ATT&CK Database
Name | ATT&CK Tactics & Techniques | Status | Update | ATT&CK Version |
---|---|---|---|---|
Add command to .bashrc | Persistence: Event Triggered Execution: .bash_profile and .bashrc; Privilege Escalation: Event Triggered Execution: .bash_profile and .bashrc | Add | This ability adds a command to the .bashrc file of the current user. | V10 |
Archive Collected Credentials | Collection: Archive Collected Data | Add | This ability archives collected credentials. | V10 |
Create a Run Key in the HKLM Hive | Persistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Privilege Escalation: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Add | This ability creates an HTTP server on port 9090. | V10 |
Delete Prefetch File | Defense Evasion: Indicator Removal: File Deletion | Add | This ability deletes a single prefetch file. | V10 |
Delete System Log Files | Defense Evasion: Indicator Removal on Host: Clear Linux or Mac System Logs | Add | This ability deletes the system log file using the unlink utility. Elevation required. | V10 |
Disable LSA Protection | Defense Evasion: Impair Defenses | Add | This ability adds a registry entry to disable LSA Protection. | V10 |
Discover NTLM Users Remote | Discovery: Account Discovery: Domain Account | Add | This ability discovers users who have authenticated against a Domain Controller via NTLM. | V10 |
Enabling Restricted Admin Mode | Defense Evasion: Modify Registry | Add | This ability enables restricted administrative mode. | V10 |
Enumerate COM Objects in Registry | Discovery: Query Registry | Add | This ability enumerates the COM objects listed in HKCR. | V10 |
Execute base64 encoded commands | Defense Evasion: Deobfuscate/Decode Files or Information | Add | This ability Base64-decodes the encoded text and passes it to the bash shell interpreter, which executes it as a shell script. | V10 |
Forcing WDigest to Store Credentials in Plaintext | Defense Evasion: Modify Registry | Add | This ability modifies the registry key that forces WDigest to store credentials in plaintext. | V10 |
Identify Domain Trusts | Discovery: Domain Trust Discovery | Add | This ability identifies domain trusts with PowerView. | V10 |
Install agent as domain administrator | Persistence: Create or Modify System Process: Windows Service | Add | This ability uses the credentials collected by Powerkatz to install the agent as a domain administrator. | V10 |
Install agent in remote host | Lateral Movement: Remote Services: SMB/Windows Admin Shares | Add | This ability copies the agent to a remote host and starts it. | V10 |
List macOS Firewall Rules | Discovery: System Network Configuration Discovery | Add | This ability tests whether the macOS firewall is enabled and/or shows which rules are configured. | V10 |
Listing AD Infrastructure | Discovery: Domain Trust Discovery | Add | Iterative AD discovery toolkit for offensive operators. | V10 |
Mount Share and Copy File | Lateral Movement: Remote Services: SMB/Windows Admin Shares | Add | This ability mounts a Windows share on a remote host and copies files to it. | V10 |
Pad Binary to Change Hash using truncate command | Defense Evasion: Obfuscated Files or Information: Binary Padding | Add | This ability uses truncate to add a byte to the binary, changing its hash. | V10 |
Persistence using CommandProcessor AutoRun key | Persistence: Event Triggered Execution; Privilege Escalation: Event Triggered Execution | Add | This ability uses the CommandProcessor AutoRun registry key to persist. | V10 |
Remote Host Ping | Persistence: Create or Modify System Process: Windows Service | Add | This ability pings a remote host to see if it is accessible. | V10 |
Setting the HISTFILESIZE environment variable | Defense Evasion: Impair Defenses: Impair Command History Logging | Add | This ability sets HISTFILESIZE to 0 and then restores it. | V10 |
Tamper with Windows Defender Registry | Defense Evasion: Impair Defenses: Disable or Modify Tools | Add | This ability disables Windows Defender from starting after a reboot. | V10 |
1 min Sleep | Defense Evasion: Virtualization/Sandbox Evasion: Time Based Evasion | Mod | This ability pauses all operations to avoid making noise. | V10 |
Add Command to .bashrc | Persistence: Event Triggered Execution: Unix Shell Configuration Modification; Privilege Escalation: Event Triggered Execution: Unix Shell Configuration Modification | Mod | This ability adds a command to the .bashrc file of the current user. | V10 |
Add Command to .bash_profile | Persistence: Event Triggered Execution: Unix Shell Configuration Modification; Privilege Escalation: Event Triggered Execution: Unix Shell Configuration Modification | Mod | This ability adds a command to the .bash_profile file of the current user. | V10 |
Add Malicious StubPath Value to Existing Active Setup Entry | Persistence: Boot or Logon Autostart Execution: Active Setup; Privilege Escalation: Boot or Logon Autostart Execution: Active Setup | Mod | This ability adds a StubPath entry to the Active Setup native registry key. | V10 |
Add Port Monitor Persistence in Registry | Persistence: Boot or Logon Autostart Execution: Port Monitors; Privilege Escalation: Boot or Logon Autostart Execution: Port Monitors | Mod | This ability adds a key-value pair to a Windows Port Monitor registry key. | V10 |
Add Script to Cron Subfolders | Execution: Scheduled Task/Job: Cron; Persistence: Scheduled Task/Job: Cron; Privilege Escalation: Scheduled Task/Job: Cron | Mod | This ability adds a script to the /etc/cron.daily folder, which is configured to execute on a schedule. | V10 |
Append Malicious Start-Process Cmdlet | Persistence: Event Triggered Execution: PowerShell Profile; Privilege Escalation: Event Triggered Execution: PowerShell Profile | Mod | This ability appends a Start-Process cmdlet to the current user's PowerShell profile. | V10 |
Avoid Logs | Defense Evasion: Indicator Removal on Host: Clear Command History | Mod | This ability prevents the terminal from logging history. | V10 |
Base64 Decoding with Shell Utilities | Defense Evasion: Deobfuscate/Decode Files or Information | Mod | This ability uses common shell utilities to decode a base64-encoded text string. | V10 |
Base64 Encoded Data | Command and Control: Data Encoding: Standard Encoding | Mod | This ability creates a test file with base64-encoded content. | V10 |
Binary Packed by UPX | Defense Evasion: Obfuscated Files or Information: Software Packing | Mod | This ability copies and then runs a simple binary packed by UPX. | V10 |
Bits Download using desktopimgdownldr.exe | Persistence: BITS Jobs; Defense Evasion: BITS Jobs | Mod | This ability simulates using desktopimgdownldr.exe to download a malicious file. | V10 |
Brute Force Credentials of Single Active Directory Domain User | Credential Access: Brute Force: Password Guessing | Mod | This ability attempts to brute force an Active Directory domain user on a domain controller. | V10 |
Change File Mode | Defense Evasion: File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | Mod | This ability changes a file's permissions using chmod and a specified numeric mode. | V10 |
Check Analysis Environment Processes | Defense Evasion: File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | Mod | This ability checks for analysis/sandbox environment processes. | V10 |
Copy File To Removable Media | Initial Access: Replication Through Removable Media; Lateral Movement: Replication Through Removable Media | Mod | This ability simulates an adversary copying malware to all connected removable drives. | V10 |
Discover Local Hosts | Discovery: Remote System Discovery | Mod | This ability reboots the system. Note that running this ability will REBOOT THE SYSTEM. | V10 |
Get credentials with Powerkatz | Credential Access: OS Credential Dumping: LSASS Memory | Mod | This ability uses Invoke-Mimikatz to collect credentials on the target machine. | V10 |
Reboot System | Impact: System Shutdown/Reboot | Mod | This ability reboots the system. Note that running this ability will REBOOT THE SYSTEM. | V10 |