Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31)

Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled. This mitigation can be implemented through the following measures:

Remove Legacy Software:

  • Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash).
  • Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date.

Disable Unused Features:

  • Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required.
  • Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue.

Control Applications Installed by Users:

  • Use Case: Prevent users from installing unauthorized software via group policies or other management tools.
  • Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment.

Remove Unnecessary Services:

  • Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices.
  • Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations.

Restrict Add-ons and Plugins:

  • Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes.
  • Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks.

Cluster A Galaxy A Cluster B Galaxy B Level
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 1
Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Downgrade Attack - T1562.010 (824add00-99a1-4b15-9a2d-6c5683b7b497) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
VBA Stomping - T1564.007 (c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534) Attack Pattern 1
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Exploitation of Remote Services - T1210 (9db0cf3a-a3c9-4012-8268-123b9db6fd82) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern 1
Cloud Application Integration - T1671 (c31aebd6-c9b5-420f-ba2a-5853bbf897fa) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
ClickOnce - T1127.002 (cc279e50-df85-4c8e-be80-6dc2eda8849c) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
JamPlus - T1127.003 (7d356151-a69d-404e-896b-71618952702a) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) Attack Pattern 1
Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Mavinject - T1218.013 (1bae753e-8e52-4055-a66d-2ead90303ca9) Attack Pattern 1
InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Verclsid - T1218.012 (808e6329-ca91-4b87-ac2d-8eadc5f8f327) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
MMC - T1218.014 (ffbcfdb0-de22-4106-9ed3-fc23c8a01407) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Container Administration Command - T1609 (7b50a1d3-4ca7-45d1-989d-a6503f04bfe1) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 1
Exfiltration Over Physical Medium - T1052 (e6415f09-df0e-48de-9aba-928c902b7549) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Emond - T1546.014 (9c45eaa3-8604-4780-8988-b5074dbb9ecd) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern 1
Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Communication Through Removable Media - T1092 (64196062-5210-42c3-9a02-563a0d1797ef) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 1
Escape to Host - T1611 (4a5b7ade-8bb5-4853-84ed-23f262002665) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Re-opened Applications - T1547.007 (e5cc9e7a-e61a-46a1-b869-55fb6eab058e) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Electron Applications - T1218.015 (561ae9aa-c28a-4144-9eec-e7027a14c8c3) Attack Pattern 1
Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Regsvcs/Regasm - T1218.009 (c48a67ee-b657-45c1-91bf-6cdbe27205f8) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
ARP Cache Poisoning - T1557.002 (cabe189c-a0e3-4965-a473-dcff00f17213) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) Attack Pattern 1
Additional Cloud Credentials - T1098.001 (8a2f40cf-8325-47f9-96e4-b1ca4c7389bd) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Screensaver - T1546.002 (ce4b7013-640e-48a9-b501-d0025a95f4bf) Attack Pattern 1
Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 1
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Wordlist Scanning - T1595.003 (bed04f7d-e48a-4e76-bd0f-4c57fe31fc46) Attack Pattern 1
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Direct Cloud VM Connections - T1021.008 (45241b9e-9bbc-4826-a2cc-78855e51ca09) Attack Pattern 1
LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action 1
Disable or Remove Feature or Program - M1042 (eb88d97c-32f1-40be-80f0-d61a4b0b4b31) Course of Action Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern 1
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern 2
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306) Attack Pattern 2
Downgrade Attack - T1562.010 (824add00-99a1-4b15-9a2d-6c5683b7b497) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 2
Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 2
VBA Stomping - T1564.007 (c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 2
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 2
Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 2
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern ClickOnce - T1127.002 (cc279e50-df85-4c8e-be80-6dc2eda8849c) Attack Pattern 2
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) Attack Pattern 2
JamPlus - T1127.003 (7d356151-a69d-404e-896b-71618952702a) Attack Pattern Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) Attack Pattern 2
Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) Attack Pattern Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Mavinject - T1218.013 (1bae753e-8e52-4055-a66d-2ead90303ca9) Attack Pattern 2
InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Verclsid - T1218.012 (808e6329-ca91-4b87-ac2d-8eadc5f8f327) Attack Pattern 2
MMC - T1218.014 (ffbcfdb0-de22-4106-9ed3-fc23c8a01407) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 2
Emond - T1546.014 (9c45eaa3-8604-4780-8988-b5074dbb9ecd) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Exfiltration Over Physical Medium - T1052 (e6415f09-df0e-48de-9aba-928c902b7549) Attack Pattern Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern 2
Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern 2
Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 2
Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Re-opened Applications - T1547.007 (e5cc9e7a-e61a-46a1-b869-55fb6eab058e) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Electron Applications - T1218.015 (561ae9aa-c28a-4144-9eec-e7027a14c8c3) Attack Pattern 2
Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) Attack Pattern Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Regsvcs/Regasm - T1218.009 (c48a67ee-b657-45c1-91bf-6cdbe27205f8) Attack Pattern 2
ARP Cache Poisoning - T1557.002 (cabe189c-a0e3-4965-a473-dcff00f17213) Attack Pattern Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern 2
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) Attack Pattern 2
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Additional Cloud Credentials - T1098.001 (8a2f40cf-8325-47f9-96e4-b1ca4c7389bd) Attack Pattern 2
Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 2
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern 2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Screensaver - T1546.002 (ce4b7013-640e-48a9-b501-d0025a95f4bf) Attack Pattern 2
Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Active Scanning - T1595 (67073dde-d720-45ae-83da-b12d5e73ca3b) Attack Pattern Wordlist Scanning - T1595.003 (bed04f7d-e48a-4e76-bd0f-4c57fe31fc46) Attack Pattern 2
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 2
Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Direct Cloud VM Connections - T1021.008 (45241b9e-9bbc-4826-a2cc-78855e51ca09) Attack Pattern 2
LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern 2
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern 2