- T1134 Access Token Manipulation
- Atomic Test #1: Access Token Manipulation [windows]
- T1197 BITS Jobs
- Atomic Test #1: Download & Execute [windows]
- Atomic Test #2: Download & Execute via PowerShell BITS [windows]
- T1009 Binary Padding
- T1088 Bypass User Account Control
- T1191 CMSTP
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- T1116 Code Signing
- T1109 Component Firmware
- T1122 Component Object Model Hijacking
- Atomic Test #1: PowerShell UAC Bypass [windows]
- T1196 Control Panel Items
- T1207 DCShadow
- Atomic Test #1: DCShadow - Mimikatz [windows]
- T1038 DLL Search Order Hijacking
- T1073 DLL Side-Loading
- T1140 Deobfuscate/Decode Files or Information
- Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
- T1089 Disabling Security Tools
- T1211 Exploitation for Defense Evasion
- T1181 Extra Window Memory Injection
- T1107 File Deletion
- Atomic Test #5: Victim configuration [windows]
- Atomic Test #6: Delete a single file - cmd [windows]
- Atomic Test #7: Delete an entire folder - cmd [windows]
- Atomic Test #8: Delete a single file - ps [windows]
- Atomic Test #9: Delete an entire folder - ps [windows]
- Atomic Test #10: Delete VSS - vssadmin [windows]
- Atomic Test #11: Delete VSS - wmic [windows]
- Atomic Test #12: bcdedit [windows]
- Atomic Test #13: wbadmin [windows]
- T1006 File System Logical Offsets
- T1158 Hidden Files and Directories
- T1183 Image File Execution Options Injection
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO GLobal Flags [windows]
- T1054 Indicator Blocking
- T1066 Indicator Removal from Tools
- T1070 Indicator Removal on Host
- Atomic Test #1: Clear Logs [windows]
- Atomic Test #2: FSUtil [windows]
- T1202 Indirect Command Execution
- Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
- Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
- T1130 Install Root Certificate
- T1118 InstallUtil
- Atomic Test #1: InstallUtil uninstall method call [windows]
- T1036 Masquerading
- T1112 Modify Registry
- T1170 Mshta
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- T1096 NTFS File Attributes
- Atomic Test #1: Alternate Data Streams (ADS) [windows]
- T1126 Network Share Connection Removal
- T1027 Obfuscated Files or Information
- T1186 Process Doppelgänging
- T1093 Process Hollowing
- T1055 Process Injection
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Process Injection via PowerSploit [windows]
- T1108 Redundant Access
- T1121 Regsvcs/Regasm
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvs Uninstall Method Call Test [windows]
- T1117 Regsvr32
- Atomic Test #1: Regsvr32 local COM scriptlet execution [windows]
- Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
- Atomic Test #3: Regsvr32 local DLL execution [windows]
- T1014 Rootkit
- T1085 Rundll32
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- T1198 SIP and Trust Provider Hijacking
- T1064 Scripting
- T1218 Signed Binary Proxy Execution
- T1216 Signed Script Proxy Execution
- T1045 Software Packing
- T1099 Timestomp
- T1127 Trusted Developer Utilities
- Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
- T1078 Valid Accounts
- T1102 Web Service
- T1134 Access Token Manipulation
- Atomic Test #1: Access Token Manipulation [windows]
- T1015 Accessibility Features
- Atomic Test #1: Attaches Command Prompt As Debugger To Process - osk [windows]
- Atomic Test #2: Attaches Command Prompt As Debugger To Process - sethc [windows]
- Atomic Test #3: Attaches Command Prompt As Debugger To Process - utilman [windows]
- Atomic Test #4: Attaches Command Prompt As Debugger To Process - magnify [windows]
- Atomic Test #5: Attaches Command Prompt As Debugger To Process - narrator [windows]
- Atomic Test #6: Attaches Command Prompt As Debugger To Process - DisplaySwitch [windows]
- Atomic Test #7: Attaches Command Prompt As Debugger To Process - AtBroker [windows]
- T1182 AppCert DLLs
- T1103 AppInit DLLs
- Atomic Test #1: Install AppInit Shim [windows]
- T1138 Application Shimming
- Atomic Test #1: Application Shim Installation [windows]
- T1088 Bypass User Account Control
- T1038 DLL Search Order Hijacking
- T1068 Exploitation for Privilege Escalation
- T1181 Extra Window Memory Injection
- T1044 File System Permissions Weakness
- T1179 Hooking
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- T1183 Image File Execution Options Injection
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO GLobal Flags [windows]
- T1050 New Service
- Atomic Test #1: Service Installation [windows]
- Atomic Test #2: Service Installation PowerShell Installs A Local Service using PowerShell [windows]
- T1034 Path Interception
- T1013 Port Monitors
- T1055 Process Injection
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Process Injection via PowerSploit [windows]
- T1178 SID-History Injection
- T1053 Scheduled Task
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- T1058 Service Registry Permissions Weakness
- T1078 Valid Accounts
- T1100 Web Shell
- T1015 Accessibility Features
- Atomic Test #1: Attaches Command Prompt As Debugger To Process - osk [windows]
- Atomic Test #2: Attaches Command Prompt As Debugger To Process - sethc [windows]
- Atomic Test #3: Attaches Command Prompt As Debugger To Process - utilman [windows]
- Atomic Test #4: Attaches Command Prompt As Debugger To Process - magnify [windows]
- Atomic Test #5: Attaches Command Prompt As Debugger To Process - narrator [windows]
- Atomic Test #6: Attaches Command Prompt As Debugger To Process - DisplaySwitch [windows]
- Atomic Test #7: Attaches Command Prompt As Debugger To Process - AtBroker [windows]
- T1182 AppCert DLLs
- T1103 AppInit DLLs
- Atomic Test #1: Install AppInit Shim [windows]
- T1138 Application Shimming
- Atomic Test #1: Application Shim Installation [windows]
- T1131 Authentication Package
- T1197 BITS Jobs
- Atomic Test #1: Download & Execute [windows]
- Atomic Test #2: Download & Execute via PowerShell BITS [windows]
- T1067 Bootkit
- T1176 Browser Extensions
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- T1042 Change Default File Association
- Atomic Test #1: Change Default File Association [windows]
- T1109 Component Firmware
- T1122 Component Object Model Hijacking
- Atomic Test #1: PowerShell UAC Bypass [windows]
- T1136 Create Account
- T1038 DLL Search Order Hijacking
- T1133 External Remote Services
- T1044 File System Permissions Weakness
- T1158 Hidden Files and Directories
- T1179 Hooking
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- T1062 Hypervisor
- T1183 Image File Execution Options Injection
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO GLobal Flags [windows]
- T1177 LSASS Driver
- T1037 Logon Scripts
- Atomic Test #1: Logon Scripts [windows]
- T1031 Modify Existing Service
- T1128 Netsh Helper DLL
- Atomic Test #1: Netsh Helper DLL Registration [windows]
- T1050 New Service
- Atomic Test #1: Service Installation [windows]
- Atomic Test #2: Service Installation PowerShell Installs A Local Service using PowerShell [windows]
- T1137 Office Application Startup
- Atomic Test #1: DDEAUTO [windows]
- T1034 Path Interception
- T1013 Port Monitors
- T1108 Redundant Access
- T1060 Registry Run Keys / Start Folder
- Atomic Test #1: Reg Key Run [windows]
- Atomic Test #2: Reg Key RunOnce [windows]
- Atomic Test #3: PowerShell Registry RunOnce [windows]
- Atomic Test #4: Startup Folder [windows]
- T1198 SIP and Trust Provider Hijacking
- T1053 Scheduled Task
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- T1180 Screensaver
- T1101 Security Support Provider
- T1058 Service Registry Permissions Weakness
- T1023 Shortcut Modification
- T1019 System Firmware
- T1209 Time Providers
- T1078 Valid Accounts
- T1100 Web Shell
- T1084 Windows Management Instrumentation Event Subscription
- Atomic Test #1: Persistence [windows]
- Atomic Test #2: Persistence Cleanup [windows]
- T1004 Winlogon Helper DLL
- T1087 Account Discovery
- T1010 Application Window Discovery
- T1217 Browser Bookmark Discovery
- T1083 File and Directory Discovery
- Atomic Test #1: File and Directory Discovery [windows]
- T1046 Network Service Scanning
- T1135 Network Share Discovery
- T1201 Password Policy Discovery
- T1120 Peripheral Device Discovery
- T1069 Permission Groups Discovery
- T1057 Process Discovery
- T1012 Query Registry
- Atomic Test #1: Query Registry [windows]
- T1018 Remote System Discovery
- Atomic Test #1: Remote System Discovery - net [windows]
- Atomic Test #2: Remote System Discover - ping sweep [windows]
- Atomic Test #3: Remote System Discover - arp [windows]
- T1063 Security Software Discovery
- Atomic Test #1: Security Software Discovery [windows]
- Atomic Test #2: Security Software Discovery - powershell [windows]
- T1082 System Information Discovery
- Atomic Test #1: System Information Discovery [windows]
- T1016 System Network Configuration Discovery
- Atomic Test #1: System Network Configuration Discovery [windows]
- T1049 System Network Connections Discovery
- T1033 System Owner/User Discovery
- Atomic Test #1: System Owner/User Discovery [windows]
- T1007 System Service Discovery
- Atomic Test #1: System Service Discovery [windows]
- T1124 System Time Discovery
- Atomic Test #1: System Time Discovery - PowerShell [windows]
- T1098 Account Manipulation
- Atomic Test #1: Admin Account Manipulate [windows]
- T1110 Brute Force
- Atomic Test #1: Brute Force Credentials [windows]
- T1003 Credential Dumping
- Atomic Test #1: Powershell Mimikatz [windows]
- Atomic Test #2: Gsecdump [windows]
- Atomic Test #3: Windows Credential Editor [windows]
- Atomic Test #4: Registry dump of SAM, creds, and secrets [windows]
- T1081 Credentials in Files
- T1214 Credentials in Registry
- T1212 Exploitation for Credential Access
- T1187 Forced Authentication
- T1179 Hooking
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- T1056 Input Capture
- Atomic Test #1: Input Capture [windows]
- T1208 Kerberoasting
- T1171 LLMNR/NBT-NS Poisoning
- T1040 Network Sniffing
- T1174 Password Filter DLL
- T1145 Private Keys
- Atomic Test #1: Private Keys [windows]
- T1091 Replication Through Removable Media
- T1111 Two-Factor Authentication Interception
- T1017 Application Deployment Software
- T1175 Distributed Component Object Model
- T1210 Exploitation of Remote Services
- T1037 Logon Scripts
- Atomic Test #1: Logon Scripts [windows]
- T1075 Pass the Hash
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: Mimikatz Kerberos Ticket Attack [windows]
- T1097 Pass the Ticket
- T1076 Remote Desktop Protocol
- Atomic Test #1: RDP [windows]
- T1105 Remote File Copy
- T1021 Remote Services
- T1091 Replication Through Removable Media
- T1051 Shared Webroot
- T1080 Taint Shared Content
- T1072 Third-party Software
- T1077 Windows Admin Shares
- Atomic Test #1: TODO [windows]
- T1028 Windows Remote Management
- Atomic Test #1: Enable Windows Remote Management [windows]
- Atomic Test #2: PowerShell Lateral Movement [windows]
- Atomic Test #3: WMIC Process Call Create [windows]
- Atomic Test #4: Psexec [windows]
- T1123 Audio Capture
- Atomic Test #1: SourceRecorder via Windows command prompt [windows]
- Atomic Test #2: PowerShell Cmdlet via Windows command prompt [windows]
- T1119 Automated Collection
- Atomic Test #1: Automated Collection Command Prompt [windows]
- Atomic Test #2: Automated Collection PowerShell [windows]
- T1115 Clipboard Data
- Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
- Atomic Test #2: PowerShell [windows]
- T1074 Data Staged
- Atomic Test #1: Stage data from Discovery.bat [windows]
- T1213 Data from Information Repositories
- T1005 Data from Local System
- T1039 Data from Network Shared Drive
- T1025 Data from Removable Media
- T1114 Email Collection
- T1056 Input Capture
- Atomic Test #1: Input Capture [windows]
- T1185 Man in the Browser
- T1113 Screen Capture
- T1125 Video Capture
- T1020 Automated Exfiltration
- T1002 Data Compressed
- Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
- Atomic Test #2: Compress Data for Exfiltration With Rar [windows]
- T1022 Data Encrypted
- T1030 Data Transfer Size Limits
- T1048 Exfiltration Over Alternative Protocol
- T1041 Exfiltration Over Command and Control Channel
- T1011 Exfiltration Over Other Network Medium
- T1052 Exfiltration Over Physical Medium
- T1029 Scheduled Transfer
- T1191 CMSTP
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- T1059 Command-Line Interface
- T1196 Control Panel Items
- T1173 Dynamic Data Exchange
- Atomic Test #1: Execute Commands [windows]
- T1106 Execution through API
- T1129 Execution through Module Load
- T1203 Exploitation for Client Execution
- T1061 Graphical User Interface
- T1118 InstallUtil
- Atomic Test #1: InstallUtil uninstall method call [windows]
- T1177 LSASS Driver
- T1170 Mshta
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- T1086 PowerShell
- Atomic Test #1: Mimikatz [windows]
- Atomic Test #2: BloodHound [windows]
- Atomic Test #3: Obfuscation Tests [windows]
- Atomic Test #4: Mimikatz - Cradlecraft PsSendKeys [windows]
- Atomic Test #5: Invoke-AppPathBypass [windows]
- Atomic Test #6: PowerShell Add User [windows]
- T1121 Regsvcs/Regasm
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvs Uninstall Method Call Test [windows]
- T1117 Regsvr32
- Atomic Test #1: Regsvr32 local COM scriptlet execution [windows]
- Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
- Atomic Test #3: Regsvr32 local DLL execution [windows]
- T1085 Rundll32
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- T1053 Scheduled Task
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- T1064 Scripting
- T1035 Service Execution
- T1218 Signed Binary Proxy Execution
- T1216 Signed Script Proxy Execution
- T1072 Third-party Software
- T1127 Trusted Developer Utilities
- Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
- T1204 User Execution
- T1047 Windows Management Instrumentation
- Atomic Test #1: WMI Reconnaissance Users [windows]
- Atomic Test #2: WMI Reconnaissance Processes [windows]
- Atomic Test #3: WMI Reconnaissance Software [windows]
- Atomic Test #4: WMI Reconnaissance List Remote Services [windows]
- T1028 Windows Remote Management
- Atomic Test #1: Enable Windows Remote Management [windows]
- Atomic Test #2: PowerShell Lateral Movement [windows]
- Atomic Test #3: WMIC Process Call Create [windows]
- Atomic Test #4: Psexec [windows]
- T1043 Commonly Used Port
- T1092 Communication Through Removable Media
- T1090 Connection Proxy
- T1094 Custom Command and Control Protocol
- T1024 Custom Cryptographic Protocol
- T1132 Data Encoding
- T1001 Data Obfuscation
- T1172 Domain Fronting
- T1008 Fallback Channels
- T1104 Multi-Stage Channels
- T1188 Multi-hop Proxy
- T1026 Multiband Communication
- T1079 Multilayer Encryption
- T1219 Remote Access Tools
- T1105 Remote File Copy
- T1071 Standard Application Layer Protocol
- T1032 Standard Cryptographic Protocol
- T1095 Standard Non-Application Layer Protocol
- T1065 Uncommonly Used Port
- T1102 Web Service