All Atomic Tests by ATT&CK Tactic & Technique

persistence

T1156 .bash_profile and .bashrc
- Atomic Test #1: .bash_profile and .bashrc [macos, linux]
T1015 Accessibility Features
- Atomic Test #1: Attaches Command Prompt As Debugger To Process - osk [windows]
- Atomic Test #2: Attaches Command Prompt As Debugger To Process - sethc [windows]
- Atomic Test #3: Attaches Command Prompt As Debugger To Process - utilman [windows]
- Atomic Test #4: Attaches Command Prompt As Debugger To Process - magnify [windows]
- Atomic Test #5: Attaches Command Prompt As Debugger To Process - narrator [windows]
- Atomic Test #6: Attaches Command Prompt As Debugger To Process - DisplaySwitch [windows]
- Atomic Test #7: Attaches Command Prompt As Debugger To Process - AtBroker [windows]
T1182 AppCert DLLs
T1103 AppInit DLLs
- Atomic Test #1: Install AppInit Shim [windows]
T1138 Application Shimming
- Atomic Test #1: Application Shim Installation [windows]
T1131 Authentication Package
T1197 BITS Jobs
- Atomic Test #1: Download & Execute [windows]
- Atomic Test #2: Download & Execute via PowerShell BITS [windows]
T1067 Bootkit
T1176 Browser Extensions
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
T1042 Change Default File Association
- Atomic Test #1: Change Default File Association [windows]
T1109 Component Firmware
T1122 Component Object Model Hijacking
- Atomic Test #1: PowerShell UAC Bypass [windows]
T1136 Create Account
- Atomic Test #1: Create a user account on a Linux system [linux]
- Atomic Test #2: Create a user account on a MacOS system [macos]
T1038 DLL Search Order Hijacking
T1157 Dylib Hijacking
T1133 External Remote Services
T1044 File System Permissions Weakness
T1158 Hidden Files and Directories
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #2: Mac Hidden file [macos]
- Atomic Test #3: Hidden file [macos, linux]
- Atomic Test #4: Hidden files [macos]
- Atomic Test #5: Hide a Directory [macos]
- Atomic Test #6: Show all hidden files [macos]
- Atomic Test #7: Create visible Directories [macos, linux]
- Atomic Test #8: Create hidden directories and files [macos, linux]
T1179 Hooking
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
T1062 Hypervisor
T1183 Image File Execution Options Injection
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO GLobal Flags [windows]
T1215 Kernel Modules and Extensions
T1161 LC_LOAD_DYLIB Addition
T1177 LSASS Driver
T1159 Launch Agent
- Atomic Test #1: Launch Agent [macos]
T1160 Launch Daemon
- Atomic Test #1: Launch Daemon [macos]
T1152 Launchctl
- Atomic Test #1: Launchctl [macos]
T1168 Local Job Scheduling
- Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron Job [macos, centos, ubuntu, linux]
T1162 Login Item
T1037 Logon Scripts
- Atomic Test #1: Logon Scripts [windows]
- Atomic Test #2: Logon Scripts - Mac [macos]
T1031 Modify Existing Service
T1128 Netsh Helper DLL
- Atomic Test #1: Netsh Helper DLL Registration [windows]
T1050 New Service
- Atomic Test #1: Service Installation [windows]
- Atomic Test #2: Service Installation PowerShell Installs A Local Service using PowerShell [windows]
T1137 Office Application Startup
- Atomic Test #1: DDEAUTO [windows]
T1034 Path Interception
T1150 Plist Modification
- Atomic Test #1: Plist Modification [macos]
T1205 Port Knocking
T1013 Port Monitors
T1163 Rc.common
- Atomic Test #1: rc.common [macos]
T1164 Re-opened Applications
- Atomic Test #1: Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications [macos]
T1108 Redundant Access
T1060 Registry Run Keys / Start Folder
- Atomic Test #1: Reg Key Run [windows]
- Atomic Test #2: Reg Key RunOnce [windows]
- Atomic Test #3: PowerShell Registry RunOnce [windows]
- Atomic Test #4: Startup Folder [windows]
T1198 SIP and Trust Provider Hijacking
T1053 Scheduled Task
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
T1180 Screensaver
T1101 Security Support Provider
T1058 Service Registry Permissions Weakness
T1023 Shortcut Modification
T1165 Startup Items
- Atomic Test #1: Startup Items [macos]
T1019 System Firmware
T1209 Time Providers
T1154 Trap
- Atomic Test #1: Trap [macos, centos, ubuntu, linux]
T1078 Valid Accounts
T1100 Web Shell
T1084 Windows Management Instrumentation Event Subscription
- Atomic Test #1: Persistence [windows]
- Atomic Test #2: Persistence Cleanup [windows]
T1004 Winlogon Helper DLL

defense-evasion

T1134 Access Token Manipulation
- Atomic Test #1: Access Token Manipulation [windows]
T1197 BITS Jobs
- Atomic Test #1: Download & Execute [windows]
- Atomic Test #2: Download & Execute via PowerShell BITS [windows]
T1009 Binary Padding
T1088 Bypass User Account Control
T1191 CMSTP
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
T1146 Clear Command History
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #2: Clear Bash history (echo) [linux, macos]
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #5: Clear Bash history (truncate) [linux]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
T1116 Code Signing
T1109 Component Firmware
T1122 Component Object Model Hijacking
- Atomic Test #1: PowerShell UAC Bypass [windows]
T1196 Control Panel Items
T1207 DCShadow
- Atomic Test #1: DCShadow - Mimikatz [windows]
T1038 DLL Search Order Hijacking
T1073 DLL Side-Loading
T1140 Deobfuscate/Decode Files or Information
- Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
T1089 Disabling Security Tools
- Atomic Test #1: Disable iptables firewall [linux]
- Atomic Test #2: Disable syslog [linux]
- Atomic Test #3: Disable Cb Response [linux]
- Atomic Test #4: Disable SELinux [linux]
- Atomic Test #5: Disable Carbon Black Response [macos]
- Atomic Test #6: Disable LittleSnitch [macos]
- Atomic Test #7: Disable OpenDNS Umbrella [macos]
T1211 Exploitation for Defense Evasion
T1181 Extra Window Memory Injection
T1107 File Deletion
- Atomic Test #1: Victim configuration [linux]
- Atomic Test #2: Delete a single file [linux]
- Atomic Test #3: Delete an entire folder [linux]
- Atomic Test #4: Overwrite and delete a file with shred [linux]
- Atomic Test #5: Victim configuration [windows]
- Atomic Test #6: Delete a single file - cmd [windows]
- Atomic Test #7: Delete an entire folder - cmd [windows]
- Atomic Test #8: Delete a single file - ps [windows]
- Atomic Test #9: Delete an entire folder - ps [windows]
- Atomic Test #10: Delete VSS - vssadmin [windows]
- Atomic Test #11: Delete VSS - wmic [windows]
- Atomic Test #12: bcdedit [windows]
- Atomic Test #13: wbadmin [windows]
T1006 File System Logical Offsets
T1144 Gatekeeper Bypass
- Atomic Test #1: Gatekeeper Bypass [macos]
T1148 HISTCONTROL
T1158 Hidden Files and Directories
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #2: Mac Hidden file [macos]
- Atomic Test #3: Hidden file [macos, linux]
- Atomic Test #4: Hidden files [macos]
- Atomic Test #5: Hide a Directory [macos]
- Atomic Test #6: Show all hidden files [macos]
- Atomic Test #7: Create visible Directories [macos, linux]
- Atomic Test #8: Create hidden directories and files [macos, linux]
T1147 Hidden Users
- Atomic Test #1: Hidden Users [macos]
T1143 Hidden Window
T1183 Image File Execution Options Injection
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO GLobal Flags [windows]
T1054 Indicator Blocking
T1066 Indicator Removal from Tools
T1070 Indicator Removal on Host
- Atomic Test #1: Clear Logs [windows]
- Atomic Test #2: FSUtil [windows]
- Atomic Test #3: rm -rf [macos, linux]
T1202 Indirect Command Execution
- Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
- Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
T1130 Install Root Certificate
- Atomic Test #1: Install root CA on CentOS/RHEL [linux]
T1118 InstallUtil
- Atomic Test #1: InstallUtil uninstall method call [windows]
T1149 LC_MAIN Hijacking
T1152 Launchctl
- Atomic Test #1: Launchctl [macos]
T1036 Masquerading
T1112 Modify Registry
T1170 Mshta
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
T1096 NTFS File Attributes
- Atomic Test #1: Alternate Data Streams (ADS) [windows]
T1126 Network Share Connection Removal
T1027 Obfuscated Files or Information
T1150 Plist Modification
- Atomic Test #1: Plist Modification [macos]
T1205 Port Knocking
T1186 Process Doppelgänging
T1093 Process Hollowing
T1055 Process Injection
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Process Injection via PowerSploit [windows]
T1108 Redundant Access
T1121 Regsvcs/Regasm
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvs Uninstall Method Call Test [windows]
T1117 Regsvr32
- Atomic Test #1: Regsvr32 local COM scriptlet execution [windows]
- Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
- Atomic Test #3: Regsvr32 local DLL execution [windows]
T1014 Rootkit
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #3: LD_PRELOAD based Rootkit [linux]
T1085 Rundll32
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
T1198 SIP and Trust Provider Hijacking
T1064 Scripting
T1218 Signed Binary Proxy Execution
T1216 Signed Script Proxy Execution
T1045 Software Packing
T1151 Space after Filename
- Atomic Test #1: Space After Filename [macos]
T1099 Timestomp
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
T1127 Trusted Developer Utilities
- Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
T1078 Valid Accounts
T1102 Web Service

privilege-escalation

T1134 Access Token Manipulation
- Atomic Test #1: Access Token Manipulation [windows]
T1015 Accessibility Features
- Atomic Test #1: Attaches Command Prompt As Debugger To Process - osk [windows]
- Atomic Test #2: Attaches Command Prompt As Debugger To Process - sethc [windows]
- Atomic Test #3: Attaches Command Prompt As Debugger To Process - utilman [windows]
- Atomic Test #4: Attaches Command Prompt As Debugger To Process - magnify [windows]
- Atomic Test #5: Attaches Command Prompt As Debugger To Process - narrator [windows]
- Atomic Test #6: Attaches Command Prompt As Debugger To Process - DisplaySwitch [windows]
- Atomic Test #7: Attaches Command Prompt As Debugger To Process - AtBroker [windows]
T1182 AppCert DLLs
T1103 AppInit DLLs
- Atomic Test #1: Install AppInit Shim [windows]
T1138 Application Shimming
- Atomic Test #1: Application Shim Installation [windows]
T1088 Bypass User Account Control
T1038 DLL Search Order Hijacking
T1157 Dylib Hijacking
T1068 Exploitation for Privilege Escalation
T1181 Extra Window Memory Injection
T1044 File System Permissions Weakness
T1179 Hooking
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
T1183 Image File Execution Options Injection
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO GLobal Flags [windows]
T1160 Launch Daemon
- Atomic Test #1: Launch Daemon [macos]
T1050 New Service
- Atomic Test #1: Service Installation [windows]
- Atomic Test #2: Service Installation PowerShell Installs A Local Service using PowerShell [windows]
T1034 Path Interception
T1150 Plist Modification
- Atomic Test #1: Plist Modification [macos]
T1013 Port Monitors
T1055 Process Injection
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Process Injection via PowerSploit [windows]
T1178 SID-History Injection
T1053 Scheduled Task
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
T1058 Service Registry Permissions Weakness
T1166 Setuid and Setgid
- Atomic Test #1: Setuid and Setgid [macos, centos, ubuntu, linux]
T1165 Startup Items
- Atomic Test #1: Startup Items [macos]
T1169 Sudo
T1206 Sudo Caching
T1078 Valid Accounts
T1100 Web Shell

discovery

T1087 Account Discovery
- Atomic Test #1: List all accounts [linux, macos]
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- Atomic Test #4: List opened files by user [linux, macos]
- Atomic Test #5: Show if a user account has ever logger in remotely [linux, macos]
- Atomic Test #6: Enumerate Groups and users [linux, macos]
T1010 Application Window Discovery
T1217 Browser Bookmark Discovery
T1083 File and Directory Discovery
- Atomic Test #1: File and Directory Discovery [windows]
- Atomic Test #2: nix file and diectory discovery [macos, linux]
- Atomic Test #3: nix file and diectory discovery [macos, linux]
T1046 Network Service Scanning
- Atomic Test #1: Scan a bunch of ports to see if they are open [linux, macos]
T1135 Network Share Discovery
- Atomic Test #1: Network Share Discovery [macos, linux]
T1201 Password Policy Discovery
T1120 Peripheral Device Discovery
T1069 Permission Groups Discovery
- Atomic Test #1: Permission Groups Discovery [macos, linux]
T1057 Process Discovery
- Atomic Test #1: Process Discovery - ps [macos, centos, ubuntu, linux]
T1012 Query Registry
- Atomic Test #1: Query Registry [windows]
T1018 Remote System Discovery
- Atomic Test #1: Remote System Discovery - net [windows]
- Atomic Test #2: Remote System Discover - ping sweep [windows]
- Atomic Test #3: Remote System Discover - arp [windows]
- Atomic Test #4: Remote System Discovery - arp nix [linux, macos]
- Atomic Test #5: Remote System Discovery - sweep [linux, macos]
T1063 Security Software Discovery
- Atomic Test #1: Security Software Discovery [windows]
- Atomic Test #2: Security Software Discovery - powershell [windows]
- Atomic Test #3: Security Software Discovery - ps [linux, macos]
T1082 System Information Discovery
- Atomic Test #1: System Information Discovery [windows]
- Atomic Test #2: System Information Discovery [linux, macos]
- Atomic Test #3: List OS Information [linux, macos]
T1016 System Network Configuration Discovery
- Atomic Test #1: System Network Configuration Discovery [windows]
- Atomic Test #2: System Network Configuration Discovery [macos, linux]
T1049 System Network Connections Discovery
T1033 System Owner/User Discovery
- Atomic Test #1: System Owner/User Discovery [windows]
- Atomic Test #2: System Owner/User Discovery [linux, macos]
T1007 System Service Discovery
- Atomic Test #1: System Service Discovery [windows]
T1124 System Time Discovery
- Atomic Test #1: System Time Discovery - PowerShell [windows]

credential-access

T1098 Account Manipulation
- Atomic Test #1: Admin Account Manipulate [windows]
T1139 Bash History
- Atomic Test #1: xxxx [linux, macos]
T1110 Brute Force
- Atomic Test #1: Brute Force Credentials [windows]
T1003 Credential Dumping
- Atomic Test #1: Powershell Mimikatz [windows]
- Atomic Test #2: Gsecdump [windows]
- Atomic Test #3: Windows Credential Editor [windows]
- Atomic Test #4: Registry dump of SAM, creds, and secrets [windows]
T1081 Credentials in Files
- Atomic Test #1: Browser and System credentials [macos]
T1214 Credentials in Registry
T1212 Exploitation for Credential Access
T1187 Forced Authentication
T1179 Hooking
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
T1056 Input Capture
- Atomic Test #1: Input Capture [windows]
T1141 Input Prompt
- Atomic Test #1: Prompt User for Password [macos]
T1208 Kerberoasting
T1142 Keychain
- Atomic Test #1: Keychain [macos]
T1171 LLMNR/NBT-NS Poisoning
T1040 Network Sniffing
T1174 Password Filter DLL
T1145 Private Keys
- Atomic Test #1: Private Keys [windows]
T1091 Replication Through Removable Media
T1167 Securityd Memory
T1111 Two-Factor Authentication Interception

execution

T1155 AppleScript
- Atomic Test #1: AppleScript [macos]
T1191 CMSTP
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
T1059 Command-Line Interface
- Atomic Test #1: Command-Line Interface [macos, centos, ubuntu, linux]
T1196 Control Panel Items
T1173 Dynamic Data Exchange
- Atomic Test #1: Execute Commands [windows]
T1106 Execution through API
T1129 Execution through Module Load
T1203 Exploitation for Client Execution
T1061 Graphical User Interface
T1118 InstallUtil
- Atomic Test #1: InstallUtil uninstall method call [windows]
T1177 LSASS Driver
T1152 Launchctl
- Atomic Test #1: Launchctl [macos]
T1168 Local Job Scheduling
- Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron Job [macos, centos, ubuntu, linux]
T1170 Mshta
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
T1086 PowerShell
- Atomic Test #1: Mimikatz [windows]
- Atomic Test #2: BloodHound [windows]
- Atomic Test #3: Obfuscation Tests [windows]
- Atomic Test #4: Mimikatz - Cradlecraft PsSendKeys [windows]
- Atomic Test #5: Invoke-AppPathBypass [windows]
T1121 Regsvcs/Regasm
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvs Uninstall Method Call Test [windows]
T1117 Regsvr32
- Atomic Test #1: Regsvr32 local COM scriptlet execution [windows]
- Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
- Atomic Test #3: Regsvr32 local DLL execution [windows]
T1085 Rundll32
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
T1053 Scheduled Task
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
T1064 Scripting
T1035 Service Execution
T1218 Signed Binary Proxy Execution
T1216 Signed Script Proxy Execution
T1153 Source
T1151 Space after Filename
- Atomic Test #1: Space After Filename [macos]
T1072 Third-party Software
T1154 Trap
- Atomic Test #1: Trap [macos, centos, ubuntu, linux]
T1127 Trusted Developer Utilities
- Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
T1204 User Execution
T1047 Windows Management Instrumentation
- Atomic Test #1: WMI Reconnaissance Users [windows]
- Atomic Test #2: WMI Reconnaissance Processes [windows]
- Atomic Test #3: WMI Reconnaissance Software [windows]
- Atomic Test #4: WMI Reconnaissance List Remote Services [windows]
T1028 Windows Remote Management
- Atomic Test #1: Enable Windows Remote Management [windows]
- Atomic Test #2: PowerShell Lateral Movement [windows]
- Atomic Test #3: WMIC Process Call Create [windows]
- Atomic Test #4: Psexec [windows]

lateral-movement

T1155 AppleScript
- Atomic Test #1: AppleScript [macos]
T1017 Application Deployment Software
T1175 Distributed Component Object Model
T1210 Exploitation of Remote Services
T1037 Logon Scripts
- Atomic Test #1: Logon Scripts [windows]
- Atomic Test #2: Logon Scripts - Mac [macos]
T1075 Pass the Hash
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: Mimikatz Kerberos Ticket Attack [windows]
T1097 Pass the Ticket
T1076 Remote Desktop Protocol
- Atomic Test #1: RDP [windows]
T1105 Remote File Copy
- Atomic Test #1: xxxx [linux, macos]
T1021 Remote Services
T1091 Replication Through Removable Media
T1184 SSH Hijacking
T1051 Shared Webroot
T1080 Taint Shared Content
T1072 Third-party Software
T1077 Windows Admin Shares
- Atomic Test #1: TODO [windows]
T1028 Windows Remote Management
- Atomic Test #1: Enable Windows Remote Management [windows]
- Atomic Test #2: PowerShell Lateral Movement [windows]
- Atomic Test #3: WMIC Process Call Create [windows]
- Atomic Test #4: Psexec [windows]

collection

T1123 Audio Capture
- Atomic Test #1: SourceRecorder via Windows command prompt [windows]
- Atomic Test #2: PowerShell Cmdlet via Windows command prompt [windows]
T1119 Automated Collection
- Atomic Test #1: Automated Collection Command Prompt [windows]
- Atomic Test #2: Automated Collection PowerShell [windows]
T1115 Clipboard Data
- Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
- Atomic Test #2: PowerShell [windows]
T1074 Data Staged
- Atomic Test #1: Stage data from Discovery.bat [windows]
T1213 Data from Information Repositories
T1005 Data from Local System
T1039 Data from Network Shared Drive
T1025 Data from Removable Media
T1114 Email Collection
T1056 Input Capture
- Atomic Test #1: Input Capture [windows]
T1185 Man in the Browser
T1113 Screen Capture
- Atomic Test #1: Screencapture [macos]
- Atomic Test #2: Screencapture (silent) [macos]
- Atomic Test #3: X Windows Capture [linux]
- Atomic Test #4: Import [linux]
T1125 Video Capture

exfiltration

T1020 Automated Exfiltration
T1002 Data Compressed
- Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
- Atomic Test #2: Compress Data for Exfiltration With Rar [windows]
- Atomic Test #3: Data Compressed - nix [linux, macos]
T1022 Data Encrypted
- Atomic Test #1: Data Encrypted [macos, centos, ubuntu, linux]
T1030 Data Transfer Size Limits
- Atomic Test #1: Data Transfer Size Limits [macos, centos, ubuntu, linux]
T1048 Exfiltration Over Alternative Protocol
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, centos, ubuntu, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, centos, ubuntu, linux]
- Atomic Test #3: Exfiltration Over Alternative Protocol - HTTP [macos, centos, ubuntu, linux]
T1041 Exfiltration Over Command and Control Channel
T1011 Exfiltration Over Other Network Medium
T1052 Exfiltration Over Physical Medium
T1029 Scheduled Transfer

command-and-control

T1043 Commonly Used Port
T1092 Communication Through Removable Media
T1090 Connection Proxy
T1094 Custom Command and Control Protocol
T1024 Custom Cryptographic Protocol
T1132 Data Encoding
T1001 Data Obfuscation
T1172 Domain Fronting
T1008 Fallback Channels
T1104 Multi-Stage Channels
T1188 Multi-hop Proxy
T1026 Multiband Communication
T1079 Multilayer Encryption
T1205 Port Knocking
T1219 Remote Access Tools
T1105 Remote File Copy
- Atomic Test #1: xxxx [linux, macos]
T1071 Standard Application Layer Protocol
T1032 Standard Cryptographic Protocol
T1095 Standard Non-Application Layer Protocol
T1065 Uncommonly Used Port
T1102 Web Service

initial-access

T1189 Drive-by Compromise
T1190 Exploit Public-Facing Application
T1200 Hardware Additions
T1091 Replication Through Removable Media
T1193 Spearphishing Attachment
T1192 Spearphishing Link
T1194 Spearphishing via Service
T1195 Supply Chain Compromise
T1199 Trusted Relationship
T1078 Valid Accounts

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

index.md

index.md

All Atomic Tests by ATT&CK Tactic & Technique

persistence

defense-evasion

privilege-escalation

discovery

credential-access

execution

lateral-movement

collection

exfiltration

command-and-control

initial-access

Files

index.md

Latest commit

History

index.md

File metadata and controls

All Atomic Tests by ATT&CK Tactic & Technique

persistence

defense-evasion

privilege-escalation

discovery

credential-access

execution

lateral-movement

collection

exfiltration

command-and-control

initial-access