Some scripts useful for red team activities
Covered MITRE ATT&CK Tactics & Techniques (https://attack.mitre.org/):
Initial Access:
T1192 - Spearphishing Link - https://attack.mitre.org/techniques/T1192/
T1193 - Spearphishing Attachment - https://attack.mitre.org/techniques/T1193/
Execution:
T1047 - Windows Management Instrumentation - https://attack.mitre.org/techniques/T1047/
T1059 - Command-Line Interface - https://attack.mitre.org/techniques/T1059/
T1061 - Graphical User Interface - https://attack.mitre.org/techniques/T1061/
T1064 - Scripting https://attack.mitre.org/techniques/T1064/
T1085 - Rundll32 - https://attack.mitre.org/techniques/T1085/
T1086 - PowerShell - https://attack.mitre.org/techniques/T1086/
T1127 - Trusted Developer Utilities - https://attack.mitre.org/techniques/T1127/
T1170 - Mshta (TBD) - https://attack.mitre.org/techniques/T1170/
Persistence:
T1060 - Registry Run Keys / Startup Folder - https://attack.mitre.org/techniques/T1060/
Defense Evasion:
T1027 - Obfuscated Files or Information - https://attack.mitre.org/techniques/T1027/
T1107 - File Deletion - https://attack.mitre.org/techniques/T1107/
T1140 - Deobfuscate/Decode Files or Information - https://attack.mitre.org/techniques/T1140/
T1143 - Hidden Window - https://attack.mitre.org/techniques/T1143/
Credential Access:
T1003 - Credential Dumping - https://attack.mitre.org/techniques/T1003/
T1081 - Credentials in Files - https://attack.mitre.org/techniques/T1081/
T1214 - Credentials in Registry (TBD) - https://attack.mitre.org/techniques/T1214/
T1503 - Credentials from Web Browsers - https://attack.mitre.org/techniques/T1503/
Discovery:
T1007 - System Service Discovery - https://attack.mitre.org/techniques/T1007/
T1010 - Application Window Discovery - https://attack.mitre.org/techniques/T1010/
T1016 - System Network Configuration Discovery - https://attack.mitre.org/techniques/T1016/
T1018 - Remote System Discovery - https://attack.mitre.org/techniques/T1018/
T1033 - System Owner/User Discovery - https://attack.mitre.org/techniques/T1033/
T1049 - System Network Connections Discovery - https://attack.mitre.org/techniques/T1049/
T1057 - Process Discovery - https://attack.mitre.org/techniques/T1057/
T1063 - Security Software Discovery - https://attack.mitre.org/techniques/T1063/
T1069 - Permission Groups Discovery - https://attack.mitre.org/techniques/T1069/
T1082 - System Information Discovery - https://attack.mitre.org/techniques/T1082/
T1083 - File and Directory Discovery - https://attack.mitre.org/techniques/T1083/
T1087 - Account Discovery - https://attack.mitre.org/techniques/T1087/
T1135 - Network Share Discovery - https://attack.mitre.org/techniques/T1135/
T1217 - Browser Bookmark Discovery - https://attack.mitre.org/techniques/T1217/
T1201 - Password Policy Discovery - https://attack.mitre.org/techniques/T1201/
T1518 - Software Discovery - https://attack.mitre.org/techniques/T1518/
Collection:
T1005 - Data from Local System - https://attack.mitre.org/techniques/T1005/
T1056 - Input Capture - https://attack.mitre.org/techniques/T1056/
T1074 - Data Staged - https://attack.mitre.org/techniques/T1074/
T1113 - Screen Capture - https://attack.mitre.org/techniques/T1113/
T1119 - Automated Collection - https://attack.mitre.org/techniques/T1119/
T1123 - Audio Capture - https://attack.mitre.org/techniques/T1123/
T1125 - Video Capture (TBD) - https://attack.mitre.org/techniques/T1125/
Command and Control & Exfiltration:
T1020 - Automated Exfiltration - https://attack.mitre.org/techniques/T1020/
T1043 - Commonly Used Port - https://attack.mitre.org/tactics/TA0011/
T1537 - Transfer Data to Cloud Account - https://attack.mitre.org/techniques/T1537/