Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31)

Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled. This mitigation can be implemented through the following measures:

Remove Legacy Software:

  • Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash).
  • Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date.

Disable Unused Features:

  • Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required.
  • Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue.

Control Applications Installed by Users:

  • Use Case: Prevent users from installing unauthorized software via group policies or other management tools.
  • Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment.

Remove Unnecessary Services:

  • Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices.
  • Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations.

Restrict Add-ons and Plugins:

  • Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes.
  • Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks.

Cluster A Galaxy A Cluster B Galaxy B Level
Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Electron Applications - T1218.015 (561ae9aa-c28a-4144-9eec-e7027a14c8c3) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 1
Downgrade Attack - T1689 (30904c16-39f9-41c6-b01a-500eb8878442) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern 1
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Direct Cloud VM Connections - T1021.008 (45241b9e-9bbc-4826-a2cc-78855e51ca09) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Regsvcs/Regasm - T1218.009 (c48a67ee-b657-45c1-91bf-6cdbe27205f8) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern 1
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Name Resolution Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern 1
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Additional Cloud Credentials - T1098.001 (8a2f40cf-8325-47f9-96e4-b1ca4c7389bd) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Wordlist Scanning - T1595.003 (bed04f7d-e48a-4e76-bd0f-4c57fe31fc46) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 1
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Exploitation of Remote Services - T1210 (9db0cf3a-a3c9-4012-8268-123b9db6fd82) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Screensaver - T1546.002 (ce4b7013-640e-48a9-b501-d0025a95f4bf) Attack Pattern 1
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Cloud Application Integration - T1671 (c31aebd6-c9b5-420f-ba2a-5853bbf897fa) Attack Pattern 1
SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Exfiltration Over Physical Medium - T1052 (e6415f09-df0e-48de-9aba-928c902b7549) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern 1
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Communication Through Removable Media - T1092 (64196062-5210-42c3-9a02-563a0d1797ef) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Container Administration Command - T1609 (7b50a1d3-4ca7-45d1-989d-a6503f04bfe1) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
VBA Stomping - T1564.007 (c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) Attack Pattern 1
Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Re-opened Applications - T1547.007 (e5cc9e7a-e61a-46a1-b869-55fb6eab058e) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern 1
Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern 1
ClickOnce - T1127.002 (cc279e50-df85-4c8e-be80-6dc2eda8849c) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Escape to Host - T1611 (4a5b7ade-8bb5-4853-84ed-23f262002665) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action JamPlus - T1127.003 (7d356151-a69d-404e-896b-71618952702a) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) Attack Pattern 1
CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Mavinject - T1218.013 (1bae753e-8e52-4055-a66d-2ead90303ca9) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) Attack Pattern 1
SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Verclsid - T1218.012 (808e6329-ca91-4b87-ac2d-8eadc5f8f327) Attack Pattern 1
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
ARP Cache Poisoning - T1557.002 (cabe189c-a0e3-4965-a473-dcff00f17213) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 1
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action MMC - T1218.014 (ffbcfdb0-de22-4106-9ed3-fc23c8a01407) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Emond - T1546.014 (9c45eaa3-8604-4780-8988-b5074dbb9ecd) Attack Pattern 1
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Electron Applications - T1218.015 (561ae9aa-c28a-4144-9eec-e7027a14c8c3) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071) Attack Pattern 2
Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern 2
Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Direct Cloud VM Connections - T1021.008 (45241b9e-9bbc-4826-a2cc-78855e51ca09) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Regsvcs/Regasm - T1218.009 (c48a67ee-b657-45c1-91bf-6cdbe27205f8) Attack Pattern 2
Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern Name Resolution Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern 2
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Additional Cloud Credentials - T1098.001 (8a2f40cf-8325-47f9-96e4-b1ca4c7389bd) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
Active Scanning - T1595 (67073dde-d720-45ae-83da-b12d5e73ca3b) Attack Pattern Wordlist Scanning - T1595.003 (bed04f7d-e48a-4e76-bd0f-4c57fe31fc46) Attack Pattern 2
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Screensaver - T1546.002 (ce4b7013-640e-48a9-b501-d0025a95f4bf) Attack Pattern 2
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d) Attack Pattern 2
SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) Attack Pattern Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) Attack Pattern 2
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern 2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern VBA Stomping - T1564.007 (c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b) Attack Pattern 2
Exfiltration Over Physical Medium - T1052 (e6415f09-df0e-48de-9aba-928c902b7549) Attack Pattern Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829) Attack Pattern 2
MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern 2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Re-opened Applications - T1547.007 (e5cc9e7a-e61a-46a1-b869-55fb6eab058e) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern 2
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern 2
ClickOnce - T1127.002 (cc279e50-df85-4c8e-be80-6dc2eda8849c) Attack Pattern Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern 2
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern JamPlus - T1127.003 (7d356151-a69d-404e-896b-71618952702a) Attack Pattern 2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3) Attack Pattern 2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) Attack Pattern 2
CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Mavinject - T1218.013 (1bae753e-8e52-4055-a66d-2ead90303ca9) Attack Pattern 2
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) Attack Pattern 2
SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Verclsid - T1218.012 (808e6329-ca91-4b87-ac2d-8eadc5f8f327) Attack Pattern 2
ARP Cache Poisoning - T1557.002 (cabe189c-a0e3-4965-a473-dcff00f17213) Attack Pattern Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern 2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern MMC - T1218.014 (ffbcfdb0-de22-4106-9ed3-fc23c8a01407) Attack Pattern 2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Emond - T1546.014 (9c45eaa3-8604-4780-8988-b5074dbb9ecd) Attack Pattern 2