Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0)

Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as cmd.exe, bash, zsh, or PowerShell, or through programmatic execution. Examples:

  • Windows Command Prompt
    • dir – Lists directory contents.
    • net user – Queries or manipulates user accounts.
    • tasklist – Lists running processes.
  • PowerShell
    • Get-Process – Retrieves processes running on a system.
    • Set-ExecutionPolicy – Changes PowerShell script execution policies.
    • Invoke-WebRequest – Downloads remote resources.
  • Linux Shell
    • ls – Lists files in a directory.
    • cat /etc/passwd – Reads the user accounts file.
    • curl http://malicious-site.com – Retrieves content from a malicious URL.
  • Container Environments
    • docker exec – Executes a command inside a running container.
    • kubectl exec – Runs commands in Kubernetes pods.
  • macOS Terminal
    • open – Opens files or URLs.
    • dscl . -list /Users – Lists all users on the system.
    • osascript -e – Executes AppleScript commands.

This data component can be collected through the following measures:

Enable Command Logging

  • Windows:
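    • Enable PowerShell logging: Set-ExecutionPolicy Bypass, Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1. Script block logging is turned on by the EnableScriptBlockLogging registry value; Set-ExecutionPolicy Bypass relaxes the script execution policy and is not itself a logging setting.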
    • Enable Windows Event Logging:
      • Event ID 4688: Tracks process creation, including command-line arguments.
      • Event ID 4104: Logs PowerShell script block execution.
  • Linux/macOS:
    • Enable shell history logging in .bashrc or .zshrc: export HISTTIMEFORMAT="%d/%m/%y %T ", export PROMPT_COMMAND='history -a; history -w'
    • Use audit frameworks (e.g., auditd) to log command executions. Example rule to log all execve syscalls: -a always,exit -F arch=b64 -S execve -k cmd_exec
  • Containers:
    • Use runtime-specific tools like Docker’s --log-driver or Kubernetes Audit Logs to capture exec commands.
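
Added example (not part of the original page or of MITRE's material): a Python parser that rebuilds command lines from the records written by the execve audit rule above, including arguments that auditd stores hex-encoded, which a plain-text search of the raw log misses. The log lines are constructed samples, and the function names are illustrative.

```python
import re
import shlex

# Constructed sample of audit.log output for the rule
#   -a always,exit -F arch=b64 -S execve -k cmd_exec
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:101): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1301 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="cmd_exec"
type=EXECVE msg=audit(1700000000.101:101): argc=2 a0="ls" a1="-l"
type=SYSCALL msg=audit(1700000005.202:102): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1302 auid=1000 uid=1000 comm="sh" exe="/usr/bin/sh" key="cmd_exec"
type=EXECVE msg=audit(1700000005.202:102): argc=3 a0="sh" a1="-c" a2=636174202F6574632F706173737764
type=SYSCALL msg=audit(1700000009.303:103): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1303 auid=4294967295 uid=0 comm="id" exe="/usr/bin/id" key="other_rule"
type=EXECVE msg=audit(1700000009.303:103): argc=1 a0="id"
type=SYSCALL msg=audit(1700000012.404:104): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1304 auid=1000 uid=1000 comm="echo" exe="/usr/bin/echo" key="cmd_exec"
type=EXECVE msg=audit(1700000012.404:104): argc=2 a0="echo" a1_len=8 a1[0]="AAAA" a1[1]="BBBB"
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'([\w\[\]]+)=("[^"]*"|\S+)')
ARG_RE = re.compile(r'^a(\d+)(?:\[(\d+)\])?$')  # a2 or, for long args, a2[0], a2[1], ...


def decode_arg(raw):
    """auditd quotes plain strings and hex-encodes values with spaces or control bytes."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].encode()
    try:
        return bytes.fromhex(raw)
    except ValueError:
        return raw.encode()  # unexpected token such as (null): keep it verbatim


def parse_exec_events(log_text, rule_key="cmd_exec"):
    """Group SYSCALL and EXECVE records by audit event id and rebuild argv."""
    events = {}
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(
            (ts, serial), {"time": float(ts), "serial": int(serial), "chunks": {}}
        )
        pairs = FIELD_RE.findall(body)
        if rtype == "SYSCALL":
            fields = dict(pairs)
            for name in ("key", "exe", "pid", "ppid", "auid"):
                ev[name] = fields.get(name, "").strip('"')
        elif rtype == "EXECVE":
            for name, raw in pairs:
                am = ARG_RE.match(name)  # skips argc and aN_len
                if am:
                    ev["chunks"][(int(am.group(1)), int(am.group(2) or 0))] = decode_arg(raw)

    results = []
    for ev in events.values():
        chunks = ev.pop("chunks")
        if ev.get("key") != rule_key or not chunks:
            continue  # event from another rule, or no EXECVE record seen
        args = {}
        for idx, part in sorted(chunks):
            args[idx] = args.get(idx, b"") + chunks[(idx, part)]
        ev["argv"] = [args[i].decode("utf-8", "replace") for i in sorted(args)]
        ev["cmdline"] = shlex.join(ev["argv"])
        results.append(ev)
    return sorted(results, key=lambda e: e["serial"])


def flag_events(events, needles=("/etc/passwd",)):
    """Return serials of events whose decoded arguments contain a watched string."""
    return [
        e["serial"]
        for e in events
        if any(n in arg for arg in e["argv"] for n in needles)
    ]


if __name__ == "__main__":
    parsed = parse_exec_events(SAMPLE_LOG)
    for e in parsed:
        print(e["serial"], e["auid"], e["exe"], e["cmdline"])
    print("flagged:", flag_events(parsed))
```

The rule shown filters on arch=b64, so 32-bit executions are only recorded if a matching arch=b32 rule is also loaded.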

Integrate with Centralized Logging

  • Collect logs using a SIEM (e.g., Splunk) or cloud-based log aggregation tools like AWS CloudWatch or Azure Monitor. Example Splunk Search for Windows Event 4688: index=windows EventID=4688 CommandLine=*

Use Endpoint Detection and Response (EDR) Tools

  • Monitor command executions via EDR solutions

Deploy Sysmon for Advanced Logging (Windows)

  • Use Sysmon's Event ID 1 to log process creation with command-line arguments.

Cluster A Galaxy A Cluster B Galaxy B Level
Exfiltration Over Physical Medium - T1052 (e6415f09-df0e-48de-9aba-928c902b7549) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Network Device CLI - T1059.008 (818302b2-d640-477b-bf88-873120ce85c4) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Malicious Image - T1204.003 (b0c74ef9-c61e-4986-88cb-78da98a355ec) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Login Hook - T1037.002 (43ba2b05-cf72-4b6c-8243-03a4aba41ee0) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Compiled HTML File - T1218.001 (a6937325-9321-4e2e-bb2b-3ed2d40b2a9d) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
System Shutdown/Reboot - T1529 (ff73aa03-0090-4464-83ac-f89e233c02bc) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Exclusive Control - T1668 (dff263cc-328e-42b4-afbc-1fee8b6a8913) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Add-ins - T1137.006 (34f1d81d-fe88-4f97-bd3b-a3164536255d) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Regsvcs/Regasm - T1218.009 (c48a67ee-b657-45c1-91bf-6cdbe27205f8) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Cloud Administration Command - T1651 (d94b3ae9-8059-4989-8e9f-ea0f601f80a7) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Group Policy Discovery - T1615 (1b20efbf-8063-4fc3-a07d-b575318a301b) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
RC Scripts - T1037.004 (dca670cf-eeec-438f-8185-fd959d9ef211) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Systemd Timers - T1053.006 (a542bac9-7bc1-4da7-9a09-96f69e23cc21) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Startup Items - T1037.005 (c0dfe7b0-b873-4618-9ff8-53e31f70907f) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Cloud Groups - T1069.003 (16e94db9-b5b1-4cd0-b851-f38fbd0a70f2) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Disk Structure Wipe - T1561.002 (0af0ca99-357d-4ba1-805f-674fdfb7bef9) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Email Account - T1087.003 (4bc31b94-045b-4752-8920-aebaebdb6470) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
IIS Components - T1505.004 (b46a801b-fd98-491c-a25a-bca25d6e3001) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
AppleScript - T1059.002 (37b11151-1776-4f8f-b328-30939fbf2ceb) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Cloud Account - T1087.004 (8f104855-e5b7-4077-b1f5-bc3103b41abe) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Outlook Home Page - T1137.004 (bf147104-abf9-4221-95d1-e81585859441) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
PubPrn - T1216.001 (09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Setuid and Setgid - T1548.001 (6831414d-bb70-42b7-8030-d4e06b2660c9) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Cloud API - T1059.009 (55bb4471-ff1f-43b4-88c1-c9384ec47abf) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
System Script Proxy Execution - T1216 (f6fe9070-7a65-49ea-ae72-76292f42cebe) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Lua - T1059.011 (afddee82-3385-4682-ad90-eeced33f2d07) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
SyncAppvPublishingServer - T1216.002 (e6f19759-dde3-47fc-99cc-d9f5fa4ade60) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
ClickOnce - T1127.002 (cc279e50-df85-4c8e-be80-6dc2eda8849c) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Image File Execution Options Injection - T1546.012 (6d4a7fb3-5a24-42be-ae61-6728a2b581f6) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
vSphere Installation Bundles - T1505.006 (f8ba7d61-11c5-4130-bafd-7c3ff5fbf4b5) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Control Panel - T1218.002 (4ff5d6a8-c062-4c68-a778-36fc5edd564f) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Unix Shell - T1623.001 (693cdbff-ea73-49c6-ac3f-91e7285c31d1) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Office Test - T1137.002 (ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Command and Scripting Interpreter - T1623 (29f1f56c-7b7a-4c14-9e39-59577ea2743c) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Device Driver Discovery - T1652 (215d9700-5881-48b8-8265-6449dbb7195d) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Launchctl - T1569.001 (810aa4ad-61c9-49cb-993f-daa06199421d) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Downgrade Attack - T1562.010 (824add00-99a1-4b15-9a2d-6c5683b7b497) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Data from Network Shared Drive - T1039 (ae676644-d2d2-41b7-af7e-9bed1b55898c) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Hypervisor CLI - T1059.012 (d2d642da-61ff-4211-b4df-7923c9ca220c) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Screensaver - T1546.002 (ce4b7013-640e-48a9-b501-d0025a95f4bf) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Outlook Forms - T1137.003 (a9e2cea0-c805-4bf8-9e31-f5f0513a3634) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Gatekeeper Bypass - T1553.001 (31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Systemctl - T1569.003 (4b46767d-4a61-4f30-995e-c19a75c2e536) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Installer Packages - T1546.016 (da051493-ae9c-4b1b-9760-c009c46c9b56) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Outlook Rules - T1137.005 (3d1b9d7e-3921-4d25-845a-7d9f15c0da44) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Trap - T1546.005 (63220765-d418-44de-8fae-694b3912317d) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Netsh Helper DLL - T1546.007 (f63fe421-b1d1-45c0-b8a7-02cd16ff2bed) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
AppInit DLLs - T1546.010 (cc89ecbd-3d33-4a41-bcca-001e702d18fd) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Exfiltration Over Webhook - T1567.004 (43f2776f-b4bd-4118-94b8-fee47e69676d) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Email Hiding Rules - T1564.008 (0cf55441-b176-4332-89e7-2c4c7799d0ff) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Verclsid - T1218.012 (808e6329-ca91-4b87-ac2d-8eadc5f8f327) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Mavinject - T1218.013 (1bae753e-8e52-4055-a66d-2ead90303ca9) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Virtual Machine Discovery - T1673 (6bc7f9aa-b91f-4b23-84b8-5e756eba68eb) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Ignore Process Interrupts - T1564.011 (4a2975db-414e-4c0c-bd92-775987514b4b) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
MMC - T1218.014 (ffbcfdb0-de22-4106-9ed3-fc23c8a01407) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
XDG Autostart Entries - T1547.013 (e0232cb0-ded5-4c2e-9dc7-2893142a5c11) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
COR_PROFILER - T1574.012 (ffeb0780-356e-4261-b036-cfb6bd234335) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Emond - T1546.014 (9c45eaa3-8604-4780-8988-b5074dbb9ecd) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Bash History - T1552.003 (8187bd2a-866f-4457-9009-86b0ddedffa3) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Plist File Modification - T1647 (7d20fff9-8751-404e-badd-ccd71bda0236) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Trust Modification - T1484.002 (24769ab5-14bd-4f4e-a752-cfb185da53ee) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
TFTP Boot - T1542.005 (28abec6c-4443-4b03-8206-07f2e264a6b4) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
AutoHotKey & AutoIT - T1059.010 (3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Authentication Package - T1547.002 (b8cfed42-6a8a-4989-ad72-541af74475ec) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Direct Volume Access - T1006 (0c8ab3eb-df48-4b9c-ace7-beacaac81cc5) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Bandwidth Hijacking - T1496.002 (718cb208-6446-4572-a2f0-9c799c60091e) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Securityd Memory - T1555.002 (1a80d097-54df-41d8-9d33-34e755ec5e72) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Container API - T1552.007 (f8ef3a62-3f44-40a4-abca-761ab235c436) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Password Policy Discovery - T1201 (b6075259-dba3-44e9-87c7-e954f37ec0d5) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Wi-Fi Discovery - T1016.002 (494ab9f0-36e0-4b06-b10d-57285b040a06) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
/etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Indirect Command Execution - T1202 (3b0e52ce-517a-4614-a523-1bd5deef6c5e) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Re-opened Applications - T1547.007 (e5cc9e7a-e61a-46a1-b869-55fb6eab058e) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Launch Daemon - T1543.004 (573ad264-1371-4ae0-8482-d2673b719dba) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Container Service - T1543.005 (b0e54bf7-835e-4f44-bd8e-62f431b9b76a) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Clear Mailbox Data - T1070.008 (438c967d-3996-4870-bfc2-3954752a1927) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Time Providers - T1547.003 (61afc315-860c-4364-825d-0d62b2e91edc) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Software Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Change Default File Association - T1546.001 (98034fef-d9fb-4667-8dc4-2eab6231724c) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Exfiltration to Code Repository - T1567.001 (86a96bf6-cf8b-411c-aaeb-8959944d64f7) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Linux and Mac File and Directory Permissions Modification - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Impair Command History Logging - T1562.003 (8f504411-cb96-4dac-a537-8d2bb7679c59) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
LC_LOAD_DYLIB Addition - T1546.006 (10ff21b9-5a01-4268-a1b5-3b55015f1847) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Data Destruction - T1662 (9ef14445-6f35-4ed0-a042-5024f13a9242) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Remote Data Staging - T1074.002 (359b00ad-9425-420b-bba5-6de8d600cbc0) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Compile After Delivery - T1027.004 (c726e0a2-a57a-4b7b-a973-d0f013246617) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
TCC Manipulation - T1548.006 (e8a0a025-3601-4755-abfb-8d08283329fb) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
AppCert DLLs - T1546.009 (7d57b371-10c2-45e5-b3cc-83a8fb380e4c) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Resource Forking - T1564.009 (b22e5153-ac28-4cc6-865c-2054e36285cb) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
GUI Input Capture - T1056.002 (a2029942-0a85-4947-b23c-ca434698171d) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Unix Shell Configuration Modification - T1546.004 (b63a34e8-0a61-4c97-a23b-bf8a2ed812e2) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Network Logon Script - T1037.003 (c63a348e-ffc2-486a-b9d9-d7f11ec54d99) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Kernel Modules and Extensions - T1547.006 (a1b52199-c8c5-438a-9ded-656f1d0888c6) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Power Settings - T1653 (ea071aa0-8f17-416f-ab0d-2bab7e79003d) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Container Administration Command - T1609 (7b50a1d3-4ca7-45d1-989d-a6503f04bfe1) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Reversible Encryption - T1556.005 (d50955c2-272d-4ac8-95da-10c29dda1c48) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Services Registry Permissions Weakness - T1574.011 (17cc750b-e95b-4d7d-9dde-49e0de24148c) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001 (79a4052e-1a89-4b09-aea6-51f1d11fe19c) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Log Enumeration - T1654 (866d0d6d-02c6-42bd-aa2f-02907fdc0969) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Electron Applications - T1218.015 (561ae9aa-c28a-4144-9eec-e7027a14c8c3) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Application Shimming - T1546.011 (42fe883a-21ea-4cfb-b94a-78b6476dcc83) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Clear Linux or Mac System Logs - T1070.002 (2bce5b30-7014-4a5d-ade7-12913fe6ac36) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Bind Mounts - T1564.013 (5bd41255-a224-4425-a2e2-e9d293eafe1c) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Clear Network Connection History and Configurations - T1070.007 (3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
PowerShell Profile - T1546.013 (0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Extended Attributes - T1564.014 (762e6f29-a62f-4d96-91ed-d0073181431f) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Windows File and Directory Permissions Modification - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Terminal Services DLL - T1505.005 (379809f6-2fac-42c1-bd2e-e9dee70b27f8) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Disable or Modify Linux Audit System - T1562.012 (562e9b64-7239-493d-80f4-2bff900d9054) Attack Pattern Command Execution (685f917a-e95e-4ba0-ade1-c7d354dae6e0) mitre-data-component 1
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Network Device CLI - T1059.008 (818302b2-d640-477b-bf88-873120ce85c4) Attack Pattern 2
Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004) Attack Pattern Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 2
Malicious Image - T1204.003 (b0c74ef9-c61e-4986-88cb-78da98a355ec) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 2
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern Login Hook - T1037.002 (43ba2b05-cf72-4b6c-8243-03a4aba41ee0) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Compiled HTML File - T1218.001 (a6937325-9321-4e2e-bb2b-3ed2d40b2a9d) Attack Pattern 2
Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) Attack Pattern 2
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19) Attack Pattern 2
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern 2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern Add-ins - T1137.006 (34f1d81d-fe88-4f97-bd3b-a3164536255d) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Regsvcs/Regasm - T1218.009 (c48a67ee-b657-45c1-91bf-6cdbe27205f8) Attack Pattern 2
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 2
Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac) Attack Pattern Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967) Attack Pattern 2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern RC Scripts - T1037.004 (dca670cf-eeec-438f-8185-fd959d9ef211) Attack Pattern 2
Systemd Timers - T1053.006 (a542bac9-7bc1-4da7-9a09-96f69e23cc21) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern Startup Items - T1037.005 (c0dfe7b0-b873-4618-9ff8-53e31f70907f) Attack Pattern 2
Cloud Groups - T1069.003 (16e94db9-b5b1-4cd0-b851-f38fbd0a70f2) Attack Pattern Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern 2
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 2
Disk Structure Wipe - T1561.002 (0af0ca99-357d-4ba1-805f-674fdfb7bef9) Attack Pattern Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967) Attack Pattern 2
Email Account - T1087.003 (4bc31b94-045b-4752-8920-aebaebdb6470) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0) Attack Pattern 2
IIS Components - T1505.004 (b46a801b-fd98-491c-a25a-bca25d6e3001) Attack Pattern Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern AppleScript - T1059.002 (37b11151-1776-4f8f-b328-30939fbf2ceb) Attack Pattern 2
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern Cloud Account - T1087.004 (8f104855-e5b7-4077-b1f5-bc3103b41abe) Attack Pattern 2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern Outlook Home Page - T1137.004 (bf147104-abf9-4221-95d1-e81585859441) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern 2
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 2
Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) Attack Pattern Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 2
System Script Proxy Execution - T1216 (f6fe9070-7a65-49ea-ae72-76292f42cebe) Attack Pattern PubPrn - T1216.001 (09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 2
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern Setuid and Setgid - T1548.001 (6831414d-bb70-42b7-8030-d4e06b2660c9) Attack Pattern 2
Cloud API - T1059.009 (55bb4471-ff1f-43b4-88c1-c9384ec47abf) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Lua - T1059.011 (afddee82-3385-4682-ad90-eeced33f2d07) Attack Pattern 2
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
System Script Proxy Execution - T1216 (f6fe9070-7a65-49ea-ae72-76292f42cebe) Attack Pattern SyncAppvPublishingServer - T1216.002 (e6f19759-dde3-47fc-99cc-d9f5fa4ade60) Attack Pattern 2
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern ClickOnce - T1127.002 (cc279e50-df85-4c8e-be80-6dc2eda8849c) Attack Pattern 2
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 2
CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Image File Execution Options Injection - T1546.012 (6d4a7fb3-5a24-42be-ae61-6728a2b581f6) Attack Pattern 2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern vSphere Installation Bundles - T1505.006 (f8ba7d61-11c5-4130-bafd-7c3ff5fbf4b5) Attack Pattern 2
Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101) Attack Pattern Software Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8) Attack Pattern 2
InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Control Panel - T1218.002 (4ff5d6a8-c062-4c68-a778-36fc5edd564f) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern 2
Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 2
Command and Scripting Interpreter - T1623 (29f1f56c-7b7a-4c14-9e39-59577ea2743c) Attack Pattern Unix Shell - T1623.001 (693cdbff-ea73-49c6-ac3f-91e7285c31d1) Attack Pattern 2
Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 2
Office Test - T1137.002 (ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a) Attack Pattern Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) Attack Pattern 2
Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 2
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Launchctl - T1569.001 (810aa4ad-61c9-49cb-993f-daa06199421d) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Downgrade Attack - T1562.010 (824add00-99a1-4b15-9a2d-6c5683b7b497) Attack Pattern 2
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Hypervisor CLI - T1059.012 (d2d642da-61ff-4211-b4df-7923c9ca220c) Attack Pattern 2
Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Screensaver - T1546.002 (ce4b7013-640e-48a9-b501-d0025a95f4bf) Attack Pattern 2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern Outlook Forms - T1137.003 (a9e2cea0-c805-4bf8-9e31-f5f0513a3634) Attack Pattern 2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584) Attack Pattern 2
Gatekeeper Bypass - T1553.001 (31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5) Attack Pattern 2
Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Systemctl - T1569.003 (4b46767d-4a61-4f30-995e-c19a75c2e536) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 2
SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Installer Packages - T1546.016 (da051493-ae9c-4b1b-9760-c009c46c9b56) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern 2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern Outlook Rules - T1137.005 (3d1b9d7e-3921-4d25-845a-7d9f15c0da44) Attack Pattern 2
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Trap - T1546.005 (63220765-d418-44de-8fae-694b3912317d) Attack Pattern 2
Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 2
Netsh Helper DLL - T1546.007 (f63fe421-b1d1-45c0-b8a7-02cd16ff2bed) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825) Attack Pattern 2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern AppInit DLLs - T1546.010 (cc89ecbd-3d33-4a41-bcca-001e702d18fd) Attack Pattern 2
Exfiltration Over Webhook - T1567.004 (43f2776f-b4bd-4118-94b8-fee47e69676d) Attack Pattern Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Email Hiding Rules - T1564.008 (0cf55441-b176-4332-89e7-2c4c7799d0ff) Attack Pattern 2
Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783) Attack Pattern Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99) Attack Pattern 2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 2
Verclsid - T1218.012 (808e6329-ca91-4b87-ac2d-8eadc5f8f327) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Mavinject - T1218.013 (1bae753e-8e52-4055-a66d-2ead90303ca9) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Ignore Process Interrupts - T1564.011 (4a2975db-414e-4c0c-bd92-775987514b4b) Attack Pattern 2
MMC - T1218.014 (ffbcfdb0-de22-4106-9ed3-fc23c8a01407) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
XDG Autostart Entries - T1547.013 (e0232cb0-ded5-4c2e-9dc7-2893142a5c11) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern COR_PROFILER - T1574.012 (ffeb0780-356e-4261-b036-cfb6bd234335) Attack Pattern 2
Emond - T1546.014 (9c45eaa3-8604-4780-8988-b5074dbb9ecd) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 2
Bash History - T1552.003 (8187bd2a-866f-4457-9009-86b0ddedffa3) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 2
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 2
Trust Modification - T1484.002 (24769ab5-14bd-4f4e-a752-cfb185da53ee) Attack Pattern Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) Attack Pattern 2
Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern TFTP Boot - T1542.005 (28abec6c-4443-4b03-8206-07f2e264a6b4) Attack Pattern 2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern AutoHotKey & AutoIT - T1059.010 (3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5) Attack Pattern 2
Authentication Package - T1547.002 (b8cfed42-6a8a-4989-ad72-541af74475ec) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3) Attack Pattern 2
Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783) Attack Pattern Bandwidth Hijacking - T1496.002 (718cb208-6446-4572-a2f0-9c799c60091e) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Securityd Memory - T1555.002 (1a80d097-54df-41d8-9d33-34e755ec5e72) Attack Pattern 2
Container API - T1552.007 (f8ef3a62-3f44-40a4-abca-761ab235c436) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 2
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
Wi-Fi Discovery - T1016.002 (494ab9f0-36e0-4b06-b10d-57285b040a06) Attack Pattern System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da) Attack Pattern 2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern /etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4) Attack Pattern 2
Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 2
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 2
Re-opened Applications - T1547.007 (e5cc9e7a-e61a-46a1-b869-55fb6eab058e) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Launch Daemon - T1543.004 (573ad264-1371-4ae0-8482-d2673b719dba) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530) Attack Pattern 2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Container Service - T1543.005 (b0e54bf7-835e-4f44-bd8e-62f431b9b76a) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a) Attack Pattern 2
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Clear Mailbox Data - T1070.008 (438c967d-3996-4870-bfc2-3954752a1927) Attack Pattern 2
Time Providers - T1547.003 (61afc315-860c-4364-825d-0d62b2e91edc) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 2
Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) Attack Pattern Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc) Attack Pattern 2
Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 2
Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829) Attack Pattern Exfiltration Over Physical Medium - T1052 (e6415f09-df0e-48de-9aba-928c902b7549) Attack Pattern 2
Change Default File Association - T1546.001 (98034fef-d9fb-4667-8dc4-2eab6231724c) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 2
Exfiltration to Code Repository - T1567.001 (86a96bf6-cf8b-411c-aaeb-8959944d64f7) Attack Pattern Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 2
Linux and Mac File and Directory Permissions Modification - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345) Attack Pattern File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) Attack Pattern 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 2
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Impair Command History Logging - T1562.003 (8f504411-cb96-4dac-a537-8d2bb7679c59) Attack Pattern 2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 2
LC_LOAD_DYLIB Addition - T1546.006 (10ff21b9-5a01-4268-a1b5-3b55015f1847) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 2
User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938) Attack Pattern Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2
Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern Remote Data Staging - T1074.002 (359b00ad-9425-420b-bba5-6de8d600cbc0) Attack Pattern 2
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Compile After Delivery - T1027.004 (c726e0a2-a57a-4b7b-a973-d0f013246617) Attack Pattern 2
Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 2
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern TCC Manipulation - T1548.006 (e8a0a025-3601-4755-abfb-8d08283329fb) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern AppCert DLLs - T1546.009 (7d57b371-10c2-45e5-b3cc-83a8fb380e4c) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 2
Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 2
Resource Forking - T1564.009 (b22e5153-ac28-4cc6-865c-2054e36285cb) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d) Attack Pattern 2
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern GUI Input Capture - T1056.002 (a2029942-0a85-4947-b23c-ca434698171d) Attack Pattern 2
Unix Shell Configuration Modification - T1546.004 (b63a34e8-0a61-4c97-a23b-bf8a2ed812e2) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern Network Logon Script - T1037.003 (c63a348e-ffc2-486a-b9d9-d7f11ec54d99) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) Attack Pattern 2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Kernel Modules and Extensions - T1547.006 (a1b52199-c8c5-438a-9ded-656f1d0888c6) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21) Attack Pattern 2
Reversible Encryption - T1556.005 (d50955c2-272d-4ac8-95da-10c29dda1c48) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Services Registry Permissions Weakness - T1574.011 (17cc750b-e95b-4d7d-9dde-49e0de24148c) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 2
Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001 (79a4052e-1a89-4b09-aea6-51f1d11fe19c) Attack Pattern Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 2
Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
Electron Applications - T1218.015 (561ae9aa-c28a-4144-9eec-e7027a14c8c3) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Application Shimming - T1546.011 (42fe883a-21ea-4cfb-b94a-78b6476dcc83) Attack Pattern 2
Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Clear Linux or Mac System Logs - T1070.002 (2bce5b30-7014-4a5d-ade7-12913fe6ac36) Attack Pattern 2
Bind Mounts - T1564.013 (5bd41255-a224-4425-a2e2-e9d293eafe1c) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Clear Network Connection History and Configurations - T1070.007 (3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc) Attack Pattern 2
PowerShell Profile - T1546.013 (0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Extended Attributes - T1564.014 (762e6f29-a62f-4d96-91ed-d0073181431f) Attack Pattern 2
Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Windows File and Directory Permissions Modification - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee) Attack Pattern File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) Attack Pattern 2
SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern Terminal Services DLL - T1505.005 (379809f6-2fac-42c1-bd2e-e9dee70b27f8) Attack Pattern 2
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern 2
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 2
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Linux Audit System - T1562.012 (562e9b64-7239-493d-80f4-2bff900d9054) Attack Pattern 2