Skip to content

Latest commit

 

History

History
984 lines (972 loc) · 69.3 KB

windows-index.md

File metadata and controls

984 lines (972 loc) · 69.3 KB
Raw

Windows Atomic Tests by ATT&CK Tactic & Technique

privilege-escalation

defense-evasion

  • T1548 Abuse Elevation Control Mechanism CONTRIBUTE A TEST
  • T1134 Access Token Manipulation CONTRIBUTE A TEST
  • T1055.004 Asynchronous Procedure Call
    • Atomic Test #1: Process Injection via C# [windows]
  • T1197 BITS Jobs
    • Atomic Test #1: Bitsadmin Download (cmd) [windows]
    • Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
    • Atomic Test #3: Persist, Download, & Execute [windows]
    • Atomic Test #4: Bits download using destktopimgdownldr.exe (cmd) [windows]
  • T1027.001 Binary Padding CONTRIBUTE A TEST
  • T1542.003 Bootkit CONTRIBUTE A TEST
  • T1548.002 Bypass User Access Control
    • Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
    • Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
    • Atomic Test #3: Bypass UAC using Fodhelper [windows]
    • Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
    • Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
    • Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
    • Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
  • T1218.003 CMSTP
    • Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
    • Atomic Test #2: CMSTP Executing UAC Bypass [windows]
  • T1574.012 COR_PROFILER
    • Atomic Test #1: User scope COR_PROFILER [windows]
    • Atomic Test #2: System Scope COR_PROFILER [windows]
    • Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
  • T1070.001 Clear Windows Event Logs
    • Atomic Test #1: Clear Logs [windows]
    • Atomic Test #2: Delete System Logs Using Clear-EventLog [windows]
  • T1553.002 Code Signing CONTRIBUTE A TEST
  • T1027.004 Compile After Delivery
    • Atomic Test #1: Compile After Delivery using csc.exe [windows]
    • Atomic Test #2: Dynamic C# Compile [windows]
  • T1218.001 Compiled HTML File
    • Atomic Test #1: Compiled HTML Help Local Payload [windows]
    • Atomic Test #2: Compiled HTML Help Remote Payload [windows]
  • T1542.002 Component Firmware CONTRIBUTE A TEST
  • T1218.002 Control Panel
    • Atomic Test #1: Control Panel Items [windows]
  • T1134.002 Create Process with Token CONTRIBUTE A TEST
  • T1574.001 DLL Search Order Hijacking
    • Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
  • T1574.002 DLL Side-Loading
    • Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
  • T1078.001 Default Accounts
    • Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
  • T1140 Deobfuscate/Decode Files or Information
    • Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
    • Atomic Test #2: Certutil Rename and Decode [windows]
  • T1006 Direct Volume Access CONTRIBUTE A TEST
  • T1562.002 Disable Windows Event Logging
    • Atomic Test #1: Disable Windows IIS HTTP Logging [windows]
    • Atomic Test #2: Kill Event Log Service Threads [windows]
  • T1562.004 Disable or Modify System Firewall
    • Atomic Test #2: Disable Microsoft Defender Firewall [windows]
    • Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows]
    • Atomic Test #4: Opening ports for proxy - HARDRAIN [windows]
    • Atomic Test #5: Open a local port through Windows Firewall to any profile [windows]
    • Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows]
  • T1562.001 Disable or Modify Tools
    • Atomic Test #9: Unload Sysmon Filter Driver [windows]
    • Atomic Test #10: Uninstall Sysmon [windows]
    • Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows]
    • Atomic Test #12: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
    • Atomic Test #13: Disable Arbitrary Security Windows Service [windows]
    • Atomic Test #14: Tamper with Windows Defender ATP PowerShell [windows]
    • Atomic Test #15: Tamper with Windows Defender Command Prompt [windows]
    • Atomic Test #16: Tamper with Windows Defender Registry [windows]
    • Atomic Test #17: Disable Microsoft Office Security Features [windows]
    • Atomic Test #18: Remove Windows Defender Definition Files [windows]
    • Atomic Test #19: Stop and Remove Arbitrary Security Windows Service [windows]
    • Atomic Test #20: Uninstall Crowdstrike Falcon on Windows [windows]
    • Atomic Test #21: Tamper with Windows Defender Evade Scanning -Folder [windows]
    • Atomic Test #22: Tamper with Windows Defender Evade Scanning -Extension [windows]
    • Atomic Test #23: Tamper with Windows Defender Evade Scanning -Process [windows]
  • T1078.002 Domain Accounts CONTRIBUTE A TEST
  • T1556.001 Domain Controller Authentication CONTRIBUTE A TEST
  • T1055.001 Dynamic-link Library Injection CONTRIBUTE A TEST
  • T1480.001 Environmental Keying CONTRIBUTE A TEST
  • T1574.005 Executable Installer File Permissions Weakness CONTRIBUTE A TEST
  • T1480 Execution Guardrails CONTRIBUTE A TEST
  • T1211 Exploitation for Defense Evasion CONTRIBUTE A TEST
  • T1055.011 Extra Window Memory Injection CONTRIBUTE A TEST
  • T1070.004 File Deletion
    • Atomic Test #4: Delete a single file - Windows cmd [windows]
    • Atomic Test #5: Delete an entire folder - Windows cmd [windows]
    • Atomic Test #6: Delete a single file - Windows PowerShell [windows]
    • Atomic Test #7: Delete an entire folder - Windows PowerShell [windows]
    • Atomic Test #9: Delete-PrefetchFile [windows]
    • Atomic Test #10: Delete TeamViewer Log Files [windows]
  • T1222 File and Directory Permissions Modification CONTRIBUTE A TEST
  • T1484 Group Policy Modification CONTRIBUTE A TEST
  • T1564.005 Hidden File System CONTRIBUTE A TEST
  • T1564.001 Hidden Files and Directories
    • Atomic Test #3: Create Windows System File with Attrib [windows]
    • Atomic Test #4: Create Windows Hidden File with Attrib [windows]
  • T1564.003 Hidden Window
    • Atomic Test #1: Hidden Window [windows]
  • T1564 Hide Artifacts CONTRIBUTE A TEST
  • T1574 Hijack Execution Flow CONTRIBUTE A TEST
  • T1562 Impair Defenses CONTRIBUTE A TEST
  • T1562.006 Indicator Blocking CONTRIBUTE A TEST
  • T1027.005 Indicator Removal from Tools CONTRIBUTE A TEST
  • T1070 Indicator Removal on Host
    • Atomic Test #1: Indicator Removal using FSUtil [windows]
  • T1202 Indirect Command Execution
    • Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
    • Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
  • T1553.004 Install Root Certificate
    • Atomic Test #4: Install root CA on Windows [windows]
  • T1218.004 InstallUtil
    • Atomic Test #1: CheckIfInstallable method call [windows]
    • Atomic Test #2: InstallHelper method call [windows]
    • Atomic Test #3: InstallUtil class constructor method call [windows]
    • Atomic Test #4: InstallUtil Install method call [windows]
    • Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows]
    • Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows]
    • Atomic Test #7: InstallUtil HelpText method call [windows]
    • Atomic Test #8: InstallUtil evasive invocation [windows]
  • T1036.001 Invalid Code Signature CONTRIBUTE A TEST
  • T1078.003 Local Accounts CONTRIBUTE A TEST
  • T1127.001 MSBuild
    • Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
  • T1134.003 Make and Impersonate Token CONTRIBUTE A TEST
  • T1036.004 Masquerade Task or Service CONTRIBUTE A TEST
  • T1036 Masquerading CONTRIBUTE A TEST
  • T1036.005 Match Legitimate Name or Location CONTRIBUTE A TEST
  • T1556 Modify Authentication Process CONTRIBUTE A TEST
  • T1112 Modify Registry
    • Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
    • Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
    • Atomic Test #3: Modify registry to store logon credentials [windows]
    • Atomic Test #4: Add domain to Trusted sites Zone [windows]
    • Atomic Test #5: Javascript in registry [windows]
  • T1218.005 Mshta
    • Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
    • Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]
    • Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows]
  • T1218.007 Msiexec
    • Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows]
    • Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows]
    • Atomic Test #3: Msiexec.exe - Execute Arbitrary DLL [windows]
  • T1564.004 NTFS File Attributes
    • Atomic Test #1: Alternate Data Streams (ADS) [windows]
    • Atomic Test #2: Store file in Alternate Data Stream (ADS) [windows]
    • Atomic Test #3: Create ADS command prompt [windows]
    • Atomic Test #4: Create ADS PowerShell [windows]
  • T1070.005 Network Share Connection Removal
    • Atomic Test #1: Add Network Share [windows]
    • Atomic Test #2: Remove Network Share [windows]
    • Atomic Test #3: Remove Network Share PowerShell [windows]
  • T1027 Obfuscated Files or Information
    • Atomic Test #2: Execute base64-encoded PowerShell [windows]
    • Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry [windows]
    • Atomic Test #4: Execution from Compressed File [windows]
  • T1218.008 Odbcconf
    • Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
  • T1134.004 Parent PID Spoofing
    • Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
  • T1550.002 Pass the Hash
    • Atomic Test #1: Mimikatz Pass the Hash [windows]
    • Atomic Test #2: crackmapexec Pass the Hash [windows]
  • T1550.003 Pass the Ticket
    • Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
  • T1556.002 Password Filter DLL
    • Atomic Test #1: Install and Register Password Filter DLL [windows]
  • T1574.007 Path Interception by PATH Environment Variable CONTRIBUTE A TEST
  • T1574.008 Path Interception by Search Order Hijacking CONTRIBUTE A TEST
  • T1574.009 Path Interception by Unquoted Path
    • Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
  • T1205.001 Port Knocking CONTRIBUTE A TEST
  • T1055.002 Portable Executable Injection CONTRIBUTE A TEST
  • T1542 Pre-OS Boot CONTRIBUTE A TEST
  • T1055.013 Process Doppelgänging CONTRIBUTE A TEST
  • T1055.012 Process Hollowing
    • Atomic Test #1: Process Hollowing using PowerShell [windows]
  • T1055 Process Injection
    • Atomic Test #1: Process Injection via mavinject.exe [windows]
  • T1216.001 PubPrn
    • Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
  • T1108 Redundant Access CONTRIBUTE A TEST
  • T1218.009 Regsvcs/Regasm
    • Atomic Test #1: Regasm Uninstall Method Call Test [windows]
    • Atomic Test #2: Regsvcs Uninstall Method Call Test [windows]
  • T1218.010 Regsvr32
    • Atomic Test #1: Regsvr32 local COM scriptlet execution [windows]
    • Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
    • Atomic Test #3: Regsvr32 local DLL execution [windows]
    • Atomic Test #4: Regsvr32 Registering Non DLL [windows]
  • T1036.003 Rename System Utilities
    • Atomic Test #1: Masquerading as Windows LSASS process [windows]
    • Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows]
    • Atomic Test #4: Masquerading - wscript.exe running as svchost.exe [windows]
    • Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows]
    • Atomic Test #6: Masquerading - non-windows exe running as windows exe [windows]
    • Atomic Test #7: Masquerading - windows exe running as different windows exe [windows]
    • Atomic Test #8: Malicious process Masquerading as LSM.exe [windows]
    • Atomic Test #9: File Extension Masquerading [windows]
  • T1036.002 Right-to-Left Override CONTRIBUTE A TEST
  • T1207 Rogue Domain Controller
    • Atomic Test #1: DCShadow - Mimikatz [windows]
  • T1014 Rootkit
    • Atomic Test #3: Windows Signed Driver Rootkit Test [windows]
  • T1564.006 Run Virtual Instance CONTRIBUTE A TEST
  • T1218.011 Rundll32
    • Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
    • Atomic Test #2: Rundll32 execute VBscript command [windows]
    • Atomic Test #3: Rundll32 advpack.dll Execution [windows]
    • Atomic Test #4: Rundll32 ieadvpack.dll Execution [windows]
    • Atomic Test #5: Rundll32 syssetup.dll Execution [windows]
    • Atomic Test #6: Rundll32 setupapi.dll Execution [windows]
  • T1134.005 SID-History Injection CONTRIBUTE A TEST
  • T1553.003 SIP and Trust Provider Hijacking CONTRIBUTE A TEST
  • T1064 Scripting CONTRIBUTE A TEST
  • T1574.010 Services File Permissions Weakness CONTRIBUTE A TEST
  • T1574.011 Services Registry Permissions Weakness
    • Atomic Test #1: Service Registry Permissions Weakness [windows]
  • T1218 Signed Binary Proxy Execution
    • Atomic Test #1: mavinject - Inject DLL into running process [windows]
    • Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
    • Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
    • Atomic Test #4: InfDefaultInstall.exe .inf Execution [windows]
    • Atomic Test #5: ProtocolHandler.exe Downloaded a Suspicious File [windows]
  • T1216 Signed Script Proxy Execution
    • Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
    • Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
  • T1027.002 Software Packing CONTRIBUTE A TEST
  • T1027.003 Steganography CONTRIBUTE A TEST
  • T1553 Subvert Trust Controls CONTRIBUTE A TEST
  • T1497.001 System Checks CONTRIBUTE A TEST
  • T1542.001 System Firmware CONTRIBUTE A TEST
  • T1221 Template Injection CONTRIBUTE A TEST
  • T1055.003 Thread Execution Hijacking CONTRIBUTE A TEST
  • T1055.005 Thread Local Storage CONTRIBUTE A TEST
  • T1497.003 Time Based Evasion CONTRIBUTE A TEST
  • T1070.006 Timestomp
    • Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
    • Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
    • Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
    • Atomic Test #8: Windows - Timestomp a File [windows]
  • T1134.001 Token Impersonation/Theft CONTRIBUTE A TEST
  • T1205 Traffic Signaling CONTRIBUTE A TEST
  • T1127 Trusted Developer Utilities Proxy Execution CONTRIBUTE A TEST
  • T1550 Use Alternate Authentication Material CONTRIBUTE A TEST
  • T1497.002 User Activity Based Checks CONTRIBUTE A TEST
  • T1078 Valid Accounts CONTRIBUTE A TEST
  • T1497 Virtualization/Sandbox Evasion CONTRIBUTE A TEST
  • T1222.001 Windows File and Directory Permissions Modification
    • Atomic Test #1: Take ownership using takeown utility [windows]
    • Atomic Test #2: cacls - Grant permission to specified user or group recursively [windows]
    • Atomic Test #3: attrib - Remove read-only attribute [windows]
    • Atomic Test #4: Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style [windows]
  • T1220 XSL Script Processing
    • Atomic Test #1: MSXSL Bypass using local files [windows]
    • Atomic Test #2: MSXSL Bypass using remote files [windows]
    • Atomic Test #3: WMIC bypass using local XSL file [windows]
    • Atomic Test #4: WMIC bypass using remote XSL file [windows]

persistence

impact

discovery

  • T1087 Account Discovery CONTRIBUTE A TEST
  • T1010 Application Window Discovery
    • Atomic Test #1: List Process Main Windows - C# .NET [windows]
  • T1217 Browser Bookmark Discovery
    • Atomic Test #4: List Google Chrome Bookmarks on Windows with powershell [windows]
    • Atomic Test #5: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt [windows]
    • Atomic Test #6: List Mozilla Firefox bookmarks on Windows with command prompt [windows]
    • Atomic Test #7: List Internet Explorer Bookmarks using the command prompt [windows]
  • T1087.002 Domain Account
    • Atomic Test #1: Enumerate all accounts (Domain) [windows]
    • Atomic Test #2: Enumerate all accounts via PowerShell (Domain) [windows]
    • Atomic Test #3: Enumerate logged on users via CMD (Domain) [windows]
    • Atomic Test #4: Automated AD Recon (ADRecon) [windows]
    • Atomic Test #5: Adfind -Listing password policy [windows]
  • T1069.002 Domain Groups
    • Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
    • Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
    • Atomic Test #3: Elevated group enumeration using net group (Domain) [windows]
    • Atomic Test #4: Find machines where user has local admin access (PowerView) [windows]
    • Atomic Test #5: Find local admins on all machines in domain (PowerView) [windows]
    • Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows]
    • Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows]
  • T1482 Domain Trust Discovery
    • Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
    • Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
    • Atomic Test #3: Powershell enumerate domains and forests [windows]
  • T1087.003 Email Account CONTRIBUTE A TEST
  • T1083 File and Directory Discovery
    • Atomic Test #1: File and Directory Discovery (cmd.exe) [windows]
    • Atomic Test #2: File and Directory Discovery (PowerShell) [windows]
  • T1087.001 Local Account
    • Atomic Test #8: Enumerate all accounts on Windows (Local) [windows]
    • Atomic Test #9: Enumerate all accounts via PowerShell (Local) [windows]
    • Atomic Test #10: Enumerate logged on users via CMD (Local) [windows]
    • Atomic Test #11: Enumerate logged on users via PowerShell [windows]
  • T1069.001 Local Groups
    • Atomic Test #2: Basic Permission Groups Discovery Windows (Local) [windows]
    • Atomic Test #3: Permission Groups Discovery PowerShell (Local) [windows]
  • T1046 Network Service Scanning
    • Atomic Test #3: Port Scan NMap for Windows [windows]
  • T1135 Network Share Discovery
    • Atomic Test #2: Network Share Discovery command prompt [windows]
    • Atomic Test #3: Network Share Discovery PowerShell [windows]
    • Atomic Test #4: View available share drives [windows]
    • Atomic Test #5: Share Discovery with PowerView [windows]
  • T1040 Network Sniffing
    • Atomic Test #3: Packet Capture Windows Command Prompt [windows]
    • Atomic Test #4: Windows Internal Packet Capture [windows]
  • T1201 Password Policy Discovery
    • Atomic Test #5: Examine local password policy - Windows [windows]
    • Atomic Test #6: Examine domain password policy - Windows [windows]
  • T1120 Peripheral Device Discovery CONTRIBUTE A TEST
  • T1069 Permission Groups Discovery CONTRIBUTE A TEST
  • T1057 Process Discovery
    • Atomic Test #2: Process Discovery - tasklist [windows]
  • T1012 Query Registry
    • Atomic Test #1: Query Registry [windows]
  • T1018 Remote System Discovery
    • Atomic Test #1: Remote System Discovery - net [windows]
    • Atomic Test #2: Remote System Discovery - net group Domain Computers [windows]
    • Atomic Test #3: Remote System Discovery - nltest [windows]
    • Atomic Test #4: Remote System Discovery - ping sweep [windows]
    • Atomic Test #5: Remote System Discovery - arp [windows]
    • Atomic Test #8: Remote System Discovery - nslookup [windows]
    • Atomic Test #9: Remote System Discovery - adidnsdump [windows]
  • T1518.001 Security Software Discovery
    • Atomic Test #1: Security Software Discovery [windows]
    • Atomic Test #2: Security Software Discovery - powershell [windows]
    • Atomic Test #4: Security Software Discovery - Sysmon Service [windows]
    • Atomic Test #5: Security Software Discovery - AV Discovery via WMI [windows]
  • T1518 Software Discovery
    • Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
    • Atomic Test #2: Applications Installed [windows]
  • T1497.001 System Checks CONTRIBUTE A TEST
  • T1082 System Information Discovery
    • Atomic Test #1: System Information Discovery [windows]
    • Atomic Test #6: Hostname Discovery (Windows) [windows]
    • Atomic Test #8: Windows MachineGUID Discovery [windows]
  • T1016 System Network Configuration Discovery
    • Atomic Test #1: System Network Configuration Discovery on Windows [windows]
    • Atomic Test #2: List Windows Firewall Rules [windows]
    • Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows]
    • Atomic Test #5: List Open Egress Ports [windows]
  • T1049 System Network Connections Discovery
    • Atomic Test #1: System Network Connections Discovery [windows]
    • Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
  • T1033 System Owner/User Discovery
    • Atomic Test #1: System Owner/User Discovery [windows]
    • Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
  • T1007 System Service Discovery
    • Atomic Test #1: System Service Discovery [windows]
    • Atomic Test #2: System Service Discovery - net.exe [windows]
  • T1124 System Time Discovery
    • Atomic Test #1: System Time Discovery [windows]
    • Atomic Test #2: System Time Discovery - PowerShell [windows]
  • T1497.003 Time Based Evasion CONTRIBUTE A TEST
  • T1497.002 User Activity Based Checks CONTRIBUTE A TEST
  • T1497 Virtualization/Sandbox Evasion CONTRIBUTE A TEST

command-and-control

collection

execution

  • T1053.002 At (Windows)
    • Atomic Test #1: At.exe Scheduled task [windows]
  • T1059 Command and Scripting Interpreter CONTRIBUTE A TEST
  • T1559.001 Component Object Model CONTRIBUTE A TEST
  • T1175 Component Object Model and Distributed COM CONTRIBUTE A TEST
  • T1559.002 Dynamic Data Exchange
    • Atomic Test #1: Execute Commands [windows]
    • Atomic Test #2: Execute PowerShell script via Word DDE [windows]
    • Atomic Test #3: DDEAUTO [windows]
  • T1203 Exploitation for Client Execution CONTRIBUTE A TEST
  • T1061 Graphical User Interface CONTRIBUTE A TEST
  • T1559 Inter-Process Communication CONTRIBUTE A TEST
  • T1059.007 JavaScript/JScript CONTRIBUTE A TEST
  • T1204.002 Malicious File
    • Atomic Test #1: OSTap Style Macro Execution [windows]
    • Atomic Test #2: OSTap Payload Download [windows]
    • Atomic Test #3: Maldoc choice flags command execution [windows]
    • Atomic Test #4: OSTAP JS version [windows]
  • T1204.001 Malicious Link CONTRIBUTE A TEST
  • T1106 Native API
    • Atomic Test #1: Execution through API - CreateProcess [windows]
  • T1059.001 PowerShell
    • Atomic Test #1: Mimikatz [windows]
    • Atomic Test #2: Run BloodHound from local disk [windows]
    • Atomic Test #3: Run Bloodhound from Memory using Download Cradle [windows]
    • Atomic Test #4: Obfuscation Tests [windows]
    • Atomic Test #5: Mimikatz - Cradlecraft PsSendKeys [windows]
    • Atomic Test #6: Invoke-AppPathBypass [windows]
    • Atomic Test #7: Powershell MsXml COM object - with prompt [windows]
    • Atomic Test #8: Powershell XML requests [windows]
    • Atomic Test #9: Powershell invoke mshta.exe download [windows]
    • Atomic Test #10: Powershell Invoke-DownloadCradle [windows]
    • Atomic Test #11: PowerShell Fileless Script Execution [windows]
    • Atomic Test #12: PowerShell Downgrade Attack [windows]
    • Atomic Test #13: NTFS Alternate Data Stream Access [windows]
    • Atomic Test #14: PowerShell Session Creation and Use [windows]
  • T1059.006 Python CONTRIBUTE A TEST
  • T1053.005 Scheduled Task
    • Atomic Test #1: Scheduled Task Startup Script [windows]
    • Atomic Test #2: Scheduled task Local [windows]
    • Atomic Test #3: Scheduled task Remote [windows]
    • Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
  • T1053 Scheduled Task/Job CONTRIBUTE A TEST
  • T1064 Scripting CONTRIBUTE A TEST
  • T1569.002 Service Execution
    • Atomic Test #1: Execute a Command as a Service [windows]
    • Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
  • T1129 Shared Modules CONTRIBUTE A TEST
  • T1072 Software Deployment Tools CONTRIBUTE A TEST
  • T1569 System Services CONTRIBUTE A TEST
  • T1204 User Execution CONTRIBUTE A TEST
  • T1059.005 Visual Basic
    • Atomic Test #1: Visual Basic script execution to gather local computer information [windows]
  • T1059.003 Windows Command Shell
    • Atomic Test #1: Create and Execute Batch Script [windows]
  • T1047 Windows Management Instrumentation
    • Atomic Test #1: WMI Reconnaissance Users [windows]
    • Atomic Test #2: WMI Reconnaissance Processes [windows]
    • Atomic Test #3: WMI Reconnaissance Software [windows]
    • Atomic Test #4: WMI Reconnaissance List Remote Services [windows]
    • Atomic Test #5: WMI Execute Local Process [windows]
    • Atomic Test #6: WMI Execute Remote Process [windows]

exfiltration

credential-access

lateral-movement

initial-access