Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31)

Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled. This mitigation can be implemented through the following measures:

Remove Legacy Software:

  • Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash).
  • Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date.

Disable Unused Features:

  • Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required.
  • Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue.

Control Applications Installed by Users:

  • Use Case: Prevent users from installing unauthorized software via group policies or other management tools.
  • Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment.

Remove Unnecessary Services:

  • Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices.
  • Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations.

Restrict Add-ons and Plugins:

  • Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes.
  • Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks.

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) | Attack Pattern | 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | Communication Through Removable Media - T1092 (64196062-5210-42c3-9a02-563a0d1797ef) | Attack Pattern | 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071) | Attack Pattern | 1
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Escape to Host - T1611 (4a5b7ade-8bb5-4853-84ed-23f262002665) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) | Attack Pattern | 1
Re-opened Applications - T1547.007 (e5cc9e7a-e61a-46a1-b869-55fb6eab058e) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Electron Applications - T1218.015 (561ae9aa-c28a-4144-9eec-e7027a14c8c3) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) | Attack Pattern | 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) | Attack Pattern | 1
Regsvcs/Regasm - T1218.009 (c48a67ee-b657-45c1-91bf-6cdbe27205f8) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
ARP Cache Poisoning - T1557.002 (cabe189c-a0e3-4965-a473-dcff00f17213) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Additional Cloud Credentials - T1098.001 (8a2f40cf-8325-47f9-96e4-b1ca4c7389bd) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) | Attack Pattern | 1
External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Screensaver - T1546.002 (ce4b7013-640e-48a9-b501-d0025a95f4bf) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | 1
Wordlist Scanning - T1595.003 (bed04f7d-e48a-4e76-bd0f-4c57fe31fc46) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) | Attack Pattern | 1
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) | Attack Pattern | 1
Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Direct Cloud VM Connections - T1021.008 (45241b9e-9bbc-4826-a2cc-78855e51ca09) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) | Attack Pattern | 1
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
VBA Stomping - T1564.007 (c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Downgrade Attack - T1562.010 (824add00-99a1-4b15-9a2d-6c5683b7b497) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Exploitation of Remote Services - T1210 (9db0cf3a-a3c9-4012-8268-123b9db6fd82) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 1
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | Cloud Application Integration - T1671 (c31aebd6-c9b5-420f-ba2a-5853bbf897fa) | Attack Pattern | 1
Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | Verclsid - T1218.012 (808e6329-ca91-4b87-ac2d-8eadc5f8f327) | Attack Pattern | 1
ClickOnce - T1127.002 (cc279e50-df85-4c8e-be80-6dc2eda8849c) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | JamPlus - T1127.003 (7d356151-a69d-404e-896b-71618952702a) | Attack Pattern | 1
Mavinject - T1218.013 (1bae753e-8e52-4055-a66d-2ead90303ca9) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Container Administration Command - T1609 (7b50a1d3-4ca7-45d1-989d-a6503f04bfe1) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
MMC - T1218.014 (ffbcfdb0-de22-4106-9ed3-fc23c8a01407) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Exfiltration Over Physical Medium - T1052 (e6415f09-df0e-48de-9aba-928c902b7549) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Emond - T1546.014 (9c45eaa3-8604-4780-8988-b5074dbb9ecd) | Attack Pattern | Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) | Course of Action | 1
Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829) | Attack Pattern | Exfiltration Over Physical Medium - T1052 (e6415f09-df0e-48de-9aba-928c902b7549) | Attack Pattern | 2
Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) | Attack Pattern | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 2
Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) | Attack Pattern | SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) | Attack Pattern | 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) | Attack Pattern | 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071) | Attack Pattern | 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | 2
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) | Attack Pattern | Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) | Attack Pattern | 2
Re-opened Applications - T1547.007 (e5cc9e7a-e61a-46a1-b869-55fb6eab058e) | Attack Pattern | Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | 2
Electron Applications - T1218.015 (561ae9aa-c28a-4144-9eec-e7027a14c8c3) | Attack Pattern | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) | Attack Pattern | 2
Regsvcs/Regasm - T1218.009 (c48a67ee-b657-45c1-91bf-6cdbe27205f8) | Attack Pattern | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 2
ARP Cache Poisoning - T1557.002 (cabe189c-a0e3-4965-a473-dcff00f17213) | Attack Pattern | Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) | Attack Pattern | 2
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) | Attack Pattern | 2
Additional Cloud Credentials - T1098.001 (8a2f40cf-8325-47f9-96e4-b1ca4c7389bd) | Attack Pattern | Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) | Attack Pattern | 2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3) | Attack Pattern | 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) | Attack Pattern | 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) | Attack Pattern | 2
Screensaver - T1546.002 (ce4b7013-640e-48a9-b501-d0025a95f4bf) | Attack Pattern | Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) | Attack Pattern | 2
Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) | Attack Pattern | Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) | Attack Pattern | 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | 2
Wordlist Scanning - T1595.003 (bed04f7d-e48a-4e76-bd0f-4c57fe31fc46) | Attack Pattern | Active Scanning - T1595 (67073dde-d720-45ae-83da-b12d5e73ca3b) | Attack Pattern | 2
Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) | Attack Pattern | RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) | Attack Pattern | 2
Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) | Attack Pattern | Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | Direct Cloud VM Connections - T1021.008 (45241b9e-9bbc-4826-a2cc-78855e51ca09) | Attack Pattern | 2
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) | Attack Pattern | LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) | Attack Pattern | 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) | Attack Pattern | 2
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) | Attack Pattern | Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | 2
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) | Attack Pattern | MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) | Attack Pattern | 2
Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306) | Attack Pattern | Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) | Attack Pattern | 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | VBA Stomping - T1564.007 (c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b) | Attack Pattern | 2
Downgrade Attack - T1562.010 (824add00-99a1-4b15-9a2d-6c5683b7b497) | Attack Pattern | Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | 2
Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d) | Attack Pattern | Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | 2
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) | Attack Pattern | Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) | Attack Pattern | 2
Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961) | Attack Pattern | Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) | Attack Pattern | 2
Verclsid - T1218.012 (808e6329-ca91-4b87-ac2d-8eadc5f8f327) | Attack Pattern | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 2
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) | Attack Pattern | ClickOnce - T1127.002 (cc279e50-df85-4c8e-be80-6dc2eda8849c) | Attack Pattern | 2
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) | Attack Pattern | JamPlus - T1127.003 (7d356151-a69d-404e-896b-71618952702a) | Attack Pattern | 2
Mavinject - T1218.013 (1bae753e-8e52-4055-a66d-2ead90303ca9) | Attack Pattern | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 2
SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) | Attack Pattern | Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) | Attack Pattern | 2
CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) | Attack Pattern | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 2
Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) | Attack Pattern | Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) | Attack Pattern | 2
InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) | Attack Pattern | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 2
MMC - T1218.014 (ffbcfdb0-de22-4106-9ed3-fc23c8a01407) | Attack Pattern | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) | Attack Pattern | Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | 2
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) | Attack Pattern | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 2
Emond - T1546.014 (9c45eaa3-8604-4780-8988-b5074dbb9ecd) | Attack Pattern | Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) | Attack Pattern | 2