Skip to content

Hide Navigation Hide TOC

Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31)

Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled. This mitigation can be implemented through the following measures:

Remove Legacy Software:

  • Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash).
  • Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date.

Disable Unused Features:

  • Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required.
  • Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue.

Control Applications Installed by Users:

  • Use Case: Prevent users from installing unauthorized software via group policies or other management tools.
  • Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment.

Remove Unnecessary Services:

  • Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices.
  • Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations.

Restrict Add-ons and Plugins:

  • Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes.
  • Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks.
Cluster A Galaxy A Cluster B Galaxy B Level
InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Emond - T1546.014 (9c45eaa3-8604-4780-8988-b5074dbb9ecd) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Wordlist Scanning - T1595.003 (bed04f7d-e48a-4e76-bd0f-4c57fe31fc46) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Exfiltration Over Physical Medium - T1052 (e6415f09-df0e-48de-9aba-928c902b7549) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Communication Through Removable Media - T1092 (64196062-5210-42c3-9a02-563a0d1797ef) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern 1
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071) Attack Pattern 1
Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action JamPlus - T1127.003 (7d356151-a69d-404e-896b-71618952702a) Attack Pattern 1
ARP Cache Poisoning - T1557.002 (cabe189c-a0e3-4965-a473-dcff00f17213) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action MMC - T1218.014 (ffbcfdb0-de22-4106-9ed3-fc23c8a01407) Attack Pattern 1
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Additional Cloud Credentials - T1098.001 (8a2f40cf-8325-47f9-96e4-b1ca4c7389bd) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Regsvcs/Regasm - T1218.009 (c48a67ee-b657-45c1-91bf-6cdbe27205f8) Attack Pattern 1
Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
VBA Stomping - T1564.007 (c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Downgrade Attack - T1562.010 (824add00-99a1-4b15-9a2d-6c5683b7b497) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern 1
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961) Attack Pattern 1
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Cloud Application Integration - T1671 (c31aebd6-c9b5-420f-ba2a-5853bbf897fa) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Screensaver - T1546.002 (ce4b7013-640e-48a9-b501-d0025a95f4bf) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Container Administration Command - T1609 (7b50a1d3-4ca7-45d1-989d-a6503f04bfe1) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern 1
SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Direct Cloud VM Connections - T1021.008 (45241b9e-9bbc-4826-a2cc-78855e51ca09) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Electron Applications - T1218.015 (561ae9aa-c28a-4144-9eec-e7027a14c8c3) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 1
Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Escape to Host - T1611 (4a5b7ade-8bb5-4853-84ed-23f262002665) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Re-opened Applications - T1547.007 (e5cc9e7a-e61a-46a1-b869-55fb6eab058e) Attack Pattern 1
MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Exploitation of Remote Services - T1210 (9db0cf3a-a3c9-4012-8268-123b9db6fd82) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 1
Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Verclsid - T1218.012 (808e6329-ca91-4b87-ac2d-8eadc5f8f327) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action ClickOnce - T1127.002 (cc279e50-df85-4c8e-be80-6dc2eda8849c) Attack Pattern 1
Mavinject - T1218.013 (1bae753e-8e52-4055-a66d-2ead90303ca9) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) Attack Pattern 1
InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Emond - T1546.014 (9c45eaa3-8604-4780-8988-b5074dbb9ecd) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829) Attack Pattern Exfiltration Over Physical Medium - T1052 (e6415f09-df0e-48de-9aba-928c902b7549) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 2
Active Scanning - T1595 (67073dde-d720-45ae-83da-b12d5e73ca3b) Attack Pattern Wordlist Scanning - T1595.003 (bed04f7d-e48a-4e76-bd0f-4c57fe31fc46) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern 2
Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 2
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 2
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern JamPlus - T1127.003 (7d356151-a69d-404e-896b-71618952702a) Attack Pattern 2
ARP Cache Poisoning - T1557.002 (cabe189c-a0e3-4965-a473-dcff00f17213) Attack Pattern Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern 2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) Attack Pattern 2
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) Attack Pattern 2
MMC - T1218.014 (ffbcfdb0-de22-4106-9ed3-fc23c8a01407) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Additional Cloud Credentials - T1098.001 (8a2f40cf-8325-47f9-96e4-b1ca4c7389bd) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Regsvcs/Regasm - T1218.009 (c48a67ee-b657-45c1-91bf-6cdbe27205f8) Attack Pattern 2
Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern VBA Stomping - T1564.007 (c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Downgrade Attack - T1562.010 (824add00-99a1-4b15-9a2d-6c5683b7b497) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern 2
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 2
Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern 2
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961) Attack Pattern 2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Screensaver - T1546.002 (ce4b7013-640e-48a9-b501-d0025a95f4bf) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern 2
SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Direct Cloud VM Connections - T1021.008 (45241b9e-9bbc-4826-a2cc-78855e51ca09) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern 2
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 2
Electron Applications - T1218.015 (561ae9aa-c28a-4144-9eec-e7027a14c8c3) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 2
Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 2
Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
Re-opened Applications - T1547.007 (e5cc9e7a-e61a-46a1-b869-55fb6eab058e) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern 2
SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) Attack Pattern Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) Attack Pattern 2
Verclsid - T1218.012 (808e6329-ca91-4b87-ac2d-8eadc5f8f327) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern ClickOnce - T1127.002 (cc279e50-df85-4c8e-be80-6dc2eda8849c) Attack Pattern 2
Mavinject - T1218.013 (1bae753e-8e52-4055-a66d-2ead90303ca9) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 2
CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2