sensitive File over Administrative share with Powershell
- T1105 MAZE Propagation Script
- T1105 svchost writing a file to a UNC path
- T1003.002 dump volume shadow copy hives with certutil
proc_creation_win_susp_copy_system_dir.yml
- T1543.003 TinyTurla backdoor service w64time
- T1546.008 Create Symbolic Link From osk.exe to cmd.exe
- T1036.003 Masquerading - powershell.exe running as taskhostw.exe
- T1547.001 Change Startup Folder - HKCU Modify User Shell Folders Startup Value
- T1547.001 Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value
- T1036.003 File Extension Masquerading
- T1036.003 Masquerading - wscript.exe running as svchost.exe
- T1548.002 Bypass UAC by Mocking Trusted Directories
- T1036 System File Copied to Unusual Location
- T1036.003 Malicious process Masquerading as LSM.exe
- T1003.003 Copy NTDS.dit from Volume Shadow Copy
- T1036.003 Masquerading as Windows LSASS process
- T1505.005 Simulate Patching termsrv.dll
- T1140 Certutil Rename and Decode
- T1105 MAZE Propagation Script
- T1546.008 Replace binary of sticky keys
- T1574.001 DLL Search Order Hijacking - amsi.dll
- T1105 svchost writing a file to a UNC path
- T1036.003 Masquerading - cscript.exe running as notepad.exe
- T1218 LOLBAS CustomShellHost to Spawn Process
- T1218 Lolbas ie4uinit.exe use as proxy
- T1546.002 Set Arbitrary Binary as Screensaver
- T1218.011 Rundll32 with desk.cpl
proc_creation_win_susp_copy_system_dir_lolbin.yml
- T1218 LOLBAS CustomShellHost to Spawn Process
proc_creation_win_susp_double_extension.yml
- T1036.003 File Extension Masquerading
proc_creation_win_susp_electron_execution_proxy.yml
- T1218 LOLBAS Msedge to Spawn Process
proc_creation_win_susp_etw_trace_evasion.yml
- T1562.006 Disable Powershell ETW Provider - Windows
- T1562.002 Disable Event Logging with wevtutil
proc_creation_win_susp_eventlog_clear.yml
- T1562.002 Disable Event Logging with wevtutil
- T1070.001 Clear Logs
- T1070.001 Delete System Logs Using Clear-EventLog
proc_creation_win_susp_execution_path.yml
- T1048.003 Exfiltration Over Alternative Protocol - FTP - Rclone
- T1218.004 InstallUtil evasive invocation
- T1572 run ngrok
proc_creation_win_susp_file_permission_modifications.yml
- T1222.001 attrib - Remove read-only attribute
- T1546.008 Create Symbolic Link From osk.exe to cmd.exe
- T1222.001 cacls - Grant permission to specified user or group recursively
- T1546.008 Replace binary of sticky keys
- T1222.001 Grant Full Access to folder for Everyone - Ryuk Ransomware Style
proc_creation_win_susp_local_system_owner_account_discovery.yml
- T1087.002 Enumerate logged on users via CMD (Domain)
- T1078.001 Enable Guest account with RDP capability and admin privileges
- T1558.004 Get-DomainUser with PowerView
- T1110.003 Password Spray all Domain Users
- T1563.002 RDP hijacking
- T1036.003 File Extension Masquerading
- T1083 File and Directory Discovery (cmd.exe)
- T1552.001 WinPwn - sensitivefiles
- T1078.003 Create local account with admin privileges
- T1110.001 Brute Force Credentials of single Active Directory domain users via SMB
- T1087.001 Enumerate logged on users via CMD (Local)
- T1033 System Discovery - SocGholish whoami
- T1033 System Owner/User Discovery Using Command Prompt
- T1033 System Owner/User Discovery
- T1047 WMI Reconnaissance Users
- T1003.005 Cached Credential Dump via Cmdkey
proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml
- T1553.005 Execute LNK file from ISO
proc_creation_win_susp_lsass_dmp_cli_keywords.yml
- T1003.001 Offline Credential Theft With Mimikatz
- T1003.001 Dump LSASS.exe using imported Microsoft DLLs
- T1003.001 Dump LSASS with createdump.exe from .Net v5
- T1003.001 Create Mini Dump of LSASS.exe using ProcDump
- T1003.001 Dump LSASS.exe Memory using ProcDump
- T1003.001 Dump LSASS.exe Memory using comsvcs.dll
proc_creation_win_susp_network_command.yml
- T1016 System Network Configuration Discovery (TrickBot Style)
- T1016 System Network Configuration Discovery on Windows
- T1018 Remote System Discovery - arp
proc_creation_win_susp_network_scan_loop.yml
- T1018 Remote System Discovery - nslookup
- T1018 Remote System Discovery - ping sweep
- T1059.001 Abuse Nslookup with DNS Records
proc_creation_win_susp_network_sniffing.yml
- T1040 Packet Capture Windows Command Prompt
proc_creation_win_susp_non_exe_image.yml
- T1569.002 Use RemCom to execute a command on a remote host
- T1140 Certutil Rename and Decode
proc_creation_win_susp_ntfs_short_name_path_use_cli.yml
- T1592.002 Enumerate COM Objects in Registry with Powershell
- T1569.002 Use RemCom to execute a command on a remote host
- T1569.002 BlackCat pre-encryption cmds with Lateral Movement
- T1567.002 Exfiltrate data with rclone to cloud Storage - Mega (Windows)
proc_creation_win_susp_ntfs_short_name_path_use_image.yml
- T1592.002 Enumerate COM Objects in Registry with Powershell
- T1569.002 BlackCat pre-encryption cmds with Lateral Movement
- T1105 Nimgrab - Transfer Files
proc_creation_win_susp_private_keys_recon.yml
- T1552.004 Export Root Certificate with Export-PFXCertificate
- T1552.004 Private Keys
proc_creation_win_susp_progname.yml
- T1018 Get-DomainController with PowerView
- T1069.002 Get-DomainGroupMember with PowerView
- T1558.004 Get-DomainUser with PowerView
- T1201 Get-DomainPolicy with PowerView
- T1071.004 DNS Regular Beaconing
- T1069.002 Get-DomainGroup with PowerView
- T1087.002 Get-DomainUser with PowerView
- T1572 DNS over HTTPS Regular Beaconing
- T1615 Get-DomainGPO to display group policy information via PowerView
proc_creation_win_susp_recon.yml
- T1119 Recon information for export with Command Prompt
proc_creation_win_susp_script_exec_from_temp.yml
- T1204.002 Excel 4 Macro
- T1552.001 WinPwn - passhunt
- T1036.003 File Extension Masquerading
- T1137.006 Code Executed Via Excel Add-in File (XLL)
- T1003.001 Dump LSASS with createdump.exe from .Net v5
- T1218.005 Invoke HTML Application - Simulate Lateral Movement over UNC Path
- T1039 Copy a sensitive File over Administrative share with Powershell
- T1105 iwr or Invoke Web-Request download
- T1114.001 Email Collection with PowerShell Get-Inbox
- T1204.002 OSTap Payload Download
proc_creation_win_susp_sensitive_file_access_shadowcopy.yml
- T1003.002 dump volume shadow copy hives with System.IO.File
- T1003.003 Create Symlink to Volume Shadow Copy
- T1003.003 Copy NTDS.dit from Volume Shadow Copy
- T1003.002 dump volume shadow copy hives with certutil
proc_creation_win_susp_service_creation.yml
- T1543.003 Service Installation CMD
- T1543.003 Remote Service Installation CMD
- T1543.003 Service Installation PowerShell
proc_creation_win_susp_service_tamper.yml
- T1562.001 Stop and Remove Arbitrary Security Windows Service
proc_creation_win_susp_shadow_copies_creation.yml
- T1003.003 Create Volume Shadow Copy with vssadmin
- T1003.003 Create Volume Shadow Copy with WMI
- T1003.003 Create Symlink to Volume Shadow Copy
- T1003.003 Create Volume Shadow Copy remotely with WMI
proc_creation_win_susp_shadow_copies_deletion.yml
- T1490 Windows - Delete Volume Shadow Copies via WMI
- T1207 DCShadow (Active Directory)
- T1490 Windows - Delete Volume Shadow Copies
- T1490 Windows - wbadmin Delete Windows Backup Catalog
proc_creation_win_susp_shell_spawn_susp_program.yml
- T1218.005 Mshta Executes Remote HTML Application (HTA)
- T1218.005 Invoke HTML Application - JScript Engine with Inline Protocol Handler
- T1071.004 DNS C2
- T1218.005 Invoke HTML Application - Direct download from URI
- T1105 certutil download (verifyctl)
- T1218.005 Invoke HTML Application - Simulate Lateral Movement over UNC Path
- T1552.004 CertUtil ExportPFX
- T1059.001 Abuse Nslookup with DNS Records
- T1553.004 Install root CA on Windows with certutil
- T1003.002 dump volume shadow copy hives with certutil
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
proc_creation_win_susp_system_exe_anomaly.yml
- T1218 Renamed Microsoft.Workflow.Compiler.exe Payload Executions
- T1036.003 Masquerading - wscript.exe running as svchost.exe
- T1036.003 Malicious process Masquerading as LSM.exe
- T1036.003 Masquerading as Windows LSASS process
- T1036.003 Masquerading - windows exe running as different windows exe
- T1036.003 Masquerading - non-windows exe running as windows exe
- T1105 svchost writing a file to a UNC path
- T1036.005 Masquerade as a built-in system executable
- T1218 LOLBAS CustomShellHost to Spawn Process
proc_creation_win_susp_system_user_anomaly.yml
- T1106 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
proc_creation_win_susp_weak_or_abused_passwords.yml
- T1033 System Discovery - SocGholish whoami
proc_creation_win_susp_web_request_cmd_and_cmdlets.yml
- T1558.003 WinPwn - Kerberoasting
- T1082 WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors
- T1018 Get-DomainController with PowerView
- T1105 File Download via PowerShell
- T1204.002 LNK Payload Download
- T1552.001 WinPwn - SessionGopher
- T1218.005 Mshta Executes Remote HTML Application (HTA)
- T1558.003 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1082 WinPwn - itm4nprivesc
- T1069.002 Get-DomainGroupMember with PowerView
- T1082 WinPwn - winPEAS
- T1555 WinPwn - Loot local Credentials - lazagne
- T1055.001 WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique
- T1046 WinPwn - bluekeep
- T1558.004 Get-DomainUser with PowerView
- T1518 WinPwn - powerSQL
- T1135 WinPwn - shareenumeration
- T1559.002 Execute PowerShell script via Word DDE
- T1557.001 LLMNR Poisoning with Inveigh (PowerShell)
- T1071.001 Malicious User Agents - Powershell
- T1219 TeamViewer Files Detected Test on Windows
- T1187 WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS
- T1120 WinPwn - printercheck
- T1558.004 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
- T1087.002 WinPwn - generaldomaininfo
- T1201 Get-DomainPolicy with PowerView
- T1056.004 Hook PowerShell TLS Encrypt/Decrypt Messages
- T1134.002 WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique
- T1048.003 MAZE FTP Upload
- T1204.002 Potentially Unwanted Applications (PUA)
- T1552.001 WinPwn - passhunt
- T1078.003 WinPwn - Loot local Credentials - Safetykatz
- T1082 WinPwn - Powersploits privesc checks
- T1620 WinPwn - Reflectively load Mimik@tz into memory
- T1082 WinPwn - Morerecon
- T1555.003 WinPwn - BrowserPwn
- T1204.002 Office Generic Payload Download
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1046 WinPwn - fruit
- T1095 ICMP C2
- T1105 Windows - PowerShell Download
- T1071.004 DNS C2
- T1552.001 WinPwn - sensitivefiles
- T1219 ScreenConnect Application Download and Install on Windows
- T1615 WinPwn - GPOAudit
- T1082 WinPwn - General privesc checks
- T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- T1615 WinPwn - GPORemoteAccessPolicy
- T1555.003 WinPwn - PowerSharpPack - Sharpweb for Browser Credentials
- T1082 WinPwn - GeneralRecon
- T1555.004 WinPwn - Loot local Credentials - Invoke-WCMDump
- T1548.002 WinPwn - UAC Bypass DccwBypassUAC technique
- T1069.002 Get-DomainGroup with PowerView
- T1087.002 Get-DomainUser with PowerView
- T1555.003 WinPwn - Loot local Credentials - mimi-kittenz
- T1046 WinPwn - spoolvulnscan
- T1553.004 Add Root Certificate to CurrentUser Certificate Store
- T1219 GoToAssist Files Detected Test on Windows
- T1059.001 Run Bloodhound from Memory using Download Cradle
- T1550.002 Invoke-WMIExec Pass the Hash
- T1552.004 CertUtil ExportPFX
- T1003.002 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- T1105 iwr or Invoke Web-Request download
- T1106 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
- T1082 WinPwn - PowerSharpPack - Seatbelt
- T1566.001 Download Macro-Enabled Phishing Attachment
- T1027 DLP Evasion via Sensitive Data in VBA Macro over HTTP
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
- T1219 LogMeIn Files Detected Test on Windows
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
- T1562.001 WinPwn - Kill the event log services for stealth
- T1555 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- T1110.003 WinPwn - DomainPasswordSpray Attacks
- T1059.001 Invoke-AppPathBypass
- T1095 Powercat C2
- T1555 WinPwn - Loot local Credentials - Wifi Credentials
- T1082 WinPwn - PowerSharpPack - Watson searching for missing windows patches
- T1548.002 WinPwn - UAC Magic
- T1615 Get-DomainGPO to display group policy information via PowerView
- T1572 DNS over HTTPS Large Query Volume
- T1132.001 XOR Encoded data.
- T1082 WinPwn - RBCD-Check
- T1518 WinPwn - DotNet
- T1548.002 WinPwn - UAC Bypass DiskCleanup technique
- T1518 WinPwn - Dotnetsearch
- T1046 WinPwn - MS17-10
- T1552.001 WinPwn - Snaffler
- T1197 Bitsadmin Download (PowerShell)
- T1552.001 WinPwn - powershellsensitive
proc_creation_win_svchost_uncommon_parent_process.yml
- T1218 Renamed Microsoft.Workflow.Compiler.exe Payload Executions
- T1036.003 Masquerading - wscript.exe running as svchost.exe
- T1036.003 Masquerading - windows exe running as different windows exe
- T1036.003 Masquerading - non-windows exe running as windows exe
- T1105 svchost writing a file to a UNC path
- T1036.005 Masquerade as a built-in system executable
proc_creation_win_sysinternals_eula_accepted.yml
- T1021.002 Copy and Execute File with PsExec
- T1562.006 Disable Powershell ETW Provider - Windows
- T1569.002 Use PsExec to execute a command on a remote host
- T1550.003 Rubeus Kerberos Pass The Ticket
- T1569.002 BlackCat pre-encryption cmds with Lateral Movement
- T1003.004 Dumping LSA Secrets
- T1003.001 Create Mini Dump of LSASS.exe using ProcDump
- T1003.001 Dump LSASS.exe Memory using ProcDump
proc_creation_win_sysinternals_procdump.yml
- T1003.001 Create Mini Dump of LSASS.exe using ProcDump
- T1003.001 Dump LSASS.exe Memory using ProcDump
proc_creation_win_sysinternals_procdump_lsass.yml
- T1003.001 Dump LSASS.exe Memory using ProcDump
proc_creation_win_sysinternals_psexec_execution.yml
- T1021.002 Copy and Execute File with PsExec
- T1562.006 Disable Powershell ETW Provider - Windows
- T1569.002 Use PsExec to execute a command on a remote host
- T1055 Remote Process Injection in LSASS via mimikatz
- T1550.003 Rubeus Kerberos Pass The Ticket
- T1569.002 BlackCat pre-encryption cmds with Lateral Movement
- T1003.004 Dumping LSA Secrets
- T1207 DCShadow (Active Directory)
proc_creation_win_sysinternals_psloglist.yml
- T1003.004 Dumping LSA Secrets
proc_creation_win_sysinternals_sdelete.yml
- T1485 Windows - Overwrite file with SysInternals SDelete
proc_creation_win_sysinternals_sysmon_uninstall.yml
- T1562.001 Uninstall Sysmon
proc_creation_win_sysinternals_tools_masquerading.yml
- T1555.003 Run Chrome-password Collector
proc_creation_win_systeminfo_execution.yml
- T1082 WinPwn - GeneralRecon
- T1082 System Information Discovery
proc_creation_win_takeown_recursive_own.yml
- T1222.001 Take ownership using takeown utility
proc_creation_win_taskkill_execution.yml
- T1090.003 Psiphon
- T1204.002 LNK Payload Download
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1105 Download a file with Microsoft Connection Manager Auto-Download
- T1219 RemotePC Software Execution
proc_creation_win_tasklist_basic_execution.yml
- T1003.001 Dump LSASS with createdump.exe from .Net v5
- T1518.001 Security Software Discovery
- T1057 Process Discovery - tasklist
- T1007 System Service Discovery
proc_creation_win_tscon_localsystem.yml
- T1563.002 RDP hijacking
proc_creation_win_uac_bypass_cmstp.yml
- T1548.002 WinPwn - UAC Bypass ccmstp technique
- T1218.003 CMSTP Executing Remote Scriptlet
- T1218.003 CMSTP Executing UAC Bypass
proc_creation_win_uac_bypass_cmstp_com_object_access.yml
- T1548.002 WinPwn - UAC Bypass ccmstp technique
proc_creation_win_uac_bypass_fodhelper.yml
- T1548.002 Bypass UAC using Fodhelper
- T1548.002 Bypass UAC using Fodhelper - PowerShell
proc_creation_win_uac_bypass_sdclt.yml
- T1548.002 Bypass UAC using sdclt DelegateExecute
- T1059.001 Invoke-AppPathBypass
proc_creation_win_uac_bypass_wsreset_integrity_level.yml
- T1548.002 UAC Bypass with WSReset Registry Modification
proc_creation_win_ultravnc.yml
- T1219 UltraVNC Execution
proc_creation_win_uninstall_crowdstrike_falcon.yml
- T1562.001 Uninstall Crowdstrike Falcon on Windows
proc_creation_win_userinit_uncommon_child_processes.yml
- T1037.001 Logon Scripts
proc_creation_win_vaultcmd_list_creds.yml
- T1555.004 Access Saved Credentials via VaultCmd
proc_creation_win_virtualbox_execution.yml
- T1564.006 Create and start VirtualBox virtual machine
- T1564.006 Register Portable Virtualbox
proc_creation_win_w32tm.yml
- T1124 System Time Discovery W32tm as a Delay
proc_creation_win_wbadmin_delete_backups.yml
- T1490 Windows - wbadmin Delete systemstatebackup
proc_creation_win_where_browser_data_recon.yml
- T1217 List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt
- T1217 List Mozilla Firefox bookmarks on Windows with command prompt
proc_creation_win_whoami_execution.yml
- T1558.004 Get-DomainUser with PowerView
- T1036.003 File Extension Masquerading
- T1552.001 WinPwn - sensitivefiles
- T1033 System Discovery - SocGholish whoami
proc_creation_win_whoami_output.yml
- T1033 System Discovery - SocGholish whoami
proc_creation_win_whoami_priv_discovery.yml
- T1082 WinPwn - General privesc checks
- T1082 WinPwn - GeneralRecon
proc_creation_win_winrm_remote_powershell_session_process.yml
- T1059.001 PowerShell Session Creation and Use
- T1021.006 Remote Code Execution with PS Credentials Using Invoke-Command
proc_creation_win_winzip_password_compression.yml
- T1560.001 Compress Data and lock with password for Exfiltration with winzip
proc_creation_win_wmic_namespace_defender.yml
- T1562.001 WMIC Tamper with Windows Defender Evade Scanning Folder
proc_creation_win_wmic_process_creation.yml
- T1047 WMI Execute rundll32
- T1003.003 Create Volume Shadow Copy remotely (WMI) with esentutl
- T1047 WMI Execute Local Process
- T1087.002 Wevtutil - Discover NTLM Users Remote
- T1047 WMI Execute Remote Process
- T1105 MAZE Propagation Script
- T1518.001 Security Software Discovery - AV Discovery via WMI
proc_creation_win_wmic_recon_group.yml
- T1069.001 Wmic Group Discovery
proc_creation_win_wmic_recon_process.yml
- T1220 WMIC bypass using local XSL file
- T1047 WMI Reconnaissance Software
- T1220 WMIC bypass using remote XSL file
- T1082 WinPwn - General privesc checks
- T1082 WinPwn - GeneralRecon
- T1047 WMI Reconnaissance Processes
- T1057 Process Discovery - wmic process
proc_creation_win_wmic_recon_system_info_uncommon.yml
- T1082 System Information Discovery with WMIC
proc_creation_win_wmic_remote_execution.yml
- T1087.002 Wevtutil - Discover NTLM Users Remote
proc_creation_win_wmic_squiblytwo_bypass.yml
- T1220 WMIC bypass using remote XSL file
proc_creation_win_wmic_susp_process_creation.yml
- T1087.002 Wevtutil - Discover NTLM Users Remote
proc_creation_win_wmic_uninstall_application.yml
- T1087.002 Wevtutil - Discover NTLM Users Remote
- T1047 Application uninstall using WMIC
proc_creation_win_wmic_xsl_script_processing.yml
- T1220 WMIC bypass using local XSL file
- T1220 MSXSL Bypass using local files
- T1220 WMIC bypass using remote XSL file
- T1220 MSXSL Bypass using remote files
proc_creation_win_wmiprvse_spawning_process.yml
- T1047 Create a Process using WMI Query and an Encoded Command
- T1047 WMI Execute rundll32
- T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
- T1003.003 Create Volume Shadow Copy remotely (WMI) with esentutl
- T1218.001 Invoke CHM Simulate Double click
- T1218.005 Invoke HTML Application - JScript Engine with Inline Protocol Handler
- T1047 WMI Execute Local Process
- T1218.001 Invoke CHM with InfoTech Storage Protocol Handler
- T1218.005 Invoke HTML Application - Direct download from URI
- T1218.005 Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler
- T1218.005 Invoke HTML Application - Simulate Lateral Movement over UNC Path
- T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
- T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations
- T1218.001 Invoke CHM with default Shortcut Command Execution
- T1047 Create a Process using obfuscated Win32_Process
- T1218.001 Invoke CHM with Script Engine and Help Topic
- T1218.005 Invoke HTML Application - Jscript Engine Simulating Double Click
- T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
- T1218.001 Invoke CHM Shortcut Command with ITS and Help Topic
proc_creation_win_wmiprvse_spawns_powershell.yml
- T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
- T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
- T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations
- T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
proc_creation_win_wmiprvse_susp_child_processes.yml
- T1218.005 Invoke HTML Application - JScript Engine with Inline Protocol Handler
- T1218.005 Invoke HTML Application - Direct download from URI
- T1218.005 Invoke HTML Application - Simulate Lateral Movement over UNC Path
proc_creation_win_wscript_cscript_dropper.yml
- T1204.002 Excel 4 Macro
- T1547.001 Suspicious vbs file run from startup Folder
- T1204.002 OSTap Style Macro Execution
- T1036.003 File Extension Masquerading
- T1204.002 OSTAP JS version
- T1547.001 Suspicious jse file run from startup Folder
- T1204.002 OSTap Payload Download
proc_creation_win_wscript_cscript_script_exec.yml
- T1216.001 PubPrn.vbs Signed Script Bypass
- T1204.002 OSTap Style Macro Execution
- T1059.007 JScript execution to gather local computer information via wscript
- T1105 OSTAP Worming Activity
- T1204.002 OSTAP JS version
- T1547.001 Suspicious jse file run from startup Folder
- T1204.002 OSTap Payload Download
- T1082 Griffon Recon
proc_creation_win_wuauclt_dll_loading.yml
- T1218 Load Arbitrary DLL via Wuauclt (Windows Update Client)
raw_access_thread_susp_disk_access_using_uncommon_tools.yml
- T1569.002 Use RemCom to execute a command on a remote host
registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
- T1037.001 Logon Scripts
registry_add_pua_sysinternals_execution_via_eula.yml
- T1204.002 Excel 4 Macro
- T1021.002 Copy and Execute File with PsExec
- T1569.002 Use PsExec to execute a command on a remote host
- T1055 Remote Process Injection in LSASS via mimikatz
- T1550.003 Rubeus Kerberos Pass The Ticket
- T1003.004 Dumping LSA Secrets
- T1207 DCShadow (Active Directory)
- T1485 Windows - Overwrite file with SysInternals SDelete
- T1003.001 Create Mini Dump of LSASS.exe using ProcDump
- T1003.001 Dump LSASS.exe Memory using ProcDump
registry_delete_mstsc_history_cleared.yml
- T1112 Terminal Server Client Connection History Cleared
registry_delete_removal_amsi_registry_key.yml
- T1562.001 AMSI Bypass - Remove AMSI Provider Reg Key
registry_event_cmstp_execution_by_registry.yml
- T1548.002 WinPwn - UAC Bypass ccmstp technique
registry_event_net_ntlm_downgrade.yml
- T1187 WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS
registry_event_office_trust_record_modification.yml
- T1218 ProtocolHandler.exe Downloaded a Suspicious File
registry_event_persistence_recycle_bin.yml
- T1547.001 Add persistance via Recycle bin
registry_event_shell_open_keys_manipulation.yml
- T1548.002 Bypass UAC using ComputerDefaults (PowerShell)
- T1548.002 Bypass UAC using Fodhelper
- T1548.002 Bypass UAC using Fodhelper - PowerShell
registry_event_ssp_added_lsa_config.yml
- T1547.005 Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry
registry_event_stickykey_like_backdoor.yml
- T1546.008 Attaches Command Prompt as a Debugger to a List of Target Processes
registry_event_susp_atbroker_change.yml
- T1546.008 Atbroker.exe (AT) Executes Arbitrary Command via Registry Key
registry_event_susp_lsass_dll_load.yml
- T1547.008 Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt
registry_event_susp_mic_cam_access.yml
- T1125 Registry artefact when application use webcam
- T1123 Registry artefact when application use microphone
registry_set_add_load_service_in_safe_mode.yml
- T1219 Ammyy Admin Software Execution
- T1112 Windows Add Registry Value to Load Service in Safe Mode with Network
- T1112 Windows Add Registry Value to Load Service in Safe Mode without Network
registry_set_add_port_monitor.yml
- T1547.010 Add Port Monitor persistence in Registry
- T1547.012 Print Processors
registry_set_allow_rdp_remote_assistance_feature.yml
- T1112 Allow RDP Remote Assistance Feature
registry_set_amsi_com_hijack.yml
- T1562.001 AMSI Bypass - Override AMSI via COM
registry_set_asep_reg_keys_modification_common.yml
- T1546 HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)
- T1546 HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
registry_set_asep_reg_keys_modification_currentcontrolset.yml
- T1547.010 Add Port Monitor persistence in Registry
- T1547.002 Authentication Package
- T1003 Credential Dumping with NPPSpy
- T1556.002 Install and Register Password Filter DLL
registry_set_asep_reg_keys_modification_currentversion.yml
- T1547.001 HKLM - Policy Settings Explorer Run Key
- T1218 InfDefaultInstall.exe .inf Execution
- T1547.001 HKCU - Policy Settings Explorer Run Key
- T1547.001 Reg Key RunOnce
- T1112 NetWire RAT Registry Key Creation
- T1547.001 PowerShell Registry RunOnce
- T1112 Modify Registry of Local Machine - cmd
- T1547.001 secedit used to create a Run key in the HKLM Hive
- T1547.001 SystemBC Malware-as-a-Service Registry
- T1036.003 Masquerading - non-windows exe running as windows exe
- T1219 RemotePC Software Execution
- T1547.001 Reg Key Run
registry_set_asep_reg_keys_modification_currentversion_nt.yml
- T1547.004 Winlogon HKLM Userinit Key Persistence - PowerShell
- T1547.001 HKLM - Append Command to Winlogon Userinit KEY Value
- T1547.004 Winlogon Shell Key Persistence - PowerShell
- T1546.012 GlobalFlags in Image File Execution Options
- T1546.012 IFEO Add Debugger
- T1547.001 HKLM - Modify default System Shell - Winlogon Shell KEY Value
- T1546.012 IFEO Global Flags
- T1546.010 Install AppInit Shim
- T1546.008 Attaches Command Prompt as a Debugger to a List of Target Processes
- T1547.004 Winlogon HKLM Shell Key Persistence - PowerShell
registry_set_asep_reg_keys_modification_office.yml
- T1219 TeamViewer Files Detected Test on Windows
- T1592.002 Enumerate COM Objects in Registry with Powershell
- T1137.002 Office Application Startup Test Persistence (HKCU)
registry_set_asep_reg_keys_modification_session_manager.yml
- T1546.009 Create registry persistence via AppCert DLL
registry_set_blackbyte_ransomware.yml
- T1112 BlackByte Ransomware Registry Changes - Powershell
- T1112 BlackByte Ransomware Registry Changes - CMD
registry_set_bypass_uac_using_delegateexecute.yml
- T1548.002 Bypass UAC using sdclt DelegateExecute
registry_set_bypass_uac_using_eventviewer.yml
- T1548.002 Bypass UAC using Event Viewer (PowerShell)
- T1548.002 Bypass UAC using Event Viewer (cmd)
registry_set_bypass_uac_using_silentcleanup_task.yml
- T1548.002 Bypass UAC using SilentCleanup task
registry_set_change_rdp_port.yml
- T1021.001 Changing RDP Port to Non Standard Port via Powershell
- T1021.001 Changing RDP Port to Non Standard Port via Command_Prompt
registry_set_change_security_zones.yml
- T1112 Add domain to Trusted sites Zone
registry_set_chrome_extension.yml
- T1133 Running Chrome VPN Extensions via the Registry 2 vpn extension
registry_set_creation_service_susp_folder.yml
- T1562.001 Kill antimalware protected processes using Backstab
registry_set_defender_exclusions.yml
- T1562.001 WMIC Tamper with Windows Defender Evade Scanning Folder
- T1562.001 Tamper with Windows Defender Evade Scanning -Folder
- T1562.001 Tamper with Windows Defender Evade Scanning -Extension
- T1562.001 Tamper with Windows Defender Evade Scanning -Process
registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml
- T1562.001 Disable Hypervisor-Enforced Code Integrity (HVCI)
registry_set_disable_administrative_share.yml
- T1070.005 Disable Administrative Share Creation at Startup
registry_set_disable_defender_firewall.yml
- T1562.004 Disable Microsoft Defender Firewall
- T1562.004 Disable Microsoft Defender Firewall via Registry
- T1562.004 Blackbit - Disable Windows Firewall using netsh firewall
registry_set_disable_function_user.yml
- T1112 Disable Windows Notification Center
- T1548.002 Disable ConsentPromptBehaviorAdmin via registry keys
- T1112 Disable Windows Change Password Feature
- T1112 Disable Windows Shutdown Button
- T1112 Disable Windows CMD application
- T1548.002 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
- T1112 Disable Windows Toast Notifications
- T1112 Disable Windows Lock Workstation Feature
- T1112 Disable Windows LogOff Button
- T1112 Disable Windows Task Manager application
- T1112 Disable Windows Registry Tool
registry_set_disable_privacy_settings_experience.yml
- T1562.001 LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell
registry_set_disable_security_center_notifications.yml
- T1112 Disable Windows Security Center Notifications
registry_set_disable_system_restore.yml
- T1490 Disable System Restore Through Registry
registry_set_disable_windows_firewall.yml
- T1562.004 LockBit Black - Unusual Windows firewall registry modification -cmd
- T1562.004 LockBit Black - Unusual Windows firewall registry modification -Powershell
registry_set_disable_winevt_logging.yml
- T1562.006 LockBit Black - Disable the ETW Provider of Windows Defender -Powershell
- T1562.006 LockBit Black - Disable the ETW Provider of Windows Defender -cmd
registry_set_disallowrun_execution.yml
- T1112 DisallowRun Execution Of Certain Applications
registry_set_dot_net_etw_tamper.yml
- T1562.006 Disable .NET Event Tracing for Windows Via Registry (powershell)
- T1562.006 Disable .NET Event Tracing for Windows Via Registry (cmd)
registry_set_enabling_cor_profiler_env_variables.yml
- T1574.012 User scope COR_PROFILER
- T1574.012 System Scope COR_PROFILER
registry_set_hidden_extention.yml
- T1112 Modify Registry of Current User Profile - cmd
registry_set_hide_file.yml
- T1564.001 Hide Files Through Registry
registry_set_hide_function_user.yml
- T1112 Hide Windows Clock Group Policy Feature
- T1112 Windows HideSCAPower Group Policy Feature
- T1112 Windows HideSCANetwork Group Policy Feature
- T1112 Windows Modify Show Compress Color And Info Tip Registry
- T1112 Windows HideSCAVolume Group Policy Feature
- T1112 Windows HideSCAHealth Group Policy Feature
registry_set_install_root_or_ca_certificat.yml
- T1552.004 Export Root Certificate with Export-PFXCertificate
- T1552.004 Export Root Certificate with Export-Certificate
- T1553.004 Add Root Certificate to CurrentUser Certificate Store
- T1552.004 CertUtil ExportPFX
registry_set_legalnotice_susp_message.yml
- T1491.001 Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message
registry_set_lsa_disablerestrictedadmin.yml
- T1112 Enabling Restricted Admin Mode via Command_Prompt
registry_set_office_disable_protected_view_features.yml
- T1204.002 Mirror Blast Emulation
- T1562.001 Disable Microsoft Office Security Features
registry_set_office_outlook_security_settings.yml
- T1137 Office Application Startup - Outlook as a C2
registry_set_office_trust_record_susp_location.yml
- T1564 Extract binary files via VBA
- T1204.002 Office Generic Payload Download
- T1204.002 Mirror Blast Emulation
- T1562.001 Disable Microsoft Office Security Features
registry_set_persistence_autodial_dll.yml
- T1546 Persistence with Custom AutodialDLL
registry_set_persistence_event_viewer_events_asp.yml
- T1112 Event Viewer Registry Modification - Redirection Program
- T1112 Event Viewer Registry Modification - Redirection URL
registry_set_persistence_globalflags.yml
- T1546.012 GlobalFlags in Image File Execution Options
- T1546.012 IFEO Global Flags
registry_set_persistence_ie.yml
- T1090.003 Psiphon
- T1219 TeamViewer Files Detected Test on Windows
- T1220 MSXSL Bypass using local files
- T1112 Javascript in registry
- T1220 MSXSL Bypass using remote files
registry_set_persistence_office_vsto.yml
- T1219 TeamViewer Files Detected Test on Windows
- T1592.002 Enumerate COM Objects in Registry with Powershell
registry_set_persistence_outlook_homepage.yml
- T1137.004 Install Outlook Home Page Persistence
registry_set_persistence_scrobj_dll.yml
- T1546.015 COM hijacking via TreatAs
registry_set_persistence_search_order.yml
- T1219 TeamViewer Files Detected Test on Windows
registry_set_persistence_shim_database.yml
- T1546.011 Registry key creation and/or modification events for SDB
registry_set_powershell_as_service.yml
- T1569.002 Execute a Command as a Service
registry_set_powershell_in_run_keys.yml
- T1547.001 SystemBC Malware-as-a-Service Registry
registry_set_powershell_logging_disabled.yml
- T1112 Windows Powershell Logging Disabled
registry_set_service_image_path_user_controlled_folder.yml
- T1562.001 Kill antimalware protected processes using Backstab
registry_set_servicedll_hijack.yml
- T1543.003 TinyTurla backdoor service w64time
- T1505.005 Modify Terminal Services DLL Path
registry_set_set_nopolicies_user.yml
- T1112 Activate Windows NoSetTaskbar Group Policy Feature
- T1112 Activate Windows NoClose Group Policy Feature
- T1112 Activate Windows NoDesktop Group Policy Feature
- T1112 Activate Windows NoPropertiesMyDocuments Group Policy Feature
- T1112 Activate Windows NoRun Group Policy Feature
- T1112 Activate Windows NoControlPanel Group Policy Feature
- T1112 Disable Windows LogOff Button
- T1112 Activate Windows NoFileMenu Group Policy Feature
- T1112 Activate Windows NoFind Group Policy Feature
- T1112 Activate Windows NoTrayContextMenu Group Policy Feature
registry_set_sip_persistence.yml
- T1553.003 SIP (Subject Interface Package) Hijacking via Custom DLL
registry_set_special_accounts.yml
- T1564.002 Create Hidden User in Registry
- T1564.002 Create Hidden User in Registry
registry_set_suppress_defender_notifications.yml
- T1112 Suppress Win Defender Notifications
registry_set_susp_run_key_img_folder.yml
- T1036.003 Masquerading - non-windows exe running as windows exe
registry_set_susp_user_shell_folders.yml
- T1547.001 Change Startup Folder - HKCU Modify User Shell Folders Startup Value
- T1547.001 Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value
registry_set_terminal_server_suspicious.yml
- T1112 Mimic Ransomware - Allow Multiple RDP Sessions per User
registry_set_terminal_server_tampering.yml
- T1078.001 Enable Guest account with RDP capability and admin privileges
- T1505.005 Modify Terminal Services DLL Path
registry_set_timeproviders_dllname.yml
- T1547.003 Edit an existing time provider
- T1547.003 Create a new time provider
registry_set_treatas_persistence.yml
- T1546.015 COM hijacking via TreatAs
- T1546.015 COM hijacking via TreatAs
registry_set_uac_disable.yml
- T1548.002 Disable UAC using reg.exe
registry_set_uac_disable_notification.yml
- T1548.002 Disable UAC notification via registry keys
registry_set_wdigest_enable_uselogoncredential.yml
- T1112 Modify registry to store logon credentials
registry_set_windows_defender_tamper.yml
- T1562.001 Tamper with Windows Defender Registry - Reg.exe
- T1562.001 Tamper with Windows Defender Registry - Powershell
- T1562.001 Tamper with Windows Defender Registry
- T1562.001 Tamper with Windows Defender ATP using Aliases - PowerShell
registry_set_winlogon_notify_key.yml
- T1547.004 Winlogon Notify Key Logon Persistence - PowerShell
sysmon_wmi_event_subscription.yml
- T1546.003 Persistence via WMI Event Subscription - ActiveScriptEventConsumer
- T1546.003 Persistence via WMI Event Subscription - ActiveScriptEventConsumer
- T1546.003 Persistence via WMI Event Subscription - CommandLineEventConsumer
sysmon_wmi_susp_scripting.yml
- T1546.003 Persistence via WMI Event Subscription - ActiveScriptEventConsumer
win_alert_mimikatz_keywords.yml
- T1558.002 Crafting Active Directory silver tickets with mimikatz
- T1558.001 Crafting Active Directory golden tickets with mimikatz
- T1003.001 Offline Credential Theft With Mimikatz
- T1134.005 Injection SID-History with mimikatz
- T1558.001 Crafting Active Directory golden tickets with Rubeus
- T1550.003 Mimikatz Kerberos Ticket Attack
- T1550.002 crackmapexec Pass the Hash
- T1550.003 Rubeus Kerberos Pass The Ticket
- T1550.002 Mimikatz Pass the Hash
- T1207 DCShadow (Active Directory)
- T1550.002 Invoke-WMIExec Pass the Hash
- T1059.001 Mimikatz
- T1003.006 Run DSInternals Get-ADReplAccount
- T1078.003 WinPwn - Loot local Credentials - powerhell kittie
win_av_relevant_match.yml
- T1550.002 crackmapexec Pass the Hash
win_builtin_remove_application.yml
- T1047 Application uninstall using WMIC
win_firewall_as_add_rule.yml
- T1562.004 Set a firewall rule using New-NetFirewallRule
win_firewall_as_add_rule_wmiprvse.yml
- T1562.004 Set a firewall rule using New-NetFirewallRule
win_ldap_recon.yml
- T1018 Get-WmiObject to Enumerate Domain Controllers
win_security_audit_log_cleared.yml
- T1070.001 Clear Event Logs via VBA
- T1070.001 Delete System Logs Using Clear-EventLog
win_security_disable_event_auditing.yml
- T1562.002 Clear Windows Audit Policy Config
win_security_iso_mount.yml
- T1204.003 Malicious Execution from Mounted ISO Image
win_security_overpass_the_hash.yml
- T1558.001 Crafting Active Directory golden tickets with mimikatz
- T1558.001 Crafting Active Directory golden tickets with Rubeus
win_security_pass_the_hash_2.yml
- T1558.001 Crafting Active Directory golden tickets with mimikatz
- T1558.001 Crafting Active Directory golden tickets with Rubeus
win_security_susp_logon_explicit_credentials.yml
- T1110.003 Password Spray Invoke-DomainPasswordSpray Light
- T1110.001 Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)
win_security_susp_outbound_kerberos_connection.yml
- T1098 Domain Password Policy Check: Short Password
win_system_eventlog_cleared.yml
- T1070.001 Clear Event Logs via VBA
- T1070.001 Clear Logs
- T1070.001 Delete System Logs Using Clear-EventLog
win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
win_system_service_install_susp.yml
- T1106 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
win_system_service_install_sysinternals_psexec.yml
- T1562.006 Disable Powershell ETW Provider - Windows
win_system_susp_service_installation_folder.yml
- T1219 Ammyy Admin Software Execution
win_taskscheduler_susp_schtasks_delete.yml
- T1562.001 Delete Windows Defender Scheduled Tasks
win_wmi_persistence.yml
- T1546.003 Persistence via WMI Event Subscription - ActiveScriptEventConsumer
- T1546.003 Persistence via WMI Event Subscription - CommandLineEventConsumer