Skip to content

Hide Navigation Hide TOC

Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31)

Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled. This mitigation can be implemented through the following measures:

Remove Legacy Software:

  • Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash).
  • Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date.

Disable Unused Features:

  • Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required.
  • Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue.

Control Applications Installed by Users:

  • Use Case: Prevent users from installing unauthorized software via group policies or other management tools.
  • Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment.

Remove Unnecessary Services:

  • Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices.
  • Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations.

Restrict Add-ons and Plugins:

  • Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes.
  • Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks.
Cluster A Galaxy A Cluster B Galaxy B Level
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Cloud Application Integration - T1671 (c31aebd6-c9b5-420f-ba2a-5853bbf897fa) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) Attack Pattern 1
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Exfiltration Over Physical Medium - T1052 (e6415f09-df0e-48de-9aba-928c902b7549) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 1
Communication Through Removable Media - T1092 (64196062-5210-42c3-9a02-563a0d1797ef) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Container Administration Command - T1609 (7b50a1d3-4ca7-45d1-989d-a6503f04bfe1) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
VBA Stomping - T1564.007 (c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern 1
Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534) Attack Pattern 1
MMC - T1218.014 (ffbcfdb0-de22-4106-9ed3-fc23c8a01407) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) Attack Pattern 1
Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action ClickOnce - T1127.002 (cc279e50-df85-4c8e-be80-6dc2eda8849c) Attack Pattern 1
Escape to Host - T1611 (4a5b7ade-8bb5-4853-84ed-23f262002665) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Mavinject - T1218.013 (1bae753e-8e52-4055-a66d-2ead90303ca9) Attack Pattern 1
Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern 1
JamPlus - T1127.003 (7d356151-a69d-404e-896b-71618952702a) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Verclsid - T1218.012 (808e6329-ca91-4b87-ac2d-8eadc5f8f327) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action ARP Cache Poisoning - T1557.002 (cabe189c-a0e3-4965-a473-dcff00f17213) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Additional Cloud Credentials - T1098.001 (8a2f40cf-8325-47f9-96e4-b1ca4c7389bd) Attack Pattern 1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Re-opened Applications - T1547.007 (e5cc9e7a-e61a-46a1-b869-55fb6eab058e) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Emond - T1546.014 (9c45eaa3-8604-4780-8988-b5074dbb9ecd) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Electron Applications - T1218.015 (561ae9aa-c28a-4144-9eec-e7027a14c8c3) Attack Pattern 1
Downgrade Attack - T1689 (30904c16-39f9-41c6-b01a-500eb8878442) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 1
Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern 1
Direct Cloud VM Connections - T1021.008 (45241b9e-9bbc-4826-a2cc-78855e51ca09) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Regsvcs/Regasm - T1218.009 (c48a67ee-b657-45c1-91bf-6cdbe27205f8) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern 1
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern 1
Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Name Resolution Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern 1
Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Wordlist Scanning - T1595.003 (bed04f7d-e48a-4e76-bd0f-4c57fe31fc46) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern 1
Exploitation of Remote Services - T1210 (9db0cf3a-a3c9-4012-8268-123b9db6fd82) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Screensaver - T1546.002 (ce4b7013-640e-48a9-b501-d0025a95f4bf) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern 1
Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) Attack Pattern 2
Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) Attack Pattern Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) Attack Pattern 2
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 2
VBA Stomping - T1564.007 (c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 2
Exfiltration Over Physical Medium - T1052 (e6415f09-df0e-48de-9aba-928c902b7549) Attack Pattern Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829) Attack Pattern 2
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern 2
MMC - T1218.014 (ffbcfdb0-de22-4106-9ed3-fc23c8a01407) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern 2
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern 2
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern ClickOnce - T1127.002 (cc279e50-df85-4c8e-be80-6dc2eda8849c) Attack Pattern 2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3) Attack Pattern 2
Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) Attack Pattern Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Mavinject - T1218.013 (1bae753e-8e52-4055-a66d-2ead90303ca9) Attack Pattern 2
Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) Attack Pattern Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern 2
InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern 2
JamPlus - T1127.003 (7d356151-a69d-404e-896b-71618952702a) Attack Pattern Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Verclsid - T1218.012 (808e6329-ca91-4b87-ac2d-8eadc5f8f327) Attack Pattern 2
ARP Cache Poisoning - T1557.002 (cabe189c-a0e3-4965-a473-dcff00f17213) Attack Pattern Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 2
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Additional Cloud Credentials - T1098.001 (8a2f40cf-8325-47f9-96e4-b1ca4c7389bd) Attack Pattern 2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Re-opened Applications - T1547.007 (e5cc9e7a-e61a-46a1-b869-55fb6eab058e) Attack Pattern 2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Emond - T1546.014 (9c45eaa3-8604-4780-8988-b5074dbb9ecd) Attack Pattern 2
Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Electron Applications - T1218.015 (561ae9aa-c28a-4144-9eec-e7027a14c8c3) Attack Pattern 2
Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern 2
Direct Cloud VM Connections - T1021.008 (45241b9e-9bbc-4826-a2cc-78855e51ca09) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Regsvcs/Regasm - T1218.009 (c48a67ee-b657-45c1-91bf-6cdbe27205f8) Attack Pattern 2
Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Name Resolution Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern 2
Wordlist Scanning - T1595.003 (bed04f7d-e48a-4e76-bd0f-4c57fe31fc46) Attack Pattern Active Scanning - T1595 (67073dde-d720-45ae-83da-b12d5e73ca3b) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Screensaver - T1546.002 (ce4b7013-640e-48a9-b501-d0025a95f4bf) Attack Pattern 2
Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern 2
Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 2