Hide Navigation Hide TOC

Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)

Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as cmd.exe, bash, zsh, PowerShell, or programmatic execution. Examples:

• Windows Command Prompt
  • dir – Lists directory contents.
  • net user – Queries or manipulates user accounts.
  • tasklist – Lists running processes.
• PowerShell
  • Get-Process – Retrieves processes running on a system.
  • Set-ExecutionPolicy – Changes PowerShell script execution policies.
  • Invoke-WebRequest – Downloads remote resources.
• Linux Shell
  • ls – Lists files in a directory.
  • cat /etc/passwd – Reads the user accounts file.
  • curl http://malicious-site.com – Retrieves content from a malicious URL.
• Container Environments
  • docker exec – Executes a command inside a running container.
  • kubectl exec – Runs commands in Kubernetes pods.
• macOS Terminal
  • open – Opens files or URLs.
  • dscl . -list /Users – Lists all users on the system.
  • osascript -e – Executes AppleScript commands.

This data component can be collected through the following measures:

Enable Command Logging

• Windows:
  • Enable PowerShell logging: Set-ExecutionPolicy Bypass, Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1
  • Enable Windows Event Logging:
    • Event ID 4688: Tracks process creation, including command-line arguments.
    • Event ID 4104: Logs PowerShell script block execution.
• Linux/macOS:
  • Enable shell history logging in .bashrc or .zshrc: export HISTTIMEFORMAT="%d/%m/%y %T ", export PROMPT_COMMAND='history -a; history -w'
  • Use audit frameworks (e.g., auditd) to log command executions. Example rule to log all execve syscalls: -a always,exit -F arch=b64 -S execve -k cmd_exec
• Containers:
  • Use runtime-specific tools like Docker’s --log-driver or Kubernetes Audit Logs to capture exec commands.

Integrate with Centralized Logging

• Collect logs using a SIEM (e.g., Splunk) or cloud-based log aggregation tools like AWS CloudWatch or Azure Monitor. Example Splunk Search for Windows Event 4688: index=windows EventID=4688 CommandLine=*

Use Endpoint Detection and Response (EDR) Tools

• Monitor command executions via EDR solutions

Deploy Sysmon for Advanced Logging (Windows)

• Use Sysmon's Event ID 1 to log process creation with command-line arguments

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Login Hook - T1037.002 (43ba2b05-cf72-4b6c-8243-03a4aba41ee0)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Compiled HTML File - T1218.001 (a6937325-9321-4e2e-bb2b-3ed2d40b2a9d)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0)	Attack Pattern	1
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	System Shutdown/Reboot - T1529 (ff73aa03-0090-4464-83ac-f89e233c02bc)	Attack Pattern	1
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Exclusive Control - T1668 (dff263cc-328e-42b4-afbc-1fee8b6a8913)	Attack Pattern	1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Add-ins - T1137.006 (34f1d81d-fe88-4f97-bd3b-a3164536255d)	Attack Pattern	1
Regsvcs/Regasm - T1218.009 (c48a67ee-b657-45c1-91bf-6cdbe27205f8)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac)	Attack Pattern	1
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Cloud Administration Command - T1651 (d94b3ae9-8059-4989-8e9f-ea0f601f80a7)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Group Policy Discovery - T1615 (1b20efbf-8063-4fc3-a07d-b575318a301b)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	1
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	RC Scripts - T1037.004 (dca670cf-eeec-438f-8185-fd959d9ef211)	Attack Pattern	1
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Malicious Image - T1204.003 (b0c74ef9-c61e-4986-88cb-78da98a355ec)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Systemd Timers - T1053.006 (a542bac9-7bc1-4da7-9a09-96f69e23cc21)	Attack Pattern	1
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Startup Items - T1037.005 (c0dfe7b0-b873-4618-9ff8-53e31f70907f)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Cloud Groups - T1069.003 (16e94db9-b5b1-4cd0-b851-f38fbd0a70f2)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	1
Disk Structure Wipe - T1561.002 (0af0ca99-357d-4ba1-805f-674fdfb7bef9)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Email Account - T1087.003 (4bc31b94-045b-4752-8920-aebaebdb6470)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	IIS Components - T1505.004 (b46a801b-fd98-491c-a25a-bca25d6e3001)	Attack Pattern	1
AppleScript - T1059.002 (37b11151-1776-4f8f-b328-30939fbf2ceb)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c)	Attack Pattern	1
Cloud Account - T1087.004 (8f104855-e5b7-4077-b1f5-bc3103b41abe)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Outlook Home Page - T1137.004 (bf147104-abf9-4221-95d1-e81585859441)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	1
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
PubPrn - T1216.001 (09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Setuid and Setgid - T1548.001 (6831414d-bb70-42b7-8030-d4e06b2660c9)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Cloud API - T1059.009 (55bb4471-ff1f-43b4-88c1-c9384ec47abf)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	System Script Proxy Execution - T1216 (f6fe9070-7a65-49ea-ae72-76292f42cebe)	Attack Pattern	1
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Lua - T1059.011 (afddee82-3385-4682-ad90-eeced33f2d07)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58)	Attack Pattern	1
SyncAppvPublishingServer - T1216.002 (e6f19759-dde3-47fc-99cc-d9f5fa4ade60)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
ClickOnce - T1127.002 (cc279e50-df85-4c8e-be80-6dc2eda8849c)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	1
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Image File Execution Options Injection - T1546.012 (6d4a7fb3-5a24-42be-ae61-6728a2b581f6)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107)	Attack Pattern	1
Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Control Panel - T1218.002 (4ff5d6a8-c062-4c68-a778-36fc5edd564f)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	1
Unix Shell - T1623.001 (693cdbff-ea73-49c6-ac3f-91e7285c31d1)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Office Test - T1137.002 (ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Command and Scripting Interpreter - T1623 (29f1f56c-7b7a-4c14-9e39-59577ea2743c)	Attack Pattern	1
Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803)	Attack Pattern	1
Device Driver Discovery - T1652 (215d9700-5881-48b8-8265-6449dbb7195d)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Launchctl - T1569.001 (810aa4ad-61c9-49cb-993f-daa06199421d)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334)	Attack Pattern	1
Downgrade Attack - T1562.010 (824add00-99a1-4b15-9a2d-6c5683b7b497)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Data from Network Shared Drive - T1039 (ae676644-d2d2-41b7-af7e-9bed1b55898c)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Hypervisor CLI - T1059.012 (d2d642da-61ff-4211-b4df-7923c9ca220c)	Attack Pattern	1
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Screensaver - T1546.002 (ce4b7013-640e-48a9-b501-d0025a95f4bf)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Outlook Forms - T1137.003 (a9e2cea0-c805-4bf8-9e31-f5f0513a3634)	Attack Pattern	1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Gatekeeper Bypass - T1553.001 (31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5)	Attack Pattern	1
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Systemctl - T1569.003 (4b46767d-4a61-4f30-995e-c19a75c2e536)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8)	Attack Pattern	1
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Outlook Rules - T1137.005 (3d1b9d7e-3921-4d25-845a-7d9f15c0da44)	Attack Pattern	1
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Trap - T1546.005 (63220765-d418-44de-8fae-694b3912317d)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Netsh Helper DLL - T1546.007 (f63fe421-b1d1-45c0-b8a7-02cd16ff2bed)	Attack Pattern	1
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
AppInit DLLs - T1546.010 (cc89ecbd-3d33-4a41-bcca-001e702d18fd)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Exfiltration Over Webhook - T1567.004 (43f2776f-b4bd-4118-94b8-fee47e69676d)	Attack Pattern	1
Email Hiding Rules - T1564.008 (0cf55441-b176-4332-89e7-2c4c7799d0ff)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	1
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Verclsid - T1218.012 (808e6329-ca91-4b87-ac2d-8eadc5f8f327)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Mavinject - T1218.013 (1bae753e-8e52-4055-a66d-2ead90303ca9)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Virtual Machine Discovery - T1673 (6bc7f9aa-b91f-4b23-84b8-5e756eba68eb)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Ignore Process Interrupts - T1564.011 (4a2975db-414e-4c0c-bd92-775987514b4b)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	MMC - T1218.014 (ffbcfdb0-de22-4106-9ed3-fc23c8a01407)	Attack Pattern	1
Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
XDG Autostart Entries - T1547.013 (e0232cb0-ded5-4c2e-9dc7-2893142a5c11)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
COR_PROFILER - T1574.012 (ffeb0780-356e-4261-b036-cfb6bd234335)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Emond - T1546.014 (9c45eaa3-8604-4780-8988-b5074dbb9ecd)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b)	Attack Pattern	1
Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Bash History - T1552.003 (8187bd2a-866f-4457-9009-86b0ddedffa3)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c)	Attack Pattern	1
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	1
Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Plist File Modification - T1647 (7d20fff9-8751-404e-badd-ccd71bda0236)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Trust Modification - T1484.002 (24769ab5-14bd-4f4e-a752-cfb185da53ee)	Attack Pattern	1
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
TFTP Boot - T1542.005 (28abec6c-4443-4b03-8206-07f2e264a6b4)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	1
Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d)	Attack Pattern	1
AutoHotKey & AutoIT - T1059.010 (3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Authentication Package - T1547.002 (b8cfed42-6a8a-4989-ad72-541af74475ec)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3)	Attack Pattern	1
Direct Volume Access - T1006 (0c8ab3eb-df48-4b9c-ace7-beacaac81cc5)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Bandwidth Hijacking - T1496.002 (718cb208-6446-4572-a2f0-9c799c60091e)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Securityd Memory - T1555.002 (1a80d097-54df-41d8-9d33-34e755ec5e72)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Container API - T1552.007 (f8ef3a62-3f44-40a4-abca-761ab235c436)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Password Policy Discovery - T1201 (b6075259-dba3-44e9-87c7-e954f37ec0d5)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Wi-Fi Discovery - T1016.002 (494ab9f0-36e0-4b06-b10d-57285b040a06)	Attack Pattern	1
Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	/etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf)	Attack Pattern	1
Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	1
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Indirect Command Execution - T1202 (3b0e52ce-517a-4614-a523-1bd5deef6c5e)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Re-opened Applications - T1547.007 (e5cc9e7a-e61a-46a1-b869-55fb6eab058e)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Launch Daemon - T1543.004 (573ad264-1371-4ae0-8482-d2673b719dba)	Attack Pattern	1
Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Container Service - T1543.005 (b0e54bf7-835e-4f44-bd8e-62f431b9b76a)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Clear Mailbox Data - T1070.008 (438c967d-3996-4870-bfc2-3954752a1927)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Time Providers - T1547.003 (61afc315-860c-4364-825d-0d62b2e91edc)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf)	Attack Pattern	1
Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Software Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8)	Attack Pattern	1
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819)	Attack Pattern	1
Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Change Default File Association - T1546.001 (98034fef-d9fb-4667-8dc4-2eab6231724c)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Exfiltration to Code Repository - T1567.001 (86a96bf6-cf8b-411c-aaeb-8959944d64f7)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Linux and Mac File and Directory Permissions Modification - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Impair Command History Logging - T1562.003 (8f504411-cb96-4dac-a537-8d2bb7679c59)	Attack Pattern	1
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	LC_LOAD_DYLIB Addition - T1546.006 (10ff21b9-5a01-4268-a1b5-3b55015f1847)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	1
User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	1
Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Data Destruction - T1662 (9ef14445-6f35-4ed0-a042-5024f13a9242)	Attack Pattern	1
Remote Data Staging - T1074.002 (359b00ad-9425-420b-bba5-6de8d600cbc0)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	1
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Compile After Delivery - T1027.004 (c726e0a2-a57a-4b7b-a973-d0f013246617)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0)	Attack Pattern	1
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	TCC Manipulation - T1548.006 (e8a0a025-3601-4755-abfb-8d08283329fb)	Attack Pattern	1
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
AppCert DLLs - T1546.009 (7d57b371-10c2-45e5-b3cc-83a8fb380e4c)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Resource Forking - T1564.009 (b22e5153-ac28-4cc6-865c-2054e36285cb)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	GUI Input Capture - T1056.002 (a2029942-0a85-4947-b23c-ca434698171d)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Unix Shell Configuration Modification - T1546.004 (b63a34e8-0a61-4c97-a23b-bf8a2ed812e2)	Attack Pattern	1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Network Logon Script - T1037.003 (c63a348e-ffc2-486a-b9d9-d7f11ec54d99)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Kernel Modules and Extensions - T1547.006 (a1b52199-c8c5-438a-9ded-656f1d0888c6)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Power Settings - T1653 (ea071aa0-8f17-416f-ab0d-2bab7e79003d)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21)	Attack Pattern	1
Container Administration Command - T1609 (7b50a1d3-4ca7-45d1-989d-a6503f04bfe1)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Reversible Encryption - T1556.005 (d50955c2-272d-4ac8-95da-10c29dda1c48)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Services Registry Permissions Weakness - T1574.011 (17cc750b-e95b-4d7d-9dde-49e0de24148c)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001 (79a4052e-1a89-4b09-aea6-51f1d11fe19c)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae)	Attack Pattern	1
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Log Enumeration - T1654 (866d0d6d-02c6-42bd-aa2f-02907fdc0969)	Attack Pattern	1
Electron Applications - T1218.015 (561ae9aa-c28a-4144-9eec-e7027a14c8c3)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Application Shimming - T1546.011 (42fe883a-21ea-4cfb-b94a-78b6476dcc83)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Clear Linux or Mac System Logs - T1070.002 (2bce5b30-7014-4a5d-ade7-12913fe6ac36)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Bind Mounts - T1564.013 (5bd41255-a224-4425-a2e2-e9d293eafe1c)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Clear Network Connection History and Configurations - T1070.007 (3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	PowerShell Profile - T1546.013 (0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995)	Attack Pattern	1
Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Extended Attributes - T1564.014 (762e6f29-a62f-4d96-91ed-d0073181431f)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67)	Attack Pattern	1
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Windows File and Directory Permissions Modification - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee)	Attack Pattern	1
Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4)	Attack Pattern	1
Terminal Services DLL - T1505.005 (379809f6-2fac-42c1-bd2e-e9dee70b27f8)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Installer Packages - T1546.016 (da051493-ae9c-4b1b-9760-c009c46c9b56)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6)	Attack Pattern	1
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
vSphere Installation Bundles - T1505.006 (f8ba7d61-11c5-4130-bafd-7c3ff5fbf4b5)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Disable or Modify Linux Audit System - T1562.012 (562e9b64-7239-493d-80f4-2bff900d9054)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Exfiltration Over Physical Medium - T1052 (e6415f09-df0e-48de-9aba-928c902b7549)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	1
Network Device CLI - T1059.008 (818302b2-d640-477b-bf88-873120ce85c4)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	1
Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)	mitre-data-component	Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a)	Attack Pattern	1
Login Hook - T1037.002 (43ba2b05-cf72-4b6c-8243-03a4aba41ee0)	Attack Pattern	Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334)	Attack Pattern	2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Compiled HTML File - T1218.001 (a6937325-9321-4e2e-bb2b-3ed2d40b2a9d)	Attack Pattern	2
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f)	Attack Pattern	Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0)	Attack Pattern	2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53)	Attack Pattern	Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21)	Attack Pattern	2
System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19)	Attack Pattern	System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	2
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53)	Attack Pattern	Add-ins - T1137.006 (34f1d81d-fe88-4f97-bd3b-a3164536255d)	Attack Pattern	2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Regsvcs/Regasm - T1218.009 (c48a67ee-b657-45c1-91bf-6cdbe27205f8)	Attack Pattern	2
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	2
Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967)	Attack Pattern	Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac)	Attack Pattern	2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	2
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	2
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334)	Attack Pattern	RC Scripts - T1037.004 (dca670cf-eeec-438f-8185-fd959d9ef211)	Attack Pattern	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Image - T1204.003 (b0c74ef9-c61e-4986-88cb-78da98a355ec)	Attack Pattern	2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	Systemd Timers - T1053.006 (a542bac9-7bc1-4da7-9a09-96f69e23cc21)	Attack Pattern	2
Startup Items - T1037.005 (c0dfe7b0-b873-4618-9ff8-53e31f70907f)	Attack Pattern	Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334)	Attack Pattern	2
Cloud Groups - T1069.003 (16e94db9-b5b1-4cd0-b851-f38fbd0a70f2)	Attack Pattern	Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	2
Disk Structure Wipe - T1561.002 (0af0ca99-357d-4ba1-805f-674fdfb7bef9)	Attack Pattern	Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967)	Attack Pattern	2
Email Account - T1087.003 (4bc31b94-045b-4752-8920-aebaebdb6470)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0)	Attack Pattern	Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb)	Attack Pattern	IIS Components - T1505.004 (b46a801b-fd98-491c-a25a-bca25d6e3001)	Attack Pattern	2
AppleScript - T1059.002 (37b11151-1776-4f8f-b328-30939fbf2ceb)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c)	Attack Pattern	2
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	Cloud Account - T1087.004 (8f104855-e5b7-4077-b1f5-bc3103b41abe)	Attack Pattern	2
Outlook Home Page - T1137.004 (bf147104-abf9-4221-95d1-e81585859441)	Attack Pattern	Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	2
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	2
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d)	Attack Pattern	Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163)	Attack Pattern	2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab)	Attack Pattern	2
PubPrn - T1216.001 (09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58)	Attack Pattern	System Script Proxy Execution - T1216 (f6fe9070-7a65-49ea-ae72-76292f42cebe)	Attack Pattern	2
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	2
Setuid and Setgid - T1548.001 (6831414d-bb70-42b7-8030-d4e06b2660c9)	Attack Pattern	Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	2
Cloud API - T1059.009 (55bb4471-ff1f-43b4-88c1-c9384ec47abf)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96)	Attack Pattern	Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b)	Attack Pattern	2
Lua - T1059.011 (afddee82-3385-4682-ad90-eeced33f2d07)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58)	Attack Pattern	2
SyncAppvPublishingServer - T1216.002 (e6f19759-dde3-47fc-99cc-d9f5fa4ade60)	Attack Pattern	System Script Proxy Execution - T1216 (f6fe9070-7a65-49ea-ae72-76292f42cebe)	Attack Pattern	2
ClickOnce - T1127.002 (cc279e50-df85-4c8e-be80-6dc2eda8849c)	Attack Pattern	Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b)	Attack Pattern	2
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	2
CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	2
Image File Execution Options Injection - T1546.012 (6d4a7fb3-5a24-42be-ae61-6728a2b581f6)	Attack Pattern	Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	2
Software Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8)	Attack Pattern	Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101)	Attack Pattern	2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107)	Attack Pattern	2
Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580)	Attack Pattern	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Control Panel - T1218.002 (4ff5d6a8-c062-4c68-a778-36fc5edd564f)	Attack Pattern	2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336)	Attack Pattern	2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071)	Attack Pattern	2
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	2
Unix Shell - T1623.001 (693cdbff-ea73-49c6-ac3f-91e7285c31d1)	Attack Pattern	Command and Scripting Interpreter - T1623 (29f1f56c-7b7a-4c14-9e39-59577ea2743c)	Attack Pattern	2
Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e)	Attack Pattern	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	2
Office Test - T1137.002 (ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a)	Attack Pattern	Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53)	Attack Pattern	2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3)	Attack Pattern	2
Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803)	Attack Pattern	Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	2
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	Launchctl - T1569.001 (810aa4ad-61c9-49cb-993f-daa06199421d)	Attack Pattern	2
Downgrade Attack - T1562.010 (824add00-99a1-4b15-9a2d-6c5683b7b497)	Attack Pattern	Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	2
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Hypervisor CLI - T1059.012 (d2d642da-61ff-4211-b4df-7923c9ca220c)	Attack Pattern	2
Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	Screensaver - T1546.002 (ce4b7013-640e-48a9-b501-d0025a95f4bf)	Attack Pattern	2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53)	Attack Pattern	Outlook Forms - T1137.003 (a9e2cea0-c805-4bf8-9e31-f5f0513a3634)	Attack Pattern	2
Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584)	Attack Pattern	Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	2
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Gatekeeper Bypass - T1553.001 (31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e)	Attack Pattern	2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5)	Attack Pattern	2
Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	2
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	Systemctl - T1569.003 (4b46767d-4a61-4f30-995e-c19a75c2e536)	Attack Pattern	2
Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5)	Attack Pattern	SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8)	Attack Pattern	2
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53)	Attack Pattern	Outlook Rules - T1137.005 (3d1b9d7e-3921-4d25-845a-7d9f15c0da44)	Attack Pattern	2
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	2
Trap - T1546.005 (63220765-d418-44de-8fae-694b3912317d)	Attack Pattern	Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d)	Attack Pattern	2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	Netsh Helper DLL - T1546.007 (f63fe421-b1d1-45c0-b8a7-02cd16ff2bed)	Attack Pattern	2
Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	AppInit DLLs - T1546.010 (cc89ecbd-3d33-4a41-bcca-001e702d18fd)	Attack Pattern	2
Exfiltration Over Webhook - T1567.004 (43f2776f-b4bd-4118-94b8-fee47e69676d)	Attack Pattern	Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	2
Email Hiding Rules - T1564.008 (0cf55441-b176-4332-89e7-2c4c7799d0ff)	Attack Pattern	Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	2
Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783)	Attack Pattern	Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99)	Attack Pattern	2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	2
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	2
Verclsid - T1218.012 (808e6329-ca91-4b87-ac2d-8eadc5f8f327)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Mavinject - T1218.013 (1bae753e-8e52-4055-a66d-2ead90303ca9)	Attack Pattern	2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Ignore Process Interrupts - T1564.011 (4a2975db-414e-4c0c-bd92-775987514b4b)	Attack Pattern	2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	MMC - T1218.014 (ffbcfdb0-de22-4106-9ed3-fc23c8a01407)	Attack Pattern	2
XDG Autostart Entries - T1547.013 (e0232cb0-ded5-4c2e-9dc7-2893142a5c11)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	2
COR_PROFILER - T1574.012 (ffeb0780-356e-4261-b036-cfb6bd234335)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	2
Emond - T1546.014 (9c45eaa3-8604-4780-8988-b5074dbb9ecd)	Attack Pattern	Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b)	Attack Pattern	2
Bash History - T1552.003 (8187bd2a-866f-4457-9009-86b0ddedffa3)	Attack Pattern	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	2
Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5)	Attack Pattern	RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c)	Attack Pattern	2
Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d)	Attack Pattern	Trust Modification - T1484.002 (24769ab5-14bd-4f4e-a752-cfb185da53ee)	Attack Pattern	2
TFTP Boot - T1542.005 (28abec6c-4443-4b03-8206-07f2e264a6b4)	Attack Pattern	Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e)	Attack Pattern	2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d)	Attack Pattern	2
AutoHotKey & AutoIT - T1059.010 (3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Authentication Package - T1547.002 (b8cfed42-6a8a-4989-ad72-541af74475ec)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	2
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334)	Attack Pattern	Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3)	Attack Pattern	2
Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783)	Attack Pattern	Bandwidth Hijacking - T1496.002 (718cb208-6446-4572-a2f0-9c799c60091e)	Attack Pattern	2
Securityd Memory - T1555.002 (1a80d097-54df-41d8-9d33-34e755ec5e72)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	Container API - T1552.007 (f8ef3a62-3f44-40a4-abca-761ab235c436)	Attack Pattern	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Wi-Fi Discovery - T1016.002 (494ab9f0-36e0-4b06-b10d-57285b040a06)	Attack Pattern	2
Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da)	Attack Pattern	Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	2
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	/etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4)	Attack Pattern	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf)	Attack Pattern	2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	2
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	2
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	2
Re-opened Applications - T1547.007 (e5cc9e7a-e61a-46a1-b869-55fb6eab058e)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Launch Daemon - T1543.004 (573ad264-1371-4ae0-8482-d2673b719dba)	Attack Pattern	2
Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	2
Container Service - T1543.005 (b0e54bf7-835e-4f44-bd8e-62f431b9b76a)	Attack Pattern	Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	2
Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Clear Mailbox Data - T1070.008 (438c967d-3996-4870-bfc2-3954752a1927)	Attack Pattern	2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Time Providers - T1547.003 (61afc315-860c-4364-825d-0d62b2e91edc)	Attack Pattern	2
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf)	Attack Pattern	2
Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd)	Attack Pattern	Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87)	Attack Pattern	2
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	2
Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc)	Attack Pattern	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	2
Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829)	Attack Pattern	Exfiltration Over Physical Medium - T1052 (e6415f09-df0e-48de-9aba-928c902b7549)	Attack Pattern	2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	Change Default File Association - T1546.001 (98034fef-d9fb-4667-8dc4-2eab6231724c)	Attack Pattern	2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65)	Attack Pattern	2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	2
Exfiltration to Code Repository - T1567.001 (86a96bf6-cf8b-411c-aaeb-8959944d64f7)	Attack Pattern	Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	2
File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196)	Attack Pattern	Linux and Mac File and Directory Permissions Modification - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345)	Attack Pattern	2
Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a)	Attack Pattern	Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	2
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	2
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Impair Command History Logging - T1562.003 (8f504411-cb96-4dac-a537-8d2bb7679c59)	Attack Pattern	2
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	LC_LOAD_DYLIB Addition - T1546.006 (10ff21b9-5a01-4268-a1b5-3b55015f1847)	Attack Pattern	2
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	2
User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938)	Attack Pattern	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	2
Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5)	Attack Pattern	Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	2
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	Remote Data Staging - T1074.002 (359b00ad-9425-420b-bba5-6de8d600cbc0)	Attack Pattern	2
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Compile After Delivery - T1027.004 (c726e0a2-a57a-4b7b-a973-d0f013246617)	Attack Pattern	2
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0)	Attack Pattern	2
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	TCC Manipulation - T1548.006 (e8a0a025-3601-4755-abfb-8d08283329fb)	Attack Pattern	2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	2
AppCert DLLs - T1546.009 (7d57b371-10c2-45e5-b3cc-83a8fb380e4c)	Attack Pattern	Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	2
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	2
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c)	Attack Pattern	2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Resource Forking - T1564.009 (b22e5153-ac28-4cc6-865c-2054e36285cb)	Attack Pattern	2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d)	Attack Pattern	2
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	GUI Input Capture - T1056.002 (a2029942-0a85-4947-b23c-ca434698171d)	Attack Pattern	2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	Unix Shell Configuration Modification - T1546.004 (b63a34e8-0a61-4c97-a23b-bf8a2ed812e2)	Attack Pattern	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b)	Attack Pattern	2
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334)	Attack Pattern	Network Logon Script - T1037.003 (c63a348e-ffc2-486a-b9d9-d7f11ec54d99)	Attack Pattern	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33)	Attack Pattern	2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Kernel Modules and Extensions - T1547.006 (a1b52199-c8c5-438a-9ded-656f1d0888c6)	Attack Pattern	2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21)	Attack Pattern	2
Reversible Encryption - T1556.005 (d50955c2-272d-4ac8-95da-10c29dda1c48)	Attack Pattern	Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84)	Attack Pattern	2
Services Registry Permissions Weakness - T1574.011 (17cc750b-e95b-4d7d-9dde-49e0de24148c)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	2
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001 (79a4052e-1a89-4b09-aea6-51f1d11fe19c)	Attack Pattern	2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae)	Attack Pattern	2
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
Electron Applications - T1218.015 (561ae9aa-c28a-4144-9eec-e7027a14c8c3)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	Application Shimming - T1546.011 (42fe883a-21ea-4cfb-b94a-78b6476dcc83)	Attack Pattern	2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	2
Clear Linux or Mac System Logs - T1070.002 (2bce5b30-7014-4a5d-ade7-12913fe6ac36)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Bind Mounts - T1564.013 (5bd41255-a224-4425-a2e2-e9d293eafe1c)	Attack Pattern	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Clear Network Connection History and Configurations - T1070.007 (3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc)	Attack Pattern	2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	PowerShell Profile - T1546.013 (0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3)	Attack Pattern	2
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995)	Attack Pattern	2
Extended Attributes - T1564.014 (762e6f29-a62f-4d96-91ed-d0073181431f)	Attack Pattern	Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67)	Attack Pattern	2
File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196)	Attack Pattern	Windows File and Directory Permissions Modification - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee)	Attack Pattern	2
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27)	Attack Pattern	SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4)	Attack Pattern	2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb)	Attack Pattern	Terminal Services DLL - T1505.005 (379809f6-2fac-42c1-bd2e-e9dee70b27f8)	Attack Pattern	2
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	Installer Packages - T1546.016 (da051493-ae9c-4b1b-9760-c009c46c9b56)	Attack Pattern	2
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6)	Attack Pattern	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	2
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	2
vSphere Installation Bundles - T1505.006 (f8ba7d61-11c5-4130-bafd-7c3ff5fbf4b5)	Attack Pattern	Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb)	Attack Pattern	2
Disable or Modify Linux Audit System - T1562.012 (562e9b64-7239-493d-80f4-2bff900d9054)	Attack Pattern	Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	2
Network Device CLI - T1059.008 (818302b2-d640-477b-bf88-873120ce85c4)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f)	Attack Pattern	Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004)	Attack Pattern	2
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f)	Attack Pattern	Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a)	Attack Pattern	2