File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c)

A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs).

This data component can be collected through the following measures:

Windows

  • Sysmon: Event ID 11: Logs file creation events, capturing details like the file path, hash, and creation time.
  • Windows Event Log: Enable "Object Access" auditing in Group Policy to track file creation under Event ID 4663.
  • PowerShell: Real-time monitoring of file creation: Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663}

Linux

  • Auditd: Use audit rules to monitor file creation: auditctl -w /path/to/directory -p w -k file_creation
  • View logs: ausearch -k file_creation
  • Inotify: Monitor file creation with inotifywait: inotifywait -m /path/to/watch -e create
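
A watch with -p w also records writes to files that already exist and failed attempts, so isolating creations means correlating each event's SYSCALL, CWD and PATH records and keeping only PATH items with nametype=CREATE. The following is an added example, not part of the original page: the log lines are constructed samples in raw audit.log format, and parse_events and find_creations are hypothetical helper names.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample records (not from a real host), as written to audit.log
# by a rule like: auditctl -w /srv/watched -p w -k file_creation
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1718000000.101:501): arch=c000003e syscall=257 success=yes exit=3 items=2 pid=1300 auid=1000 uid=1000 comm="cp" exe="/usr/bin/cp" key="file_creation"
type=CWD msg=audit(1718000000.101:501): cwd="/home/alice"
type=PATH msg=audit(1718000000.101:501): item=0 name="/srv/watched/" inode=100 nametype=PARENT
type=PATH msg=audit(1718000000.101:501): item=1 name="/srv/watched/report.txt" inode=201 nametype=CREATE
type=SYSCALL msg=audit(1718000005.202:502): arch=c000003e syscall=257 success=yes exit=3 items=1 pid=1310 auid=1000 uid=1000 comm="vim" exe="/usr/bin/vim" key="file_creation"
type=CWD msg=audit(1718000005.202:502): cwd="/home/alice"
type=PATH msg=audit(1718000005.202:502): item=0 name="/srv/watched/report.txt" inode=201 nametype=NORMAL
type=SYSCALL msg=audit(1718000009.303:503): arch=c000003e syscall=257 success=yes exit=3 items=2 pid=1320 auid=1001 uid=0 comm="bash" exe="/usr/bin/bash" key="file_creation"
type=CWD msg=audit(1718000009.303:503): cwd="/srv/watched"
type=PATH msg=audit(1718000009.303:503): item=0 name="./" inode=100 nametype=PARENT
type=PATH msg=audit(1718000009.303:503): item=1 name="drop.sh" inode=202 nametype=CREATE
type=SYSCALL msg=audit(1718000012.404:504): arch=c000003e syscall=257 success=yes exit=3 items=2 pid=1330 auid=1000 uid=1000 comm="touch" exe="/usr/bin/touch" key="file_creation"
type=CWD msg=audit(1718000012.404:504): cwd="/home/alice"
type=PATH msg=audit(1718000012.404:504): item=0 name="/srv/watched/" inode=100 nametype=PARENT
type=PATH msg=audit(1718000012.404:504): item=1 name=2F7372762F776174636865642F612062 inode=203 nametype=CREATE
type=SYSCALL msg=audit(1718000015.505:505): arch=c000003e syscall=257 success=no exit=-13 items=1 pid=1340 auid=1002 uid=1002 comm="touch" exe="/usr/bin/touch" key="file_creation"
type=CWD msg=audit(1718000015.505:505): cwd="/tmp"
type=PATH msg=audit(1718000015.505:505): item=0 name="/srv/watched/" inode=100 nametype=PARENT
'''

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# auditd writes these fields hex-encoded (unquoted) when they contain
# spaces or other special characters.
ENCODED_FIELDS = {"name", "cwd", "exe", "comm"}


def _decode(field, value):
    """Strip quotes, or hex-decode an unquoted string field."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if field in ENCODED_FIELDS and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_events(log_text):
    """Group records that share one audit(timestamp:serial) id into events."""
    events = defaultdict(lambda: {"syscall": {}, "cwd": "", "paths": []})
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # e.g. the "----" and "time->" lines ausearch prints
        rtype, ts, serial, body = m.groups()
        fields = {k: _decode(k, v) for k, v in FIELD_RE.findall(body)}
        event = events[(ts, serial)]
        if rtype == "SYSCALL":
            event["syscall"] = fields
        elif rtype == "CWD":
            event["cwd"] = fields.get("cwd", "")
        elif rtype == "PATH":
            event["paths"].append(fields)
    return events


def find_creations(log_text, key="file_creation"):
    """Return one dict per file actually created under the given rule key."""
    hits = []
    for (ts, serial), event in parse_events(log_text).items():
        syscall = event["syscall"]
        if syscall.get("key") != key or syscall.get("success") != "yes":
            continue  # other rule, or a denied/failed attempt
        for path_rec in event["paths"]:
            if path_rec.get("nametype") != "CREATE":
                continue  # PARENT directory or an already existing file
            # Relative names are resolved against the event's CWD record.
            full = posixpath.normpath(
                posixpath.join(event["cwd"], path_rec.get("name", "")))
            hits.append({"time": float(ts), "serial": int(serial),
                         "path": full, "exe": syscall.get("exe"),
                         "auid": syscall.get("auid")})
    return hits


if __name__ == "__main__":
    for hit in find_creations(SAMPLE_LOG):
        print(hit)
```
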

macOS

  • Unified Logs: Use the macOS Unified Logging System to capture file creation events.
  • FSEvents: Use File System Events to monitor file creation: fs_usage | grep create

Network Devices

  • NAS Logs: Monitor file creation events on network-attached storage devices.
  • SMB Logs: Collect logs of file creation activities over SMB/CIFS protocols.

SIEM Integration

  • Forward logs from all platforms (Windows, Linux, macOS) to a SIEM for central analysis and alerting.

Cluster A Galaxy A Cluster B Galaxy B Level
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Content Injection - T1659 (43c9bc06-715b-42db-972f-52d25c09a20c) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Login Hook - T1037.002 (43ba2b05-cf72-4b6c-8243-03a4aba41ee0) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Compiled HTML File - T1218.001 (a6937325-9321-4e2e-bb2b-3ed2d40b2a9d) Attack Pattern 1
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Transport Agent - T1505.002 (35187df2-31ed-43b6-a1f5-2f1d3d58d3f1) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Email Bombing - T1667 (bed81616-3dde-4685-be6e-ba9820f9a7ed) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component HTML Smuggling - T1027.006 (d4dc46e3-5ba5-45b9-8204-010867cacfcb) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Add-ins - T1137.006 (34f1d81d-fe88-4f97-bd3b-a3164536255d) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component RC Scripts - T1037.004 (dca670cf-eeec-438f-8185-fd959d9ef211) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc) Attack Pattern 1
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Startup Items - T1037.005 (c0dfe7b0-b873-4618-9ff8-53e31f70907f) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component IIS Components - T1505.004 (b46a801b-fd98-491c-a25a-bca25d6e3001) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 1
Stored Data Manipulation - T1565.001 (1cfcb312-b8d7-47a4-b560-4b16cc677292) Attack Pattern File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component 1
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component IDE Tunneling - T1219.001 (77e29a47-e263-4f11-8692-e5012f44dbac) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Executable Installer File Permissions Weakness - T1574.005 (70d81154-b187-45f9-8ec5-295d01255979) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern 1
Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101) Attack Pattern File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Control Panel - T1218.002 (4ff5d6a8-c062-4c68-a778-36fc5edd564f) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Password Filter DLL - T1556.002 (3731fbcd-0e43-47ae-ae6c-d15e510f0d42) Attack Pattern 1
Office Test - T1137.002 (ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a) Attack Pattern File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 1
Polymorphic Code - T1027.014 (b577dfc1-0177-4522-8d5a-782127c8592b) Attack Pattern File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component External Defacement - T1491.002 (0cfe31a7-81fc-472c-bc45-e2808d1066a3) Attack Pattern 1
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Bootkit - T1542.003 (1b7b1806-7746-41a1-a35d-e48dae25ddba) Attack Pattern 1
SVG Smuggling - T1027.017 (78b9e70d-1605-459c-b23d-e3a25036968c) Attack Pattern File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Runtime Data Manipulation - T1565.003 (32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Screensaver - T1546.002 (ce4b7013-640e-48a9-b501-d0025a95f4bf) Attack Pattern 1
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Trap - T1546.005 (63220765-d418-44de-8fae-694b3912317d) Attack Pattern 1
Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d) Attack Pattern File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825) Attack Pattern 1
Port Monitors - T1547.010 (43881e51-ac74-445b-b4c6-f9f9e9bf23fe) Attack Pattern File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Network Provider DLL - T1556.008 (90c4a591-d02d-490b-92aa-619d9701ac04) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Compromise Host Software Binary - T1554 (960c3c86-1480-4d72-b4e0-8c242e84a5c5) Attack Pattern 1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component MMC - T1218.014 (ffbcfdb0-de22-4106-9ed3-fc23c8a01407) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component XDG Autostart Entries - T1547.013 (e0232cb0-ded5-4c2e-9dc7-2893142a5c11) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Emond - T1546.014 (9c45eaa3-8604-4780-8988-b5074dbb9ecd) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component AppDomainManager - T1574.014 (356662f7-e315-4759-86c9-6214e2a50ff8) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 1
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Direct Volume Access - T1006 (0c8ab3eb-df48-4b9c-ace7-beacaac81cc5) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Bandwidth Hijacking - T1496.002 (718cb208-6446-4572-a2f0-9c799c60091e) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Taint Shared Content - T1080 (246fd3c7-f5e3-466d-8787-4c13d9e3b61c) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Launch Daemon - T1543.004 (573ad264-1371-4ae0-8482-d2673b719dba) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 1
Software Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8) Attack Pattern File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Forced Authentication - T1187 (b77cf5f3-6060-475d-bd60-40ccbf28fdc2) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Services File Permissions Weakness - T1574.010 (9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd) Attack Pattern 1
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Dylib Hijacking - T1574.004 (fc742192-19e3-466c-9eb5-964a97b29490) Attack Pattern 1
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component 1
File/Path Exclusions - T1564.012 (09b008a9-b4eb-462a-a751-a0eb58050cd9) Attack Pattern File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Compile After Delivery - T1027.004 (c726e0a2-a57a-4b7b-a973-d0f013246617) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Remote Data Staging - T1074.002 (359b00ad-9425-420b-bba5-6de8d600cbc0) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Archive via Library - T1560.002 (41868330-6ee2-4d0f-b743-9f2294c3c9b6) Attack Pattern 1
Resource Forking - T1564.009 (b22e5153-ac28-4cc6-865c-2054e36285cb) Attack Pattern File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Unix Shell Configuration Modification - T1546.004 (b63a34e8-0a61-4c97-a23b-bf8a2ed812e2) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component LSASS Driver - T1547.008 (f0589bc3-a6ae-425a-a3d5-5659bfee07f4) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Network Logon Script - T1037.003 (c63a348e-ffc2-486a-b9d9-d7f11ec54d99) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Kernel Modules and Extensions - T1547.006 (a1b52199-c8c5-438a-9ded-656f1d0888c6) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Container Orchestration Job - T1053.007 (1126cab1-c700-412f-a510-61f4937bb096) Attack Pattern 1
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component 1
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad) Attack Pattern 1
Bind Mounts - T1564.013 (5bd41255-a224-4425-a2e2-e9d293eafe1c) Attack Pattern File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component PowerShell Profile - T1546.013 (0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783) Attack Pattern 1
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component 1
Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Data Manipulation - T1565 (ac9e6b22-11bf-45d7-9181-c1cb08360931) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Login Items - T1547.015 (84601337-6a55-4ad7-9c35-79e0d1ea2ab3) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Installer Packages - T1546.016 (da051493-ae9c-4b1b-9760-c009c46c9b56) Attack Pattern 1
Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32) Attack Pattern File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2) Attack Pattern 1
File Creation (2b3bfe19-d59a-460d-93bb-2f546adc2d2c) mitre-data-component Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 1
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern Login Hook - T1037.002 (43ba2b05-cf72-4b6c-8243-03a4aba41ee0) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Compiled HTML File - T1218.001 (a6937325-9321-4e2e-bb2b-3ed2d40b2a9d) Attack Pattern 2
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern 2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern Transport Agent - T1505.002 (35187df2-31ed-43b6-a1f5-2f1d3d58d3f1) Attack Pattern 2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern HTML Smuggling - T1027.006 (d4dc46e3-5ba5-45b9-8204-010867cacfcb) Attack Pattern 2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern Add-ins - T1137.006 (34f1d81d-fe88-4f97-bd3b-a3164536255d) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) Attack Pattern 2
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern RC Scripts - T1037.004 (dca670cf-eeec-438f-8185-fd959d9ef211) Attack Pattern 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc) Attack Pattern 2
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 2
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern Startup Items - T1037.005 (c0dfe7b0-b873-4618-9ff8-53e31f70907f) Attack Pattern 2
IIS Components - T1505.004 (b46a801b-fd98-491c-a25a-bca25d6e3001) Attack Pattern Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 2
Stored Data Manipulation - T1565.001 (1cfcb312-b8d7-47a4-b560-4b16cc677292) Attack Pattern Data Manipulation - T1565 (ac9e6b22-11bf-45d7-9181-c1cb08360931) Attack Pattern 2
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern IDE Tunneling - T1219.001 (77e29a47-e263-4f11-8692-e5012f44dbac) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Executable Installer File Permissions Weakness - T1574.005 (70d81154-b187-45f9-8ec5-295d01255979) Attack Pattern 2
Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 2
Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b) Attack Pattern 2
Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101) Attack Pattern Software Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Control Panel - T1218.002 (4ff5d6a8-c062-4c68-a778-36fc5edd564f) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 2
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern Password Filter DLL - T1556.002 (3731fbcd-0e43-47ae-ae6c-d15e510f0d42) Attack Pattern 2
Office Test - T1137.002 (ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a) Attack Pattern Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 2
Polymorphic Code - T1027.014 (b577dfc1-0177-4522-8d5a-782127c8592b) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b) Attack Pattern External Defacement - T1491.002 (0cfe31a7-81fc-472c-bc45-e2808d1066a3) Attack Pattern 2
Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern Bootkit - T1542.003 (1b7b1806-7746-41a1-a35d-e48dae25ddba) Attack Pattern 2
SVG Smuggling - T1027.017 (78b9e70d-1605-459c-b23d-e3a25036968c) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Data Manipulation - T1565 (ac9e6b22-11bf-45d7-9181-c1cb08360931) Attack Pattern Runtime Data Manipulation - T1565.003 (32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490) Attack Pattern 2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Screensaver - T1546.002 (ce4b7013-640e-48a9-b501-d0025a95f4bf) Attack Pattern 2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584) Attack Pattern 2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Trap - T1546.005 (63220765-d418-44de-8fae-694b3912317d) Attack Pattern 2
Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825) Attack Pattern 2
Port Monitors - T1547.010 (43881e51-ac74-445b-b4c6-f9f9e9bf23fe) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783) Attack Pattern Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99) Attack Pattern 2
Network Provider DLL - T1556.008 (90c4a591-d02d-490b-92aa-619d9701ac04) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
MMC - T1218.014 (ffbcfdb0-de22-4106-9ed3-fc23c8a01407) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
XDG Autostart Entries - T1547.013 (e0232cb0-ded5-4c2e-9dc7-2893142a5c11) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Emond - T1546.014 (9c45eaa3-8604-4780-8988-b5074dbb9ecd) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern AppDomainManager - T1574.014 (356662f7-e315-4759-86c9-6214e2a50ff8) Attack Pattern 2
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 2
Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783) Attack Pattern Bandwidth Hijacking - T1496.002 (718cb208-6446-4572-a2f0-9c799c60091e) Attack Pattern 2
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961) Attack Pattern 2
Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 2
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern 2
Launch Daemon - T1543.004 (573ad264-1371-4ae0-8482-d2673b719dba) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Services File Permissions Weakness - T1574.010 (9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd) Attack Pattern 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Dylib Hijacking - T1574.004 (fc742192-19e3-466c-9eb5-964a97b29490) Attack Pattern 2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern File/Path Exclusions - T1564.012 (09b008a9-b4eb-462a-a751-a0eb58050cd9) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2
Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Compile After Delivery - T1027.004 (c726e0a2-a57a-4b7b-a973-d0f013246617) Attack Pattern 2
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern Remote Data Staging - T1074.002 (359b00ad-9425-420b-bba5-6de8d600cbc0) Attack Pattern 2
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Archive via Library - T1560.002 (41868330-6ee2-4d0f-b743-9f2294c3c9b6) Attack Pattern 2
Resource Forking - T1564.009 (b22e5153-ac28-4cc6-865c-2054e36285cb) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 2
Unix Shell Configuration Modification - T1546.004 (b63a34e8-0a61-4c97-a23b-bf8a2ed812e2) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
LSASS Driver - T1547.008 (f0589bc3-a6ae-425a-a3d5-5659bfee07f4) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern Network Logon Script - T1037.003 (c63a348e-ffc2-486a-b9d9-d7f11ec54d99) Attack Pattern 2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Kernel Modules and Extensions - T1547.006 (a1b52199-c8c5-438a-9ded-656f1d0888c6) Attack Pattern 2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern Container Orchestration Job - T1053.007 (1126cab1-c700-412f-a510-61f4937bb096) Attack Pattern 2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Bind Mounts - T1564.013 (5bd41255-a224-4425-a2e2-e9d293eafe1c) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 2
PowerShell Profile - T1546.013 (0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 2
Login Items - T1547.015 (84601337-6a55-4ad7-9c35-79e0d1ea2ab3) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Installer Packages - T1546.016 (da051493-ae9c-4b1b-9760-c009c46c9b56) Attack Pattern 2
Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2