This artifact allows you to run Atomic Red Team tests on Windows endpoints using Invoke-AtomicRedTeam. Linux and MacOS endpoints will soon be supported.
NOTE: All tests may not work out OOB. You may notice interference or inoperability of some tests with Windows Defender/antivirus/EDR enabled. Best-effort checks are made using the built-in -GetPreReqs flag. This is an initial PoC, and as such, much testing is needed, and feedback is welcome.
Reference:
https://github.com/redcanaryco/invoke-atomicredteam
Description:
Invoke-AtomicRedTeam is a PowerShell module to execute tests as defined in the atomics folder of Red Canary’s Atomic Red Team project. The “atomics folder” contains a folder for each Technique defined by the MITRE ATT&CK™ Framework. Inside of each of these “T#” folders you’ll find a yaml file that defines the attack procedures for each atomic test as well as an easier to read markdown (md) version of the same data.
- Executing atomic tests may leave your system in an undesirable state. You are responsible for understanding what a test does before executing.
- Ensure you have permission to test before you begin.
- It is recommended to set up a test machine for atomic test execution that is similar to the build in your environment. Be sure you have your collection/EDR solution in place, and that the endpoint is checking in and active.
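The review step the warnings above call for, as an added example that is not part of this artifact or of Invoke-AtomicRedTeam: it parses selections written the way this artifact names its test parameters (`T1547.001 - 1`), shows each test's details and prerequisite status, and executes only when `-Execute` is passed. The function names are hypothetical; it assumes the Invoke-AtomicRedTeam module is already imported and that the execution log has a `Technique` column, as this artifact's `column_types` entry suggests.

```powershell
# Added example: review-before-run helper. Function names are hypothetical.
# Assumes the Invoke-AtomicRedTeam module is already imported in this session.

function ConvertFrom-ArtSelection {
    # Turns 'T1547.001 - 1' style names into Technique / TestNumber objects.
    param([Parameter(Mandatory)][string[]]$Selection)

    $parsed = foreach ($item in $Selection) {
        # -cmatch keeps the match case-sensitive (ATT&CK IDs start with 'T').
        if ($item -cmatch '^(?<Technique>T\d{4}(?:\.\d{3})?) - (?<Test>\d+)$') {
            [pscustomobject]@{
                Technique  = $Matches['Technique']
                TestNumber = [int]$Matches['Test']
            }
        } else {
            Write-Warning "Ignoring malformed selection '$item'"
        }
    }

    # The same test can be listed under more than one tactic; keep it once.
    if ($parsed) { $parsed | Sort-Object Technique, TestNumber -Unique }
}

function Invoke-ArtReviewedTest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Selection,
        # Default taken from this artifact's ExecutionLogFile parameter.
        [string]$ExecutionLogFile = 'C:\Windows\Temp\ARTExec.csv',
        [switch]$Execute,   # without this switch nothing is executed
        [switch]$Cleanup
    )

    if (-not (Get-Command Invoke-AtomicTest -ErrorAction SilentlyContinue)) {
        throw 'Invoke-AtomicTest not found; import Invoke-AtomicRedTeam first.'
    }

    foreach ($t in (ConvertFrom-ArtSelection -Selection $Selection)) {
        # 1. Show what the test does before anything runs.
        Invoke-AtomicTest $t.Technique -TestNumbers $t.TestNumber -ShowDetails

        # 2. Report missing prerequisites without installing anything.
        Invoke-AtomicTest $t.Technique -TestNumbers $t.TestNumber -CheckPrereqs

        if (-not $Execute) { continue }

        # 3. Run the test and record it in the CSV execution log.
        Invoke-AtomicTest $t.Technique -TestNumbers $t.TestNumber `
            -ExecutionLogPath $ExecutionLogFile

        # 4. Optionally revert what the test changed.
        if ($Cleanup) {
            Invoke-AtomicTest $t.Technique -TestNumbers $t.TestNumber -Cleanup
        }
    }

    if ($Execute -and (Test-Path $ExecutionLogFile)) {
        # Per-technique counts to compare against what the EDR reported.
        Import-Csv $ExecutionLogFile |
            Group-Object Technique |
            Select-Object @{ n = 'Technique'; e = { $_.Name } }, Count
    }
}

# Review only; nothing is executed:
# Invoke-ArtReviewedTest -Selection 'T1547.001 - 1', 'T1112 - 1'
```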
name: Windows.AttackSimulation.AtomicRedTeam
author: Wes Lambert -- @therealwlambert
description: |
  This artifact allows you to run Atomic Red Team tests on Windows
  endpoints using Invoke-AtomicRedTeam. Linux and MacOS endpoints
  will soon be supported.

  NOTE: All tests may not work out OOB. You may notice interference
  or inoperability of some tests with Windows Defender/antivirus/EDR
  enabled. Best-effort checks are made using the built-in
  **-GetPreReqs** flag. This is an initial PoC, and as such, much
  testing is needed, and feedback is welcome.

  **Reference:**
  https://github.com/redcanaryco/invoke-atomicredteam

  **Description:**
  Invoke-AtomicRedTeam is a PowerShell module to execute tests as
  defined in the atomics folder of Red Canary's Atomic Red Team
  project. The "atomics folder" contains a folder for each Technique
  defined by the MITRE ATT&CK™ Framework. Inside of each of these
  "T#" folders you'll find a yaml file that defines the attack
  procedures for each atomic test as well as an easier to read
  markdown (md) version of the same data.

  - Executing atomic tests may leave your system in an undesirable
    state. You are responsible for understanding what a test does
    before executing.
  - Ensure you have permission to test before you begin.
  - It is recommended to set up a test machine for atomic test
    execution that is similar to the build in your environment. Be
    sure you have your collection/EDR solution in place, and that
    the endpoint is checking in and active.
type: CLIENT
column_types:
  - name: Technique
    type: safe_url
parameters:
  - name: InstallART
    description: Install AtomicRedTeam Execution Framework (Choose this for the first run, then de-select thereafter)
    default: Y
    type: bool
  - name: ExecutionLogFile
    description: Path to log file (CSV) for executions by ART tests
    default: C:\Windows\Temp\ARTExec.csv
  - name: RemoveExecLog
    description: Remove execution log before running artifact (in the event we don't want to intertwine results from previous tests)
    default: Y
    type: bool
  - name: Cleanup
    description: Clean up execution artifacts
    default: Y
    type: bool
  - name: RunAll
    description: NOT RECOMMENDED...USE WITH CAUTION - Run all ART tests
    default: N
    type: bool
  - name: T1558.004 - 1
    description: AS-REP Roasting - Rubeus asreproast
    type: bool
  - name: T1056.004 - 1
    description: Credential API Hooking - Hook PowerShell TLS Encrypt/Decrypt Messages
    type: bool
  - name: T1552.001 - 3
    description: Credentials In Files - Extracting passwords with findstr
    type: bool
  - name: T1552.001 - 4
    description: Credentials In Files - Access unattend.xml
    type: bool
  - name: T1555 - 1
    description: Credentials from Password Stores - Extract Windows Credential Manager via VBA
    type: bool
  - name: T1555 - 2
    description: Credentials from Password Stores - Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]
    type: bool
  - name: T1555 - 3
    description: Credentials from Password Stores - Dump credentials from Windows Credential Manager With PowerShell [web Credentials]
    type: bool
  - name: T1555 - 4
    description: Credentials from Password Stores - Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]
    type: bool
  - name: T1555 - 5
    description: Credentials from Password Stores - Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]
    type: bool
  - name: T1555.003 - 1
    description: Credentials from Web Browsers - Run Chrome-password Collector
    type: bool
  - name: T1555.003 - 3
    description: Credentials from Web Browsers - LaZagne - Credentials from Browser
    type: bool
  - name: T1555.003 - 4
    description: Credentials from Web Browsers - Simulating access to Chrome Login Data
    type: bool
  - name: T1552.002 - 1
    description: Credentials in Registry - Enumeration for Credentials in Registry
    type: bool
  - name: T1552.002 - 2
    description: Credentials in Registry - Enumeration for PuTTY Credentials in Registry
    type: bool
  - name: T1003.006 - 1
    description: DCSync - DCSync (Active Directory)
    type: bool
  - name: T1187 - 1
    description: Forced Authentication - PetitPotam
    type: bool
  - name: T1056.002 - 2
    description: GUI Input Capture - PowerShell - Prompt User for Password
    type: bool
  - name: T1558.001 - 1
    description: Golden Ticket - Crafting Active Directory golden tickets with mimikatz
    type: bool
  - name: T1552.006 - 1
    description: Group Policy Preferences - GPP Passwords (findstr)
    type: bool
  - name: T1552.006 - 2
    description: Group Policy Preferences - GPP Passwords (Get-GPPPassword)
    type: bool
  - name: T1558.003 - 1
    description: Kerberoasting - Request for service tickets
    type: bool
  - name: T1558.003 - 2
    description: Kerberoasting - Rubeus kerberoast
    type: bool
  - name: T1558.003 - 3
    description: Kerberoasting - Extract all accounts in use as SPN using setspn
    type: bool
  - name: T1558.003 - 4
    description: Kerberoasting - Request A Single Ticket via PowerShell
    type: bool
  - name: T1558.003 - 5
    description: Kerberoasting - Request All Tickets via PowerShell
    type: bool
  - name: T1056.001 - 1
    description: Keylogging - Input Capture
    type: bool
  - name: T1003.004 - 1
    description: LSA Secrets - Dumping LSA Secrets
    type: bool
  - name: T1003.001 - 1
    description: LSASS Memory - Windows Credential Editor
    type: bool
  - name: T1003.001 - 2
    description: LSASS Memory - Dump LSASS.exe Memory using ProcDump
    type: bool
  - name: T1003.001 - 3
    description: LSASS Memory - Dump LSASS.exe Memory using comsvcs.dll
    type: bool
  - name: T1003.001 - 4
    description: LSASS Memory - Dump LSASS.exe Memory using direct system calls and API unhooking
    type: bool
  - name: T1003.001 - 5
    description: LSASS Memory - Dump LSASS.exe Memory using Windows Task Manager
    type: bool
  - name: T1003.001 - 6
    description: LSASS Memory - Offline Credential Theft With Mimikatz
    type: bool
  - name: T1003.001 - 7
    description: LSASS Memory - LSASS read with pypykatz
    type: bool
  - name: T1003.001 - 8
    description: LSASS Memory - Dump LSASS.exe Memory using Out-Minidump.ps1
    type: bool
  - name: T1003.001 - 9
    description: LSASS Memory - Create Mini Dump of LSASS.exe using ProcDump
    type: bool
  - name: T1003.001 - 10
    description: LSASS Memory - Powershell Mimikatz
    type: bool
  - name: T1003.001 - 11
    description: LSASS Memory - Dump LSASS with .Net 5 createdump.exe
    type: bool
  - name: T1003.001 - 12
    description: LSASS Memory - Dump LSASS.exe using imported Microsoft DLLs
    type: bool
  - name: T1003.003 - 1
    description: NTDS - Create Volume Shadow Copy with vssadmin
    type: bool
  - name: T1003.003 - 2
    description: NTDS - Copy NTDS.dit from Volume Shadow Copy
    type: bool
  - name: T1003.003 - 3
    description: NTDS - Dump Active Directory Database with NTDSUtil
    type: bool
  - name: T1003.003 - 4
    description: NTDS - Create Volume Shadow Copy with WMI
    type: bool
  - name: T1003.003 - 5
    description: NTDS - Create Volume Shadow Copy remotely with WMI
    type: bool
  - name: T1003.003 - 6
    description: NTDS - Create Volume Shadow Copy with Powershell
    type: bool
  - name: T1003.003 - 7
    description: NTDS - Create Symlink to Volume Shadow Copy
    type: bool
  - name: T1040 - 3
    description: Network Sniffing - Packet Capture Windows Command Prompt
    type: bool
  - name: T1040 - 4
    description: Network Sniffing - Windows Internal Packet Capture
    type: bool
  - name: T1003 - 1
    description: OS Credential Dumping - Gsecdump
    type: bool
  - name: T1003 - 2
    description: OS Credential Dumping - Credential Dumping with NPPSpy
    type: bool
  - name: T1003 - 3
    description: OS Credential Dumping - Dump svchost.exe to gather RDP credentials
    type: bool
  - name: T1110.002 - 1
    description: Password Cracking - Password Cracking with Hashcat
    type: bool
  - name: T1556.002 - 1
    description: Password Filter DLL - Install and Register Password Filter DLL
    type: bool
  - name: T1110.001 - 1
    description: Password Guessing - Brute Force Credentials of all Active Directory domain users via SMB
    type: bool
  - name: T1110.001 - 2
    description: Password Guessing - Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)
    type: bool
  - name: T1110.003 - 1
    description: Password Spraying - Password Spray all Domain Users
    type: bool
  - name: T1110.003 - 2
    description: Password Spraying - Password Spray (DomainPasswordSpray)
    type: bool
  - name: T1110.003 - 3
    description: Password Spraying - Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)
    type: bool
  - name: T1552.004 - 1
    description: Private Keys - Private Keys
    type: bool
  - name: T1552.004 - 6
    description: Private Keys - ADFS token signing and encryption certificates theft - Local
    type: bool
  - name: T1552.004 - 7
    description: Private Keys - ADFS token signing and encryption certificates theft - Remote
    type: bool
  - name: T1003.002 - 1
    description: Security Account Manager - Registry dump of SAM, creds, and secrets
    type: bool
  - name: T1003.002 - 2
    description: Security Account Manager - Registry parse with pypykatz
    type: bool
  - name: T1003.002 - 3
    description: Security Account Manager - esentutl.exe SAM copy
    type: bool
  - name: T1003.002 - 4
    description: Security Account Manager - PowerDump Registry dump of SAM for hashes and usernames
    type: bool
  - name: T1003.002 - 5
    description: Security Account Manager - dump volume shadow copy hives with certutil
    type: bool
  - name: T1003.002 - 6
    description: Security Account Manager - dump volume shadow copy hives with System.IO.File
    type: bool
  - name: T1560 - 1
    description: Archive Collected Data - Compress Data for Exfiltration With PowerShell
    type: bool
  - name: T1560.001 - 1
    description: Archive via Utility - Compress Data for Exfiltration With Rar
    type: bool
  - name: T1560.001 - 2
    description: Archive via Utility - Compress Data and lock with password for Exfiltration with winrar
    type: bool
  - name: T1560.001 - 3
    description: Archive via Utility - Compress Data and lock with password for Exfiltration with winzip
    type: bool
  - name: T1560.001 - 4
    description: Archive via Utility - Compress Data and lock with password for Exfiltration with 7zip
    type: bool
  - name: T1123 - 1
    description: Audio Capture - using device audio capture commandlet
    type: bool
  - name: T1119 - 1
    description: Automated Collection - Automated Collection Command Prompt
    type: bool
  - name: T1119 - 2
    description: Automated Collection - Automated Collection PowerShell
    type: bool
  - name: T1119 - 3
    description: Automated Collection - Recon information for export with PowerShell
    type: bool
  - name: T1119 - 4
    description: Automated Collection - Recon information for export with Command Prompt
    type: bool
  - name: T1115 - 1
    description: Clipboard Data - Utilize Clipboard to store or execute commands from
    type: bool
  - name: T1115 - 2
    description: Clipboard Data - Execute Commands from Clipboard using PowerShell
    type: bool
  - name: T1115 - 4
    description: Clipboard Data - Collect Clipboard Data via VBA
    type: bool
  - name: T1056.004 - 1
    description: Credential API Hooking - Hook PowerShell TLS Encrypt/Decrypt Messages
    type: bool
  - name: T1056.002 - 2
    description: GUI Input Capture - PowerShell - Prompt User for Password
    type: bool
  - name: T1056.001 - 1
    description: Keylogging - Input Capture
    type: bool
  - name: T1074.001 - 1
    description: Local Data Staging - Stage data from Discovery.bat
    type: bool
  - name: T1074.001 - 3
    description: Local Data Staging - Zip a Folder with PowerShell for Staging in Temp
    type: bool
  - name: T1114.001 - 1
    description: Local Email Collection - Email Collection with PowerShell Get-Inbox
    type: bool
  - name: T1113 - 5
    description: Screen Capture - Windows Screencapture
    type: bool
  - name: T1113 - 6
    description: Screen Capture - Windows Screen Capture (CopyFromScreen)
    type: bool
  - name: T1546.008 - 1
    description: Accessibility Features - Attaches Command Prompt as a Debugger to a List of Target Processes
    type: bool
  - name: T1546.008 - 2
    description: Accessibility Features - Replace binary of sticky keys
    type: bool
  - name: T1546.010 - 1
    description: AppInit DLLs - Install AppInit Shim
    type: bool
  - name: T1546.011 - 1
    description: Application Shimming - Application Shim Installation
    type: bool
  - name: T1546.011 - 2
    description: Application Shimming - New shim database files created in the default shim database directory
    type: bool
  - name: T1546.011 - 3
    description: Application Shimming - Registry key creation and/or modification events for SDB
    type: bool
  - name: T1055.004 - 1
    description: Asynchronous Procedure Call - Process Injection via C#
    type: bool
  - name: T1053.002 - 1
    description: At (Windows) - At.exe Scheduled task
    type: bool
  - name: T1548.002 - 1
    description: Bypass User Account Control - Bypass UAC using Event Viewer (cmd)
    type: bool
  - name: T1548.002 - 2
    description: Bypass User Account Control - Bypass UAC using Event Viewer (PowerShell)
    type: bool
  - name: T1548.002 - 3
    description: Bypass User Account Control - Bypass UAC using Fodhelper
    type: bool
  - name: T1548.002 - 4
    description: Bypass User Account Control - Bypass UAC using Fodhelper - PowerShell
    type: bool
  - name: T1548.002 - 5
    description: Bypass User Account Control - Bypass UAC using ComputerDefaults (PowerShell)
    type: bool
  - name: T1548.002 - 6
    description: Bypass User Account Control - Bypass UAC by Mocking Trusted Directories
    type: bool
  - name: T1548.002 - 7
    description: Bypass User Account Control - Bypass UAC using sdclt DelegateExecute
    type: bool
  - name: T1548.002 - 8
    description: Bypass User Account Control - Disable UAC using reg.exe
    type: bool
  - name: T1548.002 - 9
    description: Bypass User Account Control - Bypass UAC using SilentCleanup task
    type: bool
  - name: T1548.002 - 10
    description: Bypass User Account Control - UACME Bypass Method 23
    type: bool
  - name: T1548.002 - 11
    description: Bypass User Account Control - UACME Bypass Method 31
    type: bool
  - name: T1548.002 - 12
    description: Bypass User Account Control - UACME Bypass Method 33
    type: bool
  - name: T1548.002 - 13
    description: Bypass User Account Control - UACME Bypass Method 34
    type: bool
  - name: T1548.002 - 14
    description: Bypass User Account Control - UACME Bypass Method 39
    type: bool
  - name: T1548.002 - 15
    description: Bypass User Account Control - UACME Bypass Method 56
    type: bool
  - name: T1548.002 - 16
    description: Bypass User Account Control - UACME Bypass Method 59
    type: bool
  - name: T1548.002 - 17
    description: Bypass User Account Control - UACME Bypass Method 61
    type: bool
  - name: T1574.012 - 1
    description: COR_PROFILER - User scope COR_PROFILER
    type: bool
  - name: T1574.012 - 2
    description: COR_PROFILER - System Scope COR_PROFILER
    type: bool
  - name: T1574.012 - 3
    description: COR_PROFILER - Registry-free process scope COR_PROFILER
    type: bool
  - name: T1546.001 - 1
    description: Change Default File Association - Change Default File Association
    type: bool
  - name: T1134.002 - 1
    description: Create Process with Token - Access Token Manipulation
    type: bool
  - name: T1574.001 - 1
    description: DLL Search Order Hijacking - DLL Search Order Hijacking - amsi.dll
    type: bool
  - name: T1574.002 - 1
    description: DLL Side-Loading - DLL Side-Loading using the Notepad++ GUP.exe binary
    type: bool
  - name: T1078.001 - 1
    description: Default Accounts - Enable Guest account with RDP capability and admin privileges
    type: bool
  - name: T1078.001 - 2
    description: Default Accounts - Activate Guest Account
    type: bool
  - name: T1055.001 - 1
    description: Dynamic-link Library Injection - Process Injection via mavinject.exe
    type: bool
  - name: T1546.012 - 1
    description: Image File Execution Options Injection - IFEO Add Debugger
    type: bool
  - name: T1546.012 - 2
    description: Image File Execution Options Injection - IFEO Global Flags
    type: bool
  - name: T1078.003 - 1
    description: Local Accounts - Create local account with admin privileges
    type: bool
  - name: T1037.001 - 1
    description: Logon Script (Windows) - Logon Scripts
    type: bool
  - name: T1546.007 - 1
    description: Netsh Helper DLL - Netsh Helper DLL Registration
    type: bool
  - name: T1134.004 - 1
    description: Parent PID Spoofing - Parent PID Spoofing using PowerShell
    type: bool
  - name: T1134.004 - 2
    description: Parent PID Spoofing - Parent PID Spoofing - Spawn from Current Process
    type: bool
  - name: T1134.004 - 3
    description: Parent PID Spoofing - Parent PID Spoofing - Spawn from Specified Process
    type: bool
  - name: T1134.004 - 4
    description: Parent PID Spoofing - Parent PID Spoofing - Spawn from svchost.exe
    type: bool
  - name: T1134.004 - 5
    description: Parent PID Spoofing - Parent PID Spoofing - Spawn from New Process
    type: bool
  - name: T1574.009 - 1
    description: Path Interception by Unquoted Path - Execution of program.exe as service with unquoted service path
    type: bool
  - name: T1547.010 - 1
    description: Port Monitors - Add Port Monitor persistence in Registry
    type: bool
  - name: T1546.013 - 1
    description: PowerShell Profile - Append malicious start-process cmdlet
    type: bool
  - name: T1055.012 - 1
    description: Process Hollowing - Process Hollowing using PowerShell
    type: bool
  - name: T1055.012 - 2
    description: Process Hollowing - RunPE via VBA
    type: bool
  - name: T1055 - 1
    description: Process Injection - Shellcode execution via VBA
    type: bool
  - name: T1055 - 2
    description: Process Injection - Remote Process Injection in LSASS via mimikatz
    type: bool
  - name: T1547.001 - 1
    description: Registry Run Keys / Startup Folder - Reg Key Run
    type: bool
  - name: T1547.001 - 2
    description: Registry Run Keys / Startup Folder - Reg Key RunOnce
    type: bool
  - name: T1547.001 - 3
    description: Registry Run Keys / Startup Folder - PowerShell Registry RunOnce
    type: bool
  - name: T1547.001 - 4
    description: Registry Run Keys / Startup Folder - Suspicious vbs file run from startup Folder
    type: bool
  - name: T1547.001 - 5
    description: Registry Run Keys / Startup Folder - Suspicious jse file run from startup Folder
    type: bool
  - name: T1547.001 - 6
    description: Registry Run Keys / Startup Folder - Suspicious bat file run from startup Folder
    type: bool
  - name: T1547.001 - 7
    description: Registry Run Keys / Startup Folder - Add Executable Shortcut Link to User Startup Folder
    type: bool
  - name: T1053.005 - 1
    description: Scheduled Task - Scheduled Task Startup Script
    type: bool
  - name: T1053.005 - 2
    description: Scheduled Task - Scheduled task Local
    type: bool
  - name: T1053.005 - 3
    description: Scheduled Task - Scheduled task Remote
    type: bool
  - name: T1053.005 - 4
    description: Scheduled Task - Powershell Cmdlet Scheduled Task
    type: bool
  - name: T1053.005 - 5
    description: Scheduled Task - Task Scheduler via VBA
    type: bool
  - name: T1053.005 - 6
    description: Scheduled Task - WMI Invoke-CimMethod Scheduled Task
    type: bool
  - name: T1546.002 - 1
    description: Screensaver - Set Arbitrary Binary as Screensaver
    type: bool
  - name: T1547.005 - 1
    description: Security Support Provider - Modify SSP configuration in registry
    type: bool
  - name: T1574.011 - 1
    description: Services Registry Permissions Weakness - Service Registry Permissions Weakness
    type: bool
  - name: T1574.011 - 2
    description: Services Registry Permissions Weakness - Service ImagePath Change with reg.exe
    type: bool
  - name: T1547.009 - 1
    description: Shortcut Modification - Shortcut Modification
    type: bool
  - name: T1547.009 - 2
    description: Shortcut Modification - Create shortcut to cmd in startup folders
    type: bool
  - name: T1134.001 - 1
    description: Token Impersonation/Theft - Named pipe client impersonation
    type: bool
  - name: T1134.001 - 2
    description: Token Impersonation/Theft - `SeDebugPrivilege` token duplication
    type: bool
  - name: T1546.003 - 1
    description: Windows Management Instrumentation Event Subscription - Persistence via WMI Event Subscription
    type: bool
  - name: T1543.003 - 1
    description: Windows Service - Modify Fax service to run PowerShell
    type: bool
  - name: T1543.003 - 2
    description: Windows Service - Service Installation CMD
    type: bool
  - name: T1543.003 - 3
    description: Windows Service - Service Installation PowerShell
    type: bool
  - name: T1547.004 - 1
    description: Winlogon Helper DLL - Winlogon Shell Key Persistence - PowerShell
    type: bool
  - name: T1547.004 - 2
    description: Winlogon Helper DLL - Winlogon Userinit Key Persistence - PowerShell
    type: bool
  - name: T1547.004 - 3
    description: Winlogon Helper DLL - Winlogon Notify Key Logon Persistence - PowerShell
    type: bool
  - name: T1055.004 - 1
    description: Asynchronous Procedure Call - Process Injection via C#
    type: bool
  - name: T1197 - 1
    description: BITS Jobs - Bitsadmin Download (cmd)
    type: bool
  - name: T1197 - 2
    description: BITS Jobs - Bitsadmin Download (PowerShell)
    type: bool
  - name: T1197 - 3
    description: BITS Jobs - Persist, Download, & Execute
    type: bool
  - name: T1197 - 4
    description: BITS Jobs - Bits download using desktopimgdownldr.exe (cmd)
    type: bool
  - name: T1548.002 - 1
    description: Bypass User Account Control - Bypass UAC using Event Viewer (cmd)
    type: bool
  - name: T1548.002 - 2
    description: Bypass User Account Control - Bypass UAC using Event Viewer (PowerShell)
    type: bool
  - name: T1548.002 - 3
    description: Bypass User Account Control - Bypass UAC using Fodhelper
    type: bool
  - name: T1548.002 - 4
    description: Bypass User Account Control - Bypass UAC using Fodhelper - PowerShell
    type: bool
  - name: T1548.002 - 5
    description: Bypass User Account Control - Bypass UAC using ComputerDefaults (PowerShell)
    type: bool
  - name: T1548.002 - 6
    description: Bypass User Account Control - Bypass UAC by Mocking Trusted Directories
    type: bool
  - name: T1548.002 - 7
    description: Bypass User Account Control - Bypass UAC using sdclt DelegateExecute
    type: bool
  - name: T1548.002 - 8
    description: Bypass User Account Control - Disable UAC using reg.exe
    type: bool
  - name: T1548.002 - 9
    description: Bypass User Account Control - Bypass UAC using SilentCleanup task
    type: bool
  - name: T1548.002 - 10
    description: Bypass User Account Control - UACME Bypass Method 23
    type: bool
  - name: T1548.002 - 11
    description: Bypass User Account Control - UACME Bypass Method 31
    type: bool
  - name: T1548.002 - 12
    description: Bypass User Account Control - UACME Bypass Method 33
    type: bool
  - name: T1548.002 - 13
    description: Bypass User Account Control - UACME Bypass Method 34
    type: bool
  - name: T1548.002 - 14
    description: Bypass User Account Control - UACME Bypass Method 39
    type: bool
  - name: T1548.002 - 15
    description: Bypass User Account Control - UACME Bypass Method 56
    type: bool
  - name: T1548.002 - 16
    description: Bypass User Account Control - UACME Bypass Method 59
    type: bool
  - name: T1548.002 - 17
    description: Bypass User Account Control - UACME Bypass Method 61
    type: bool
  - name: T1218.003 - 1
    description: CMSTP - CMSTP Executing Remote Scriptlet
    type: bool
  - name: T1218.003 - 2
    description: CMSTP - CMSTP Executing UAC Bypass
    type: bool
  - name: T1574.012 - 1
    description: COR_PROFILER - User scope COR_PROFILER
    type: bool
  - name: T1574.012 - 2
    description: COR_PROFILER - System Scope COR_PROFILER
    type: bool
  - name: T1574.012 - 3
    description: COR_PROFILER - Registry-free process scope COR_PROFILER
    type: bool
  - name: T1070.003 - 10
    description: Clear Command History - Prevent Powershell History Logging
    type: bool
  - name: T1070.003 - 11
    description: Clear Command History - Clear Powershell History by Deleting History File
    type: bool
  - name: T1070.001 - 1
    description: Clear Windows Event Logs - Clear Logs
    type: bool
  - name: T1070.001 - 2
    description: Clear Windows Event Logs - Delete System Logs Using Clear-EventLog
    type: bool
  - name: T1070.001 - 3
    description: Clear Windows Event Logs - Clear Event Logs via VBA
    type: bool
  - name: T1027.004 - 1
    description: Compile After Delivery - Compile After Delivery using csc.exe
    type: bool
  - name: T1027.004 - 2
    description: Compile After Delivery - Dynamic C# Compile
    type: bool
  - name: T1218.001 - 1
    description: Compiled HTML File - Compiled HTML Help Local Payload
    type: bool
  - name: T1218.001 - 2
    description: Compiled HTML File - Compiled HTML Help Remote Payload
    type: bool
  - name: T1218.001 - 3
    description: Compiled HTML File - Invoke CHM with default Shortcut Command Execution
    type: bool
  - name: T1218.001 - 4
    description: Compiled HTML File - Invoke CHM with InfoTech Storage Protocol Handler
    type: bool
  - name: T1218.001 - 5
    description: Compiled HTML File - Invoke CHM Simulate Double click
    type: bool
  - name: T1218.001 - 6
    description: Compiled HTML File - Invoke CHM with Script Engine and Help Topic
    type: bool
  - name: T1218.001 - 7
    description: Compiled HTML File - Invoke CHM Shortcut Command with ITS and Help Topic
    type: bool
  - name: T1218.002 - 1
    description: Control Panel - Control Panel Items
    type: bool
  - name: T1134.002 - 1
    description: Create Process with Token - Access Token Manipulation
    type: bool
  - name: T1574.001 - 1
    description: DLL Search Order Hijacking - DLL Search Order Hijacking - amsi.dll
    type: bool
  - name: T1574.002 - 1
    description: DLL Side-Loading - DLL Side-Loading using the Notepad++ GUP.exe binary
    type: bool
  - name: T1078.001 - 1
    description: Default Accounts - Enable Guest account with RDP capability and admin privileges
    type: bool
  - name: T1078.001 - 2
    description: Default Accounts - Activate Guest Account
    type: bool
  - name: T1140 - 1
    description: Deobfuscate/Decode Files or Information - Deobfuscate/Decode Files Or Information
    type: bool
  - name: T1140 - 2
    description: Deobfuscate/Decode Files or Information - Certutil Rename and Decode
    type: bool
  - name: T1006 - 1
    description: Direct Volume Access - Read volume boot sector via DOS device path (PowerShell)
    type: bool
  - name: T1562.002 - 1
    description: Disable Windows Event Logging - Disable Windows IIS HTTP Logging
    type: bool
  - name: T1562.002 - 2
    description: Disable Windows Event Logging - Kill Event Log Service Threads
    type: bool
  - name: T1562.002 - 3
    description: Disable Windows Event Logging - Impair Windows Audit Log Policy
    type: bool
  - name: T1562.002 - 4
    description: Disable Windows Event Logging - Clear Windows Audit Policy Config
    type: bool
  - name: T1562.002 - 5
    description: Disable Windows Event Logging - Disable Event Logging with wevtutil
    type: bool
  - name: T1562.004 - 1
    description: Disable or Modify System Firewall - Disable Microsoft Defender Firewall
    type: bool
  - name: T1562.004 - 2
    description: Disable or Modify System Firewall - Disable Microsoft Defender Firewall via Registry
    type: bool
  - name: T1562.004 - 3
    description: Disable or Modify System Firewall - Allow SMB and RDP on Microsoft Defender Firewall
    type: bool
  - name: T1562.004 - 4
    description: Disable or Modify System Firewall - Opening ports for proxy - HARDRAIN
    type: bool
  - name: T1562.004 - 5
    description: Disable or Modify System Firewall - Open a local port through Windows Firewall to any profile
    type: bool
  - name: T1562.004 - 6
    description: Disable or Modify System Firewall - Allow Executable Through Firewall Located in Non-Standard Location
    type: bool
  - name: T1562.001 - 10
    description: Disable or Modify Tools - Unload Sysmon Filter Driver
    type: bool
  - name: T1562.001 - 11
    description: Disable or Modify Tools - Uninstall Sysmon
    type: bool
  - name: T1562.001 - 12
    description: Disable or Modify Tools - AMSI Bypass - AMSI InitFailed
    type: bool
  - name: T1562.001 - 13
    description: Disable or Modify Tools - AMSI Bypass - Remove AMSI Provider Reg Key
    type: bool
  - name: T1562.001 - 14
    description: Disable or Modify Tools - Disable Arbitrary Security Windows Service
    type: bool
  - name: T1562.001 - 15
    description: Disable or Modify Tools - Tamper with Windows Defender ATP PowerShell
    type: bool
  - name: T1562.001 - 16
    description: Disable or Modify Tools - Tamper with Windows Defender Command Prompt
    type: bool
  - name: T1562.001 - 17
    description: Disable or Modify Tools - Tamper with Windows Defender Registry
    type: bool
  - name: T1562.001 - 18
    description: Disable or Modify Tools - Disable Microsoft Office Security Features
    type: bool
  - name: T1562.001 - 19
    description: Disable or Modify Tools - Remove Windows Defender Definition Files
    type: bool
  - name: T1562.001 - 20
    description: Disable or Modify Tools - Stop and Remove Arbitrary Security Windows Service
    type: bool
  - name: T1562.001 - 21
    description: Disable or Modify Tools - Uninstall Crowdstrike Falcon on Windows
    type: bool
  - name: T1562.001 - 22
    description: Disable or Modify Tools - Tamper with Windows Defender Evade Scanning -Folder
    type: bool
  - name: T1562.001 - 23
    description: Disable or Modify Tools - Tamper with Windows Defender Evade Scanning -Extension
    type: bool
  - name: T1562.001 - 24
    description: Disable or Modify Tools - Tamper with Windows Defender Evade Scanning -Process
    type: bool
  - name: T1055.001 - 1
    description: Dynamic-link Library Injection - Process Injection via mavinject.exe
    type: bool
  - name: T1070.004 - 4
    description: File Deletion - Delete a single file - Windows cmd
    type: bool
  - name: T1070.004 - 5
    description: File Deletion - Delete an entire folder - Windows cmd
    type: bool
  - name: T1070.004 - 6
    description: File Deletion - Delete a single file - Windows PowerShell
    type: bool
  - name: T1070.004 - 7
    description: File Deletion - Delete an entire folder - Windows PowerShell
    type: bool
  - name: T1070.004 - 9
    description: File Deletion - Delete Prefetch File
    type: bool
  - name: T1070.004 - 10
    description: File Deletion - Delete TeamViewer Log Files
    type: bool
  - name: T1564.001 - 3
    description: Hidden Files and Directories - Create Windows System File with Attrib
    type: bool
  - name: T1564.001 - 4
    description: Hidden Files and Directories - Create Windows Hidden File with Attrib
    type: bool
  - name: T1564.003 - 1
    description: Hidden Window - Hidden Window
    type: bool
  - name: T1564 - 1
    description: Hide Artifacts - Extract binary files via VBA
    type: bool
  - name: T1564 - 2
    description: Hide Artifacts - Create a Hidden User Called "$"
    type: bool
  - name: T1564 - 3
    description: Hide Artifacts - Create an "Administrator " user (with a space on the end)
    type: bool
  - name: T1070 - 1
    description: Indicator Removal on Host - Indicator Removal using FSUtil
    type: bool
  - name: T1202 - 1
    description: Indirect Command Execution - Indirect Command Execution - pcalua.exe
    type: bool
  - name: T1202 - 2
    description: Indirect Command Execution - Indirect Command Execution - forfiles.exe
    type: bool
  - name: T1202 - 3
    description: Indirect Command Execution - Indirect Command Execution - conhost.exe
    type: bool
  - name: T1553.004 - 4
    description: Install Root Certificate - Install root CA on Windows
    type: bool
  - name: T1553.004 - 5
    description: Install Root Certificate - Install root CA on Windows with certutil
    type: bool
  - name: T1218.004 - 1
    description: InstallUtil - CheckIfInstallable method call
    type: bool
  - name: T1218.004 - 2
    description: InstallUtil - InstallHelper method call
    type: bool
  - name: T1218.004 - 3
    description: InstallUtil - InstallUtil class constructor method call
    type: bool
  - name: T1218.004 - 4
    description: InstallUtil - InstallUtil Install method call
    type: bool
  - name: T1218.004 - 5
    description: InstallUtil - InstallUtil Uninstall method call - /U variant
    type: bool
  - name: T1218.004 - 6
    description: InstallUtil - InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant
    type: bool
  - name: T1218.004 - 7
    description: InstallUtil - InstallUtil HelpText method call
    type: bool
  - name: T1218.004 - 8
    description: InstallUtil - InstallUtil evasive invocation
    type: bool
  - name: T1078.003 - 1
    description: Local Accounts - Create local account with admin privileges
    type: bool
  - name: T1127.001 - 1
    description: MSBuild - MSBuild Bypass Using Inline Tasks (C#)
    type: bool
  - name: T1127.001 - 2
    description: MSBuild - MSBuild Bypass Using Inline Tasks (VB)
    type: bool
  - name: T1553.005 - 1
    description: Mark-of-the-Web Bypass - Mount ISO image
    type: bool
  - name: T1553.005 - 2
    description: Mark-of-the-Web Bypass - Mount an ISO image and run executable from the ISO
    type: bool
  - name: T1553.005 - 3
    description: Mark-of-the-Web Bypass - Remove the Zone.Identifier alternate data stream
    type: bool
  - name: T1036.004 - 1
    description: Masquerade Task or Service - Creating W32Time similar named service using schtasks
    type: bool
  - name: T1036.004 - 2
    description: Masquerade Task or Service - Creating W32Time similar named service using sc
    type: bool
  - name: T1036 - 1
    description: Masquerading - System File Copied to Unusual Location
    type: bool
  - name: T1112 - 1
    description: Modify Registry - Modify Registry of Current User Profile - cmd
    type: bool
  - name: T1112 - 2
    description: Modify Registry - Modify Registry of Local Machine - cmd
    type: bool
  - name: T1112 - 3
    description: Modify Registry - Modify registry to store logon credentials
    type: bool
  - name: T1112 - 4
    description: Modify Registry - Add domain to Trusted sites Zone
    type: bool
  - name: T1112 - 5
    description: Modify Registry - Javascript in registry
    type: bool
- name: T1112 - 6
description: Modify Registry - Change Powershell Execution Policy to Bypass
type: bool
- name: T1218.005 - 1
description: Mshta - Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
type: bool
- name: T1218.005 - 2
description: Mshta - Mshta executes VBScript to execute malicious command
type: bool
- name: T1218.005 - 3
description: Mshta - Mshta Executes Remote HTML Application (HTA)
type: bool
- name: T1218.005 - 4
description: Mshta - Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
type: bool
- name: T1218.005 - 5
description: Mshta - Invoke HTML Application - Jscript Engine Simulating Double Click
type: bool
- name: T1218.005 - 6
description: Mshta - Invoke HTML Application - Direct download from URI
type: bool
- name: T1218.005 - 7
description: Mshta - Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler
type: bool
- name: T1218.005 - 8
description: Mshta - Invoke HTML Application - JScript Engine with Inline Protocol Handler
type: bool
- name: T1218.005 - 9
description: Mshta - Invoke HTML Application - Simulate Lateral Movement over UNC Path
type: bool
- name: T1218.005 - 10
description: Mshta - Mshta used to Execute PowerShell
type: bool
- name: T1218.007 - 1
description: Msiexec - Msiexec.exe - Execute Local MSI file
type: bool
- name: T1218.007 - 2
description: Msiexec - Msiexec.exe - Execute Remote MSI file
type: bool
- name: T1218.007 - 3
description: Msiexec - Msiexec.exe - Execute Arbitrary DLL
type: bool
- name: T1564.004 - 1
description: NTFS File Attributes - Alternate Data Streams (ADS)
type: bool
- name: T1564.004 - 2
description: NTFS File Attributes - Store file in Alternate Data Stream (ADS)
type: bool
- name: T1564.004 - 3
description: NTFS File Attributes - Create ADS command prompt
type: bool
- name: T1564.004 - 4
description: NTFS File Attributes - Create ADS PowerShell
type: bool
- name: T1070.005 - 1
description: Network Share Connection Removal - Add Network Share
type: bool
- name: T1070.005 - 2
description: Network Share Connection Removal - Remove Network Share
type: bool
- name: T1070.005 - 3
description: Network Share Connection Removal - Remove Network Share PowerShell
type: bool
- name: T1027 - 2
description: Obfuscated Files or Information - Execute base64-encoded PowerShell
type: bool
- name: T1027 - 3
description: Obfuscated Files or Information - Execute base64-encoded PowerShell from Windows Registry
type: bool
- name: T1027 - 4
description: Obfuscated Files or Information - Execution from Compressed File
type: bool
- name: T1027 - 5
description: Obfuscated Files or Information - DLP Evasion via Sensitive Data in VBA Macro over email
type: bool
- name: T1027 - 6
description: Obfuscated Files or Information - DLP Evasion via Sensitive Data in VBA Macro over HTTP
type: bool
- name: T1027 - 7
description: Obfuscated Files or Information - Obfuscated Command in PowerShell
type: bool
- name: T1027 - 8
description: Obfuscated Files or Information - Obfuscated Command Line using special Unicode characters
type: bool
- name: T1218.008 - 1
description: Odbcconf - Odbcconf.exe - Execute Arbitrary DLL
type: bool
- name: T1134.004 - 1
description: Parent PID Spoofing - Parent PID Spoofing using PowerShell
type: bool
- name: T1134.004 - 2
description: Parent PID Spoofing - Parent PID Spoofing - Spawn from Current Process
type: bool
- name: T1134.004 - 3
description: Parent PID Spoofing - Parent PID Spoofing - Spawn from Specified Process
type: bool
- name: T1134.004 - 4
description: Parent PID Spoofing - Parent PID Spoofing - Spawn from svchost.exe
type: bool
- name: T1134.004 - 5
description: Parent PID Spoofing - Parent PID Spoofing - Spawn from New Process
type: bool
- name: T1550.002 - 1
description: Pass the Hash - Mimikatz Pass the Hash
type: bool
- name: T1550.002 - 2
description: Pass the Hash - crackmapexec Pass the Hash
type: bool
- name: T1550.003 - 1
description: Pass the Ticket - Mimikatz Kerberos Ticket Attack
type: bool
- name: T1556.002 - 1
description: Password Filter DLL - Install and Register Password Filter DLL
type: bool
- name: T1574.009 - 1
description: Path Interception by Unquoted Path - Execution of program.exe as service with unquoted service path
type: bool
- name: T1055.012 - 1
description: Process Hollowing - Process Hollowing using PowerShell
type: bool
- name: T1055.012 - 2
description: Process Hollowing - RunPE via VBA
type: bool
- name: T1055 - 1
description: Process Injection - Shellcode execution via VBA
type: bool
- name: T1055 - 2
description: Process Injection - Remote Process Injection in LSASS via mimikatz
type: bool
- name: T1216.001 - 1
description: PubPrn - PubPrn.vbs Signed Script Bypass
type: bool
- name: T1218.009 - 1
description: Regsvcs/Regasm - Regasm Uninstall Method Call Test
type: bool
- name: T1218.009 - 2
description: Regsvcs/Regasm - Regsvcs Uninstall Method Call Test
type: bool
- name: T1218.010 - 1
description: Regsvr32 - Regsvr32 local COM scriptlet execution
type: bool
- name: T1218.010 - 2
description: Regsvr32 - Regsvr32 remote COM scriptlet execution
type: bool
- name: T1218.010 - 3
description: Regsvr32 - Regsvr32 local DLL execution
type: bool
- name: T1218.010 - 4
description: Regsvr32 - Regsvr32 Registering Non DLL
type: bool
- name: T1218.010 - 5
description: Regsvr32 - Regsvr32 Silent DLL Install Call DllRegisterServer
type: bool
- name: T1036.003 - 1
description: Rename System Utilities - Masquerading as Windows LSASS process
type: bool
- name: T1036.003 - 3
description: Rename System Utilities - Masquerading - cscript.exe running as notepad.exe
type: bool
- name: T1036.003 - 4
description: Rename System Utilities - Masquerading - wscript.exe running as svchost.exe
type: bool
- name: T1036.003 - 5
description: Rename System Utilities - Masquerading - powershell.exe running as taskhostw.exe
type: bool
- name: T1036.003 - 6
description: Rename System Utilities - Masquerading - non-windows exe running as windows exe
type: bool
- name: T1036.003 - 7
description: Rename System Utilities - Masquerading - windows exe running as different windows exe
type: bool
- name: T1036.003 - 8
description: Rename System Utilities - Malicious process Masquerading as LSM.exe
type: bool
- name: T1036.003 - 9
description: Rename System Utilities - File Extension Masquerading
type: bool
- name: T1207 - 1
description: Rogue Domain Controller - DCShadow (Active Directory)
type: bool
- name: T1014 - 3
description: Rootkit - Windows Signed Driver Rootkit Test
type: bool
- name: T1218.011 - 1
description: Rundll32 - Rundll32 execute JavaScript Remote Payload With GetObject
type: bool
- name: T1218.011 - 2
description: Rundll32 - Rundll32 execute VBscript command
type: bool
- name: T1218.011 - 3
description: Rundll32 - Rundll32 advpack.dll Execution
type: bool
- name: T1218.011 - 4
description: Rundll32 - Rundll32 ieadvpack.dll Execution
type: bool
- name: T1218.011 - 5
description: Rundll32 - Rundll32 syssetup.dll Execution
type: bool
- name: T1218.011 - 6
description: Rundll32 - Rundll32 setupapi.dll Execution
type: bool
- name: T1218.011 - 7
description: Rundll32 - Execution of HTA and VBS Files using Rundll32 and URL.dll
type: bool
- name: T1218.011 - 8
description: Rundll32 - Launches an executable using Rundll32 and pcwutl.dll
type: bool
- name: T1574.011 - 1
description: Services Registry Permissions Weakness - Service Registry Permissions Weakness
type: bool
- name: T1574.011 - 2
description: Services Registry Permissions Weakness - Service ImagePath Change with reg.exe
type: bool
- name: T1218 - 1
description: Signed Binary Proxy Execution - mavinject - Inject DLL into running process
type: bool
- name: T1218 - 2
description: Signed Binary Proxy Execution - SyncAppvPublishingServer - Execute arbitrary PowerShell code
type: bool
- name: T1218 - 3
description: Signed Binary Proxy Execution - Register-CimProvider - Execute evil dll
type: bool
- name: T1218 - 4
description: Signed Binary Proxy Execution - InfDefaultInstall.exe .inf Execution
type: bool
- name: T1218 - 5
description: Signed Binary Proxy Execution - ProtocolHandler.exe Downloaded a Suspicious File
type: bool
- name: T1218 - 6
description: Signed Binary Proxy Execution - Microsoft.Workflow.Compiler.exe Payload Execution
type: bool
- name: T1218 - 7
description: Signed Binary Proxy Execution - Renamed Microsoft.Workflow.Compiler.exe Payload Executions
type: bool
- name: T1218 - 8
description: Signed Binary Proxy Execution - Invoke-ATHRemoteFXvGPUDisablementCommand base test
type: bool
- name: T1216 - 1
description: Signed Script Proxy Execution - SyncAppvPublishingServer Signed Script PowerShell Command Execution
type: bool
- name: T1216 - 2
description: Signed Script Proxy Execution - manage-bde.wsf Signed Script Command Execution
type: bool
- name: T1497.001 - 2
description: System Checks - Detect Virtualization Environment (Windows)
type: bool
- name: T1221 - 1
description: Template Injection - WINWORD Remote Template Injection
type: bool
- name: T1070.006 - 5
description: Timestomp - Windows - Modify file creation timestamp with PowerShell
type: bool
- name: T1070.006 - 6
description: Timestomp - Windows - Modify file last modified timestamp with PowerShell
type: bool
- name: T1070.006 - 7
description: Timestomp - Windows - Modify file last access timestamp with PowerShell
type: bool
- name: T1070.006 - 8
description: Timestomp - Windows - Timestomp a File
type: bool
- name: T1134.001 - 1
description: Token Impersonation/Theft - Named pipe client impersonation
type: bool
- name: T1134.001 - 2
description: Token Impersonation/Theft - `SeDebugPrivilege` token duplication
type: bool
- name: T1222.001 - 1
description: Windows File and Directory Permissions Modification - Take ownership using takeown utility
type: bool
- name: T1222.001 - 2
description: Windows File and Directory Permissions Modification - cacls - Grant permission to specified user or group recursively
type: bool
- name: T1222.001 - 3
description: Windows File and Directory Permissions Modification - attrib - Remove read-only attribute
type: bool
- name: T1222.001 - 4
description: Windows File and Directory Permissions Modification - attrib - hide file
type: bool
- name: T1222.001 - 5
description: Windows File and Directory Permissions Modification - Grant Full Access to folder for Everyone - Ryuk Ransomware Style
type: bool
- name: T1220 - 1
description: XSL Script Processing - MSXSL Bypass using local files
type: bool
- name: T1220 - 2
description: XSL Script Processing - MSXSL Bypass using remote files
type: bool
- name: T1220 - 3
description: XSL Script Processing - WMIC bypass using local XSL file
type: bool
- name: T1220 - 4
description: XSL Script Processing - WMIC bypass using remote XSL file
type: bool
- name: T1546.008 - 1
description: Accessibility Features - Attaches Command Prompt as a Debugger to a List of Target Processes
type: bool
- name: T1546.008 - 2
description: Accessibility Features - Replace binary of sticky keys
type: bool
- name: T1098 - 1
description: Account Manipulation - Admin Account Manipulate
type: bool
- name: T1098 - 2
description: Account Manipulation - Domain Account and Group Manipulate
type: bool
- name: T1137.006 - 1
description: Add-ins - Code Executed Via Excel Add-in File (Xll)
type: bool
- name: T1546.010 - 1
description: AppInit DLLs - Install AppInit Shim
type: bool
- name: T1546.011 - 1
description: Application Shimming - Application Shim Installation
type: bool
- name: T1546.011 - 2
description: Application Shimming - New shim database files created in the default shim database directory
type: bool
- name: T1546.011 - 3
description: Application Shimming - Registry key creation and/or modification events for SDB
type: bool
- name: T1053.002 - 1
description: At (Windows) - At.exe Scheduled task
type: bool
- name: T1197 - 1
description: BITS Jobs - Bitsadmin Download (cmd)
type: bool
- name: T1197 - 2
description: BITS Jobs - Bitsadmin Download (PowerShell)
type: bool
- name: T1197 - 3
description: BITS Jobs - Persist, Download, & Execute
type: bool
- name: T1197 - 4
description: BITS Jobs - Bits download using desktopimgdownldr.exe (cmd)
type: bool
- name: T1176 - 1
description: Browser Extensions - Chrome (Developer Mode)
type: bool
- name: T1176 - 2
description: Browser Extensions - Chrome (Chrome Web Store)
type: bool
- name: T1176 - 3
description: Browser Extensions - Firefox
type: bool
- name: T1176 - 4
description: Browser Extensions - Edge Chromium Addon - VPN
type: bool
- name: T1574.012 - 1
description: COR_PROFILER - User scope COR_PROFILER
type: bool
- name: T1574.012 - 2
description: COR_PROFILER - System Scope COR_PROFILER
type: bool
- name: T1574.012 - 3
description: COR_PROFILER - Registry-free process scope COR_PROFILER
type: bool
- name: T1546.001 - 1
description: Change Default File Association - Change Default File Association
type: bool
- name: T1574.001 - 1
description: DLL Search Order Hijacking - DLL Search Order Hijacking - amsi.dll
type: bool
- name: T1574.002 - 1
description: DLL Side-Loading - DLL Side-Loading using the Notepad++ GUP.exe binary
type: bool
- name: T1078.001 - 1
description: Default Accounts - Enable Guest account with RDP capability and admin privileges
type: bool
- name: T1078.001 - 2
description: Default Accounts - Activate Guest Account
type: bool
- name: T1136.002 - 1
description: Domain Account - Create a new Windows domain admin user
type: bool
- name: T1136.002 - 2
description: Domain Account - Create a new account similar to ANONYMOUS LOGON
type: bool
- name: T1136.002 - 3
description: Domain Account - Create a new Domain Account using PowerShell
type: bool
- name: T1133 - 1
description: External Remote Services - Running Chrome VPN Extensions via the Registry 2 vpn extension
type: bool
- name: T1546.012 - 1
description: Image File Execution Options Injection - IFEO Add Debugger
type: bool
- name: T1546.012 - 2
description: Image File Execution Options Injection - IFEO Global Flags
type: bool
- name: T1136.001 - 3
description: Local Account - Create a new user in a command prompt
type: bool
- name: T1136.001 - 4
description: Local Account - Create a new user in PowerShell
type: bool
- name: T1136.001 - 6
description: Local Account - Create a new Windows admin user
type: bool
- name: T1078.003 - 1
description: Local Accounts - Create local account with admin privileges
type: bool
- name: T1037.001 - 1
description: Logon Script (Windows) - Logon Scripts
type: bool
- name: T1546.007 - 1
description: Netsh Helper DLL - Netsh Helper DLL Registration
type: bool
- name: T1137 - 1
description: Office Application Startup - Office Application Startup - Outlook as a C2
type: bool
- name: T1137.002 - 1
description: Office Test - Office Application Startup Test Persistence
type: bool
- name: T1137.004 - 1
description: Outlook Home Page - Install Outlook Home Page Persistence
type: bool
- name: T1556.002 - 1
description: Password Filter DLL - Install and Register Password Filter DLL
type: bool
- name: T1574.009 - 1
description: Path Interception by Unquoted Path - Execution of program.exe as service with unquoted service path
type: bool
- name: T1547.010 - 1
description: Port Monitors - Add Port Monitor persistence in Registry
type: bool
- name: T1546.013 - 1
description: PowerShell Profile - Append malicious start-process cmdlet
type: bool
- name: T1547.001 - 1
description: Registry Run Keys / Startup Folder - Reg Key Run
type: bool
- name: T1547.001 - 2
description: Registry Run Keys / Startup Folder - Reg Key RunOnce
type: bool
- name: T1547.001 - 3
description: Registry Run Keys / Startup Folder - PowerShell Registry RunOnce
type: bool
- name: T1547.001 - 4
description: Registry Run Keys / Startup Folder - Suspicious vbs file run from startup Folder
type: bool
- name: T1547.001 - 5
description: Registry Run Keys / Startup Folder - Suspicious jse file run from startup Folder
type: bool
- name: T1547.001 - 6
description: Registry Run Keys / Startup Folder - Suspicious bat file run from startup Folder
type: bool
- name: T1547.001 - 7
description: Registry Run Keys / Startup Folder - Add Executable Shortcut Link to User Startup Folder
type: bool
- name: T1053.005 - 1
description: Scheduled Task - Scheduled Task Startup Script
type: bool
- name: T1053.005 - 2
description: Scheduled Task - Scheduled task Local
type: bool
- name: T1053.005 - 3
description: Scheduled Task - Scheduled task Remote
type: bool
- name: T1053.005 - 4
description: Scheduled Task - Powershell Cmdlet Scheduled Task
type: bool
- name: T1053.005 - 5
description: Scheduled Task - Task Scheduler via VBA
type: bool
- name: T1053.005 - 6
description: Scheduled Task - WMI Invoke-CimMethod Scheduled Task
type: bool
- name: T1546.002 - 1
description: Screensaver - Set Arbitrary Binary as Screensaver
type: bool
- name: T1547.005 - 1
description: Security Support Provider - Modify SSP configuration in registry
type: bool
- name: T1574.011 - 1
description: Services Registry Permissions Weakness - Service Registry Permissions Weakness
type: bool
- name: T1574.011 - 2
description: Services Registry Permissions Weakness - Service ImagePath Change with reg.exe
type: bool
- name: T1547.009 - 1
description: Shortcut Modification - Shortcut Modification
type: bool
- name: T1547.009 - 2
description: Shortcut Modification - Create shortcut to cmd in startup folders
type: bool
- name: T1505.002 - 1
description: Transport Agent - Install MS Exchange Transport Agent Persistence
type: bool
- name: T1505.003 - 1
description: Web Shell - Web Shell Written to Disk
type: bool
- name: T1546.003 - 1
description: Windows Management Instrumentation Event Subscription - Persistence via WMI Event Subscription
type: bool
- name: T1543.003 - 1
description: Windows Service - Modify Fax service to run PowerShell
type: bool
- name: T1543.003 - 2
description: Windows Service - Service Installation CMD
type: bool
- name: T1543.003 - 3
description: Windows Service - Service Installation PowerShell
type: bool
- name: T1547.004 - 1
description: Winlogon Helper DLL - Winlogon Shell Key Persistence - PowerShell
type: bool
- name: T1547.004 - 2
description: Winlogon Helper DLL - Winlogon Userinit Key Persistence - PowerShell
type: bool
- name: T1547.004 - 3
description: Winlogon Helper DLL - Winlogon Notify Key Logon Persistence - PowerShell
type: bool
- name: T1531 - 1
description: Account Access Removal - Change User Password - Windows
type: bool
- name: T1531 - 2
description: Account Access Removal - Delete User - Windows
type: bool
- name: T1531 - 3
description: Account Access Removal - Remove Account From Domain Admin Group
type: bool
- name: T1485 - 1
description: Data Destruction - Windows - Overwrite file with Sysinternals SDelete
type: bool
- name: T1486 - 5
description: Data Encrypted for Impact - PureLocker Ransom Note
type: bool
- name: T1490 - 1
description: Inhibit System Recovery - Windows - Delete Volume Shadow Copies
type: bool
- name: T1490 - 2
description: Inhibit System Recovery - Windows - Delete Volume Shadow Copies via WMI
type: bool
- name: T1490 - 3
description: Inhibit System Recovery - Windows - wbadmin Delete Windows Backup Catalog
type: bool
- name: T1490 - 4
description: Inhibit System Recovery - Windows - Disable Windows Recovery Console Repair
type: bool
- name: T1490 - 5
description: Inhibit System Recovery - Windows - Delete Volume Shadow Copies via WMI with PowerShell
type: bool
- name: T1490 - 6
description: Inhibit System Recovery - Windows - Delete Backup Files
type: bool
- name: T1490 - 7
description: Inhibit System Recovery - Windows - wbadmin Delete systemstatebackup
type: bool
- name: T1490 - 8
description: Inhibit System Recovery - Windows - Disable the SR scheduled task
type: bool
- name: T1491.001 - 1
description: Internal Defacement - Replace Desktop Wallpaper
type: bool
- name: T1489 - 1
description: Service Stop - Windows - Stop service using Service Controller
type: bool
- name: T1489 - 2
description: Service Stop - Windows - Stop service using net.exe
type: bool
- name: T1489 - 3
description: Service Stop - Windows - Stop service by killing process
type: bool
- name: T1529 - 1
description: System Shutdown/Reboot - Shutdown System - Windows
type: bool
- name: T1529 - 2
description: System Shutdown/Reboot - Restart System - Windows
type: bool
- name: T1010 - 1
description: Application Window Discovery - List Process Main Windows - C# .NET
type: bool
- name: T1217 - 4
description: Browser Bookmark Discovery - List Google Chrome Bookmarks on Windows with powershell
type: bool
- name: T1217 - 5
description: Browser Bookmark Discovery - List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt
type: bool
- name: T1217 - 6
description: Browser Bookmark Discovery - List Mozilla Firefox bookmarks on Windows with command prompt
type: bool
- name: T1217 - 7
description: Browser Bookmark Discovery - List Internet Explorer Bookmarks using the command prompt
type: bool
- name: T1087.002 - 1
description: Domain Account - Enumerate all accounts (Domain)
type: bool
- name: T1087.002 - 2
description: Domain Account - Enumerate all accounts via PowerShell (Domain)
type: bool
- name: T1087.002 - 3
description: Domain Account - Enumerate logged on users via CMD (Domain)
type: bool
- name: T1087.002 - 4
description: Domain Account - Automated AD Recon (ADRecon)
type: bool
- name: T1087.002 - 5
description: Domain Account - Adfind -Listing password policy
type: bool
- name: T1087.002 - 6
description: Domain Account - Adfind - Enumerate Active Directory Admins
type: bool
- name: T1087.002 - 7
description: Domain Account - Adfind - Enumerate Active Directory User Objects
type: bool
- name: T1087.002 - 8
description: Domain Account - Adfind - Enumerate Active Directory Exchange AD Objects
type: bool
- name: T1087.002 - 9
description: Domain Account - Enumerate Default Domain Admin Details (Domain)
type: bool
- name: T1087.002 - 10
description: Domain Account - Enumerate Active Directory for Unconstrained Delegation
type: bool
- name: T1069.002 - 1
description: Domain Groups - Basic Permission Groups Discovery Windows (Domain)
type: bool
- name: T1069.002 - 2
description: Domain Groups - Permission Groups Discovery PowerShell (Domain)
type: bool
- name: T1069.002 - 3
description: Domain Groups - Elevated group enumeration using net group (Domain)
type: bool
- name: T1069.002 - 4
description: Domain Groups - Find machines where user has local admin access (PowerView)
type: bool
- name: T1069.002 - 5
description: Domain Groups - Find local admins on all machines in domain (PowerView)
type: bool
- name: T1069.002 - 6
description: Domain Groups - Find Local Admins via Group Policy (PowerView)
type: bool
- name: T1069.002 - 7
description: Domain Groups - Enumerate Users Not Requiring Pre Auth (ASRepRoast)
type: bool
- name: T1069.002 - 8
description: Domain Groups - Adfind - Query Active Directory Groups
type: bool
- name: T1482 - 1
description: Domain Trust Discovery - Windows - Discover domain trusts with dsquery
type: bool
- name: T1482 - 2
description: Domain Trust Discovery - Windows - Discover domain trusts with nltest
type: bool
- name: T1482 - 3
description: Domain Trust Discovery - Powershell enumerate domains and forests
type: bool
- name: T1482 - 4
description: Domain Trust Discovery - Adfind - Enumerate Active Directory OUs
type: bool
- name: T1482 - 5
description: Domain Trust Discovery - Adfind - Enumerate Active Directory Trusts
type: bool
- name: T1482 - 6
description: Domain Trust Discovery - Get-DomainTrust with PowerView
type: bool
- name: T1482 - 7
description: Domain Trust Discovery - Get-ForestTrust with PowerView
type: bool
- name: T1083 - 1
description: File and Directory Discovery - File and Directory Discovery (cmd.exe)
type: bool
- name: T1083 - 2
description: File and Directory Discovery - File and Directory Discovery (PowerShell)
type: bool
- name: T1087.001 - 8
description: Local Account - Enumerate all accounts on Windows (Local)
type: bool
- name: T1087.001 - 9
description: Local Account - Enumerate all accounts via PowerShell (Local)
type: bool
- name: T1087.001 - 10
description: Local Account - Enumerate logged on users via CMD (Local)
type: bool
- name: T1069.001 - 2
description: Local Groups - Basic Permission Groups Discovery Windows (Local)
type: bool
- name: T1069.001 - 3
description: Local Groups - Permission Groups Discovery PowerShell (Local)
type: bool
- name: T1069.001 - 4
description: Local Groups - SharpHound3 - LocalAdmin
type: bool
- name: T1069.001 - 5
description: Local Groups - Wmic Group Discovery
type: bool
- name: T1069.001 - 6
description: Local Groups - WMIObject Group Discovery
type: bool
- name: T1046 - 3
description: Network Service Scanning - Port Scan NMap for Windows
type: bool
- name: T1046 - 4
description: Network Service Scanning - Port Scan using python
type: bool
- name: T1135 - 3
description: Network Share Discovery - Network Share Discovery command prompt
type: bool
- name: T1135 - 4
description: Network Share Discovery - Network Share Discovery PowerShell
type: bool
- name: T1135 - 5
description: Network Share Discovery - View available share drives
type: bool
- name: T1135 - 6
description: Network Share Discovery - Share Discovery with PowerView
type: bool
- name: T1040 - 3
description: Network Sniffing - Packet Capture Windows Command Prompt
type: bool
- name: T1040 - 4
description: Network Sniffing - Windows Internal Packet Capture
type: bool
- name: T1201 - 5
description: Password Policy Discovery - Examine local password policy - Windows
type: bool
- name: T1201 - 6
description: Password Policy Discovery - Examine domain password policy - Windows
type: bool
- name: T1120 - 1
description: Peripheral Device Discovery - Win32_PnPEntity Hardware Inventory
type: bool
- name: T1057 - 2
description: Process Discovery - Process Discovery - tasklist
type: bool
- name: T1012 - 1
description: Query Registry - Query Registry
type: bool
- name: T1018 - 1
description: Remote System Discovery - Remote System Discovery - net
type: bool
- name: T1018 - 2
description: Remote System Discovery - Remote System Discovery - net group Domain Computers
type: bool
- name: T1018 - 3
description: Remote System Discovery - Remote System Discovery - nltest
type: bool
- name: T1018 - 4
description: Remote System Discovery - Remote System Discovery - ping sweep
type: bool
- name: T1018 - 5
description: Remote System Discovery - Remote System Discovery - arp
type: bool
- name: T1018 - 8
description: Remote System Discovery - Remote System Discovery - nslookup
type: bool
- name: T1018 - 9
description: Remote System Discovery - Remote System Discovery - adidnsdump
type: bool
- name: T1018 - 10
description: Remote System Discovery - Adfind - Enumerate Active Directory Computer Objects
type: bool
- name: T1018 - 11
description: Remote System Discovery - Adfind - Enumerate Active Directory Domain Controller Objects
type: bool
- name: T1518.001 - 1
description: Security Software Discovery - Security Software Discovery
type: bool
- name: T1518.001 - 2
description: Security Software Discovery - Security Software Discovery - powershell
type: bool
- name: T1518.001 - 5
description: Security Software Discovery - Security Software Discovery - Sysmon Service
type: bool
- name: T1518.001 - 6
description: Security Software Discovery - Security Software Discovery - AV Discovery via WMI
type: bool
- name: T1518 - 1
description: Software Discovery - Find and Display Internet Explorer Browser Version
type: bool
- name: T1518 - 2
description: Software Discovery - Applications Installed
type: bool
- name: T1497.001 - 2
description: System Checks - Detect Virtualization Environment (Windows)
type: bool
- name: T1082 - 1
description: System Information Discovery - System Information Discovery
type: bool
- name: T1082 - 6
description: System Information Discovery - Hostname Discovery (Windows)
type: bool
- name: T1082 - 8
description: System Information Discovery - Windows MachineGUID Discovery
type: bool
- name: T1082 - 9
description: System Information Discovery - Griffon Recon
type: bool
- name: T1082 - 10
description: System Information Discovery - Environment variables discovery on windows
type: bool
- name: T1016 - 1
description: System Network Configuration Discovery - System Network Configuration Discovery on Windows
type: bool
- name: T1016 - 2
description: System Network Configuration Discovery - List Windows Firewall Rules
type: bool
- name: T1016 - 4
description: System Network Configuration Discovery - System Network Configuration Discovery (TrickBot Style)
type: bool
- name: T1016 - 5
description: System Network Configuration Discovery - List Open Egress Ports
type: bool
- name: T1016 - 6
description: System Network Configuration Discovery - Adfind - Enumerate Active Directory Subnet Objects
type: bool
- name: T1016 - 7
description: System Network Configuration Discovery - Qakbot Recon
type: bool
- name: T1049 - 1
description: System Network Connections Discovery - System Network Connections Discovery
type: bool
- name: T1049 - 2
description: System Network Connections Discovery - System Network Connections Discovery with PowerShell
type: bool
- name: T1049 - 4
description: System Network Connections Discovery - System Discovery using SharpView
type: bool
- name: T1033 - 1
description: System Owner/User Discovery - System Owner/User Discovery
type: bool
- name: T1033 - 3
description: System Owner/User Discovery - Find computers where user has session - Stealth mode (PowerView)
type: bool
- name: T1007 - 1
description: System Service Discovery - System Service Discovery
type: bool
- name: T1007 - 2
description: System Service Discovery - System Service Discovery - net.exe
type: bool
- name: T1124 - 1
description: System Time Discovery - System Time Discovery
type: bool
- name: T1124 - 2
description: System Time Discovery - System Time Discovery - PowerShell
type: bool
- name: T1071.004 - 1
description: DNS - DNS Large Query Volume
type: bool
- name: T1071.004 - 2
description: DNS - DNS Regular Beaconing
type: bool
- name: T1071.004 - 3
description: DNS - DNS Long Domain Query
type: bool
- name: T1071.004 - 4
description: DNS - DNS C2
type: bool
- name: T1573 - 1
description: Encrypted Channel - OpenSSL C2
type: bool
- name: T1105 - 7
description: Ingress Tool Transfer - certutil download (urlcache)
type: bool
- name: T1105 - 8
description: Ingress Tool Transfer - certutil download (verifyctl)
type: bool
- name: T1105 - 9
description: Ingress Tool Transfer - Windows - BITSAdmin BITS Download
type: bool
- name: T1105 - 10
description: Ingress Tool Transfer - Windows - PowerShell Download
type: bool
- name: T1105 - 11
description: Ingress Tool Transfer - OSTAP Worming Activity
type: bool
- name: T1105 - 12
description: Ingress Tool Transfer - svchost writing a file to a UNC path
type: bool
- name: T1105 - 13
description: Ingress Tool Transfer - Download a File with Windows Defender MpCmdRun.exe
type: bool
- name: T1105 - 15
description: Ingress Tool Transfer - File Download via PowerShell
type: bool
- name: T1105 - 16
description: Ingress Tool Transfer - File download with finger.exe on Windows
type: bool
- name: T1105 - 17
description: Ingress Tool Transfer - Download a file with IMEWDBLD.exe
type: bool
- name: T1105 - 18
description: Ingress Tool Transfer - Curl Download File
type: bool
- name: T1090.001 - 3
description: Internal Proxy - portproxy reg key
type: bool
- name: T1095 - 1
description: Non-Application Layer Protocol - ICMP C2
type: bool
- name: T1095 - 2
description: Non-Application Layer Protocol - Netcat C2
type: bool
- name: T1095 - 3
description: Non-Application Layer Protocol - Powercat C2
type: bool
- name: T1571 - 1
description: Non-Standard Port - Testing usage of uncommonly used port with PowerShell
type: bool
- name: T1572 - 1
description: Protocol Tunneling - DNS over HTTPS Large Query Volume
type: bool
- name: T1572 - 2
description: Protocol Tunneling - DNS over HTTPS Regular Beaconing
type: bool
- name: T1572 - 3
description: Protocol Tunneling - DNS over HTTPS Long Domain Query
type: bool
- name: T1219 - 1
description: Remote Access Software - TeamViewer Files Detected Test on Windows
type: bool
- name: T1219 - 2
description: Remote Access Software - AnyDesk Files Detected Test on Windows
type: bool
- name: T1219 - 3
description: Remote Access Software - LogMeIn Files Detected Test on Windows
type: bool
- name: T1219 - 4
description: Remote Access Software - GoToAssist Files Detected Test on Windows
type: bool
- name: T1219 - 5
description: Remote Access Software - ScreenConnect Application Download and Install on Windows
type: bool
- name: T1132.001 - 2
description: Standard Encoding - XOR Encoded data.
type: bool
- name: T1071.001 - 1
description: Web Protocols - Malicious User Agents - Powershell
type: bool
- name: T1071.001 - 2
description: Web Protocols - Malicious User Agents - CMD
type: bool
- name: T1053.002 - 1
description: At (Windows) - At.exe Scheduled task
type: bool
- name: T1559.002 - 1
description: Dynamic Data Exchange - Execute Commands
type: bool
- name: T1559.002 - 2
description: Dynamic Data Exchange - Execute PowerShell script via Word DDE
type: bool
- name: T1559.002 - 3
description: Dynamic Data Exchange - DDEAUTO
type: bool
- name: T1204.002 - 1
description: Malicious File - OSTap Style Macro Execution
type: bool
- name: T1204.002 - 2
description: Malicious File - OSTap Payload Download
type: bool
- name: T1204.002 - 3
description: Malicious File - Maldoc choice flags command execution
type: bool
- name: T1204.002 - 4
description: Malicious File - OSTAP JS version
type: bool
- name: T1204.002 - 5
description: Malicious File - Office launching .bat file from AppData
type: bool
- name: T1204.002 - 6
description: Malicious File - Excel 4 Macro
type: bool
- name: T1204.002 - 7
description: Malicious File - Headless Chrome code execution via VBA
type: bool
- name: T1204.002 - 8
description: Malicious File - Potentially Unwanted Applications (PUA)
type: bool
- name: T1204.002 - 9
description: Malicious File - Office Generic Payload Download
type: bool
- name: T1106 - 1
description: Native API - Execution through API - CreateProcess
type: bool
- name: T1059.001 - 1
description: PowerShell - Mimikatz
type: bool
- name: T1059.001 - 2
description: PowerShell - Run BloodHound from local disk
type: bool
- name: T1059.001 - 3
description: PowerShell - Run Bloodhound from Memory using Download Cradle
type: bool
- name: T1059.001 - 4
description: PowerShell - Obfuscation Tests
type: bool
- name: T1059.001 - 5
description: PowerShell - Mimikatz - Cradlecraft PsSendKeys
type: bool
- name: T1059.001 - 6
description: PowerShell - Invoke-AppPathBypass
type: bool
- name: T1059.001 - 7
description: PowerShell - Powershell MsXml COM object - with prompt
type: bool
- name: T1059.001 - 8
description: PowerShell - Powershell XML requests
type: bool
- name: T1059.001 - 9
description: PowerShell - Powershell invoke mshta.exe download
type: bool
- name: T1059.001 - 10
description: PowerShell - Powershell Invoke-DownloadCradle
type: bool
- name: T1059.001 - 11
description: PowerShell - PowerShell Fileless Script Execution
type: bool
- name: T1059.001 - 12
description: PowerShell - PowerShell Downgrade Attack
type: bool
- name: T1059.001 - 13
description: PowerShell - NTFS Alternate Data Stream Access
type: bool
- name: T1059.001 - 14
description: PowerShell - PowerShell Session Creation and Use
type: bool
- name: T1059.001 - 15
description: PowerShell - ATHPowerShellCommandLineParameter -Command parameter variations
type: bool
- name: T1059.001 - 16
description: PowerShell - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
type: bool
- name: T1059.001 - 17
description: PowerShell - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
type: bool
- name: T1059.001 - 18
description: PowerShell - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
type: bool
- name: T1059.001 - 19
description: PowerShell - PowerShell Command Execution
type: bool
- name: T1059.001 - 20
description: PowerShell - PowerShell Invoke Known Malicious Cmdlets
type: bool
- name: T1059.001 - 21
description: PowerShell - PowerUp Invoke-AllChecks
type: bool
- name: T1053.005 - 1
description: Scheduled Task - Scheduled Task Startup Script
type: bool
- name: T1053.005 - 2
description: Scheduled Task - Scheduled task Local
type: bool
- name: T1053.005 - 3
description: Scheduled Task - Scheduled task Remote
type: bool
- name: T1053.005 - 4
description: Scheduled Task - Powershell Cmdlet Scheduled Task
type: bool
- name: T1053.005 - 5
description: Scheduled Task - Task Scheduler via VBA
type: bool
- name: T1053.005 - 6
description: Scheduled Task - WMI Invoke-CimMethod Scheduled Task
type: bool
- name: T1569.002 - 1
description: Service Execution - Execute a Command as a Service
type: bool
- name: T1569.002 - 2
description: Service Execution - Use PsExec to execute a command on a remote host
type: bool
- name: T1072 - 1
description: Software Deployment Tools - Radmin Viewer Utility
type: bool
- name: T1059.005 - 1
description: Visual Basic - Visual Basic script execution to gather local computer information
type: bool
- name: T1059.005 - 2
description: Visual Basic - Encoded VBS code execution
type: bool
- name: T1059.005 - 3
description: Visual Basic - Extract Memory via VBA
type: bool
- name: T1059.003 - 1
description: Windows Command Shell - Create and Execute Batch Script
type: bool
- name: T1059.003 - 2
description: Windows Command Shell - Writes text to a file and displays it.
type: bool
- name: T1059.003 - 3
description: Windows Command Shell - Suspicious Execution via Windows Command Shell
type: bool
- name: T1047 - 1
description: Windows Management Instrumentation - WMI Reconnaissance Users
type: bool
- name: T1047 - 2
description: Windows Management Instrumentation - WMI Reconnaissance Processes
type: bool
- name: T1047 - 3
description: Windows Management Instrumentation - WMI Reconnaissance Software
type: bool
- name: T1047 - 4
description: Windows Management Instrumentation - WMI Reconnaissance List Remote Services
type: bool
- name: T1047 - 5
description: Windows Management Instrumentation - WMI Execute Local Process
type: bool
- name: T1047 - 6
description: Windows Management Instrumentation - WMI Execute Remote Process
type: bool
- name: T1047 - 7
description: Windows Management Instrumentation - Create a Process using WMI Query and an Encoded Command
type: bool
- name: T1047 - 8
description: Windows Management Instrumentation - Create a Process using obfuscated Win32_Process
type: bool
- name: T1047 - 9
description: Windows Management Instrumentation - WMI Execute rundll32
type: bool
- name: T1020 - 1
description: Automated Exfiltration - IcedID Botnet HTTP PUT
type: bool
- name: T1048 - 3
description: Exfiltration Over Alternative Protocol - DNSExfiltration (doh)
type: bool
- name: T1041 - 1
description: Exfiltration Over C2 Channel - C2 Data Exfiltration
type: bool
- name: T1048.003 - 2
description: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - Exfiltration Over Alternative Protocol - ICMP
type: bool
- name: T1048.003 - 4
description: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - Exfiltration Over Alternative Protocol - HTTP
type: bool
- name: T1048.003 - 5
description: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - Exfiltration Over Alternative Protocol - SMTP
type: bool
- name: T1567 - 1
description: Exfiltration Over Web Service - Data Exfiltration with ConfigSecurityPolicy
type: bool
- name: T1021.003 - 1
description: Distributed Component Object Model - PowerShell Lateral Movement using MMC20
type: bool
- name: T1550.002 - 1
description: Pass the Hash - Mimikatz Pass the Hash
type: bool
- name: T1550.002 - 2
description: Pass the Hash - crackmapexec Pass the Hash
type: bool
- name: T1550.003 - 1
description: Pass the Ticket - Mimikatz Kerberos Ticket Attack
type: bool
- name: T1563.002 - 1
description: RDP Hijacking - RDP hijacking
type: bool
- name: T1021.001 - 1
description: Remote Desktop Protocol - RDP to DomainController
type: bool
- name: T1021.001 - 2
description: Remote Desktop Protocol - RDP to Server
type: bool
- name: T1021.001 - 3
description: Remote Desktop Protocol - Changing RDP Port to Non Standard Port via Powershell
type: bool
- name: T1021.001 - 4
description: Remote Desktop Protocol - Changing RDP Port to Non Standard Port via Command_Prompt
type: bool
- name: T1021.002 - 1
description: SMB/Windows Admin Shares - Map admin share
type: bool
- name: T1021.002 - 2
description: SMB/Windows Admin Shares - Map Admin Share PowerShell
type: bool
- name: T1021.002 - 3
description: SMB/Windows Admin Shares - Copy and Execute File with PsExec
type: bool
- name: T1021.002 - 4
description: SMB/Windows Admin Shares - Execute command writing output to local Admin Share
type: bool
- name: T1072 - 1
description: Software Deployment Tools - Radmin Viewer Utility
type: bool
- name: T1021.006 - 1
description: Windows Remote Management - Enable Windows Remote Management
type: bool
- name: T1021.006 - 2
description: Windows Remote Management - Invoke-Command
type: bool
- name: T1021.006 - 3
description: Windows Remote Management - WinRM Access with Evil-WinRM
type: bool
- name: T1078.001 - 1
description: Default Accounts - Enable Guest account with RDP capability and admin privileges
type: bool
- name: T1078.001 - 2
description: Default Accounts - Activate Guest Account
type: bool
- name: T1133 - 1
description: External Remote Services - Running Chrome VPN Extensions via the Registry 2 vpn extension
type: bool
- name: T1078.003 - 1
description: Local Accounts - Create local account with admin privileges
type: bool
- name: T1566.001 - 1
description: Spearphishing Attachment - Download Phishing Attachment - VBScript
type: bool
- name: T1566.001 - 2
description: Spearphishing Attachment - Word spawned a command shell and used an IP address in the command line
type: bool
precondition: SELECT OS From info() where OS = 'windows'
sources:
- query: |
LET CommandTable = SELECT * FROM parse_csv(accessor="data", filename='''
Flag,Command
T1558.004 - 1,Invoke-AtomicTest T1558.004 -TestNumbers 1
T1056.004 - 1,Invoke-AtomicTest T1056.004 -TestNumbers 1
T1552.001 - 3,Invoke-AtomicTest T1552.001 -TestNumbers 3
T1552.001 - 4,Invoke-AtomicTest T1552.001 -TestNumbers 4
T1555 - 1,Invoke-AtomicTest T1555 -TestNumbers 1
T1555 - 2,Invoke-AtomicTest T1555 -TestNumbers 2
T1555 - 3,Invoke-AtomicTest T1555 -TestNumbers 3
T1555 - 4,Invoke-AtomicTest T1555 -TestNumbers 4
T1555 - 5,Invoke-AtomicTest T1555 -TestNumbers 5
T1555.003 - 1,Invoke-AtomicTest T1555.003 -TestNumbers 1
T1555.003 - 3,Invoke-AtomicTest T1555.003 -TestNumbers 3
T1555.003 - 4,Invoke-AtomicTest T1555.003 -TestNumbers 4
T1552.002 - 1,Invoke-AtomicTest T1552.002 -TestNumbers 1
T1552.002 - 2,Invoke-AtomicTest T1552.002 -TestNumbers 2
T1003.006 - 1,Invoke-AtomicTest T1003.006 -TestNumbers 1
T1187 - 1,Invoke-AtomicTest T1187 -TestNumbers 1
T1056.002 - 2,Invoke-AtomicTest T1056.002 -TestNumbers 2
T1558.001 - 1,Invoke-AtomicTest T1558.001 -TestNumbers 1
T1552.006 - 1,Invoke-AtomicTest T1552.006 -TestNumbers 1
T1552.006 - 2,Invoke-AtomicTest T1552.006 -TestNumbers 2
T1558.003 - 1,Invoke-AtomicTest T1558.003 -TestNumbers 1
T1558.003 - 2,Invoke-AtomicTest T1558.003 -TestNumbers 2
T1558.003 - 3,Invoke-AtomicTest T1558.003 -TestNumbers 3
T1558.003 - 4,Invoke-AtomicTest T1558.003 -TestNumbers 4
T1558.003 - 5,Invoke-AtomicTest T1558.003 -TestNumbers 5
T1056.001 - 1,Invoke-AtomicTest T1056.001 -TestNumbers 1
T1003.004 - 1,Invoke-AtomicTest T1003.004 -TestNumbers 1
T1003.001 - 1,Invoke-AtomicTest T1003.001 -TestNumbers 1
T1003.001 - 2,Invoke-AtomicTest T1003.001 -TestNumbers 2
T1003.001 - 3,Invoke-AtomicTest T1003.001 -TestNumbers 3
T1003.001 - 4,Invoke-AtomicTest T1003.001 -TestNumbers 4
T1003.001 - 5,Invoke-AtomicTest T1003.001 -TestNumbers 5
T1003.001 - 6,Invoke-AtomicTest T1003.001 -TestNumbers 6
T1003.001 - 7,Invoke-AtomicTest T1003.001 -TestNumbers 7
T1003.001 - 8,Invoke-AtomicTest T1003.001 -TestNumbers 8
T1003.001 - 9,Invoke-AtomicTest T1003.001 -TestNumbers 9
T1003.001 - 10,Invoke-AtomicTest T1003.001 -TestNumbers 10
T1003.001 - 11,Invoke-AtomicTest T1003.001 -TestNumbers 11
T1003.001 - 12,Invoke-AtomicTest T1003.001 -TestNumbers 12
T1003.003 - 1,Invoke-AtomicTest T1003.003 -TestNumbers 1
T1003.003 - 2,Invoke-AtomicTest T1003.003 -TestNumbers 2
T1003.003 - 3,Invoke-AtomicTest T1003.003 -TestNumbers 3
T1003.003 - 4,Invoke-AtomicTest T1003.003 -TestNumbers 4
T1003.003 - 5,Invoke-AtomicTest T1003.003 -TestNumbers 5
T1003.003 - 6,Invoke-AtomicTest T1003.003 -TestNumbers 6
T1003.003 - 7,Invoke-AtomicTest T1003.003 -TestNumbers 7
T1040 - 3,Invoke-AtomicTest T1040 -TestNumbers 3
T1040 - 4,Invoke-AtomicTest T1040 -TestNumbers 4
T1003 - 1,Invoke-AtomicTest T1003 -TestNumbers 1
T1003 - 2,Invoke-AtomicTest T1003 -TestNumbers 2
T1003 - 3,Invoke-AtomicTest T1003 -TestNumbers 3
T1110.002 - 1,Invoke-AtomicTest T1110.002 -TestNumbers 1
T1556.002 - 1,Invoke-AtomicTest T1556.002 -TestNumbers 1
T1110.001 - 1,Invoke-AtomicTest T1110.001 -TestNumbers 1
T1110.001 - 2,Invoke-AtomicTest T1110.001 -TestNumbers 2
T1110.003 - 1,Invoke-AtomicTest T1110.003 -TestNumbers 1
T1110.003 - 2,Invoke-AtomicTest T1110.003 -TestNumbers 2
T1110.003 - 3,Invoke-AtomicTest T1110.003 -TestNumbers 3
T1552.004 - 1,Invoke-AtomicTest T1552.004 -TestNumbers 1
T1552.004 - 6,Invoke-AtomicTest T1552.004 -TestNumbers 6
T1552.004 - 7,Invoke-AtomicTest T1552.004 -TestNumbers 7
T1003.002 - 1,Invoke-AtomicTest T1003.002 -TestNumbers 1
T1003.002 - 2,Invoke-AtomicTest T1003.002 -TestNumbers 2
T1003.002 - 3,Invoke-AtomicTest T1003.002 -TestNumbers 3
T1003.002 - 4,Invoke-AtomicTest T1003.002 -TestNumbers 4
T1003.002 - 5,Invoke-AtomicTest T1003.002 -TestNumbers 5
T1003.002 - 6,Invoke-AtomicTest T1003.002 -TestNumbers 6
T1560 - 1,Invoke-AtomicTest T1560 -TestNumbers 1
T1560.001 - 1,Invoke-AtomicTest T1560.001 -TestNumbers 1
T1560.001 - 2,Invoke-AtomicTest T1560.001 -TestNumbers 2
T1560.001 - 3,Invoke-AtomicTest T1560.001 -TestNumbers 3
T1560.001 - 4,Invoke-AtomicTest T1560.001 -TestNumbers 4
T1123 - 1,Invoke-AtomicTest T1123 -TestNumbers 1
T1119 - 1,Invoke-AtomicTest T1119 -TestNumbers 1
T1119 - 2,Invoke-AtomicTest T1119 -TestNumbers 2
T1119 - 3,Invoke-AtomicTest T1119 -TestNumbers 3
T1119 - 4,Invoke-AtomicTest T1119 -TestNumbers 4
T1115 - 1,Invoke-AtomicTest T1115 -TestNumbers 1
T1115 - 2,Invoke-AtomicTest T1115 -TestNumbers 2
T1115 - 4,Invoke-AtomicTest T1115 -TestNumbers 4
T1056.004 - 1,Invoke-AtomicTest T1056.004 -TestNumbers 1
T1056.002 - 2,Invoke-AtomicTest T1056.002 -TestNumbers 2
T1056.001 - 1,Invoke-AtomicTest T1056.001 -TestNumbers 1
T1074.001 - 1,Invoke-AtomicTest T1074.001 -TestNumbers 1
T1074.001 - 3,Invoke-AtomicTest T1074.001 -TestNumbers 3
T1114.001 - 1,Invoke-AtomicTest T1114.001 -TestNumbers 1
T1113 - 5,Invoke-AtomicTest T1113 -TestNumbers 5
T1113 - 6,Invoke-AtomicTest T1113 -TestNumbers 6
T1546.008 - 1,Invoke-AtomicTest T1546.008 -TestNumbers 1
T1546.008 - 2,Invoke-AtomicTest T1546.008 -TestNumbers 2
T1546.010 - 1,Invoke-AtomicTest T1546.010 -TestNumbers 1
T1546.011 - 1,Invoke-AtomicTest T1546.011 -TestNumbers 1
T1546.011 - 2,Invoke-AtomicTest T1546.011 -TestNumbers 2
T1546.011 - 3,Invoke-AtomicTest T1546.011 -TestNumbers 3
T1055.004 - 1,Invoke-AtomicTest T1055.004 -TestNumbers 1
T1053.002 - 1,Invoke-AtomicTest T1053.002 -TestNumbers 1
T1548.002 - 1,Invoke-AtomicTest T1548.002 -TestNumbers 1
T1548.002 - 2,Invoke-AtomicTest T1548.002 -TestNumbers 2
T1548.002 - 3,Invoke-AtomicTest T1548.002 -TestNumbers 3
T1548.002 - 4,Invoke-AtomicTest T1548.002 -TestNumbers 4
T1548.002 - 5,Invoke-AtomicTest T1548.002 -TestNumbers 5
T1548.002 - 6,Invoke-AtomicTest T1548.002 -TestNumbers 6
T1548.002 - 7,Invoke-AtomicTest T1548.002 -TestNumbers 7
T1548.002 - 8,Invoke-AtomicTest T1548.002 -TestNumbers 8
T1548.002 - 9,Invoke-AtomicTest T1548.002 -TestNumbers 9
T1548.002 - 10,Invoke-AtomicTest T1548.002 -TestNumbers 10
T1548.002 - 11,Invoke-AtomicTest T1548.002 -TestNumbers 11
T1548.002 - 12,Invoke-AtomicTest T1548.002 -TestNumbers 12
T1548.002 - 13,Invoke-AtomicTest T1548.002 -TestNumbers 13
T1548.002 - 14,Invoke-AtomicTest T1548.002 -TestNumbers 14
T1548.002 - 15,Invoke-AtomicTest T1548.002 -TestNumbers 15
T1548.002 - 16,Invoke-AtomicTest T1548.002 -TestNumbers 16
T1548.002 - 17,Invoke-AtomicTest T1548.002 -TestNumbers 17
T1574.012 - 1,Invoke-AtomicTest T1574.012 -TestNumbers 1
T1574.012 - 2,Invoke-AtomicTest T1574.012 -TestNumbers 2
T1574.012 - 3,Invoke-AtomicTest T1574.012 -TestNumbers 3
T1546.001 - 1,Invoke-AtomicTest T1546.001 -TestNumbers 1
T1134.002 - 1,Invoke-AtomicTest T1134.002 -TestNumbers 1
T1574.001 - 1,Invoke-AtomicTest T1574.001 -TestNumbers 1
T1574.002 - 1,Invoke-AtomicTest T1574.002 -TestNumbers 1
T1078.001 - 1,Invoke-AtomicTest T1078.001 -TestNumbers 1
T1078.001 - 2,Invoke-AtomicTest T1078.001 -TestNumbers 2
T1055.001 - 1,Invoke-AtomicTest T1055.001 -TestNumbers 1
T1546.012 - 1,Invoke-AtomicTest T1546.012 -TestNumbers 1
T1546.012 - 2,Invoke-AtomicTest T1546.012 -TestNumbers 2
T1078.003 - 1,Invoke-AtomicTest T1078.003 -TestNumbers 1
T1037.001 - 1,Invoke-AtomicTest T1037.001 -TestNumbers 1
T1546.007 - 1,Invoke-AtomicTest T1546.007 -TestNumbers 1
T1134.004 - 1,Invoke-AtomicTest T1134.004 -TestNumbers 1
T1134.004 - 2,Invoke-AtomicTest T1134.004 -TestNumbers 2
T1134.004 - 3,Invoke-AtomicTest T1134.004 -TestNumbers 3
T1134.004 - 4,Invoke-AtomicTest T1134.004 -TestNumbers 4
T1134.004 - 5,Invoke-AtomicTest T1134.004 -TestNumbers 5
T1574.009 - 1,Invoke-AtomicTest T1574.009 -TestNumbers 1
T1547.010 - 1,Invoke-AtomicTest T1547.010 -TestNumbers 1
T1546.013 - 1,Invoke-AtomicTest T1546.013 -TestNumbers 1
T1055.012 - 1,Invoke-AtomicTest T1055.012 -TestNumbers 1
T1055.012 - 2,Invoke-AtomicTest T1055.012 -TestNumbers 2
T1055 - 1,Invoke-AtomicTest T1055 -TestNumbers 1
T1055 - 2,Invoke-AtomicTest T1055 -TestNumbers 2
T1547.001 - 1,Invoke-AtomicTest T1547.001 -TestNumbers 1
T1547.001 - 2,Invoke-AtomicTest T1547.001 -TestNumbers 2
T1547.001 - 3,Invoke-AtomicTest T1547.001 -TestNumbers 3
T1547.001 - 4,Invoke-AtomicTest T1547.001 -TestNumbers 4
T1547.001 - 5,Invoke-AtomicTest T1547.001 -TestNumbers 5
T1547.001 - 6,Invoke-AtomicTest T1547.001 -TestNumbers 6
T1547.001 - 7,Invoke-AtomicTest T1547.001 -TestNumbers 7
T1053.005 - 1,Invoke-AtomicTest T1053.005 -TestNumbers 1
T1053.005 - 2,Invoke-AtomicTest T1053.005 -TestNumbers 2
T1053.005 - 3,Invoke-AtomicTest T1053.005 -TestNumbers 3
T1053.005 - 4,Invoke-AtomicTest T1053.005 -TestNumbers 4
T1053.005 - 5,Invoke-AtomicTest T1053.005 -TestNumbers 5
T1053.005 - 6,Invoke-AtomicTest T1053.005 -TestNumbers 6
T1546.002 - 1,Invoke-AtomicTest T1546.002 -TestNumbers 1
T1547.005 - 1,Invoke-AtomicTest T1547.005 -TestNumbers 1
T1574.011 - 1,Invoke-AtomicTest T1574.011 -TestNumbers 1
T1574.011 - 2,Invoke-AtomicTest T1574.011 -TestNumbers 2
T1547.009 - 1,Invoke-AtomicTest T1547.009 -TestNumbers 1
T1547.009 - 2,Invoke-AtomicTest T1547.009 -TestNumbers 2
T1134.001 - 1,Invoke-AtomicTest T1134.001 -TestNumbers 1
T1134.001 - 2,Invoke-AtomicTest T1134.001 -TestNumbers 2
T1546.003 - 1,Invoke-AtomicTest T1546.003 -TestNumbers 1
T1543.003 - 1,Invoke-AtomicTest T1543.003 -TestNumbers 1
T1543.003 - 2,Invoke-AtomicTest T1543.003 -TestNumbers 2
T1543.003 - 3,Invoke-AtomicTest T1543.003 -TestNumbers 3
T1547.004 - 1,Invoke-AtomicTest T1547.004 -TestNumbers 1
T1547.004 - 2,Invoke-AtomicTest T1547.004 -TestNumbers 2
T1547.004 - 3,Invoke-AtomicTest T1547.004 -TestNumbers 3
T1055.004 - 1,Invoke-AtomicTest T1055.004 -TestNumbers 1
T1197 - 1,Invoke-AtomicTest T1197 -TestNumbers 1
T1197 - 2,Invoke-AtomicTest T1197 -TestNumbers 2
T1197 - 3,Invoke-AtomicTest T1197 -TestNumbers 3
T1197 - 4,Invoke-AtomicTest T1197 -TestNumbers 4
T1548.002 - 1,Invoke-AtomicTest T1548.002 -TestNumbers 1
T1548.002 - 2,Invoke-AtomicTest T1548.002 -TestNumbers 2
T1548.002 - 3,Invoke-AtomicTest T1548.002 -TestNumbers 3
T1548.002 - 4,Invoke-AtomicTest T1548.002 -TestNumbers 4
T1548.002 - 5,Invoke-AtomicTest T1548.002 -TestNumbers 5
T1548.002 - 6,Invoke-AtomicTest T1548.002 -TestNumbers 6
T1548.002 - 7,Invoke-AtomicTest T1548.002 -TestNumbers 7
T1548.002 - 8,Invoke-AtomicTest T1548.002 -TestNumbers 8
T1548.002 - 9,Invoke-AtomicTest T1548.002 -TestNumbers 9
T1548.002 - 10,Invoke-AtomicTest T1548.002 -TestNumbers 10
T1548.002 - 11,Invoke-AtomicTest T1548.002 -TestNumbers 11
T1548.002 - 12,Invoke-AtomicTest T1548.002 -TestNumbers 12
T1548.002 - 13,Invoke-AtomicTest T1548.002 -TestNumbers 13
T1548.002 - 14,Invoke-AtomicTest T1548.002 -TestNumbers 14
T1548.002 - 15,Invoke-AtomicTest T1548.002 -TestNumbers 15
T1548.002 - 16,Invoke-AtomicTest T1548.002 -TestNumbers 16
T1548.002 - 17,Invoke-AtomicTest T1548.002 -TestNumbers 17
T1218.003 - 1,Invoke-AtomicTest T1218.003 -TestNumbers 1
T1218.003 - 2,Invoke-AtomicTest T1218.003 -TestNumbers 2
T1574.012 - 1,Invoke-AtomicTest T1574.012 -TestNumbers 1
T1574.012 - 2,Invoke-AtomicTest T1574.012 -TestNumbers 2
T1574.012 - 3,Invoke-AtomicTest T1574.012 -TestNumbers 3
T1070.003 - 10,Invoke-AtomicTest T1070.003 -TestNumbers 10
T1070.003 - 11,Invoke-AtomicTest T1070.003 -TestNumbers 11
T1070.001 - 1,Invoke-AtomicTest T1070.001 -TestNumbers 1
T1070.001 - 2,Invoke-AtomicTest T1070.001 -TestNumbers 2
T1070.001 - 3,Invoke-AtomicTest T1070.001 -TestNumbers 3
T1027.004 - 1,Invoke-AtomicTest T1027.004 -TestNumbers 1
T1027.004 - 2,Invoke-AtomicTest T1027.004 -TestNumbers 2
T1218.001 - 1,Invoke-AtomicTest T1218.001 -TestNumbers 1
T1218.001 - 2,Invoke-AtomicTest T1218.001 -TestNumbers 2
T1218.001 - 3,Invoke-AtomicTest T1218.001 -TestNumbers 3
T1218.001 - 4,Invoke-AtomicTest T1218.001 -TestNumbers 4
T1218.001 - 5,Invoke-AtomicTest T1218.001 -TestNumbers 5
T1218.001 - 6,Invoke-AtomicTest T1218.001 -TestNumbers 6
T1218.001 - 7,Invoke-AtomicTest T1218.001 -TestNumbers 7
T1218.002 - 1,Invoke-AtomicTest T1218.002 -TestNumbers 1
T1134.002 - 1,Invoke-AtomicTest T1134.002 -TestNumbers 1
T1574.001 - 1,Invoke-AtomicTest T1574.001 -TestNumbers 1
T1574.002 - 1,Invoke-AtomicTest T1574.002 -TestNumbers 1
T1078.001 - 1,Invoke-AtomicTest T1078.001 -TestNumbers 1
T1078.001 - 2,Invoke-AtomicTest T1078.001 -TestNumbers 2
T1140 - 1,Invoke-AtomicTest T1140 -TestNumbers 1
T1140 - 2,Invoke-AtomicTest T1140 -TestNumbers 2
T1006 - 1,Invoke-AtomicTest T1006 -TestNumbers 1
T1562.002 - 1,Invoke-AtomicTest T1562.002 -TestNumbers 1
T1562.002 - 2,Invoke-AtomicTest T1562.002 -TestNumbers 2
T1562.002 - 3,Invoke-AtomicTest T1562.002 -TestNumbers 3
T1562.002 - 4,Invoke-AtomicTest T1562.002 -TestNumbers 4
T1562.002 - 5,Invoke-AtomicTest T1562.002 -TestNumbers 5
T1562.004 - 1,Invoke-AtomicTest T1562.004 -TestNumbers 1
T1562.004 - 2,Invoke-AtomicTest T1562.004 -TestNumbers 2
T1562.004 - 3,Invoke-AtomicTest T1562.004 -TestNumbers 3
T1562.004 - 4,Invoke-AtomicTest T1562.004 -TestNumbers 4
T1562.004 - 5,Invoke-AtomicTest T1562.004 -TestNumbers 5
T1562.004 - 6,Invoke-AtomicTest T1562.004 -TestNumbers 6
T1562.001 - 10,Invoke-AtomicTest T1562.001 -TestNumbers 10
T1562.001 - 11,Invoke-AtomicTest T1562.001 -TestNumbers 11
T1562.001 - 12,Invoke-AtomicTest T1562.001 -TestNumbers 12
T1562.001 - 13,Invoke-AtomicTest T1562.001 -TestNumbers 13
T1562.001 - 14,Invoke-AtomicTest T1562.001 -TestNumbers 14
T1562.001 - 15,Invoke-AtomicTest T1562.001 -TestNumbers 15
T1562.001 - 16,Invoke-AtomicTest T1562.001 -TestNumbers 16
T1562.001 - 17,Invoke-AtomicTest T1562.001 -TestNumbers 17
T1562.001 - 18,Invoke-AtomicTest T1562.001 -TestNumbers 18
T1562.001 - 19,Invoke-AtomicTest T1562.001 -TestNumbers 19
T1562.001 - 20,Invoke-AtomicTest T1562.001 -TestNumbers 20
T1562.001 - 21,Invoke-AtomicTest T1562.001 -TestNumbers 21
T1562.001 - 22,Invoke-AtomicTest T1562.001 -TestNumbers 22
T1562.001 - 23,Invoke-AtomicTest T1562.001 -TestNumbers 23
T1562.001 - 24,Invoke-AtomicTest T1562.001 -TestNumbers 24
T1055.001 - 1,Invoke-AtomicTest T1055.001 -TestNumbers 1
T1070.004 - 4,Invoke-AtomicTest T1070.004 -TestNumbers 4
T1070.004 - 5,Invoke-AtomicTest T1070.004 -TestNumbers 5
T1070.004 - 6,Invoke-AtomicTest T1070.004 -TestNumbers 6
T1070.004 - 7,Invoke-AtomicTest T1070.004 -TestNumbers 7
T1070.004 - 9,Invoke-AtomicTest T1070.004 -TestNumbers 9
T1070.004 - 10,Invoke-AtomicTest T1070.004 -TestNumbers 10
T1564.001 - 3,Invoke-AtomicTest T1564.001 -TestNumbers 3
T1564.001 - 4,Invoke-AtomicTest T1564.001 -TestNumbers 4
T1564.003 - 1,Invoke-AtomicTest T1564.003 -TestNumbers 1
T1564 - 1,Invoke-AtomicTest T1564 -TestNumbers 1
T1564 - 2,Invoke-AtomicTest T1564 -TestNumbers 2
T1564 - 3,Invoke-AtomicTest T1564 -TestNumbers 3
T1070 - 1,Invoke-AtomicTest T1070 -TestNumbers 1
T1202 - 1,Invoke-AtomicTest T1202 -TestNumbers 1
T1202 - 2,Invoke-AtomicTest T1202 -TestNumbers 2
T1202 - 3,Invoke-AtomicTest T1202 -TestNumbers 3
T1553.004 - 4,Invoke-AtomicTest T1553.004 -TestNumbers 4
T1553.004 - 5,Invoke-AtomicTest T1553.004 -TestNumbers 5
T1218.004 - 1,Invoke-AtomicTest T1218.004 -TestNumbers 1
T1218.004 - 2,Invoke-AtomicTest T1218.004 -TestNumbers 2
T1218.004 - 3,Invoke-AtomicTest T1218.004 -TestNumbers 3
T1218.004 - 4,Invoke-AtomicTest T1218.004 -TestNumbers 4
T1218.004 - 5,Invoke-AtomicTest T1218.004 -TestNumbers 5
T1218.004 - 6,Invoke-AtomicTest T1218.004 -TestNumbers 6
T1218.004 - 7,Invoke-AtomicTest T1218.004 -TestNumbers 7
T1218.004 - 8,Invoke-AtomicTest T1218.004 -TestNumbers 8
T1078.003 - 1,Invoke-AtomicTest T1078.003 -TestNumbers 1
T1127.001 - 1,Invoke-AtomicTest T1127.001 -TestNumbers 1
T1127.001 - 2,Invoke-AtomicTest T1127.001 -TestNumbers 2
T1553.005 - 1,Invoke-AtomicTest T1553.005 -TestNumbers 1
T1553.005 - 2,Invoke-AtomicTest T1553.005 -TestNumbers 2
T1553.005 - 3,Invoke-AtomicTest T1553.005 -TestNumbers 3
T1036.004 - 1,Invoke-AtomicTest T1036.004 -TestNumbers 1
T1036.004 - 2,Invoke-AtomicTest T1036.004 -TestNumbers 2
T1036 - 1,Invoke-AtomicTest T1036 -TestNumbers 1
T1112 - 1,Invoke-AtomicTest T1112 -TestNumbers 1
T1112 - 2,Invoke-AtomicTest T1112 -TestNumbers 2
T1112 - 3,Invoke-AtomicTest T1112 -TestNumbers 3
T1112 - 4,Invoke-AtomicTest T1112 -TestNumbers 4
T1112 - 5,Invoke-AtomicTest T1112 -TestNumbers 5
T1112 - 6,Invoke-AtomicTest T1112 -TestNumbers 6
T1218.005 - 1,Invoke-AtomicTest T1218.005 -TestNumbers 1
T1218.005 - 2,Invoke-AtomicTest T1218.005 -TestNumbers 2
T1218.005 - 3,Invoke-AtomicTest T1218.005 -TestNumbers 3
T1218.005 - 4,Invoke-AtomicTest T1218.005 -TestNumbers 4
T1218.005 - 5,Invoke-AtomicTest T1218.005 -TestNumbers 5
T1218.005 - 6,Invoke-AtomicTest T1218.005 -TestNumbers 6
T1218.005 - 7,Invoke-AtomicTest T1218.005 -TestNumbers 7
T1218.005 - 8,Invoke-AtomicTest T1218.005 -TestNumbers 8
T1218.005 - 9,Invoke-AtomicTest T1218.005 -TestNumbers 9
T1218.005 - 10,Invoke-AtomicTest T1218.005 -TestNumbers 10
T1218.007 - 1,Invoke-AtomicTest T1218.007 -TestNumbers 1
T1218.007 - 2,Invoke-AtomicTest T1218.007 -TestNumbers 2
T1218.007 - 3,Invoke-AtomicTest T1218.007 -TestNumbers 3
T1564.004 - 1,Invoke-AtomicTest T1564.004 -TestNumbers 1
T1564.004 - 2,Invoke-AtomicTest T1564.004 -TestNumbers 2
T1564.004 - 3,Invoke-AtomicTest T1564.004 -TestNumbers 3
T1564.004 - 4,Invoke-AtomicTest T1564.004 -TestNumbers 4
T1070.005 - 1,Invoke-AtomicTest T1070.005 -TestNumbers 1
T1070.005 - 2,Invoke-AtomicTest T1070.005 -TestNumbers 2
T1070.005 - 3,Invoke-AtomicTest T1070.005 -TestNumbers 3
T1027 - 2,Invoke-AtomicTest T1027 -TestNumbers 2
T1027 - 3,Invoke-AtomicTest T1027 -TestNumbers 3
T1027 - 4,Invoke-AtomicTest T1027 -TestNumbers 4
T1027 - 5,Invoke-AtomicTest T1027 -TestNumbers 5
T1027 - 6,Invoke-AtomicTest T1027 -TestNumbers 6
T1027 - 7,Invoke-AtomicTest T1027 -TestNumbers 7
T1027 - 8,Invoke-AtomicTest T1027 -TestNumbers 8
T1218.008 - 1,Invoke-AtomicTest T1218.008 -TestNumbers 1
T1134.004 - 1,Invoke-AtomicTest T1134.004 -TestNumbers 1
T1134.004 - 2,Invoke-AtomicTest T1134.004 -TestNumbers 2
T1134.004 - 3,Invoke-AtomicTest T1134.004 -TestNumbers 3
T1134.004 - 4,Invoke-AtomicTest T1134.004 -TestNumbers 4
T1134.004 - 5,Invoke-AtomicTest T1134.004 -TestNumbers 5
T1550.002 - 1,Invoke-AtomicTest T1550.002 -TestNumbers 1
T1550.002 - 2,Invoke-AtomicTest T1550.002 -TestNumbers 2
T1550.003 - 1,Invoke-AtomicTest T1550.003 -TestNumbers 1
T1556.002 - 1,Invoke-AtomicTest T1556.002 -TestNumbers 1
T1574.009 - 1,Invoke-AtomicTest T1574.009 -TestNumbers 1
T1055.012 - 1,Invoke-AtomicTest T1055.012 -TestNumbers 1
T1055.012 - 2,Invoke-AtomicTest T1055.012 -TestNumbers 2
T1055 - 1,Invoke-AtomicTest T1055 -TestNumbers 1
T1055 - 2,Invoke-AtomicTest T1055 -TestNumbers 2
T1216.001 - 1,Invoke-AtomicTest T1216.001 -TestNumbers 1
T1218.009 - 1,Invoke-AtomicTest T1218.009 -TestNumbers 1
T1218.009 - 2,Invoke-AtomicTest T1218.009 -TestNumbers 2
T1218.010 - 1,Invoke-AtomicTest T1218.010 -TestNumbers 1
T1218.010 - 2,Invoke-AtomicTest T1218.010 -TestNumbers 2
T1218.010 - 3,Invoke-AtomicTest T1218.010 -TestNumbers 3
T1218.010 - 4,Invoke-AtomicTest T1218.010 -TestNumbers 4
T1218.010 - 5,Invoke-AtomicTest T1218.010 -TestNumbers 5
T1036.003 - 1,Invoke-AtomicTest T1036.003 -TestNumbers 1
T1036.003 - 3,Invoke-AtomicTest T1036.003 -TestNumbers 3
T1036.003 - 4,Invoke-AtomicTest T1036.003 -TestNumbers 4
T1036.003 - 5,Invoke-AtomicTest T1036.003 -TestNumbers 5
T1036.003 - 6,Invoke-AtomicTest T1036.003 -TestNumbers 6
T1036.003 - 7,Invoke-AtomicTest T1036.003 -TestNumbers 7
T1036.003 - 8,Invoke-AtomicTest T1036.003 -TestNumbers 8
T1036.003 - 9,Invoke-AtomicTest T1036.003 -TestNumbers 9
T1207 - 1,Invoke-AtomicTest T1207 -TestNumbers 1
T1014 - 3,Invoke-AtomicTest T1014 -TestNumbers 3
T1218.011 - 1,Invoke-AtomicTest T1218.011 -TestNumbers 1
T1218.011 - 2,Invoke-AtomicTest T1218.011 -TestNumbers 2
T1218.011 - 3,Invoke-AtomicTest T1218.011 -TestNumbers 3
T1218.011 - 4,Invoke-AtomicTest T1218.011 -TestNumbers 4
T1218.011 - 5,Invoke-AtomicTest T1218.011 -TestNumbers 5
T1218.011 - 6,Invoke-AtomicTest T1218.011 -TestNumbers 6
T1218.011 - 7,Invoke-AtomicTest T1218.011 -TestNumbers 7
T1218.011 - 8,Invoke-AtomicTest T1218.011 -TestNumbers 8
T1574.011 - 1,Invoke-AtomicTest T1574.011 -TestNumbers 1
T1574.011 - 2,Invoke-AtomicTest T1574.011 -TestNumbers 2
T1218 - 1,Invoke-AtomicTest T1218 -TestNumbers 1
T1218 - 2,Invoke-AtomicTest T1218 -TestNumbers 2
T1218 - 3,Invoke-AtomicTest T1218 -TestNumbers 3
T1218 - 4,Invoke-AtomicTest T1218 -TestNumbers 4
T1218 - 5,Invoke-AtomicTest T1218 -TestNumbers 5
T1218 - 6,Invoke-AtomicTest T1218 -TestNumbers 6
T1218 - 7,Invoke-AtomicTest T1218 -TestNumbers 7
T1218 - 8,Invoke-AtomicTest T1218 -TestNumbers 8
T1216 - 1,Invoke-AtomicTest T1216 -TestNumbers 1
T1216 - 2,Invoke-AtomicTest T1216 -TestNumbers 2
T1497.001 - 2,Invoke-AtomicTest T1497.001 -TestNumbers 2
T1221 - 1,Invoke-AtomicTest T1221 -TestNumbers 1
T1070.006 - 5,Invoke-AtomicTest T1070.006 -TestNumbers 5
T1070.006 - 6,Invoke-AtomicTest T1070.006 -TestNumbers 6
T1070.006 - 7,Invoke-AtomicTest T1070.006 -TestNumbers 7
T1070.006 - 8,Invoke-AtomicTest T1070.006 -TestNumbers 8
T1134.001 - 1,Invoke-AtomicTest T1134.001 -TestNumbers 1
T1134.001 - 2,Invoke-AtomicTest T1134.001 -TestNumbers 2
T1222.001 - 1,Invoke-AtomicTest T1222.001 -TestNumbers 1
T1222.001 - 2,Invoke-AtomicTest T1222.001 -TestNumbers 2
T1222.001 - 3,Invoke-AtomicTest T1222.001 -TestNumbers 3
T1222.001 - 4,Invoke-AtomicTest T1222.001 -TestNumbers 4
T1222.001 - 5,Invoke-AtomicTest T1222.001 -TestNumbers 5
T1220 - 1,Invoke-AtomicTest T1220 -TestNumbers 1
T1220 - 2,Invoke-AtomicTest T1220 -TestNumbers 2
T1220 - 3,Invoke-AtomicTest T1220 -TestNumbers 3
T1220 - 4,Invoke-AtomicTest T1220 -TestNumbers 4
T1546.008 - 1,Invoke-AtomicTest T1546.008 -TestNumbers 1
T1546.008 - 2,Invoke-AtomicTest T1546.008 -TestNumbers 2
T1098 - 1,Invoke-AtomicTest T1098 -TestNumbers 1
T1098 - 2,Invoke-AtomicTest T1098 -TestNumbers 2
T1137.006 - 1,Invoke-AtomicTest T1137.006 -TestNumbers 1
T1546.010 - 1,Invoke-AtomicTest T1546.010 -TestNumbers 1
T1546.011 - 1,Invoke-AtomicTest T1546.011 -TestNumbers 1
T1546.011 - 2,Invoke-AtomicTest T1546.011 -TestNumbers 2
T1546.011 - 3,Invoke-AtomicTest T1546.011 -TestNumbers 3
T1053.002 - 1,Invoke-AtomicTest T1053.002 -TestNumbers 1
T1197 - 1,Invoke-AtomicTest T1197 -TestNumbers 1
T1197 - 2,Invoke-AtomicTest T1197 -TestNumbers 2
T1197 - 3,Invoke-AtomicTest T1197 -TestNumbers 3
T1197 - 4,Invoke-AtomicTest T1197 -TestNumbers 4
T1176 - 1,Invoke-AtomicTest T1176 -TestNumbers 1
T1176 - 2,Invoke-AtomicTest T1176 -TestNumbers 2
T1176 - 3,Invoke-AtomicTest T1176 -TestNumbers 3
T1176 - 4,Invoke-AtomicTest T1176 -TestNumbers 4
T1574.012 - 1,Invoke-AtomicTest T1574.012 -TestNumbers 1
T1574.012 - 2,Invoke-AtomicTest T1574.012 -TestNumbers 2
T1574.012 - 3,Invoke-AtomicTest T1574.012 -TestNumbers 3
T1546.001 - 1,Invoke-AtomicTest T1546.001 -TestNumbers 1
T1574.001 - 1,Invoke-AtomicTest T1574.001 -TestNumbers 1
T1574.002 - 1,Invoke-AtomicTest T1574.002 -TestNumbers 1
T1078.001 - 1,Invoke-AtomicTest T1078.001 -TestNumbers 1
T1078.001 - 2,Invoke-AtomicTest T1078.001 -TestNumbers 2
T1136.002 - 1,Invoke-AtomicTest T1136.002 -TestNumbers 1
T1136.002 - 2,Invoke-AtomicTest T1136.002 -TestNumbers 2
T1136.002 - 3,Invoke-AtomicTest T1136.002 -TestNumbers 3
T1133 - 1,Invoke-AtomicTest T1133 -TestNumbers 1
T1546.012 - 1,Invoke-AtomicTest T1546.012 -TestNumbers 1
T1546.012 - 2,Invoke-AtomicTest T1546.012 -TestNumbers 2
T1136.001 - 3,Invoke-AtomicTest T1136.001 -TestNumbers 3
T1136.001 - 4,Invoke-AtomicTest T1136.001 -TestNumbers 4
T1136.001 - 6,Invoke-AtomicTest T1136.001 -TestNumbers 6
T1078.003 - 1,Invoke-AtomicTest T1078.003 -TestNumbers 1
T1037.001 - 1,Invoke-AtomicTest T1037.001 -TestNumbers 1
T1546.007 - 1,Invoke-AtomicTest T1546.007 -TestNumbers 1
T1137 - 1,Invoke-AtomicTest T1137 -TestNumbers 1
T1137.002 - 1,Invoke-AtomicTest T1137.002 -TestNumbers 1
T1137.004 - 1,Invoke-AtomicTest T1137.004 -TestNumbers 1
T1556.002 - 1,Invoke-AtomicTest T1556.002 -TestNumbers 1
T1574.009 - 1,Invoke-AtomicTest T1574.009 -TestNumbers 1
T1547.010 - 1,Invoke-AtomicTest T1547.010 -TestNumbers 1
T1546.013 - 1,Invoke-AtomicTest T1546.013 -TestNumbers 1
T1547.001 - 1,Invoke-AtomicTest T1547.001 -TestNumbers 1
T1547.001 - 2,Invoke-AtomicTest T1547.001 -TestNumbers 2
T1547.001 - 3,Invoke-AtomicTest T1547.001 -TestNumbers 3
T1547.001 - 4,Invoke-AtomicTest T1547.001 -TestNumbers 4
T1547.001 - 5,Invoke-AtomicTest T1547.001 -TestNumbers 5
T1547.001 - 6,Invoke-AtomicTest T1547.001 -TestNumbers 6
T1547.001 - 7,Invoke-AtomicTest T1547.001 -TestNumbers 7
T1053.005 - 1,Invoke-AtomicTest T1053.005 -TestNumbers 1
T1053.005 - 2,Invoke-AtomicTest T1053.005 -TestNumbers 2
T1053.005 - 3,Invoke-AtomicTest T1053.005 -TestNumbers 3
T1053.005 - 4,Invoke-AtomicTest T1053.005 -TestNumbers 4
T1053.005 - 5,Invoke-AtomicTest T1053.005 -TestNumbers 5
T1053.005 - 6,Invoke-AtomicTest T1053.005 -TestNumbers 6
T1546.002 - 1,Invoke-AtomicTest T1546.002 -TestNumbers 1
T1547.005 - 1,Invoke-AtomicTest T1547.005 -TestNumbers 1
T1574.011 - 1,Invoke-AtomicTest T1574.011 -TestNumbers 1
T1574.011 - 2,Invoke-AtomicTest T1574.011 -TestNumbers 2
T1547.009 - 1,Invoke-AtomicTest T1547.009 -TestNumbers 1
T1547.009 - 2,Invoke-AtomicTest T1547.009 -TestNumbers 2
T1505.002 - 1,Invoke-AtomicTest T1505.002 -TestNumbers 1
T1505.003 - 1,Invoke-AtomicTest T1505.003 -TestNumbers 1
T1546.003 - 1,Invoke-AtomicTest T1546.003 -TestNumbers 1
T1543.003 - 1,Invoke-AtomicTest T1543.003 -TestNumbers 1
T1543.003 - 2,Invoke-AtomicTest T1543.003 -TestNumbers 2
T1543.003 - 3,Invoke-AtomicTest T1543.003 -TestNumbers 3
T1547.004 - 1,Invoke-AtomicTest T1547.004 -TestNumbers 1
T1547.004 - 2,Invoke-AtomicTest T1547.004 -TestNumbers 2
T1547.004 - 3,Invoke-AtomicTest T1547.004 -TestNumbers 3
T1531 - 1,Invoke-AtomicTest T1531 -TestNumbers 1
T1531 - 2,Invoke-AtomicTest T1531 -TestNumbers 2
T1531 - 3,Invoke-AtomicTest T1531 -TestNumbers 3
T1485 - 1,Invoke-AtomicTest T1485 -TestNumbers 1
T1486 - 5,Invoke-AtomicTest T1486 -TestNumbers 5
T1490 - 1,Invoke-AtomicTest T1490 -TestNumbers 1
T1490 - 2,Invoke-AtomicTest T1490 -TestNumbers 2
T1490 - 3,Invoke-AtomicTest T1490 -TestNumbers 3
T1490 - 4,Invoke-AtomicTest T1490 -TestNumbers 4
T1490 - 5,Invoke-AtomicTest T1490 -TestNumbers 5
T1490 - 6,Invoke-AtomicTest T1490 -TestNumbers 6
T1490 - 7,Invoke-AtomicTest T1490 -TestNumbers 7
T1490 - 8,Invoke-AtomicTest T1490 -TestNumbers 8
T1491.001 - 1,Invoke-AtomicTest T1491.001 -TestNumbers 1
T1489 - 1,Invoke-AtomicTest T1489 -TestNumbers 1
T1489 - 2,Invoke-AtomicTest T1489 -TestNumbers 2
T1489 - 3,Invoke-AtomicTest T1489 -TestNumbers 3
T1529 - 1,Invoke-AtomicTest T1529 -TestNumbers 1
T1529 - 2,Invoke-AtomicTest T1529 -TestNumbers 2
T1010 - 1,Invoke-AtomicTest T1010 -TestNumbers 1
T1217 - 4,Invoke-AtomicTest T1217 -TestNumbers 4
T1217 - 5,Invoke-AtomicTest T1217 -TestNumbers 5
T1217 - 6,Invoke-AtomicTest T1217 -TestNumbers 6
T1217 - 7,Invoke-AtomicTest T1217 -TestNumbers 7
T1087.002 - 1,Invoke-AtomicTest T1087.002 -TestNumbers 1
T1087.002 - 2,Invoke-AtomicTest T1087.002 -TestNumbers 2
T1087.002 - 3,Invoke-AtomicTest T1087.002 -TestNumbers 3
T1087.002 - 4,Invoke-AtomicTest T1087.002 -TestNumbers 4
T1087.002 - 5,Invoke-AtomicTest T1087.002 -TestNumbers 5
T1087.002 - 6,Invoke-AtomicTest T1087.002 -TestNumbers 6
T1087.002 - 7,Invoke-AtomicTest T1087.002 -TestNumbers 7
T1087.002 - 8,Invoke-AtomicTest T1087.002 -TestNumbers 8
T1087.002 - 9,Invoke-AtomicTest T1087.002 -TestNumbers 9
T1087.002 - 10,Invoke-AtomicTest T1087.002 -TestNumbers 10
T1069.002 - 1,Invoke-AtomicTest T1069.002 -TestNumbers 1
T1069.002 - 2,Invoke-AtomicTest T1069.002 -TestNumbers 2
T1069.002 - 3,Invoke-AtomicTest T1069.002 -TestNumbers 3
T1069.002 - 4,Invoke-AtomicTest T1069.002 -TestNumbers 4
T1069.002 - 5,Invoke-AtomicTest T1069.002 -TestNumbers 5
T1069.002 - 6,Invoke-AtomicTest T1069.002 -TestNumbers 6
T1069.002 - 7,Invoke-AtomicTest T1069.002 -TestNumbers 7
T1069.002 - 8,Invoke-AtomicTest T1069.002 -TestNumbers 8
T1482 - 1,Invoke-AtomicTest T1482 -TestNumbers 1
T1482 - 2,Invoke-AtomicTest T1482 -TestNumbers 2
T1482 - 3,Invoke-AtomicTest T1482 -TestNumbers 3
T1482 - 4,Invoke-AtomicTest T1482 -TestNumbers 4
T1482 - 5,Invoke-AtomicTest T1482 -TestNumbers 5
T1482 - 6,Invoke-AtomicTest T1482 -TestNumbers 6
T1482 - 7,Invoke-AtomicTest T1482 -TestNumbers 7
T1083 - 1,Invoke-AtomicTest T1083 -TestNumbers 1
T1083 - 2,Invoke-AtomicTest T1083 -TestNumbers 2
T1087.001 - 8,Invoke-AtomicTest T1087.001 -TestNumbers 8
T1087.001 - 9,Invoke-AtomicTest T1087.001 -TestNumbers 9
T1087.001 - 10,Invoke-AtomicTest T1087.001 -TestNumbers 10
T1069.001 - 2,Invoke-AtomicTest T1069.001 -TestNumbers 2
T1069.001 - 3,Invoke-AtomicTest T1069.001 -TestNumbers 3
T1069.001 - 4,Invoke-AtomicTest T1069.001 -TestNumbers 4
T1069.001 - 5,Invoke-AtomicTest T1069.001 -TestNumbers 5
T1069.001 - 6,Invoke-AtomicTest T1069.001 -TestNumbers 6
T1046 - 3,Invoke-AtomicTest T1046 -TestNumbers 3
T1046 - 4,Invoke-AtomicTest T1046 -TestNumbers 4
T1135 - 3,Invoke-AtomicTest T1135 -TestNumbers 3
T1135 - 4,Invoke-AtomicTest T1135 -TestNumbers 4
T1135 - 5,Invoke-AtomicTest T1135 -TestNumbers 5
T1135 - 6,Invoke-AtomicTest T1135 -TestNumbers 6
T1040 - 3,Invoke-AtomicTest T1040 -TestNumbers 3
T1040 - 4,Invoke-AtomicTest T1040 -TestNumbers 4
T1201 - 5,Invoke-AtomicTest T1201 -TestNumbers 5
T1201 - 6,Invoke-AtomicTest T1201 -TestNumbers 6
T1120 - 1,Invoke-AtomicTest T1120 -TestNumbers 1
T1057 - 2,Invoke-AtomicTest T1057 -TestNumbers 2
T1012 - 1,Invoke-AtomicTest T1012 -TestNumbers 1
T1018 - 1,Invoke-AtomicTest T1018 -TestNumbers 1
T1018 - 2,Invoke-AtomicTest T1018 -TestNumbers 2
T1018 - 3,Invoke-AtomicTest T1018 -TestNumbers 3
T1018 - 4,Invoke-AtomicTest T1018 -TestNumbers 4
T1018 - 5,Invoke-AtomicTest T1018 -TestNumbers 5
T1018 - 8,Invoke-AtomicTest T1018 -TestNumbers 8
T1018 - 9,Invoke-AtomicTest T1018 -TestNumbers 9
T1018 - 10,Invoke-AtomicTest T1018 -TestNumbers 10
T1018 - 11,Invoke-AtomicTest T1018 -TestNumbers 11
T1518.001 - 1,Invoke-AtomicTest T1518.001 -TestNumbers 1
T1518.001 - 2,Invoke-AtomicTest T1518.001 -TestNumbers 2
T1518.001 - 5,Invoke-AtomicTest T1518.001 -TestNumbers 5
T1518.001 - 6,Invoke-AtomicTest T1518.001 -TestNumbers 6
T1518 - 1,Invoke-AtomicTest T1518 -TestNumbers 1
T1518 - 2,Invoke-AtomicTest T1518 -TestNumbers 2
T1497.001 - 2,Invoke-AtomicTest T1497.001 -TestNumbers 2
T1082 - 1,Invoke-AtomicTest T1082 -TestNumbers 1
T1082 - 6,Invoke-AtomicTest T1082 -TestNumbers 6
T1082 - 8,Invoke-AtomicTest T1082 -TestNumbers 8
T1082 - 9,Invoke-AtomicTest T1082 -TestNumbers 9
T1082 - 10,Invoke-AtomicTest T1082 -TestNumbers 10
T1016 - 1,Invoke-AtomicTest T1016 -TestNumbers 1
T1016 - 2,Invoke-AtomicTest T1016 -TestNumbers 2
T1016 - 4,Invoke-AtomicTest T1016 -TestNumbers 4
T1016 - 5,Invoke-AtomicTest T1016 -TestNumbers 5
T1016 - 6,Invoke-AtomicTest T1016 -TestNumbers 6
T1016 - 7,Invoke-AtomicTest T1016 -TestNumbers 7
T1049 - 1,Invoke-AtomicTest T1049 -TestNumbers 1
T1049 - 2,Invoke-AtomicTest T1049 -TestNumbers 2
T1049 - 4,Invoke-AtomicTest T1049 -TestNumbers 4
T1033 - 1,Invoke-AtomicTest T1033 -TestNumbers 1
T1033 - 3,Invoke-AtomicTest T1033 -TestNumbers 3
T1007 - 1,Invoke-AtomicTest T1007 -TestNumbers 1
T1007 - 2,Invoke-AtomicTest T1007 -TestNumbers 2
T1124 - 1,Invoke-AtomicTest T1124 -TestNumbers 1
T1124 - 2,Invoke-AtomicTest T1124 -TestNumbers 2
T1071.004 - 1,Invoke-AtomicTest T1071.004 -TestNumbers 1
T1071.004 - 2,Invoke-AtomicTest T1071.004 -TestNumbers 2
T1071.004 - 3,Invoke-AtomicTest T1071.004 -TestNumbers 3
T1071.004 - 4,Invoke-AtomicTest T1071.004 -TestNumbers 4
T1573 - 1,Invoke-AtomicTest T1573 -TestNumbers 1
T1105 - 7,Invoke-AtomicTest T1105 -TestNumbers 7
T1105 - 8,Invoke-AtomicTest T1105 -TestNumbers 8
T1105 - 9,Invoke-AtomicTest T1105 -TestNumbers 9
T1105 - 10,Invoke-AtomicTest T1105 -TestNumbers 10
T1105 - 11,Invoke-AtomicTest T1105 -TestNumbers 11
T1105 - 12,Invoke-AtomicTest T1105 -TestNumbers 12
T1105 - 13,Invoke-AtomicTest T1105 -TestNumbers 13
T1105 - 15,Invoke-AtomicTest T1105 -TestNumbers 15
T1105 - 16,Invoke-AtomicTest T1105 -TestNumbers 16
T1105 - 17,Invoke-AtomicTest T1105 -TestNumbers 17
T1105 - 18,Invoke-AtomicTest T1105 -TestNumbers 18
T1090.001 - 3,Invoke-AtomicTest T1090.001 -TestNumbers 3
T1095 - 1,Invoke-AtomicTest T1095 -TestNumbers 1
T1095 - 2,Invoke-AtomicTest T1095 -TestNumbers 2
T1095 - 3,Invoke-AtomicTest T1095 -TestNumbers 3
T1571 - 1,Invoke-AtomicTest T1571 -TestNumbers 1
T1572 - 1,Invoke-AtomicTest T1572 -TestNumbers 1
T1572 - 2,Invoke-AtomicTest T1572 -TestNumbers 2
T1572 - 3,Invoke-AtomicTest T1572 -TestNumbers 3
T1219 - 1,Invoke-AtomicTest T1219 -TestNumbers 1
T1219 - 2,Invoke-AtomicTest T1219 -TestNumbers 2
T1219 - 3,Invoke-AtomicTest T1219 -TestNumbers 3
T1219 - 4,Invoke-AtomicTest T1219 -TestNumbers 4
T1219 - 5,Invoke-AtomicTest T1219 -TestNumbers 5
T1132.001 - 2,Invoke-AtomicTest T1132.001 -TestNumbers 2
T1071.001 - 1,Invoke-AtomicTest T1071.001 -TestNumbers 1
T1071.001 - 2,Invoke-AtomicTest T1071.001 -TestNumbers 2
T1053.002 - 1,Invoke-AtomicTest T1053.002 -TestNumbers 1
T1559.002 - 1,Invoke-AtomicTest T1559.002 -TestNumbers 1
T1559.002 - 2,Invoke-AtomicTest T1559.002 -TestNumbers 2
T1559.002 - 3,Invoke-AtomicTest T1559.002 -TestNumbers 3
T1204.002 - 1,Invoke-AtomicTest T1204.002 -TestNumbers 1
T1204.002 - 2,Invoke-AtomicTest T1204.002 -TestNumbers 2
T1204.002 - 3,Invoke-AtomicTest T1204.002 -TestNumbers 3
T1204.002 - 4,Invoke-AtomicTest T1204.002 -TestNumbers 4
T1204.002 - 5,Invoke-AtomicTest T1204.002 -TestNumbers 5
T1204.002 - 6,Invoke-AtomicTest T1204.002 -TestNumbers 6
T1204.002 - 7,Invoke-AtomicTest T1204.002 -TestNumbers 7
T1204.002 - 8,Invoke-AtomicTest T1204.002 -TestNumbers 8
T1204.002 - 9,Invoke-AtomicTest T1204.002 -TestNumbers 9
T1106 - 1,Invoke-AtomicTest T1106 -TestNumbers 1
T1059.001 - 1,Invoke-AtomicTest T1059.001 -TestNumbers 1
T1059.001 - 2,Invoke-AtomicTest T1059.001 -TestNumbers 2
T1059.001 - 3,Invoke-AtomicTest T1059.001 -TestNumbers 3
T1059.001 - 4,Invoke-AtomicTest T1059.001 -TestNumbers 4
T1059.001 - 5,Invoke-AtomicTest T1059.001 -TestNumbers 5
T1059.001 - 6,Invoke-AtomicTest T1059.001 -TestNumbers 6
T1059.001 - 7,Invoke-AtomicTest T1059.001 -TestNumbers 7
T1059.001 - 8,Invoke-AtomicTest T1059.001 -TestNumbers 8
T1059.001 - 9,Invoke-AtomicTest T1059.001 -TestNumbers 9
T1059.001 - 10,Invoke-AtomicTest T1059.001 -TestNumbers 10
T1059.001 - 11,Invoke-AtomicTest T1059.001 -TestNumbers 11
T1059.001 - 12,Invoke-AtomicTest T1059.001 -TestNumbers 12
T1059.001 - 13,Invoke-AtomicTest T1059.001 -TestNumbers 13
T1059.001 - 14,Invoke-AtomicTest T1059.001 -TestNumbers 14
T1059.001 - 15,Invoke-AtomicTest T1059.001 -TestNumbers 15
T1059.001 - 16,Invoke-AtomicTest T1059.001 -TestNumbers 16
T1059.001 - 17,Invoke-AtomicTest T1059.001 -TestNumbers 17
T1059.001 - 18,Invoke-AtomicTest T1059.001 -TestNumbers 18
T1059.001 - 19,Invoke-AtomicTest T1059.001 -TestNumbers 19
T1059.001 - 20,Invoke-AtomicTest T1059.001 -TestNumbers 20
T1059.001 - 21,Invoke-AtomicTest T1059.001 -TestNumbers 21
T1053.005 - 1,Invoke-AtomicTest T1053.005 -TestNumbers 1
T1053.005 - 2,Invoke-AtomicTest T1053.005 -TestNumbers 2
T1053.005 - 3,Invoke-AtomicTest T1053.005 -TestNumbers 3
T1053.005 - 4,Invoke-AtomicTest T1053.005 -TestNumbers 4
T1053.005 - 5,Invoke-AtomicTest T1053.005 -TestNumbers 5
T1053.005 - 6,Invoke-AtomicTest T1053.005 -TestNumbers 6
T1569.002 - 1,Invoke-AtomicTest T1569.002 -TestNumbers 1
T1569.002 - 2,Invoke-AtomicTest T1569.002 -TestNumbers 2
T1072 - 1,Invoke-AtomicTest T1072 -TestNumbers 1
T1059.005 - 1,Invoke-AtomicTest T1059.005 -TestNumbers 1
T1059.005 - 2,Invoke-AtomicTest T1059.005 -TestNumbers 2
T1059.005 - 3,Invoke-AtomicTest T1059.005 -TestNumbers 3
T1059.003 - 1,Invoke-AtomicTest T1059.003 -TestNumbers 1
T1059.003 - 2,Invoke-AtomicTest T1059.003 -TestNumbers 2
T1059.003 - 3,Invoke-AtomicTest T1059.003 -TestNumbers 3
T1047 - 1,Invoke-AtomicTest T1047 -TestNumbers 1
T1047 - 2,Invoke-AtomicTest T1047 -TestNumbers 2
T1047 - 3,Invoke-AtomicTest T1047 -TestNumbers 3
T1047 - 4,Invoke-AtomicTest T1047 -TestNumbers 4
T1047 - 5,Invoke-AtomicTest T1047 -TestNumbers 5
T1047 - 6,Invoke-AtomicTest T1047 -TestNumbers 6
T1047 - 7,Invoke-AtomicTest T1047 -TestNumbers 7
T1047 - 8,Invoke-AtomicTest T1047 -TestNumbers 8
T1047 - 9,Invoke-AtomicTest T1047 -TestNumbers 9
T1020 - 1,Invoke-AtomicTest T1020 -TestNumbers 1
T1048 - 3,Invoke-AtomicTest T1048 -TestNumbers 3
T1041 - 1,Invoke-AtomicTest T1041 -TestNumbers 1
T1048.003 - 2,Invoke-AtomicTest T1048.003 -TestNumbers 2
T1048.003 - 4,Invoke-AtomicTest T1048.003 -TestNumbers 4
T1048.003 - 5,Invoke-AtomicTest T1048.003 -TestNumbers 5
T1567 - 1,Invoke-AtomicTest T1567 -TestNumbers 1
T1021.003 - 1,Invoke-AtomicTest T1021.003 -TestNumbers 1
T1550.002 - 1,Invoke-AtomicTest T1550.002 -TestNumbers 1
T1550.002 - 2,Invoke-AtomicTest T1550.002 -TestNumbers 2
T1550.003 - 1,Invoke-AtomicTest T1550.003 -TestNumbers 1
T1563.002 - 1,Invoke-AtomicTest T1563.002 -TestNumbers 1
T1021.001 - 1,Invoke-AtomicTest T1021.001 -TestNumbers 1
T1021.001 - 2,Invoke-AtomicTest T1021.001 -TestNumbers 2
T1021.001 - 3,Invoke-AtomicTest T1021.001 -TestNumbers 3
T1021.001 - 4,Invoke-AtomicTest T1021.001 -TestNumbers 4
T1021.002 - 1,Invoke-AtomicTest T1021.002 -TestNumbers 1
T1021.002 - 2,Invoke-AtomicTest T1021.002 -TestNumbers 2
T1021.002 - 3,Invoke-AtomicTest T1021.002 -TestNumbers 3
T1021.002 - 4,Invoke-AtomicTest T1021.002 -TestNumbers 4
T1072 - 1,Invoke-AtomicTest T1072 -TestNumbers 1
T1021.006 - 1,Invoke-AtomicTest T1021.006 -TestNumbers 1
T1021.006 - 2,Invoke-AtomicTest T1021.006 -TestNumbers 2
T1021.006 - 3,Invoke-AtomicTest T1021.006 -TestNumbers 3
T1078.001 - 1,Invoke-AtomicTest T1078.001 -TestNumbers 1
T1078.001 - 2,Invoke-AtomicTest T1078.001 -TestNumbers 2
T1133 - 1,Invoke-AtomicTest T1133 -TestNumbers 1
T1078.003 - 1,Invoke-AtomicTest T1078.003 -TestNumbers 1
T1566.001 - 1,Invoke-AtomicTest T1566.001 -TestNumbers 1
T1566.001 - 2,Invoke-AtomicTest T1566.001 -TestNumbers 2
''')
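-- Run every atomic when RunAll is set; otherwise run only the rows of
-- CommandTable whose Flag column names a parameter that is set.
LET CommandsToRun <= if(condition=RunAll,
    then='''Invoke-AtomicTest All -Confirm:$false''',
    else={ SELECT Command FROM CommandTable WHERE get(field=Flag) })

-- Optionally remove the existing execution log before running.
LET RemoveLog <= if(condition=RemoveExecLog, then={
    SELECT * FROM execve(argv=["powershell.exe", "Remove-Item", ExecutionLogFile])
})

-- Optionally install Invoke-AtomicRedTeam and the atomics folder.
-- Note: the installer is fetched from the master branch on GitHub and executed
-- at run time, so the endpoint needs Internet access and the code that runs is
-- not pinned to a reviewed revision.
LET InstallART <= if(condition=InstallART, then={
    SELECT * FROM execve(argv=[
        'powershell.exe', '-exec', 'bypass',
        '-Command', "IEX (IWR https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1 -UseBasicParsing); Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Scope CurrentUser; Install-AtomicRedTeam -getAtomics -F"
    ])
})

-- For each selected command: import the module, fetch prerequisites
-- (-GetPreReqs), run the test while logging to ExecutionLogFile, and, if
-- Cleanup is set, run the test again with -Cleanup.
LET JustDoIt <= SELECT * FROM foreach(row=CommandsToRun, query={
    SELECT * FROM execve(argv=[
        'powershell.exe', '-exec', 'bypass',
        '-Command', '''Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force; ''' +
            Command + ''' -GetPreReqs; ''' +
            Command + ''' -ExecutionLogPath ''' + ExecutionLogFile + ''';''' +
            if(condition=Cleanup, then=Command + ''' -Cleanup''', else='''''')
    ])
})

-- Report what was executed by parsing the execution log, linking each
-- technique to its Atomic Red Team documentation page.
SELECT `Execution Time (UTC)`,
       `Execution Time (Local)`,
       '[' + Technique + '](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/' + Technique + '/' + Technique + '.md)' AS Technique,
       `Test Number`,
       `Test Name`,
       Hostname,
       Username,
       GUID
FROM parse_csv(accessor="file", filename=ExecutionLogFile)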