From c720e077e260aaac20b1d8943dffcda6a435a674 Mon Sep 17 00:00:00 2001 From: Cody Thomas Date: Wed, 16 Dec 2020 09:08:34 -0800 Subject: [PATCH 01/23] Update shell_elevated.py updating shell_elevated to not make all parameters required. --- .../apfell/mythic/agent_functions/shell_elevated.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/Payload_Types/apfell/mythic/agent_functions/shell_elevated.py b/Payload_Types/apfell/mythic/agent_functions/shell_elevated.py index c22f98a94..9769f27ec 100644 --- a/Payload_Types/apfell/mythic/agent_functions/shell_elevated.py +++ b/Payload_Types/apfell/mythic/agent_functions/shell_elevated.py @@ -18,15 +18,18 @@ def __init__(self, command_line): description="Use supplied creds or prompt the user for creds", ), "user": CommandParameter( - name="user", type=ParameterType.Credential_Account + name="user", type=ParameterType.Credential_Account, + required=False ), "credential": CommandParameter( - name="credential", type=ParameterType.Credential_Value + name="credential", type=ParameterType.Credential_Value, + required=False ), "prompt": CommandParameter( name="prompt", type=ParameterType.String, description="What prompt to display to the user when asking for creds", + required=False ), } From 76744698657c2df62ff3126db8d94f7d67f3f2e9 Mon Sep 17 00:00:00 2001 From: pangolinsec <75450454+pangolinsec@users.noreply.github.com> Date: Fri, 18 Dec 2020 16:02:09 -0500 Subject: [PATCH 02/23] Added verbosity to the comment on wrapped_payloads Clarified that, when writing a wrapper, devs need to modify the `wrapped_payloads` variable to include the name of the new wrapper for each payload that they want to be able to utilize. This is a pretty trivial change, but it caught me for a bit while writing a wrapper. --- Example_Payload_Type/mythic/agent_functions/builder.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
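Review bot: Making user, credential and prompt all optional leaves no visible check that the mode chosen by the preceding parameter (its description on the hunk's first context line reads "Use supplied creds or prompt the user for creds") has the inputs it needs, so a task that selects supplied creds with an empty user or credential is accepted by the parameter table and can only fail on the agent. If this command class has a create_tasking hook like the one in test_password.py later in this series, that is the place to reject the combination server-side and return a clear error. The enclosing __init__ starts and ends outside the hunk.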
diff --git a/Example_Payload_Type/mythic/agent_functions/builder.py b/Example_Payload_Type/mythic/agent_functions/builder.py
index c24455cb5..1b8f072df 100644
--- a/Example_Payload_Type/mythic/agent_functions/builder.py
+++ b/Example_Payload_Type/mythic/agent_functions/builder.py
@@ -12,7 +12,7 @@ class Atlas(PayloadType):
 author = "@Airzero24" # author of the payload type
 supported_os = [SupportedOS.Windows] # supported OS and architecture combos
 wrapper = False # does this payload type act as a wrapper for another payloads inside of it?
- wrapped_payloads = [] # if so, which payload types
+ wrapped_payloads = [] # if so, which payload types. If you are writing a wrapper, you will need to modify this variable (adding in your wrapper's name) in the builder.py of each payload that you want to utilize your wrapper.
 note = """Any note you want to show up about your payload type in the UI"""
 supports_dynamic_loading = False # setting this to True allows users to only select a subset of commands when generating a payload
 build_parameters = {
From c63df67f4287fdb715181ccf8cb8ffdad20e6ba6 Mon Sep 17 00:00:00 2001
From: matterpreter
Date: Wed, 20 Jan 2021 10:16:45 -0500
Subject: [PATCH 03/23] Fixing missing spaces in process command line arguments
---
 Payload_Types/poseidon/agent_code/ps/ps_linux.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Payload_Types/poseidon/agent_code/ps/ps_linux.go b/Payload_Types/poseidon/agent_code/ps/ps_linux.go
index 0d5fec950..24d6e7149 100755
--- a/Payload_Types/poseidon/agent_code/ps/ps_linux.go
+++ b/Payload_Types/poseidon/agent_code/ps/ps_linux.go
@@ -84,7 +84,8 @@ func (p *UnixProcess) BundleID() string {
 func getProcessCmdline(pid int) string {
 filename := fmt.Sprintf("/proc/%d/cmdline", pid)
 f, _ := ioutil.ReadFile(filename)
- return string(f)
+ p := strings.ReplaceAll(string(f), "\x00", " ")
+ return p
 }
 func getProcessOwner(pid int) (string, error) {
 filename := fmt.Sprintf("/proc/%d/task", pid)
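Review bot: The rewritten `wrapped_payloads` comment now runs to well over 200 columns on one line, while every neighbouring comment in this attribute block fits on its own line. Move the explanation into a short comment block above the assignment and keep only the `# if so, which payload types` tail inline, so the guidance survives in editors that wrap or truncate long lines. The enclosing Atlas class starts and ends outside the hunk.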
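Review bot: `/proc/<pid>/cmdline` terminates every argument, including the last one, with a NUL byte, so `strings.ReplaceAll(string(f), "\x00", " ")` leaves a trailing space on every command line it returns; trim it first, `p := strings.ReplaceAll(strings.TrimSuffix(string(f), "\x00"), "\x00", " ")`. The hunk also keeps `f, _ := ioutil.ReadFile(filename)` discarding the error, so a process that exits between the listing and this read is reported with an empty command line rather than being flagged. The `strings` package must be imported at the top of ps_linux.go, which is outside the hunk.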
From 7541a1e0dd8de16e07feefe3d3cb66ca0b1b0ccc Mon Sep 17 00:00:00 2001 From: Iorpim Date: Thu, 21 Jan 2021 04:02:41 -0300 Subject: [PATCH 04/23] Added SSLv3 extensions to certificate In order to fix browser certificate errors the "v3_req" extensions flag was added to the _openssl_ command in the start script --- start_mythic.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/start_mythic.sh b/start_mythic.sh index 8fa6d00bb..eb3c778b3 100755 --- a/start_mythic.sh +++ b/start_mythic.sh @@ -39,7 +39,7 @@ fi if [ ! -f "./mythic-docker/app/ssl/mythic-ssl.key" ]; then echo -e "${BLUE}[*]${NC} Failed to find ssl keys, generating new ones" - openssl req -new -x509 -keyout ./mythic-docker/app/ssl/mythic-ssl.key -out ./mythic-docker/app/ssl/mythic-cert.pem -days 365 -nodes -subj "/C=US" >/dev/null 2>&1 + openssl req -new -x509 -keyout ./mythic-docker/app/ssl/mythic-ssl.key -out ./mythic-docker/app/ssl/mythic-cert.pem -days 365 -extensions v3_req -nodes -subj "/C=US" >/dev/null 2>&1 echo -e "${GREEN}[+]${NC} Generated new SSL self signed certificates" fi server_port=`jq ".listen_port" "mythic-docker/config.json"` From a1a508b3bd37695d8ded9f4a24ceb4ca8bab0ef0 Mon Sep 17 00:00:00 2001 From: Matthew Conway Date: Tue, 26 Jan 2021 22:05:38 -0800 Subject: [PATCH 05/23] Fix mythic.py for use with existing API tokens When you use this Mythic API wrapper with an existing API token instead of a username and password, this duplicate call `self._apitoken = apitoken` overwrites `self._apitoken` with the string value of your token--clobbering the instance of `APIToken` that was just set on the line before it. Later on when that value is used, the SDK will complain that the string doesn't have a `token_value` attribute: AttributeError: 'str' object has no attribute 'token_value' --- Mythic_CLI/mythic.py | 1 - 1 file changed, 1 deletion(-) diff --git a/Mythic_CLI/mythic.py b/Mythic_CLI/mythic.py index 682e60015..994519265 100644 --- a/Mythic_CLI/mythic.py 
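Review bot: `-extensions v3_req` only selects the `v3_req` section of the default OpenSSL config, which normally carries basicConstraints and keyUsage but no subjectAltName, and the request is still built with `-subj "/C=US"` and no CN, so browsers that match the host against the SAN will keep rejecting the certificate; these are X.509 v3 extensions rather than SSLv3 as the subject line says. With OpenSSL 1.1.1 or newer the SAN can be added inline, `-addext "subjectAltName=DNS:<mythic-hostname>,IP:<mythic-ip>"` (placeholders), which is what the browser error is about. The `>/dev/null 2>&1` on the same line also hides a failing openssl invocation, so the `${GREEN}[+]` message on the next line can be printed with no key on disk; check the exit status before printing it.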
+++ b/Mythic_CLI/mythic.py
@@ -3351,7 +3351,6 @@ def __init__(
 self._apitoken = apitoken
 else:
 self._apitoken = APIToken(token_value=apitoken)
- self._apitoken = apitoken
 self._access_token = access_token
 self._refresh_token = refresh_token
 self._server_ip = server_ip
From 6d1ec50b533e9f756f909b0edd104a6f9465fd24 Mon Sep 17 00:00:00 2001
From: Cody Thomas
Date: Wed, 3 Feb 2021 17:55:20 -0800
Subject: [PATCH 06/23] Update callbacks.js fixed quick issue of default values for boolean parameter types processed as strings rather than boolean values
---
 mythic-docker/app/templates/callbacks.js | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/mythic-docker/app/templates/callbacks.js b/mythic-docker/app/templates/callbacks.js
index 755e5fad4..a24db6404 100755
--- a/mythic-docker/app/templates/callbacks.js
+++ b/mythic-docker/app/templates/callbacks.js
@@ -1675,7 +1675,15 @@ var task_data = new Vue({
 }else if(param.type === "Number"){
 param.number_value = param.default_value;
 }else if(param.type === "Boolean"){
- param.boolean_value = param.default_value;
+ if(typeof param.default_value === "string"){
+ try{
+ param.boolean_value = JSON.parse(param.default_value.toLowerCase());
+ }catch(error){
+ console.log(error);
+ param.boolean_value = false;
+ }
+ }
+ else{param.boolean_value = param.default_value;}
 }
 //console.log(param);
 if (param.name in last_vals) {
@@ -4194,4 +4202,4 @@ function add_update_file_browser(search, element) {
 } else {
 return false;
 }
-}
\ No newline at end of file
+}
From e05188ab11a42ff99b917c42cc17d47e36e85623 Mon Sep 17 00:00:00 2001
From: Cody Thomas
Date: Thu, 4 Feb 2021 07:58:45 -0800
Subject: [PATCH 07/23] Update callbacks.js updated same boolean parameter check to resetting default values in parameter box
---
 mythic-docker/app/templates/callbacks.js | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
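Review bot: `JSON.parse(param.default_value.toLowerCase())` accepts any JSON literal, so a default of "1", "0" or "null" parses successfully and boolean_value ends up holding a number or null rather than a boolean, while only non-JSON strings such as "yes" reach the catch and become false. A direct comparison, `param.boolean_value = param.default_value.toLowerCase() === "true";`, yields a boolean in every case and needs no try/catch or console.log. The same construct is repeated in the params_table hunk of PATCH 07/23 (`this.command_params[i].boolean_value = JSON.parse(...)`) and should be changed the same way; the `else{...}` packed onto one line is also out of step with the surrounding brace style.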
diff --git a/mythic-docker/app/templates/callbacks.js b/mythic-docker/app/templates/callbacks.js
index a24db6404..1c1945f37 100755
--- a/mythic-docker/app/templates/callbacks.js
+++ b/mythic-docker/app/templates/callbacks.js
@@ -2831,7 +2831,15 @@ var params_table = new Vue({
 }else if(this.command_params[i].type === "Number"){
 this.command_params[i].number_value = this.command_params[i].default_value;
 }else if(this.command_params[i].type === "Boolean"){
- this.command_params[i].boolean_value = this.command_params[i].default_value;
+ if(typeof this.command_params[i].default_value === "string"){
+ try{
+ this.command_params[i].boolean_value = JSON.parse( this.command_params[i].default_value.toLowerCase());
+ }catch(error){
+ console.log(error);
+ this.command_params[i].boolean_value = false;
+ }
+ }
+ else{this.command_params[i].boolean_value = this.command_params[i].default_value;}
 }
 }
 },
From 27109f3595fc37597aeea472cbc5f8765f57fcce Mon Sep 17 00:00:00 2001
From: Derek Rook
Date: Tue, 9 Feb 2021 13:54:31 -0800
Subject: [PATCH 08/23] Add non interactive run capability to start_mythic script
---
 start_mythic.sh | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/start_mythic.sh b/start_mythic.sh
index eb3c778b3..dee31a3c3 100755
--- a/start_mythic.sh
+++ b/start_mythic.sh
@@ -1,4 +1,8 @@
 #! /bin/bash
+
+# Set working directory for unattended starts
+cd "${0%/*}"
+
 RED='\033[1;31m'
 NC='\033[0m' # No Color
 GREEN='\033[1;32m'
From 983799e76c86ac29b7b768149fc3e726e4a20617 Mon Sep 17 00:00:00 2001
From: D00MFist <17372992+D00MFist@users.noreply.github.com>
Date: Mon, 1 Mar 2021 13:31:22 -0500
Subject: [PATCH 09/23] Updating small typo
---
 documentation-docker/content/Agents/apfell/commands/add_user.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/documentation-docker/content/Agents/apfell/commands/add_user.md b/documentation-docker/content/Agents/apfell/commands/add_user.md
index 07251cfe2..dbb709f4c 100644
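Review bot: `cd "${0%/*}"` degrades to `cd start_mythic.sh` when the script is invoked by bare name through PATH (no slash in `$0`, so the pattern strips nothing), and because its exit status is not checked the rest of the script then runs against whatever the current directory happens to be, using the relative `./mythic-docker/...` paths seen further down. Use `cd "$(dirname "$0")" || exit 1` so an unattended start either lands in the repository root or stops. The comment would be more useful if it said that the script relies on relative paths, which is why the cd is needed at all.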
--- a/documentation-docker/content/Agents/apfell/commands/add_user.md +++ b/documentation-docker/content/Agents/apfell/commands/add_user.md @@ -68,7 +68,7 @@ Add a local user to the system by wrapping the Apple binary, dscl. - Required Value: False - Default Value: Jamf Support User -#### usernane +#### username - Description: POSIX username for account - Required Value: False From 90bd90ce71ca02476add91fee53e5878b774658f Mon Sep 17 00:00:00 2001 From: D00MFist <17372992+D00MFist@users.noreply.github.com> Date: Mon, 1 Mar 2021 13:33:32 -0500 Subject: [PATCH 10/23] add note for dropdown menu --- .../content/Agents/apfell/commands/add_user.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/documentation-docker/content/Agents/apfell/commands/add_user.md b/documentation-docker/content/Agents/apfell/commands/add_user.md index dbb709f4c..6e0a3d9bb 100644 --- a/documentation-docker/content/Agents/apfell/commands/add_user.md +++ b/documentation-docker/content/Agents/apfell/commands/add_user.md @@ -22,13 +22,13 @@ Add a local user to the system by wrapping the Apple binary, dscl. #### passwd -- Description: password of the user that will execute the commands +- Description: password of the user that will execute the commands. For dropdown menu: Must be present under Credentials operational view. - Required Value: True - Default Value: None #### user -- Description: username that will execute the commands +- Description: username that will execute the commands. For dropdown menu: Must be present under Credentials operational view. - Required Value: True - Default Value: None From 41fe5ba42a6d3ae04e152acb287a8d92b3024938 Mon Sep 17 00:00:00 2001 From: D00MFist <17372992+D00MFist@users.noreply.github.com> Date: Mon, 1 Mar 2021 13:35:00 -0500 Subject: [PATCH 11/23] small typo update --- Payload_Types/apfell/mythic/agent_functions/add_user.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Payload_Types/apfell/mythic/agent_functions/add_user.py b/Payload_Types/apfell/mythic/agent_functions/add_user.py index 874be811d..18a14096f 100644 --- a/Payload_Types/apfell/mythic/agent_functions/add_user.py +++ b/Payload_Types/apfell/mythic/agent_functions/add_user.py @@ -66,7 +66,7 @@ def __init__(self, command_line): description="Full user name", ), "username": CommandParameter( - name="usernane", + name="username", type=ParameterType.String, required=False, default_value=".jamf_support", From 44ead80eeb30d6a6c2e899aff1830f151e1d096f Mon Sep 17 00:00:00 2001 From: D00MFist <17372992+D00MFist@users.noreply.github.com> Date: Mon, 1 Mar 2021 13:40:48 -0500 Subject: [PATCH 12/23] Updated for artifact creation & Big Sur --- Payload_Types/apfell/agent_code/persist_launch.js | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/Payload_Types/apfell/agent_code/persist_launch.js b/Payload_Types/apfell/agent_code/persist_launch.js index 7550c3ed4..7a0df5dfe 100755 --- a/Payload_Types/apfell/agent_code/persist_launch.js +++ b/Payload_Types/apfell/agent_code/persist_launch.js @@ -35,7 +35,6 @@ exports.persist_launch = function(task, command, params){ template += "\n\n" // now we need to actually write out the plist to disk let response = ""; - let output = {"user_output":response, "completed": true}; if(config.hasOwnProperty('LocalAgent') && config['LocalAgent'] === true){ let path = "~/Library/LaunchAgents/"; path = $(path).stringByExpandingTildeInPath; 
@@ -44,15 +43,16 @@ exports.persist_launch = function(task, command, params){ $.fileManager.createDirectoryAtPathWithIntermediateDirectoriesAttributesError(path, false, $(), $()); } path = $(path.js + "/" + label + ".plist"); - response = write_data_to_file(template, path); - output["artifacts"] = [{"base_artifact": "File Create", "artifact": path}]; + response = write_data_to_file(template, path) + " to " + ObjC.deepUnwrap(path); + let artifacts = {'user_output': response, 'artifacts': [{'base_artifact': 'File Create', 'artifact': ObjC.deepUnwrap(path)}], "completed": true}; + return artifacts } else if(config.hasOwnProperty('LaunchPath') && config['LaunchPath'] !== ""){ - response = write_data_to_file(template, $(config['LaunchPath'])); - output["artifacts"] = [{"base_artifact": "File Create", "artifact": config["LaunchPath"]}]; + response = write_data_to_file(template, $(config['LaunchPath'])) + " to " + config["LaunchPath"]; + let artifacts = {'user_output': response, 'artifacts': [{'base_artifact': 'File Create', 'artifact': config["LaunchPath"]}], "completed": true}; + return artifacts } - output["user_output"] = response; - return output; + return artifacts }catch(error){ return {"user_output":error.toString(), "completed": true, "status": "error"}; From eee0189343121c2b881657bb5928d927af6a8a56 Mon Sep 17 00:00:00 2001 From: D00MFist <17372992+D00MFist@users.noreply.github.com> Date: Mon, 1 Mar 2021 13:42:13 -0500 Subject: [PATCH 13/23] Updated icon path for Big Sur & past OS --- Payload_Types/apfell/agent_code/prompt.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Payload_Types/apfell/agent_code/prompt.js b/Payload_Types/apfell/agent_code/prompt.js index a02b2d861..c749a5e57 100755 --- a/Payload_Types/apfell/agent_code/prompt.js +++ b/Payload_Types/apfell/agent_code/prompt.js 
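Review bot: The `return artifacts` left after the if/else-if chain references a variable that is only declared with `let` inside the two branches, so when neither LocalAgent nor LaunchPath is configured the function throws a ReferenceError, which the visible `catch(error)` turns into an error-status response instead of the empty-output result the removed `output` object used to provide. Replace that final line with an explicit result, e.g. `return {"user_output": "No LocalAgent or LaunchPath in config", "completed": true, "status": "error"};` (constructed message), or restore the previous behaviour with `return {"user_output": response, "completed": true};`. The first hunk of this patch, which drops the `output` initialiser, is what opens the gap; persist_launch's body starts outside the hunk.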
@@ -4,7 +4,7 @@ exports.prompt = function(task, command, params){ else{config = [];} let title = "Application Needs to Update"; if(config.hasOwnProperty("title") && config['title'] !== ""){title = config['title'];} - let icon = "/System/Library/CoreServices/Software Update.app/Contents/Resources/SoftwareUpdate.icns"; + let icon = "/System/Library/PreferencePanes/SoftwareUpdate.prefPane/Contents/Resources/SoftwareUpdate.icns"; if(config.hasOwnProperty("icon") && config['icon'] !== ""){icon = config['icon'];} let text = "An application needs permission to update"; if(config.hasOwnProperty("text") && config['text'] !== ""){text = config['text'];} From 9ce031a2aaee4c9d6302937cddf4ae51a5a7b1e0 Mon Sep 17 00:00:00 2001 From: D00MFist <17372992+D00MFist@users.noreply.github.com> Date: Mon, 1 Mar 2021 13:48:44 -0500 Subject: [PATCH 14/23] Updated the APIs for Big Sur --- Payload_Types/apfell/mythic/agent_functions/test_password.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Payload_Types/apfell/mythic/agent_functions/test_password.py b/Payload_Types/apfell/mythic/agent_functions/test_password.py index 07fbc4600..8f1447f30 100644 --- a/Payload_Types/apfell/mythic/agent_functions/test_password.py +++ b/Payload_Types/apfell/mythic/agent_functions/test_password.py @@ -48,11 +48,11 @@ class TestPasswordCommand(CommandBase): async def create_tasking(self, task: MythicTask) -> MythicTask: resp = await MythicResponseRPC(task).register_artifact( - artifact_instance="$.CBIdentity.identityWithNameAuthority", + artifact_instance="$.ODNode.nodeWithSessionTypeError, recordWithRecordTypeNameAttributesError", artifact_type="API Called", ) resp = await MythicResponseRPC(task).register_artifact( - artifact_instance="user.authenticateWithPassword", + artifact_instance="user.verifyPasswordError", artifact_type="API Called", ) return task From ed01bf32aee879204027d61be8102aec166932ab Mon Sep 17 00:00:00 2001 
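Review bot: The new SoftwareUpdate.prefPane path replaces the CoreServices one outright and nothing checks that the .icns file exists on the host, so on a release where only the old location is present the prompt is built with a dead icon path; whether the dialog then fails or merely shows no icon I can't tell from here. Keep the old path as a fallback, checked after the config override so a user-supplied icon is validated too: `if(!$.NSFileManager.defaultManager.fileExistsAtPath($(icon))){ icon = "/System/Library/CoreServices/Software Update.app/Contents/Resources/SoftwareUpdate.icns"; }`. The enclosing prompt function starts and ends outside the hunk.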
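Review bot: The first register_artifact call packs two API names into one artifact_instance, `"$.ODNode.nodeWithSessionTypeError, recordWithRecordTypeNameAttributesError"`, so the stored artifact (and whatever log_to_siem forwards for artifact_new, as seen in rabbitmq_api.py later in this series) matches neither API name exactly. Register them as two calls, one per API, mirroring the second call, e.g. `artifact_instance="$.ODNode.nodeWithSessionTypeError"` and `artifact_instance="node.recordWithRecordTypeNameAttributesError"` (the latter constructed to match the `user.verifyPasswordError` naming). The `resp` local is assigned twice and never read on the visible lines; drop the assignment. The TestPasswordCommand class starts outside the hunk.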
From: D00MFist <17372992+D00MFist@users.noreply.github.com> Date: Mon, 1 Mar 2021 13:50:03 -0500 Subject: [PATCH 15/23] Updated for Big Sur APIs --- Payload_Types/apfell/agent_code/test_password.js | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/Payload_Types/apfell/agent_code/test_password.js b/Payload_Types/apfell/agent_code/test_password.js index 8b5c1f49a..2c0e48255 100755 --- a/Payload_Types/apfell/agent_code/test_password.js +++ b/Payload_Types/apfell/agent_code/test_password.js @@ -1,7 +1,9 @@ exports.test_password = function(task, command, params){ - ObjC.import('Collaboration'); - ObjC.import('CoreServices'); - let authority = $.CBIdentityAuthority.defaultIdentityAuthority; + ObjC.import("OpenDirectory"); + let session = $.ODSession.defaultSession; + let sessionType = 0x2201 // $.kODNodeTypeAuthentication + let recType = $.kODRecordTypeUsers + let node = $.ODNode.nodeWithSessionTypeError(session, sessionType, $()); let username = apfell.user; let password = ""; if(params.length > 0){ @@ -14,9 +16,9 @@ exports.test_password = function(task, command, params){ } // if no password is supplied, try an empty password } - let user = $.CBIdentity.identityWithNameAuthority($(username), authority); + let user = node.recordWithRecordTypeNameAttributesError(recType,$(username), $(), $()) if(user.js !== undefined){ - if(user.authenticateWithPassword($(password))){ + if(user.verifyPasswordError($(password),$())){ return {"user_output":"Successful authentication", "completed": true}; } else{ From 829f6c46399781051e02c3ca90479bd96c5ce9fb Mon Sep 17 00:00:00 2001 From: D00MFist <17372992+D00MFist@users.noreply.github.com> Date: Mon, 1 Mar 2021 15:47:58 -0500 Subject: [PATCH 16/23] Removed dropdown notes --- .../content/Agents/apfell/commands/add_user.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
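Review bot: `node` is used in the second hunk's `node.recordWithRecordTypeNameAttributesError(...)` without checking `node.js`, and the error out-parameter of `nodeWithSessionTypeError` is passed as `$()` and discarded, so if the authentication node cannot be opened the failure surfaces as an exception from a nil receiver rather than as a clear result. Add `if(node.js === undefined){ return {"user_output": "Failed to open the OpenDirectory authentication node", "completed": true, "status": "error"}; }` (constructed message) directly after the `node` line. The bare `0x2201` with its `// $.kODNodeTypeAuthentication` comment and the three new `let` lines without semicolons are style points; if the symbolic constant is not reachable through the bridge, a named `const` at the top of the function keeps the intent without the magic number. The test_password function starts outside the first hunk and ends outside the second.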
diff --git a/documentation-docker/content/Agents/apfell/commands/add_user.md b/documentation-docker/content/Agents/apfell/commands/add_user.md index 6e0a3d9bb..cdd431a2e 100644 --- a/documentation-docker/content/Agents/apfell/commands/add_user.md +++ b/documentation-docker/content/Agents/apfell/commands/add_user.md @@ -22,13 +22,13 @@ Add a local user to the system by wrapping the Apple binary, dscl. #### passwd -- Description: password of the user that will execute the commands. For dropdown menu: Must be present under Credentials operational view. +- Description: password of the user that will execute the commands. - Required Value: True - Default Value: None #### user -- Description: username that will execute the commands. For dropdown menu: Must be present under Credentials operational view. +- Description: username that will execute the commands. - Required Value: True - Default Value: None From e7652dcf4d64d78e6c858bd669014e23e521deeb Mon Sep 17 00:00:00 2001 From: D00MFist <17372992+D00MFist@users.noreply.github.com> Date: Mon, 1 Mar 2021 15:51:19 -0500 Subject: [PATCH 17/23] added iterm popup note --- documentation-docker/content/Agents/apfell/commands/iTerm.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/documentation-docker/content/Agents/apfell/commands/iTerm.md b/documentation-docker/content/Agents/apfell/commands/iTerm.md index 1b9e6e7a3..48ba9c349 100644 --- a/documentation-docker/content/Agents/apfell/commands/iTerm.md +++ b/documentation-docker/content/Agents/apfell/commands/iTerm.md @@ -12,6 +12,8 @@ Read the contents of all open iTerm tabs if iTerms is open, otherwise just infor - Version: 1 - Author: @its_a_feature_ +{{% notice warning %}} In Mojave+ (10.14+) this will cause a popup the first time asking for permission for your process to access iTerm. {{% /notice %}} + ### Arguments ## Usage From a054e1110d04dcee79c815ae439d52107fe69740 Mon Sep 17 00:00:00 2001 
From: D00MFist <17372992+D00MFist@users.noreply.github.com> Date: Mon, 1 Mar 2021 15:56:15 -0500 Subject: [PATCH 18/23] Added System events popup note --- .../content/Agents/apfell/commands/persist_folderaction.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/documentation-docker/content/Agents/apfell/commands/persist_folderaction.md b/documentation-docker/content/Agents/apfell/commands/persist_folderaction.md index f5489d5a0..c95155f3d 100644 --- a/documentation-docker/content/Agents/apfell/commands/persist_folderaction.md +++ b/documentation-docker/content/Agents/apfell/commands/persist_folderaction.md @@ -12,6 +12,8 @@ Use Folder Actions to persist a compiled script on disk. You can either specify - Version: 1 - Author: @its_a_feature_ +{{% notice warning %}} In Mojave+ (10.14+) this will cause a popup the first time asking for permission for your process to access System Events. {{% /notice %}} + ### Arguments #### code From b2a89593a6532645c439aecc6738e06712a63422 Mon Sep 17 00:00:00 2001 From: D00MFist <17372992+D00MFist@users.noreply.github.com> Date: Mon, 1 Mar 2021 15:57:54 -0500 Subject: [PATCH 19/23] Updated icon path --- documentation-docker/content/Agents/apfell/commands/prompt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation-docker/content/Agents/apfell/commands/prompt.md b/documentation-docker/content/Agents/apfell/commands/prompt.md index 1ae2dded8..7a14174cd 100644 --- a/documentation-docker/content/Agents/apfell/commands/prompt.md +++ b/documentation-docker/content/Agents/apfell/commands/prompt.md @@ -25,7 +25,7 @@ Create a custom prompt to ask the user for credentials where you can provide tit - Description: full path to .icns file to use - Required Value: False -- Default Value: "/System/Library/CoreServices/Software Update.app/Contents/Resources/SoftwareUpdate.icns" +- Default Value: "/System/Library/PreferencePanes/SoftwareUpdate.prefPane/Contents/Resources/SoftwareUpdate.icns" #### text 
From 6fdd3f0d97b92ab8f7a1a176a849ad9df3ad534c Mon Sep 17 00:00:00 2001 From: D00MFist <17372992+D00MFist@users.noreply.github.com> Date: Mon, 1 Mar 2021 16:01:04 -0500 Subject: [PATCH 20/23] Updated to use OpenDirectory framework --- .../content/Agents/apfell/commands/test_password.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/documentation-docker/content/Agents/apfell/commands/test_password.md b/documentation-docker/content/Agents/apfell/commands/test_password.md index 60e4f74ab..5a8ca72b3 100644 --- a/documentation-docker/content/Agents/apfell/commands/test_password.md +++ b/documentation-docker/content/Agents/apfell/commands/test_password.md @@ -36,11 +36,15 @@ test_password username password - T1110 ## Detailed Summary -Uses the Collaboration and CoreServices Frameworks to test a local username/password combination. +Uses the OpenDirectory Framework to test a local username/password combination. ```JavaScript -let user = $.CBIdentity.identityWithNameAuthority($(username), authority); +let session = $.ODSession.defaultSession; +let sessionType = 0x2201 // $.kODNodeTypeAuthentication +let recType = $.kODRecordTypeUsers +let node = $.ODNode.nodeWithSessionTypeError(session, sessionType, $()); +let user = node.recordWithRecordTypeNameAttributesError(recType,$(username), $(), $()) if(user.js !== undefined){ - if(user.authenticateWithPassword($(password))){ + if(user.verifyPasswordError($(password),$())){ return {"user_output":"Successful authentication", "completed": true}; } else{ From c82266cfb290bb2520b5fccb90a53250aed47f73 Mon Sep 17 00:00:00 2001 
From: Cody Thomas Date: Wed, 24 Mar 2021 17:28:06 -0700 Subject: [PATCH 21/23] updated hostnames to always be uppercase --- README.md | 2 +- mythic-docker/app/api/callback_api.py | 6 ++--- mythic-docker/app/api/file_api.py | 6 ++--- mythic-docker/app/api/file_browser_api.py | 22 +++++++-------- mythic-docker/app/api/payloadonhost_api.py | 6 ++--- mythic-docker/app/api/processlist_api.py | 6 ++--- mythic-docker/app/api/rabbitmq_api.py | 6 ++--- mythic-docker/app/api/response_api.py | 6 ++--- mythic-docker/app/templates/base.html | 2 +- mythic-docker/app/templates/callbacks.js | 31 +++++++++++++++------- 10 files changed, 52 insertions(+), 41 deletions(-) diff --git a/README.md b/README.md index 75f5b2348..4c69cdd8f 100755 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ A cross-platform, post-exploit, red teaming framework built with python3, docker * Objective By the Sea 2019 talk on JXA: https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf * Objective By the sea 2019 Video: https://www.youtube.com/watch?v=E-QEsGsq3uI&list=PLliknDIoYszvTDaWyTh6SYiTccmwOsws8&index=17 -* Current Version: 2.1.17 +* Current Version: 2.1.18 ## Documentation diff --git a/mythic-docker/app/api/callback_api.py b/mythic-docker/app/api/callback_api.py index 26c7d7ef6..6db91b25f 100755 --- a/mythic-docker/app/api/callback_api.py +++ b/mythic-docker/app/api/callback_api.py @@ -486,7 +486,7 @@ async def create_callback_func(data, request): cal = await db_objects.create( Callback, user=data["user"], - host=data["host"], + host=data["host"].upper(), pid=data["pid"], ip=data["ip"], description=payload.tag, @@ -511,7 +511,7 @@ async def create_callback_func(data, request): ) await db_objects.create( db_model.PayloadOnHost, - host=data["host"], + host=data["host"].upper(), payload=payload, operation=payload.operation, ) 
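Review bot: Hosts are now uppercased at every write and lookup site, but nothing in this patch migrates rows already stored in mixed case, so lookups such as `db_objects.get(..., host=data["host"].upper(), ...)` in file_api.py, file_browser_api.py and payloadonhost_api.py will miss pre-existing FileBrowserObj and PayloadOnHost rows and create uppercase duplicates beside them; a one-off update that uppercases the host column of the affected tables should ship with this change. `.upper()` also assumes the agent sent a string: a missing or null host, which the previous `host=data["host"]` stored as-is, now raises AttributeError inside create_callback_func, and whether that is caught depends on code outside the hunk. With the same `.upper()` repeated at roughly thirty call sites across the series, a single normalisation helper applied at the API boundary would be easier to keep consistent.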
@@ -735,7 +735,7 @@ async def update_callback(data, UUID): if "ip" in data: cal.ip = data["ip"] if "host" in data: - cal.host = data["host"] + cal.host = data["host"].upper() if "external_ip" in data: cal.external_ip = data["external_ip"] if "integrity_level" in data: diff --git a/mythic-docker/app/api/file_api.py b/mythic-docker/app/api/file_api.py index 9cbed351d..6f28abb8e 100755 --- a/mythic-docker/app/api/file_api.py +++ b/mythic-docker/app/api/file_api.py @@ -359,7 +359,7 @@ async def create_filemeta_in_database_func(data): fb_object = await db_objects.get( query, full_path=data["full_path"].encode("unicode-escape"), - host=data["host"].encode("unicode-escape"), + host=data["host"].upper().encode("unicode-escape"), ) file_browser = fb_object except Exception as e: @@ -382,7 +382,7 @@ async def create_filemeta_in_database_func(data): file_browser=file_browser, filename=filename.name, is_download_from_agent=True, - host=data["host"].encode("unicode-escape"), + host=data["host"].upper().encode("unicode-escape"), ) if filemeta.is_screenshot: await log_to_siem(task.to_json(), mythic_object="file_screenshot") @@ -489,7 +489,7 @@ async def download_file_to_disk_func(data): file_meta = await db_objects.get(query, agent_file_id=data["file_id"]) file_meta.chunks_received = file_meta.chunks_received + 1 if "host" in data and data["host"] is not None and data["host"] != "": - file_meta.host = data["host"].encode("unicode-escape") + file_meta.host = data["host"].upper().encode("unicode-escape") if "full_path" in data and data["full_path"] is not None and data["full_path"] != "": file_meta.full_remote_path = data["full_path"].encode("unicode-escape") if file_meta.file_browser is None: diff --git a/mythic-docker/app/api/file_browser_api.py b/mythic-docker/app/api/file_browser_api.py index 9fe5adc9e..dc077b9c5 100644 --- a/mythic-docker/app/api/file_browser_api.py +++ b/mythic-docker/app/api/file_browser_api.py 
@@ -62,9 +62,9 @@ async def get_filebrowser_tree_for_operation(operation_name): final_output = {} for e in objs: e_json = e.to_json() - if e_json["host"] not in final_output: - final_output[e_json["host"]] = [] - final_output[e_json["host"]].append(e_json) + if e_json["host"].upper() not in final_output: + final_output[e_json["host"].upper()] = [] + final_output[e_json["host"].upper()].append(e_json) return {"status": "success", "output": final_output} except Exception as e: print(e) @@ -102,7 +102,7 @@ async def store_response_into_filebrowserobj(operation, task, response): filebrowserobj = await db_objects.get( query, operation=operation, - host=response["host"].encode("unicode-escape"), + host=response["host"].upper().encode("unicode-escape"), name=response["name"].encode("unicode-escape"), is_file=response["is_file"], parent=parent, @@ -127,7 +127,7 @@ async def store_response_into_filebrowserobj(operation, task, response): db_model.FileBrowserObj, task=task, operation=operation, - host=response["host"].encode("unicode-escape"), + host=response["host"].upper().encode("unicode-escape"), name=response["name"].encode("unicode-escape"), permissions=js.dumps(response["permissions"]).encode("unicode-escape"), parent=parent, @@ -152,7 +152,7 @@ async def store_response_into_filebrowserobj(operation, task, response): newfileobj = await db_objects.get( query, operation=operation, - host=response["host"].encode("unicode-escape"), + host=response["host"].upper().encode("unicode-escape"), name=f["name"].encode("unicode-escape"), is_file=f["is_file"], parent=filebrowserobj, @@ -172,7 +172,7 @@ async def store_response_into_filebrowserobj(operation, task, response): db_model.FileBrowserObj, task=task, operation=operation, - host=response["host"].encode("unicode-escape"), + host=response["host"].upper().encode("unicode-escape"), parent=filebrowserobj, permissions=js.dumps(f["permissions"]).encode("unicode-escape"), parent_path=str(parent_path).encode("unicode-escape"), 
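Review bot: `e_json["host"].upper()` is evaluated three times per object in get_filebrowser_tree_for_operation; compute it once and let setdefault do the grouping, `host = e_json["host"].upper()` followed by `final_output.setdefault(host, []).append(e_json)`. Normalising on read here while the other hunks in this file normalise on write also means the two paths can disagree for rows stored before this change, which is worth a comment on the loop. The enclosing function starts and ends outside the hunk.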
@@ -213,7 +213,7 @@ async def add_upload_file_to_file_browser(operation, task, file, data): await store_response_into_filebrowserobj(operation, task, data) fbo_query = await db_model.filebrowserobj_query() fbo = await db_objects.get(fbo_query, operation=operation, - host=data["host"].encode("unicode-escape"), + host=data["host"].upper().encode("unicode-escape"), full_path=data["full_path"].encode("unicode-escape")) file.file_browser = fbo except Exception as e: @@ -267,7 +267,7 @@ async def create_and_check_parents(operation, task, response): try: parent = await db_objects.get( query, - host=response["host"].encode("unicode-escape"), + host=response["host"].upper().encode("unicode-escape"), parent=parent_obj, name=name.encode("unicode-escape"), operation=operation, @@ -280,7 +280,7 @@ async def create_and_check_parents(operation, task, response): db_model.FileBrowserObj, task=task, operation=operation, - host=response["host"].encode("unicode-escape"), + host=response["host"].upper().encode("unicode-escape"), name=name.encode("unicode-escape"), parent=parent_obj, parent_path=parent_path_name.encode("unicode-escape"), @@ -503,7 +503,7 @@ async def get_filebrowsobj_permissions_by_path(request, user): return json({"status": "error", "error": "Missing host parameter"}) if "full_path" not in data: return json({"status": "error", "error": "Missing full_path parameter"}) - file = await db_objects.get(query, operation=operation, host=data["host"].encode("unicode-escape"), + file = await db_objects.get(query, operation=operation, host=data["host"].upper().encode("unicode-escape"), full_path=data["full_path"].encode("unicode-escape")) return json({"status": "success", "permissions": file.permissions}) except Exception as e: diff --git a/mythic-docker/app/api/payloadonhost_api.py b/mythic-docker/app/api/payloadonhost_api.py index d4eca547f..0f226daaf 100644 --- a/mythic-docker/app/api/payloadonhost_api.py +++ b/mythic-docker/app/api/payloadonhost_api.py 
@@ -70,7 +70,7 @@ async def add_payload_to_host(request, user): try: payloadonhost = await db_objects.get( db_model.PayloadOnHost, - host=data["host"], + host=data["host"].upper(), payload=payload, operation=operation, deleted=False, @@ -78,7 +78,7 @@ async def add_payload_to_host(request, user): except Exception as e: payloadonhost = await db_objects.create( db_model.PayloadOnHost, - host=data["host"], + host=data["host"].upper(), payload=payload, operation=operation, ) @@ -149,7 +149,7 @@ async def delete_payloadonhost_by_host(request, user, host: str): ) query = await db_model.operation_query() operation = await db_objects.get(query, name=user["current_operation"]) - hostname = base64.b64decode(host).decode() + hostname = base64.b64decode(host).decode().upper() poh_query = await db_model.payloadonhost_query() poh = await db_objects.execute( poh_query.where( diff --git a/mythic-docker/app/api/processlist_api.py b/mythic-docker/app/api/processlist_api.py index 31aff96e9..8e2d452d0 100755 --- a/mythic-docker/app/api/processlist_api.py +++ b/mythic-docker/app/api/processlist_api.py @@ -51,7 +51,7 @@ async def get_a_process_list(request, user, pid, host): operation = await db_objects.get(query, name=user["current_operation"]) except Exception as e: return json({"status": "error", "error": "failed to get current operation"}) - host = base64.b64decode(host).decode("utf-8") + host = base64.b64decode(host).decode("utf-8").upper() query = await db_model.processlist_query() if pid > 0: try: @@ -132,7 +132,7 @@ async def get_adjacent_process_list(request, user): query.where( (db_model.ProcessList.operation == operation) & (db_model.ProcessList.id < data["pid"]) - & (db_model.ProcessList.host == data["host"]) + & (db_model.ProcessList.host == data["host"].upper()) ) .order_by(-db_model.ProcessList.id) .limit(1) 
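Review bot: In `add_payload_to_host` the `.upper()` is applied inside both the `try` and the `except`, so if `data["host"]` is not a string the first `.upper()` raises `AttributeError`, the `except Exception` branch runs, and its own `data["host"].upper()` raises again — this time outside any handler. Normalise once before the `try` after validating the type, `host = data["host"].upper()`, and pass `host=host` to both calls; catching the ORM's specific not-found exception rather than `Exception` would also stop genuine errors from being turned into a new row. The handler's opening lines are outside the hunk.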
@@ -158,7 +158,7 @@ async def get_adjacent_process_list(request, user): query.where( (db_model.ProcessList.operation == operation) & (db_model.ProcessList.id > data["pid"]) - & (db_model.ProcessList.host == data["host"]) + & (db_model.ProcessList.host == data["host"].upper()) ) .order_by(db_model.ProcessList.timestamp) .limit(1) diff --git a/mythic-docker/app/api/rabbitmq_api.py b/mythic-docker/app/api/rabbitmq_api.py index 2088ae14a..2fb69ebe7 100755 --- a/mythic-docker/app/api/rabbitmq_api.py +++ b/mythic-docker/app/api/rabbitmq_api.py @@ -585,7 +585,7 @@ async def handle_automated_payload_creation_response(task, rsp, data, host): await db_objects.update(task) await db_objects.create( db_model.PayloadOnHost, - host=host, + host=host.upper(), payload=payload, operation=payload.operation, task=task, @@ -779,7 +779,7 @@ async def register_artifact(request): task=task, artifact_instance=request["artifact_instance"].encode(), artifact=artifact, - host=request["host"], + host=request["host"].upper(), operation=task.callback.operation, ) await log_to_siem(art.to_json(), mythic_object="artifact_new") @@ -803,7 +803,7 @@ async def register_payload_on_host(request): payloadquery = await db_model.payload_query() payload = await db_objects.get(payloadquery, uuid=request["uuid"], operation=task.operation) payload_on_host = await db_objects.create(db_model.PayloadOnHost, payload=payload, - host=request["host"].encode(), operation=task.operation, task=task) + host=request["host"].upper().encode(), operation=task.operation, task=task) return {"status": "success"} except Exception as e: return {"status": "error", "error": "Failed to find payload"} diff --git a/mythic-docker/app/api/response_api.py b/mythic-docker/app/api/response_api.py index 86745b2b1..348c491f4 100755 --- a/mythic-docker/app/api/response_api.py +++ b/mythic-docker/app/api/response_api.py 
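Review bot: `register_payload_on_host` now stores `request["host"].upper().encode()` — bytes — in `PayloadOnHost.host`, while `handle_automated_payload_creation_response` two hunks up stores `host.upper()` as a str, and `add_payload_to_host` in payloadonhost_api passes a str as well; unless the model field coerces both to one representation (not visible here), rows written through this path will not match str-keyed lookups, or vice versa. Use one form everywhere, e.g. `host=request["host"].upper(),` here. The trailing `except Exception` also reports a missing `host` key in the agent message as `"Failed to find payload"`; a presence check before the `create` would make that case diagnosable. Both functions begin before their hunks.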
@@ -320,7 +320,7 @@ async def post_agent_response(agent_message, UUID): fobj = await db_objects.get( filebrowserquery, operation=task.callback.operation, - host=f["host"].encode("unicode-escape"), + host=f["host"].upper().encode("unicode-escape"), full_path=f["path"].encode("unicode-escape"), deleted=False, ) @@ -490,7 +490,7 @@ async def post_agent_response(agent_message, UUID): f = await db_objects.create( db_model.FileMeta, task=task, - host=host.encode("unicode-escape"), + host=host.upper().encode("unicode-escape"), total_chunks=file_meta.total_chunks, chunks_received=file_meta.chunks_received, chunk_size=file_meta.chunk_size, @@ -519,7 +519,7 @@ async def post_agent_response(agent_message, UUID): + parsed_response["full_path"] ).encode("unicode-escape") if host != file_meta.host: - file_meta.host = host.encode("unicode-escape") + file_meta.host = host.upper().encode("unicode-escape") await db_objects.update(file_meta) if file_meta.full_remote_path != "": await add_upload_file_to_file_browser(task.callback.operation, task, file_meta, diff --git a/mythic-docker/app/templates/base.html b/mythic-docker/app/templates/base.html index 723ac1ba4..aee9d2b29 100755 --- a/mythic-docker/app/templates/base.html +++ b/mythic-docker/app/templates/base.html @@ -725,7 +725,7 @@ - v2.1.17 + v2.1.18 {% endif %} diff --git a/mythic-docker/app/templates/callbacks.js b/mythic-docker/app/templates/callbacks.js index 1c1945f37..98f83ed6f 100755 --- a/mythic-docker/app/templates/callbacks.js +++ b/mythic-docker/app/templates/callbacks.js 
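Review bot: The guard `if host != file_meta.host:` in `post_agent_response` still compares the raw `host` against the stored value, while the assignment it protects now writes `host.upper().encode("unicode-escape")`; for any agent that reports a non-upper-case name (and, depending on how the field is read back, for the str-versus-bytes difference alone) the two never compare equal, so `file_meta` is updated on every chunk. Compute the normalised key once and compare that: `host_key = host.upper().encode("unicode-escape")` / `if host_key != file_meta.host:` / `file_meta.host = host_key`. The function starts and ends outside the hunk.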
@@ -4149,7 +4149,7 @@ function process_file_browser_data(data){ }); } // what if we're adding a new top level root - if (data['parent'] === null) { + if (data['parent'] === null && data["file_browser"] === undefined) { for (let i = 0; i < meta['file_browser'][data['host']]['children'].length; i++) { if (data['name'] in meta['file_browser'][data['host']]['children'][i]) { Object.assign(meta['file_browser'][data['host']]['children'][i][data['name']]['data'], @@ -4178,14 +4178,26 @@ function process_file_browser_data(data){ function add_update_file_browser(search, element) { //recursive base case //ust check to see if it's the one we're looking for otherwise return up - if (element['data']['id'] === search['id']) { - Object.assign(element['data'], - element['data'], - search); - task_data.$forceUpdate(); - return true; + if (search["file_browser"] !== undefined){ + //we're looking at a file_meta object that's downloading + if(search["file_browser"] === element["data"]["id"]) { + Object.assign(element['data'], + element['data'], + search); + task_data.$forceUpdate(); + return true; + } + }else{ + //we're looking at file browsing data + if(search["id"] === element["data"]["id"]){ + Object.assign(element['data'], + element['data'], + search); + task_data.$forceUpdate(); + return true; + } } - if(element["is_file"]){return false;} + if(element["data"]["is_file"]){return false;} //we aren't in the base case, so let's iterate through the current item's children if (element['children'] !== undefined) { for (let i = 0; i < element['children'].length; i++) { 
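Review bot: In the new `file_browser` branch of `add_update_file_browser`, `Object.assign(element['data'], element['data'], search)` copies every key of the FileMeta object into the tree node's data; if that JSON carries its own `id` (its `file_browser` key is the FK to the node, and the other branch shows that file-browser objects serialise `id`), the node's `id` is overwritten with the FileMeta id and later matches on `search["id"] === element["data"]["id"]` or `search["file_browser"] === element["data"]["id"]` for that node silently fail. Copy the download fields without the identifier, e.g. `let meta = Object.assign({}, search); delete meta["id"];` followed by `Object.assign(element['data'], meta);`. Passing `element['data']` as both target and first source is a no-op and can be dropped in both branches. The function continues past the hunk.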
@@ -4196,9 +4208,8 @@ function add_update_file_browser(search, element) { } } } - //if we get here, and parent is true, then we are the parent and failed to find the child, so we need to add it - if (element['data']['id'] === search['parent']) { + if (search["file_browser"] === undefined && element["data"]['id'] === search['parent']) { let new_data = {}; new_data[search['name']] = {"data": search, "children": []}; if(element['children'] === undefined){ From 8222d2f86e81dc77ce31f8c2fd9ebb0c409bedee Mon Sep 17 00:00:00 2001 From: Tim Makram Ghatas Date: Fri, 26 Mar 2021 16:09:41 +0100 Subject: [PATCH 22/23] escape user provided data in browser scripts --- Payload_Types/apfell/mythic/browser_scripts/download.js | 4 ++-- Payload_Types/apfell/mythic/browser_scripts/list_apps.js | 4 ++-- Payload_Types/apfell/mythic/browser_scripts/screenshot.js | 4 ++-- .../apfell/mythic/browser_scripts/terminals_read.js | 4 ++-- Payload_Types/atlas/mythic/browser_scripts/ls.js | 4 ++-- Payload_Types/atlas/mythic/browser_scripts/ps.js | 4 ++-- .../poseidon/mythic/browser_scripts/list_entitlements.js | 6 +++--- Payload_Types/poseidon/mythic/browser_scripts/ls.js | 6 +++--- Payload_Types/poseidon/mythic/browser_scripts/ps.js | 4 ++-- 9 files changed, 20 insertions(+), 20 deletions(-) diff --git a/Payload_Types/apfell/mythic/browser_scripts/download.js b/Payload_Types/apfell/mythic/browser_scripts/download.js index a479717b5..717e099fc 100644 --- a/Payload_Types/apfell/mythic/browser_scripts/download.js +++ b/Payload_Types/apfell/mythic/browser_scripts/download.js @@ -7,11 +7,11 @@ function(task, responses){ return "
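Review bot: The replaced condition `search["file_browser"] === undefined && element["data"]['id'] === search['parent']` also dropped the comment that explained the fall-through, and the new `file_browser` clause is the non-obvious part; restore it above the `if`: `// not found among the children: if this node is the parent of a file-browser object (FileMeta downloads are never added as new children), append it`. The function ends after the hunk.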
Finished Downloading " + escapeHTML(file_name) + ". Click here to download
"; } }catch(error){ - return "
Error: " + error.toString() + "\n" + JSON.stringify(responses, null, 2) + "
"; + return "
Error: " + error.toString() + "\n" + escapeHTML(JSON.stringify(responses, null, 2)) + "
"; } } if(task.status === 'error'){ return "
 Error: untoggle for error message(s) 
"; } return "
 Downloading... 
"; -} \ No newline at end of file +} diff --git a/Payload_Types/apfell/mythic/browser_scripts/list_apps.js b/Payload_Types/apfell/mythic/browser_scripts/list_apps.js index 97f52d04c..89e2dc9bf 100644 --- a/Payload_Types/apfell/mythic/browser_scripts/list_apps.js +++ b/Payload_Types/apfell/mythic/browser_scripts/list_apps.js @@ -27,8 +27,8 @@ function(task, response){ }); } catch(error){ - "
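Review bot: `error.toString()` in the `catch` branch of download.js is still concatenated unescaped while the `JSON.stringify` next to it is now escaped; `JSON.parse` errors quote a fragment of the offending input, so agent-controlled text can still reach the HTML through the message. Wrap it the same way, `escapeHTML(error.toString())`, here and in the matching `catch` branches of screenshot.js, terminals_read.js and list_entitlements.js. The function begins before the hunk.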
Error: " + error.toString() + "\n" + JSON.stringify(response, null, 2) + "
"; + "
Error: " + error.toString() + "\n" + escapeHTML(JSON.stringify(response, null, 2)) + "
"; } } return support_scripts['apfell_create_table']([{"name":"pid","size":"2em"},{"name":"arch","size":"2em"},{"name":"name", "size":"10em"}, {"name":"frontMost","size":"3em"},{"name":"bin_path","size":"20em"}], rows); -} \ No newline at end of file +} diff --git a/Payload_Types/apfell/mythic/browser_scripts/screenshot.js b/Payload_Types/apfell/mythic/browser_scripts/screenshot.js index fbe9d0e18..83854817f 100644 --- a/Payload_Types/apfell/mythic/browser_scripts/screenshot.js +++ b/Payload_Types/apfell/mythic/browser_scripts/screenshot.js @@ -11,10 +11,10 @@ function(task, responses){ output += "
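Review bot: The string built in the `catch` block of list_apps.js is an expression statement, not a `return`, so the added `escapeHTML` has no visible effect and execution falls through to `support_scripts['apfell_create_table'](…)` with whatever rows were parsed before the failure. Add `return` in front of it and escape the error text too, since `JSON.parse` messages quote a fragment of the input: `return "…Error: " + escapeHTML(error.toString()) + "\n" + escapeHTML(JSON.stringify(response, null, 2)) + "…";` (markup around the text unchanged). The function starts before the hunk.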
"; return output; }catch(error){ - return "
Error: " + error.toString() + "\n" + JSON.stringify(responses, null, 2) + "
"; + return "
Error: " + error.toString() + "\n" + escapeHTML(JSON.stringify(responses, null, 2)) + "
"; } } if(task.status === 'processing' || task.status === "processed"){ return "
 downloading pieces ...
"; } -} \ No newline at end of file +} diff --git a/Payload_Types/apfell/mythic/browser_scripts/terminals_read.js b/Payload_Types/apfell/mythic/browser_scripts/terminals_read.js index 6ae06b0de..795bbd7ca 100644 --- a/Payload_Types/apfell/mythic/browser_scripts/terminals_read.js +++ b/Payload_Types/apfell/mythic/browser_scripts/terminals_read.js @@ -19,8 +19,8 @@ function(task, responses){ } } catch(error){ - return "
Error: " + error.toString() + "\n" + JSON.stringify(responses, null, 2) + "
"; + return "
Error: " + error.toString() + "\n" + escapeHTML(JSON.stringify(responses, null, 2)) + "
"; } } return output; -} \ No newline at end of file +} diff --git a/Payload_Types/atlas/mythic/browser_scripts/ls.js b/Payload_Types/atlas/mythic/browser_scripts/ls.js index 1cf45e319..287f47dd0 100644 --- a/Payload_Types/atlas/mythic/browser_scripts/ls.js +++ b/Payload_Types/atlas/mythic/browser_scripts/ls.js @@ -5,7 +5,7 @@ function(task, response) { var data = JSON.parse(response[i]['response']); } catch (error) { //return error.ToString(); - return response; + return escapeHTML(response); } data.forEach(function (r) { @@ -27,4 +27,4 @@ function(task, response) { "name": "Size", "size": "2em" }, {"name": "Lastmodified", "size": "3em"}, {"name": "IsDir", "size": "2em"}], rows); -} \ No newline at end of file +} diff --git a/Payload_Types/atlas/mythic/browser_scripts/ps.js b/Payload_Types/atlas/mythic/browser_scripts/ps.js index cd5de114b..eebc2c35d 100644 --- a/Payload_Types/atlas/mythic/browser_scripts/ps.js +++ b/Payload_Types/atlas/mythic/browser_scripts/ps.js @@ -4,7 +4,7 @@ function(task, response){ try{ var data = JSON.parse(response[i]['response']); }catch(error){ - return response; + return escapeHTML(response); } data.forEach(function(r){ let row_style = ""; @@ -18,4 +18,4 @@ function(task, response){ }); } return support_scripts['atlas_create_table']([{"name":"process_id", "size":"10em"},{"name":"parent_process_id", "size":"10em"}, {"name": "user", "size": "10em"},{"name":"path", "size":""}], rows); -} \ No newline at end of file +} diff --git a/Payload_Types/poseidon/mythic/browser_scripts/list_entitlements.js b/Payload_Types/poseidon/mythic/browser_scripts/list_entitlements.js index 06116bbd4..a211f1543 100644 --- a/Payload_Types/poseidon/mythic/browser_scripts/list_entitlements.js +++ b/Payload_Types/poseidon/mythic/browser_scripts/list_entitlements.js @@ -26,8 +26,8 @@ function(task, responses){ } } } - return "
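Review bot: `return escapeHTML(response);` in atlas/ls.js hands the whole `response` array to `escapeHTML`, not the text that failed to parse; unless `escapeHTML` accepts non-strings (its definition is outside this diff), the user sees either an error or a stringified `[object Object]` instead of the raw output. Return the escaped entry that failed instead, `return escapeHTML(response[i]['response']);`; atlas/ps.js and poseidon/ps.js carry the same one-liner. The functions begin before their hunks.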
" + JSON.stringify(dict, null, 6) + "
"; + return "
" + escapeHTML(JSON.stringify(dict, null, 6)) + "
"; }catch(error){ - return "
" + error.toString() + JSON.stringify(responses, null, 6) +  "
"; + return "
" + error.toString() + escapeHTML(JSON.stringify(responses, null, 6)) +  "
"; } -} \ No newline at end of file +} diff --git a/Payload_Types/poseidon/mythic/browser_scripts/ls.js b/Payload_Types/poseidon/mythic/browser_scripts/ls.js index 99a87b222..6487e66ee 100644 --- a/Payload_Types/poseidon/mythic/browser_scripts/ls.js +++ b/Payload_Types/poseidon/mythic/browser_scripts/ls.js @@ -12,7 +12,7 @@ function(task, responses){ if( !data['is_file'] ){ row_style = "background-color: #5E28DC"} let row = {"name": escapeHTML(data['name']), "size": escapeHTML(data['size']), "row-style": row_style, "cell-style": {}}; let perm_data = data['permissions']; - row['permissions'] = perm_data["permissions"]; + row['permissions'] = escapeHTML(perm_data["permissions"]); rows.push(row); if(!data.hasOwnProperty('files')){data['files'] = []} data['files'].forEach(function(r){ @@ -21,7 +21,7 @@ function(task, responses){ let row = {"name": escapeHTML(r['name']), "size": escapeHTML(r['size']), "row-style": row_style, "cell-style": {}}; let perm_data = r['permissions']; perm_data = data['permissions']; - row['permissions'] = perm_data["permissions"]; + row['permissions'] = escapeHTML(perm_data["permissions"]); rows.push(row); }); } @@ -33,4 +33,4 @@ function(task, responses){ console.log(error); return "
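Review bot: The newly escaped `perm_data["permissions"]` in the inner `forEach` of poseidon/ls.js is read from `perm_data` one line after it has been reassigned to `data['permissions']` (`let perm_data = r['permissions']; perm_data = data['permissions'];`), so every child row shows the parent directory's permissions rather than its own. Delete the reassignment and keep `let perm_data = r['permissions'];` alone, so the escaped value is the file's. The function starts and ends outside the hunk.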
 Error: untoggle for error message(s) 
"; } -} \ No newline at end of file +} diff --git a/Payload_Types/poseidon/mythic/browser_scripts/ps.js b/Payload_Types/poseidon/mythic/browser_scripts/ps.js index 0bd94d9d4..1acec8133 100644 --- a/Payload_Types/poseidon/mythic/browser_scripts/ps.js +++ b/Payload_Types/poseidon/mythic/browser_scripts/ps.js @@ -5,7 +5,7 @@ function(task, response){ try{ var data = JSON.parse(response[i]['response']); }catch(error){ - return response; + return escapeHTML(response); } data.forEach(function(r){ let row_style = ""; @@ -37,4 +37,4 @@ function(task, response){ {"name":"path", "size":""} ], rows); return output; -} \ No newline at end of file +} From 25ae4cc7e9ce9bd73b356cd0147244299359fd33 Mon Sep 17 00:00:00 2001 From: Iorpim Date: Wed, 5 May 2021 12:58:30 -0300 Subject: [PATCH 23/23] Updated Att&ck to version 9.0 A few "attackmappings" caused the Payload Types to break as the attack.json was missing newly introduced techniques. attack_parse.py was also updated to account for now optional fields. --- mythic-docker/app/attack_parse.py | 57 ++++++++++--------- .../app/default_files/other_info/attack.json | 2 +- 2 files changed, 31 insertions(+), 28 deletions(-) diff --git a/mythic-docker/app/attack_parse.py b/mythic-docker/app/attack_parse.py index f10bd356a..c39dd15fa 100755 --- a/mythic-docker/app/attack_parse.py +++ b/mythic-docker/app/attack_parse.py 
@@ -1,27 +1,30 @@
-import json as js
-import pprint
-
-file = open("full_attack.json", "r")
-output = open("small_attack.json", "w")
-attack = js.load(file)
-attack_list = []
-for obj in attack["objects"]:
- if obj["type"] == "attack-pattern":
- t_num = "Not Found" # just an error case
- for ext_ref in obj["external_references"]:
- if "external_id" in ext_ref and ext_ref["source_name"] == "mitre-attack":
- t_num = ext_ref["external_id"]
- name = obj["name"]
- os = " ".join(obj["x_mitre_platforms"])
- tactics = [
- x["phase_name"]
- for x in obj["kill_chain_phases"]
- if x["kill_chain_name"] == "mitre-attack"
- ]
- tactics = " ".join(tactics)
- # tactic = obj['kill_chain_phases'][0]['phase_name']
- attack_list.append(
- {"t_num": t_num, "name": name, "os": os, "tactic": tactics}
- )
-full_output = {"techniques": attack_list}
-output.write(js.dumps(full_output))
+import json as js
+import pprint
+
+file = open("full_attack.json", "r")
+output = open("small_attack.json", "w")
+attack = js.load(file)
+attack_list = []
+for obj in attack["objects"]:
+ if obj["type"] == "attack-pattern":
+ t_num = "Not Found" # just an error case
+ for ext_ref in obj["external_references"]:
+ if "external_id" in ext_ref and ext_ref["source_name"] == "mitre-attack":
+ t_num = ext_ref["external_id"]
+ name = obj["name"]
+ if "x_mitre_platforms" in obj: # "x_mitre_platform" is now not always present
+ os = " ".join(obj["x_mitre_platforms"])
+ else:
+ os = ""
+ tactics = [
+ x["phase_name"]
+ for x in (obj["kill_chain_phases"] if "kill_chain_phases" in obj else []) # Neither is "kill_chain_phases"
+ if x["kill_chain_name"] == "mitre-attack"
+ ]
+ tactics = " ".join(tactics)
+ # tactic = obj['kill_chain_phases'][0]['phase_name']
+ attack_list.append(
+ {"t_num": t_num, "name": name, "os": os, "tactic": tactics}
+ )
+full_output = {"techniques": attack_list}
+output.write(js.dumps(full_output))
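Review bot: Every line of attack_parse.py is removed and re-added although only the `x_mitre_platforms` / `kill_chain_phases` handling changed, which usually means a line-ending or trailing-whitespace change rode along; committing the functional change on its own would keep the diff reviewable. On the new side, `obj.get("x_mitre_platforms", [])` and `obj.get("kill_chain_phases", [])` express the optional fields more directly than the `in` tests, and the two `open()` calls still never close their handles — `with open("full_attack.json", "r") as file, open("small_attack.json", "w") as output:` fixes that, and the `os` local shadowing the stdlib module name is worth renaming while here. ATT&CK STIX bundles also flag retired techniques with `revoked` / `x_mitre_deprecated`; if those should not be offered as mappings, `if obj.get("revoked") or obj.get("x_mitre_deprecated"): continue` belongs at the top of the loop — confirm against how attack.json is consumed.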
diff --git a/mythic-docker/app/default_files/other_info/attack.json b/mythic-docker/app/default_files/other_info/attack.json index f5b75c72e..300f3c339 100755 --- a/mythic-docker/app/default_files/other_info/attack.json +++ b/mythic-docker/app/default_files/other_info/attack.json 
@@ -1 +1 @@ -{"techniques": [{"t_num": "T1156", "name": ".bash_profile and .bashrc", "os": "Linux macOS", "tactic": "persistence"}, {"t_num": "T1134", "name": "Access Token Manipulation", "os": "Windows", "tactic": "defense-evasion privilege-escalation"}, {"t_num": "T1015", "name": "Accessibility Features", "os": "Windows", "tactic": "persistence privilege-escalation"}, {"t_num": "T1087", "name": "Account Discovery", "os": "Linux macOS Windows", "tactic": "discovery"}, {"t_num": "T1098", "name": "Account Manipulation", "os": "Windows", "tactic": "credential-access persistence"}, {"t_num": "T1182", "name": "AppCert DLLs", "os": "Windows", "tactic": "persistence privilege-escalation"}, {"t_num": "T1103", "name": "AppInit DLLs", "os": "Windows", "tactic": "persistence privilege-escalation"}, {"t_num": "T1155", "name": "AppleScript", "os": "macOS", "tactic": "execution lateral-movement"}, {"t_num": "T1017", "name": "Application Deployment Software", "os": "Linux macOS Windows", "tactic": "lateral-movement"}, {"t_num": "T1138", "name": "Application Shimming", "os": "Windows", "tactic": "persistence privilege-escalation"}, {"t_num": "T1010", "name": "Application Window Discovery", "os": "macOS Windows", "tactic": "discovery"}, {"t_num": "T1123", "name": "Audio Capture", "os": "Linux macOS Windows", "tactic": "collection"}, {"t_num": "T1131", "name": "Authentication Package", "os": "Windows", "tactic": "persistence"}, {"t_num": "T1119", "name": "Automated Collection", "os": "Linux macOS Windows", "tactic": "collection"}, {"t_num": "T1020", "name": "Automated Exfiltration", "os": "Linux macOS Windows", "tactic": "exfiltration"}, {"t_num": "T1197", "name": "BITS Jobs", "os": "Windows", "tactic": "defense-evasion persistence"}, {"t_num": "T1139", "name": "Bash History", "os": "Linux macOS", "tactic": "credential-access"}, {"t_num": "T1009", "name": "Binary Padding", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1067", "name": "Bootkit", "os": "Linux 
Windows", "tactic": "persistence"}, {"t_num": "T1217", "name": "Browser Bookmark Discovery", "os": "Linux Windows macOS", "tactic": "discovery"}, {"t_num": "T1176", "name": "Browser Extensions", "os": "Linux macOS Windows", "tactic": "persistence"}, {"t_num": "T1110", "name": "Brute Force", "os": "Linux macOS Windows", "tactic": "credential-access"}, {"t_num": "T1088", "name": "Bypass User Account Control", "os": "Windows", "tactic": "defense-evasion privilege-escalation"}, {"t_num": "T1191", "name": "CMSTP", "os": "Windows", "tactic": "defense-evasion execution"}, {"t_num": "T1042", "name": "Change Default File Association", "os": "Windows", "tactic": "persistence"}, {"t_num": "T1146", "name": "Clear Command History", "os": "Linux macOS", "tactic": "defense-evasion"}, {"t_num": "T1115", "name": "Clipboard Data", "os": "Linux Windows macOS", "tactic": "collection"}, {"t_num": "T1116", "name": "Code Signing", "os": "macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1059", "name": "Command-Line Interface", "os": "Linux macOS Windows", "tactic": "execution"}, {"t_num": "T1043", "name": "Commonly Used Port", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1092", "name": "Communication Through Removable Media", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1500", "name": "Compile After Delivery", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1223", "name": "Compiled HTML File", "os": "Windows", "tactic": "defense-evasion execution"}, {"t_num": "T1109", "name": "Component Firmware", "os": "Windows", "tactic": "defense-evasion persistence"}, {"t_num": "T1122", "name": "Component Object Model Hijacking", "os": "Windows", "tactic": "defense-evasion persistence"}, {"t_num": "T1090", "name": "Connection Proxy", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1196", "name": "Control Panel Items", "os": "Windows", "tactic": "defense-evasion execution"}, {"t_num": 
"T1136", "name": "Create Account", "os": "Linux macOS Windows", "tactic": "persistence"}, {"t_num": "T1003", "name": "Credential Dumping", "os": "Windows Linux macOS", "tactic": "credential-access"}, {"t_num": "T1081", "name": "Credentials in Files", "os": "Linux macOS Windows", "tactic": "credential-access"}, {"t_num": "T1214", "name": "Credentials in Registry", "os": "Windows", "tactic": "credential-access"}, {"t_num": "T1094", "name": "Custom Command and Control Protocol", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1024", "name": "Custom Cryptographic Protocol", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1207", "name": "DCShadow", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1038", "name": "DLL Search Order Hijacking", "os": "Windows", "tactic": "persistence privilege-escalation defense-evasion"}, {"t_num": "T1073", "name": "DLL Side-Loading", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1002", "name": "Data Compressed", "os": "Linux Windows macOS", "tactic": "exfiltration"}, {"t_num": "T1485", "name": "Data Destruction", "os": "Linux macOS Windows", "tactic": "impact"}, {"t_num": "T1132", "name": "Data Encoding", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1022", "name": "Data Encrypted", "os": "Linux macOS Windows", "tactic": "exfiltration"}, {"t_num": "T1486", "name": "Data Encrypted for Impact", "os": "Linux macOS Windows", "tactic": "impact"}, {"t_num": "T1001", "name": "Data Obfuscation", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1074", "name": "Data Staged", "os": "Linux macOS Windows", "tactic": "collection"}, {"t_num": "T1030", "name": "Data Transfer Size Limits", "os": "Linux macOS Windows", "tactic": "exfiltration"}, {"t_num": "T1213", "name": "Data from Information Repositories", "os": "Linux Windows macOS", "tactic": "collection"}, {"t_num": "T1005", "name": "Data from Local System", "os": "Linux 
macOS Windows", "tactic": "collection"}, {"t_num": "T1039", "name": "Data from Network Shared Drive", "os": "Linux macOS Windows", "tactic": "collection"}, {"t_num": "T1025", "name": "Data from Removable Media", "os": "Linux macOS Windows", "tactic": "collection"}, {"t_num": "T1491", "name": "Defacement", "os": "Linux macOS Windows", "tactic": "impact"}, {"t_num": "T1140", "name": "Deobfuscate/Decode Files or Information", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1089", "name": "Disabling Security Tools", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1488", "name": "Disk Content Wipe", "os": "Linux macOS Windows", "tactic": "impact"}, {"t_num": "T1487", "name": "Disk Structure Wipe", "os": "Windows macOS Linux", "tactic": "impact"}, {"t_num": "T1175", "name": "Distributed Component Object Model", "os": "Windows", "tactic": "lateral-movement"}, {"t_num": "T1172", "name": "Domain Fronting", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1483", "name": "Domain Generation Algorithms", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1482", "name": "Domain Trust Discovery", "os": "Windows", "tactic": "discovery"}, {"t_num": "T1189", "name": "Drive-by Compromise", "os": "Windows Linux macOS", "tactic": "initial-access"}, {"t_num": "T1157", "name": "Dylib Hijacking", "os": "macOS", "tactic": "persistence privilege-escalation"}, {"t_num": "T1173", "name": "Dynamic Data Exchange", "os": "Windows", "tactic": "execution"}, {"t_num": "T1114", "name": "Email Collection", "os": "Windows", "tactic": "collection"}, {"t_num": "T1499", "name": "Endpoint Denial of Service", "os": "Linux macOS Windows", "tactic": "impact"}, {"t_num": "T1480", "name": "Execution Guardrails", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1106", "name": "Execution through API", "os": "Windows", "tactic": "execution"}, {"t_num": "T1129", "name": "Execution through Module Load", "os": 
"Windows", "tactic": "execution"}, {"t_num": "T1048", "name": "Exfiltration Over Alternative Protocol", "os": "Linux macOS Windows", "tactic": "exfiltration"}, {"t_num": "T1041", "name": "Exfiltration Over Command and Control Channel", "os": "Linux macOS Windows", "tactic": "exfiltration"}, {"t_num": "T1011", "name": "Exfiltration Over Other Network Medium", "os": "Linux macOS Windows", "tactic": "exfiltration"}, {"t_num": "T1052", "name": "Exfiltration Over Physical Medium", "os": "Linux macOS Windows", "tactic": "exfiltration"}, {"t_num": "T1190", "name": "Exploit Public-Facing Application", "os": "Linux Windows macOS", "tactic": "initial-access"}, {"t_num": "T1203", "name": "Exploitation for Client Execution", "os": "Linux Windows macOS", "tactic": "execution"}, {"t_num": "T1212", "name": "Exploitation for Credential Access", "os": "Linux Windows macOS", "tactic": "credential-access"}, {"t_num": "T1211", "name": "Exploitation for Defense Evasion", "os": "Linux Windows macOS", "tactic": "defense-evasion"}, {"t_num": "T1068", "name": "Exploitation for Privilege Escalation", "os": "Linux macOS Windows", "tactic": "privilege-escalation"}, {"t_num": "T1210", "name": "Exploitation of Remote Services", "os": "Linux Windows macOS", "tactic": "lateral-movement"}, {"t_num": "T1133", "name": "External Remote Services", "os": "Windows", "tactic": "persistence initial-access"}, {"t_num": "T1181", "name": "Extra Window Memory Injection", "os": "Windows", "tactic": "defense-evasion privilege-escalation"}, {"t_num": "T1008", "name": "Fallback Channels", "os": "Linux Windows macOS", "tactic": "command-and-control"}, {"t_num": "T1107", "name": "File Deletion", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1222", "name": "File Permissions Modification", "os": "Linux Windows macOS", "tactic": "defense-evasion"}, {"t_num": "T1006", "name": "File System Logical Offsets", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1044", "name": "File System 
Permissions Weakness", "os": "Windows", "tactic": "persistence privilege-escalation"}, {"t_num": "T1083", "name": "File and Directory Discovery", "os": "Linux macOS Windows", "tactic": "discovery"}, {"t_num": "T1495", "name": "Firmware Corruption", "os": "Linux macOS Windows", "tactic": "impact"}, {"t_num": "T1187", "name": "Forced Authentication", "os": "Windows", "tactic": "credential-access"}, {"t_num": "T1144", "name": "Gatekeeper Bypass", "os": "macOS", "tactic": "defense-evasion"}, {"t_num": "T1061", "name": "Graphical User Interface", "os": "Linux macOS Windows", "tactic": "execution"}, {"t_num": "T1484", "name": "Group Policy Modification", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1148", "name": "HISTCONTROL", "os": "Linux macOS", "tactic": "defense-evasion"}, {"t_num": "T1200", "name": "Hardware Additions", "os": "Windows Linux macOS", "tactic": "initial-access"}, {"t_num": "T1158", "name": "Hidden Files and Directories", "os": "Linux macOS Windows", "tactic": "defense-evasion persistence"}, {"t_num": "T1147", "name": "Hidden Users", "os": "macOS", "tactic": "defense-evasion"}, {"t_num": "T1143", "name": "Hidden Window", "os": "macOS", "tactic": "defense-evasion"}, {"t_num": "T1179", "name": "Hooking", "os": "Windows", "tactic": "persistence privilege-escalation credential-access"}, {"t_num": "T1062", "name": "Hypervisor", "os": "Windows", "tactic": "persistence"}, {"t_num": "T1183", "name": "Image File Execution Options Injection", "os": "Windows", "tactic": "privilege-escalation persistence defense-evasion"}, {"t_num": "T1054", "name": "Indicator Blocking", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1066", "name": "Indicator Removal from Tools", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1070", "name": "Indicator Removal on Host", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1202", "name": "Indirect Command Execution", "os": "Windows", "tactic": "defense-evasion"}, 
{"t_num": "T1490", "name": "Inhibit System Recovery", "os": "Windows macOS Linux", "tactic": "impact"}, {"t_num": "T1056", "name": "Input Capture", "os": "Linux macOS Windows", "tactic": "collection credential-access"}, {"t_num": "T1141", "name": "Input Prompt", "os": "macOS Windows", "tactic": "credential-access"}, {"t_num": "T1130", "name": "Install Root Certificate", "os": "Linux Windows macOS", "tactic": "defense-evasion"}, {"t_num": "T1118", "name": "InstallUtil", "os": "Windows", "tactic": "defense-evasion execution"}, {"t_num": "T1208", "name": "Kerberoasting", "os": "Windows", "tactic": "credential-access"}, {"t_num": "T1215", "name": "Kernel Modules and Extensions", "os": "Linux macOS", "tactic": "persistence"}, {"t_num": "T1142", "name": "Keychain", "os": "macOS", "tactic": "credential-access"}, {"t_num": "T1161", "name": "LC_LOAD_DYLIB Addition", "os": "macOS", "tactic": "persistence"}, {"t_num": "T1149", "name": "LC_MAIN Hijacking", "os": "macOS", "tactic": "defense-evasion"}, {"t_num": "T1171", "name": "LLMNR/NBT-NS Poisoning and Relay", "os": "Windows", "tactic": "credential-access"}, {"t_num": "T1177", "name": "LSASS Driver", "os": "Windows", "tactic": "execution persistence"}, {"t_num": "T1159", "name": "Launch Agent", "os": "macOS", "tactic": "persistence"}, {"t_num": "T1160", "name": "Launch Daemon", "os": "macOS", "tactic": "persistence privilege-escalation"}, {"t_num": "T1152", "name": "Launchctl", "os": "macOS", "tactic": "defense-evasion execution persistence"}, {"t_num": "T1168", "name": "Local Job Scheduling", "os": "Linux macOS", "tactic": "persistence execution"}, {"t_num": "T1162", "name": "Login Item", "os": "macOS", "tactic": "persistence"}, {"t_num": "T1037", "name": "Logon Scripts", "os": "macOS Windows", "tactic": "lateral-movement persistence"}, {"t_num": "T1185", "name": "Man in the Browser", "os": "Windows", "tactic": "collection"}, {"t_num": "T1036", "name": "Masquerading", "os": "Linux macOS Windows", "tactic": 
"defense-evasion"}, {"t_num": "T1031", "name": "Modify Existing Service", "os": "Windows", "tactic": "persistence"}, {"t_num": "T1112", "name": "Modify Registry", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1170", "name": "Mshta", "os": "Windows", "tactic": "defense-evasion execution"}, {"t_num": "T1104", "name": "Multi-Stage Channels", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1188", "name": "Multi-hop Proxy", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1026", "name": "Multiband Communication", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1079", "name": "Multilayer Encryption", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1096", "name": "NTFS File Attributes", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1128", "name": "Netsh Helper DLL", "os": "Windows", "tactic": "persistence"}, {"t_num": "T1498", "name": "Network Denial of Service", "os": "Linux macOS Windows", "tactic": "impact"}, {"t_num": "T1046", "name": "Network Service Scanning", "os": "Linux Windows macOS", "tactic": "discovery"}, {"t_num": "T1126", "name": "Network Share Connection Removal", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1135", "name": "Network Share Discovery", "os": "macOS Windows", "tactic": "discovery"}, {"t_num": "T1040", "name": "Network Sniffing", "os": "Linux macOS Windows", "tactic": "credential-access discovery"}, {"t_num": "T1050", "name": "New Service", "os": "Windows", "tactic": "persistence privilege-escalation"}, {"t_num": "T1027", "name": "Obfuscated Files or Information", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1137", "name": "Office Application Startup", "os": "Windows", "tactic": "persistence"}, {"t_num": "T1075", "name": "Pass the Hash", "os": "Windows", "tactic": "lateral-movement"}, {"t_num": "T1097", "name": "Pass the Ticket", "os": "Windows", "tactic": 
"lateral-movement"}, {"t_num": "T1174", "name": "Password Filter DLL", "os": "Windows", "tactic": "credential-access"}, {"t_num": "T1201", "name": "Password Policy Discovery", "os": "Windows Linux macOS", "tactic": "discovery"}, {"t_num": "T1034", "name": "Path Interception", "os": "Windows", "tactic": "persistence privilege-escalation"}, {"t_num": "T1120", "name": "Peripheral Device Discovery", "os": "Windows", "tactic": "discovery"}, {"t_num": "T1069", "name": "Permission Groups Discovery", "os": "Linux macOS Windows", "tactic": "discovery"}, {"t_num": "T1150", "name": "Plist Modification", "os": "macOS", "tactic": "defense-evasion persistence privilege-escalation"}, {"t_num": "T1205", "name": "Port Knocking", "os": "Linux macOS", "tactic": "defense-evasion persistence command-and-control"}, {"t_num": "T1013", "name": "Port Monitors", "os": "Windows", "tactic": "persistence privilege-escalation"}, {"t_num": "T1086", "name": "PowerShell", "os": "Windows", "tactic": "execution"}, {"t_num": "T1145", "name": "Private Keys", "os": "Linux macOS Windows", "tactic": "credential-access"}, {"t_num": "T1057", "name": "Process Discovery", "os": "Linux macOS Windows", "tactic": "discovery"}, {"t_num": "T1186", "name": "Process Doppelg\u00e4nging", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1093", "name": "Process Hollowing", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1055", "name": "Process Injection", "os": "Linux macOS Windows", "tactic": "defense-evasion privilege-escalation"}, {"t_num": "T1012", "name": "Query Registry", "os": "Windows", "tactic": "discovery"}, {"t_num": "T1163", "name": "Rc.common", "os": "macOS", "tactic": "persistence"}, {"t_num": "T1164", "name": "Re-opened Applications", "os": "macOS", "tactic": "persistence"}, {"t_num": "T1108", "name": "Redundant Access", "os": "Linux macOS Windows", "tactic": "defense-evasion persistence"}, {"t_num": "T1060", "name": "Registry Run Keys / Startup Folder", "os": "Windows", "tactic": 
"persistence"}, {"t_num": "T1121", "name": "Regsvcs/Regasm", "os": "Windows", "tactic": "defense-evasion execution"}, {"t_num": "T1117", "name": "Regsvr32", "os": "Windows", "tactic": "defense-evasion execution"}, {"t_num": "T1219", "name": "Remote Access Tools", "os": "Linux Windows macOS", "tactic": "command-and-control"}, {"t_num": "T1076", "name": "Remote Desktop Protocol", "os": "Windows", "tactic": "lateral-movement"}, {"t_num": "T1105", "name": "Remote File Copy", "os": "Linux macOS Windows", "tactic": "command-and-control lateral-movement"}, {"t_num": "T1021", "name": "Remote Services", "os": "Linux macOS Windows", "tactic": "lateral-movement"}, {"t_num": "T1018", "name": "Remote System Discovery", "os": "Linux macOS Windows", "tactic": "discovery"}, {"t_num": "T1091", "name": "Replication Through Removable Media", "os": "Windows", "tactic": "lateral-movement initial-access"}, {"t_num": "T1496", "name": "Resource Hijacking", "os": "Linux macOS Windows", "tactic": "impact"}, {"t_num": "T1014", "name": "Rootkit", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1085", "name": "Rundll32", "os": "Windows", "tactic": "defense-evasion execution"}, {"t_num": "T1494", "name": "Runtime Data Manipulation", "os": "Linux macOS Windows", "tactic": "impact"}, {"t_num": "T1178", "name": "SID-History Injection", "os": "Windows", "tactic": "privilege-escalation"}, {"t_num": "T1198", "name": "SIP and Trust Provider Hijacking", "os": "Windows", "tactic": "defense-evasion persistence"}, {"t_num": "T1184", "name": "SSH Hijacking", "os": "Linux macOS", "tactic": "lateral-movement"}, {"t_num": "T1053", "name": "Scheduled Task", "os": "Windows", "tactic": "execution persistence privilege-escalation"}, {"t_num": "T1029", "name": "Scheduled Transfer", "os": "Linux macOS Windows", "tactic": "exfiltration"}, {"t_num": "T1113", "name": "Screen Capture", "os": "Linux macOS Windows", "tactic": "collection"}, {"t_num": "T1180", "name": "Screensaver", "os": "Windows", 
"tactic": "persistence"}, {"t_num": "T1064", "name": "Scripting", "os": "Linux macOS Windows", "tactic": "defense-evasion execution"}, {"t_num": "T1063", "name": "Security Software Discovery", "os": "macOS Windows", "tactic": "discovery"}, {"t_num": "T1101", "name": "Security Support Provider", "os": "Windows", "tactic": "persistence"}, {"t_num": "T1167", "name": "Securityd Memory", "os": "macOS", "tactic": "credential-access"}, {"t_num": "T1035", "name": "Service Execution", "os": "Windows", "tactic": "execution"}, {"t_num": "T1058", "name": "Service Registry Permissions Weakness", "os": "Windows", "tactic": "persistence privilege-escalation"}, {"t_num": "T1489", "name": "Service Stop", "os": "Windows", "tactic": "impact"}, {"t_num": "T1166", "name": "Setuid and Setgid", "os": "Linux macOS", "tactic": "privilege-escalation persistence"}, {"t_num": "T1051", "name": "Shared Webroot", "os": "Windows", "tactic": "lateral-movement"}, {"t_num": "T1023", "name": "Shortcut Modification", "os": "Windows", "tactic": "persistence"}, {"t_num": "T1218", "name": "Signed Binary Proxy Execution", "os": "Windows", "tactic": "defense-evasion execution"}, {"t_num": "T1216", "name": "Signed Script Proxy Execution", "os": "Windows", "tactic": "defense-evasion execution"}, {"t_num": "T1045", "name": "Software Packing", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1153", "name": "Source", "os": "Linux macOS", "tactic": "execution"}, {"t_num": "T1151", "name": "Space after Filename", "os": "Linux macOS", "tactic": "defense-evasion execution"}, {"t_num": "T1193", "name": "Spearphishing Attachment", "os": "Windows macOS Linux", "tactic": "initial-access"}, {"t_num": "T1192", "name": "Spearphishing Link", "os": "Windows macOS Linux", "tactic": "initial-access"}, {"t_num": "T1194", "name": "Spearphishing via Service", "os": "Windows macOS Linux", "tactic": "initial-access"}, {"t_num": "T1071", "name": "Standard Application Layer Protocol", "os": "Linux macOS Windows", "tactic": 
"command-and-control"}, {"t_num": "T1032", "name": "Standard Cryptographic Protocol", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1095", "name": "Standard Non-Application Layer Protocol", "os": "Windows Linux macOS", "tactic": "command-and-control"}, {"t_num": "T1165", "name": "Startup Items", "os": "macOS", "tactic": "persistence privilege-escalation"}, {"t_num": "T1492", "name": "Stored Data Manipulation", "os": "Linux macOS Windows", "tactic": "impact"}, {"t_num": "T1169", "name": "Sudo", "os": "Linux macOS", "tactic": "privilege-escalation"}, {"t_num": "T1206", "name": "Sudo Caching", "os": "Linux macOS", "tactic": "privilege-escalation"}, {"t_num": "T1195", "name": "Supply Chain Compromise", "os": "Linux Windows macOS", "tactic": "initial-access"}, {"t_num": "T1019", "name": "System Firmware", "os": "Windows", "tactic": "persistence"}, {"t_num": "T1082", "name": "System Information Discovery", "os": "Linux macOS Windows", "tactic": "discovery"}, {"t_num": "T1016", "name": "System Network Configuration Discovery", "os": "Linux macOS Windows", "tactic": "discovery"}, {"t_num": "T1049", "name": "System Network Connections Discovery", "os": "Linux macOS Windows", "tactic": "discovery"}, {"t_num": "T1033", "name": "System Owner/User Discovery", "os": "Linux macOS Windows", "tactic": "discovery"}, {"t_num": "T1007", "name": "System Service Discovery", "os": "Windows", "tactic": "discovery"}, {"t_num": "T1124", "name": "System Time Discovery", "os": "Windows", "tactic": "discovery"}, {"t_num": "T1501", "name": "Systemd Service", "os": "Linux", "tactic": "persistence"}, {"t_num": "T1080", "name": "Taint Shared Content", "os": "Windows", "tactic": "lateral-movement"}, {"t_num": "T1221", "name": "Template Injection", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1072", "name": "Third-party Software", "os": "Linux macOS Windows", "tactic": "execution lateral-movement"}, {"t_num": "T1209", "name": "Time Providers", "os": 
"Windows", "tactic": "persistence"}, {"t_num": "T1099", "name": "Timestomp", "os": "Linux Windows", "tactic": "defense-evasion"}, {"t_num": "T1493", "name": "Transmitted Data Manipulation", "os": "Linux macOS Windows", "tactic": "impact"}, {"t_num": "T1154", "name": "Trap", "os": "Linux macOS", "tactic": "execution persistence"}, {"t_num": "T1127", "name": "Trusted Developer Utilities", "os": "Windows", "tactic": "defense-evasion execution"}, {"t_num": "T1199", "name": "Trusted Relationship", "os": "Linux Windows macOS", "tactic": "initial-access"}, {"t_num": "T1111", "name": "Two-Factor Authentication Interception", "os": "Linux Windows macOS", "tactic": "credential-access"}, {"t_num": "T1065", "name": "Uncommonly Used Port", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1204", "name": "User Execution", "os": "Linux Windows macOS", "tactic": "execution"}, {"t_num": "T1078", "name": "Valid Accounts", "os": "Linux macOS Windows", "tactic": "defense-evasion persistence privilege-escalation initial-access"}, {"t_num": "T1125", "name": "Video Capture", "os": "Windows macOS", "tactic": "collection"}, {"t_num": "T1497", "name": "Virtualization/Sandbox Evasion", "os": "Windows", "tactic": "defense-evasion discovery"}, {"t_num": "T1102", "name": "Web Service", "os": "Linux macOS Windows", "tactic": "command-and-control defense-evasion"}, {"t_num": "T1100", "name": "Web Shell", "os": "Linux Windows macOS", "tactic": "persistence privilege-escalation"}, {"t_num": "T1077", "name": "Windows Admin Shares", "os": "Windows", "tactic": "lateral-movement"}, {"t_num": "T1047", "name": "Windows Management Instrumentation", "os": "Windows", "tactic": "execution"}, {"t_num": "T1084", "name": "Windows Management Instrumentation Event Subscription", "os": "Windows", "tactic": "persistence"}, {"t_num": "T1028", "name": "Windows Remote Management", "os": "Windows", "tactic": "execution lateral-movement"}, {"t_num": "T1004", "name": "Winlogon Helper DLL", "os": 
"Windows", "tactic": "persistence"}, {"t_num": "T1220", "name": "XSL Script Processing", "os": "Windows", "tactic": "defense-evasion execution"}]} \ No newline at end of file +{"techniques": [{"t_num": "T1003.008", "name": "/etc/passwd and /etc/shadow", "os": "Linux", "tactic": "credential-access"}, {"t_num": "T1557.002", "name": "ARP Cache Poisoning", "os": "Linux Windows macOS", "tactic": "credential-access collection"}, {"t_num": "T1558.004", "name": "AS-REP Roasting", "os": "Windows", "tactic": "credential-access"}, {"t_num": "T1548", "name": "Abuse Elevation Control Mechanism", "os": "Linux macOS Windows", "tactic": "privilege-escalation defense-evasion"}, {"t_num": "T1134", "name": "Access Token Manipulation", "os": "Windows", "tactic": "defense-evasion privilege-escalation"}, {"t_num": "T1015", "name": "Accessibility Features", "os": "", "tactic": ""}, {"t_num": "T1546.008", "name": "Accessibility Features", "os": "Windows", "tactic": "privilege-escalation persistence"}, {"t_num": "T1531", "name": "Account Access Removal", "os": "Linux macOS Windows", "tactic": "impact"}, {"t_num": "T1087", "name": "Account Discovery", "os": "Windows Azure AD Office 365 SaaS IaaS Linux macOS Google Workspace", "tactic": "discovery"}, {"t_num": "T1098", "name": "Account Manipulation", "os": "Windows Azure AD Office 365 IaaS Linux macOS Google Workspace", "tactic": "persistence"}, {"t_num": "T1583", "name": "Acquire Infrastructure", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1595", "name": "Active Scanning", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1547.014", "name": "Active Setup", "os": "Windows", "tactic": "persistence privilege-escalation"}, {"t_num": "T1098.003", "name": "Add Office 365 Global Administrator Role", "os": "Office 365", "tactic": "persistence"}, {"t_num": "T1137.006", "name": "Add-ins", "os": "Windows Office 365", "tactic": "persistence"}, {"t_num": "T1098.001", "name": "Additional Cloud Credentials", "os": "IaaS Azure AD", 
"tactic": "persistence"}, {"t_num": "T1182", "name": "AppCert DLLs", "os": "", "tactic": ""}, {"t_num": "T1546.009", "name": "AppCert DLLs", "os": "Windows", "tactic": "privilege-escalation persistence"}, {"t_num": "T1103", "name": "AppInit DLLs", "os": "", "tactic": ""}, {"t_num": "T1546.010", "name": "AppInit DLLs", "os": "Windows", "tactic": "privilege-escalation persistence"}, {"t_num": "T1155", "name": "AppleScript", "os": "", "tactic": ""}, {"t_num": "T1059.002", "name": "AppleScript", "os": "macOS", "tactic": "execution"}, {"t_num": "T1527", "name": "Application Access Token", "os": "", "tactic": ""}, {"t_num": "T1550.001", "name": "Application Access Token", "os": "Office 365 SaaS Google Workspace", "tactic": "defense-evasion lateral-movement"}, {"t_num": "T1017", "name": "Application Deployment Software", "os": "", "tactic": ""}, {"t_num": "T1499.003", "name": "Application Exhaustion Flood", "os": "Windows Azure AD Office 365 SaaS IaaS Linux macOS Google Workspace", "tactic": "impact"}, {"t_num": "T1071", "name": "Application Layer Protocol", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1138", "name": "Application Shimming", "os": "", "tactic": ""}, {"t_num": "T1546.011", "name": "Application Shimming", "os": "Windows", "tactic": "privilege-escalation persistence"}, {"t_num": "T1010", "name": "Application Window Discovery", "os": "macOS Windows", "tactic": "discovery"}, {"t_num": "T1499.004", "name": "Application or System Exploitation", "os": "Windows Azure AD Office 365 SaaS IaaS Linux macOS Google Workspace", "tactic": "impact"}, {"t_num": "T1560", "name": "Archive Collected Data", "os": "Linux macOS Windows", "tactic": "collection"}, {"t_num": "T1560.003", "name": "Archive via Custom Method", "os": "Linux macOS Windows", "tactic": "collection"}, {"t_num": "T1560.002", "name": "Archive via Library", "os": "Linux macOS Windows", "tactic": "collection"}, {"t_num": "T1560.001", "name": "Archive via Utility", "os": "Linux macOS 
Windows", "tactic": "collection"}, {"t_num": "T1573.002", "name": "Asymmetric Cryptography", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1055.004", "name": "Asynchronous Procedure Call", "os": "Windows", "tactic": "defense-evasion privilege-escalation"}, {"t_num": "T1053.001", "name": "At (Linux)", "os": "Linux", "tactic": "execution persistence privilege-escalation"}, {"t_num": "T1053.002", "name": "At (Windows)", "os": "Windows", "tactic": "execution persistence privilege-escalation"}, {"t_num": "T1123", "name": "Audio Capture", "os": "Linux macOS Windows", "tactic": "collection"}, {"t_num": "T1131", "name": "Authentication Package", "os": "", "tactic": ""}, {"t_num": "T1547.002", "name": "Authentication Package", "os": "Windows", "tactic": "persistence privilege-escalation"}, {"t_num": "T1119", "name": "Automated Collection", "os": "Linux macOS Windows", "tactic": "collection"}, {"t_num": "T1020", "name": "Automated Exfiltration", "os": "Linux macOS Windows Network", "tactic": "exfiltration"}, {"t_num": "T1197", "name": "BITS Jobs", "os": "Windows", "tactic": "defense-evasion persistence"}, {"t_num": "T1139", "name": "Bash History", "os": "", "tactic": ""}, {"t_num": "T1552.003", "name": "Bash History", "os": "Linux macOS", "tactic": "credential-access"}, {"t_num": "T1102.002", "name": "Bidirectional Communication", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1009", "name": "Binary Padding", "os": "", "tactic": ""}, {"t_num": "T1027.001", "name": "Binary Padding", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1547", "name": "Boot or Logon Autostart Execution", "os": "Linux macOS Windows", "tactic": "persistence privilege-escalation"}, {"t_num": "T1037", "name": "Boot or Logon Initialization Scripts", "os": "macOS Windows Linux", "tactic": "persistence privilege-escalation"}, {"t_num": "T1067", "name": "Bootkit", "os": "", "tactic": ""}, {"t_num": "T1542.003", "name": 
"Bootkit", "os": "Linux Windows", "tactic": "persistence defense-evasion"}, {"t_num": "T1583.005", "name": "Botnet", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1584.005", "name": "Botnet", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1217", "name": "Browser Bookmark Discovery", "os": "Linux Windows macOS", "tactic": "discovery"}, {"t_num": "T1176", "name": "Browser Extensions", "os": "Linux macOS Windows", "tactic": "persistence"}, {"t_num": "T1110", "name": "Brute Force", "os": "Windows Azure AD Office 365 SaaS IaaS Linux macOS Google Workspace Containers", "tactic": "credential-access"}, {"t_num": "T1612", "name": "Build Image on Host", "os": "Containers", "tactic": "defense-evasion"}, {"t_num": "T1591.002", "name": "Business Relationships", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1088", "name": "Bypass User Account Control", "os": "", "tactic": ""}, {"t_num": "T1548.002", "name": "Bypass User Account Control", "os": "Windows", "tactic": "privilege-escalation defense-evasion"}, {"t_num": "T1596.004", "name": "CDNs", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1191", "name": "CMSTP", "os": "", "tactic": ""}, {"t_num": "T1218.003", "name": "CMSTP", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1574.012", "name": "COR_PROFILER", "os": "Windows", "tactic": "persistence privilege-escalation defense-evasion"}, {"t_num": "T1003.005", "name": "Cached Domain Credentials", "os": "Windows", "tactic": "credential-access"}, {"t_num": "T1042", "name": "Change Default File Association", "os": "", "tactic": ""}, {"t_num": "T1546.001", "name": "Change Default File Association", "os": "Windows", "tactic": "privilege-escalation persistence"}, {"t_num": "T1146", "name": "Clear Command History", "os": "", "tactic": ""}, {"t_num": "T1070.003", "name": "Clear Command History", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1070.002", "name": "Clear Linux or Mac System Logs", "os": "Linux 
macOS", "tactic": "defense-evasion"}, {"t_num": "T1070.001", "name": "Clear Windows Event Logs", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1592.004", "name": "Client Configurations", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1115", "name": "Clipboard Data", "os": "Linux Windows macOS", "tactic": "collection"}, {"t_num": "T1136.003", "name": "Cloud Account", "os": "Azure AD Office 365 IaaS Google Workspace", "tactic": "persistence"}, {"t_num": "T1087.004", "name": "Cloud Account", "os": "Azure AD Office 365 SaaS IaaS Google Workspace", "tactic": "discovery"}, {"t_num": "T1078.004", "name": "Cloud Accounts", "os": "Azure AD Office 365 SaaS IaaS Google Workspace", "tactic": "defense-evasion persistence privilege-escalation initial-access"}, {"t_num": "T1069.003", "name": "Cloud Groups", "os": "Azure AD Office 365 SaaS IaaS Google Workspace", "tactic": "discovery"}, {"t_num": "T1580", "name": "Cloud Infrastructure Discovery", "os": "IaaS", "tactic": "discovery"}, {"t_num": "T1522", "name": "Cloud Instance Metadata API", "os": "", "tactic": ""}, {"t_num": "T1552.005", "name": "Cloud Instance Metadata API", "os": "IaaS", "tactic": "credential-access"}, {"t_num": "T1538", "name": "Cloud Service Dashboard", "os": "Azure AD Office 365 IaaS Google Workspace", "tactic": "discovery"}, {"t_num": "T1526", "name": "Cloud Service Discovery", "os": "Azure AD Office 365 SaaS IaaS Google Workspace", "tactic": "discovery"}, {"t_num": "T1116", "name": "Code Signing", "os": "", "tactic": ""}, {"t_num": "T1553.002", "name": "Code Signing", "os": "macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1587.002", "name": "Code Signing Certificates", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1588.003", "name": "Code Signing Certificates", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1553.006", "name": "Code Signing Policy Modification", "os": "Windows macOS", "tactic": "defense-evasion"}, {"t_num": "T1059", "name": "Command 
and Scripting Interpreter", "os": "Linux macOS Windows Network", "tactic": "execution"}, {"t_num": "T1043", "name": "Commonly Used Port", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1092", "name": "Communication Through Removable Media", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1500", "name": "Compile After Delivery", "os": "", "tactic": ""}, {"t_num": "T1027.004", "name": "Compile After Delivery", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1223", "name": "Compiled HTML File", "os": "", "tactic": ""}, {"t_num": "T1218.001", "name": "Compiled HTML File", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1109", "name": "Component Firmware", "os": "", "tactic": ""}, {"t_num": "T1542.002", "name": "Component Firmware", "os": "Windows", "tactic": "persistence defense-evasion"}, {"t_num": "T1559.001", "name": "Component Object Model", "os": "Windows", "tactic": "execution"}, {"t_num": "T1122", "name": "Component Object Model Hijacking", "os": "", "tactic": ""}, {"t_num": "T1546.015", "name": "Component Object Model Hijacking", "os": "Windows", "tactic": "privilege-escalation persistence"}, {"t_num": "T1175", "name": "Component Object Model and Distributed COM", "os": "Windows", "tactic": "lateral-movement execution"}, {"t_num": "T1586", "name": "Compromise Accounts", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1554", "name": "Compromise Client Software Binary", "os": "Linux macOS Windows", "tactic": "persistence"}, {"t_num": "T1195.003", "name": "Compromise Hardware Supply Chain", "os": "Linux macOS Windows", "tactic": "initial-access"}, {"t_num": "T1584", "name": "Compromise Infrastructure", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "os": "Linux macOS Windows", "tactic": "initial-access"}, {"t_num": "T1195.002", "name": "Compromise Software Supply Chain", "os": 
"Linux macOS Windows", "tactic": "initial-access"}, {"t_num": "T1213.001", "name": "Confluence", "os": "SaaS", "tactic": "collection"}, {"t_num": "T1552.007", "name": "Container API", "os": "Containers", "tactic": "credential-access"}, {"t_num": "T1609", "name": "Container Administration Command", "os": "Containers", "tactic": "execution"}, {"t_num": "T1053.007", "name": "Container Orchestration Job", "os": "Containers", "tactic": "execution persistence privilege-escalation"}, {"t_num": "T1613", "name": "Container and Resource Discovery", "os": "Containers", "tactic": "discovery"}, {"t_num": "T1218.002", "name": "Control Panel", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1196", "name": "Control Panel Items", "os": "", "tactic": ""}, {"t_num": "T1136", "name": "Create Account", "os": "Windows Azure AD Office 365 IaaS Linux macOS Google Workspace", "tactic": "persistence"}, {"t_num": "T1578.002", "name": "Create Cloud Instance", "os": "IaaS", "tactic": "defense-evasion"}, {"t_num": "T1134.002", "name": "Create Process with Token", "os": "Windows", "tactic": "defense-evasion privilege-escalation"}, {"t_num": "T1578.001", "name": "Create Snapshot", "os": "IaaS", "tactic": "defense-evasion"}, {"t_num": "T1543", "name": "Create or Modify System Process", "os": "Windows macOS Linux", "tactic": "persistence privilege-escalation"}, {"t_num": "T1056.004", "name": "Credential API Hooking", "os": "Windows", "tactic": "collection credential-access"}, {"t_num": "T1110.004", "name": "Credential Stuffing", "os": "Windows Azure AD Office 365 SaaS IaaS Linux macOS Google Workspace Containers", "tactic": "credential-access"}, {"t_num": "T1589.001", "name": "Credentials", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1552.001", "name": "Credentials In Files", "os": "Windows IaaS Linux macOS Containers", "tactic": "credential-access"}, {"t_num": "T1555", "name": "Credentials from Password Stores", "os": "Linux macOS Windows", "tactic": "credential-access"}, 
{"t_num": "T1503", "name": "Credentials from Web Browsers", "os": "", "tactic": ""}, {"t_num": "T1555.003", "name": "Credentials from Web Browsers", "os": "Linux macOS Windows", "tactic": "credential-access"}, {"t_num": "T1081", "name": "Credentials in Files", "os": "", "tactic": ""}, {"t_num": "T1214", "name": "Credentials in Registry", "os": "", "tactic": ""}, {"t_num": "T1552.002", "name": "Credentials in Registry", "os": "Windows", "tactic": "credential-access"}, {"t_num": "T1053.003", "name": "Cron", "os": "Linux macOS", "tactic": "execution persistence privilege-escalation"}, {"t_num": "T1094", "name": "Custom Command and Control Protocol", "os": "", "tactic": ""}, {"t_num": "T1024", "name": "Custom Cryptographic Protocol", "os": "", "tactic": ""}, {"t_num": "T1003.006", "name": "DCSync", "os": "Windows", "tactic": "credential-access"}, {"t_num": "T1038", "name": "DLL Search Order Hijacking", "os": "", "tactic": ""}, {"t_num": "T1574.001", "name": "DLL Search Order Hijacking", "os": "Windows", "tactic": "persistence privilege-escalation defense-evasion"}, {"t_num": "T1073", "name": "DLL Side-Loading", "os": "", "tactic": ""}, {"t_num": "T1574.002", "name": "DLL Side-Loading", "os": "Windows", "tactic": "persistence privilege-escalation defense-evasion"}, {"t_num": "T1071.004", "name": "DNS", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1590.002", "name": "DNS", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1568.003", "name": "DNS Calculation", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1583.002", "name": "DNS Server", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1584.002", "name": "DNS Server", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1596.001", "name": "DNS/Passive DNS", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1002", "name": "Data Compressed", "os": "", "tactic": ""}, {"t_num": "T1485", "name": "Data Destruction", "os": "Windows IaaS Linux 
macOS", "tactic": "impact"}, {"t_num": "T1132", "name": "Data Encoding", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1022", "name": "Data Encrypted", "os": "", "tactic": ""}, {"t_num": "T1486", "name": "Data Encrypted for Impact", "os": "Linux macOS Windows IaaS", "tactic": "impact"}, {"t_num": "T1565", "name": "Data Manipulation", "os": "Linux macOS Windows", "tactic": "impact"}, {"t_num": "T1001", "name": "Data Obfuscation", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1074", "name": "Data Staged", "os": "Windows IaaS Linux macOS", "tactic": "collection"}, {"t_num": "T1030", "name": "Data Transfer Size Limits", "os": "Linux macOS Windows", "tactic": "exfiltration"}, {"t_num": "T1530", "name": "Data from Cloud Storage Object", "os": "IaaS", "tactic": "collection"}, {"t_num": "T1602", "name": "Data from Configuration Repository", "os": "Network", "tactic": "collection"}, {"t_num": "T1213", "name": "Data from Information Repositories", "os": "Linux Windows macOS SaaS Office 365 Google Workspace", "tactic": "collection"}, {"t_num": "T1005", "name": "Data from Local System", "os": "Linux macOS Windows", "tactic": "collection"}, {"t_num": "T1039", "name": "Data from Network Shared Drive", "os": "Linux macOS Windows", "tactic": "collection"}, {"t_num": "T1025", "name": "Data from Removable Media", "os": "Linux macOS Windows", "tactic": "collection"}, {"t_num": "T1102.001", "name": "Dead Drop Resolver", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1491", "name": "Defacement", "os": "Windows IaaS Linux macOS", "tactic": "impact"}, {"t_num": "T1078.001", "name": "Default Accounts", "os": "Windows Azure AD Office 365 SaaS IaaS Linux macOS Google Workspace Containers", "tactic": "defense-evasion persistence privilege-escalation initial-access"}, {"t_num": "T1578.003", "name": "Delete Cloud Instance", "os": "IaaS", "tactic": "defense-evasion"}, {"t_num": "T1140", "name": 
"Deobfuscate/Decode Files or Information", "os": "Windows Linux macOS", "tactic": "defense-evasion"}, {"t_num": "T1610", "name": "Deploy Container", "os": "Containers", "tactic": "defense-evasion execution"}, {"t_num": "T1591.001", "name": "Determine Physical Locations", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1587", "name": "Develop Capabilities", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1587.003", "name": "Digital Certificates", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1588.004", "name": "Digital Certificates", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1596.003", "name": "Digital Certificates", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1498.001", "name": "Direct Network Flood", "os": "Windows Azure AD Office 365 SaaS IaaS Linux macOS Google Workspace", "tactic": "impact"}, {"t_num": "T1006", "name": "Direct Volume Access", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1562.008", "name": "Disable Cloud Logs", "os": "IaaS", "tactic": "defense-evasion"}, {"t_num": "T1600.002", "name": "Disable Crypto Hardware", "os": "Network", "tactic": "defense-evasion"}, {"t_num": "T1562.002", "name": "Disable Windows Event Logging", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1562.007", "name": "Disable or Modify Cloud Firewall", "os": "IaaS", "tactic": "defense-evasion"}, {"t_num": "T1562.004", "name": "Disable or Modify System Firewall", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1562.001", "name": "Disable or Modify Tools", "os": "Windows macOS Linux Containers IaaS", "tactic": "defense-evasion"}, {"t_num": "T1089", "name": "Disabling Security Tools", "os": "", "tactic": ""}, {"t_num": "T1488", "name": "Disk Content Wipe", "os": "", "tactic": ""}, {"t_num": "T1561.001", "name": "Disk Content Wipe", "os": "Linux macOS Windows", "tactic": "impact"}, {"t_num": "T1487", "name": "Disk Structure Wipe", "os": "", "tactic": ""}, {"t_num": 
"T1561.002", "name": "Disk Structure Wipe", "os": "Linux macOS Windows", "tactic": "impact"}, {"t_num": "T1561", "name": "Disk Wipe", "os": "Linux macOS Windows", "tactic": "impact"}, {"t_num": "T1021.003", "name": "Distributed Component Object Model", "os": "Windows", "tactic": "lateral-movement"}, {"t_num": "T1136.002", "name": "Domain Account", "os": "Windows macOS Linux", "tactic": "persistence"}, {"t_num": "T1087.002", "name": "Domain Account", "os": "Linux macOS Windows", "tactic": "discovery"}, {"t_num": "T1078.002", "name": "Domain Accounts", "os": "Linux macOS Windows", "tactic": "defense-evasion persistence privilege-escalation initial-access"}, {"t_num": "T1556.001", "name": "Domain Controller Authentication", "os": "Windows", "tactic": "credential-access defense-evasion persistence"}, {"t_num": "T1172", "name": "Domain Fronting", "os": "", "tactic": ""}, {"t_num": "T1090.004", "name": "Domain Fronting", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1483", "name": "Domain Generation Algorithms", "os": "", "tactic": ""}, {"t_num": "T1568.002", "name": "Domain Generation Algorithms", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1069.002", "name": "Domain Groups", "os": "Linux macOS Windows", "tactic": "discovery"}, {"t_num": "T1484", "name": "Domain Policy Modification", "os": "Windows Azure AD", "tactic": "defense-evasion privilege-escalation"}, {"t_num": "T1590.001", "name": "Domain Properties", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1482", "name": "Domain Trust Discovery", "os": "Windows", "tactic": "discovery"}, {"t_num": "T1484.002", "name": "Domain Trust Modification", "os": "Windows Azure AD", "tactic": "defense-evasion privilege-escalation"}, {"t_num": "T1583.001", "name": "Domains", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1584.001", "name": "Domains", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1601.002", "name": "Downgrade System Image", 
"os": "Network", "tactic": "defense-evasion"}, {"t_num": "T1189", "name": "Drive-by Compromise", "os": "Windows Linux macOS SaaS", "tactic": "initial-access"}, {"t_num": "T1608.004", "name": "Drive-by Target", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1157", "name": "Dylib Hijacking", "os": "", "tactic": ""}, {"t_num": "T1574.004", "name": "Dylib Hijacking", "os": "macOS", "tactic": "persistence privilege-escalation defense-evasion"}, {"t_num": "T1173", "name": "Dynamic Data Exchange", "os": "", "tactic": ""}, {"t_num": "T1559.002", "name": "Dynamic Data Exchange", "os": "Windows", "tactic": "execution"}, {"t_num": "T1574.006", "name": "Dynamic Linker Hijacking", "os": "Linux macOS", "tactic": "persistence privilege-escalation defense-evasion"}, {"t_num": "T1568", "name": "Dynamic Resolution", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1055.001", "name": "Dynamic-link Library Injection", "os": "Windows", "tactic": "defense-evasion privilege-escalation"}, {"t_num": "T1514", "name": "Elevated Execution with Prompt", "os": "", "tactic": ""}, {"t_num": "T1548.004", "name": "Elevated Execution with Prompt", "os": "macOS", "tactic": "privilege-escalation defense-evasion"}, {"t_num": "T1087.003", "name": "Email Account", "os": "Windows Office 365 Google Workspace", "tactic": "discovery"}, {"t_num": "T1585.002", "name": "Email Accounts", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1586.002", "name": "Email Accounts", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1589.002", "name": "Email Addresses", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1114", "name": "Email Collection", "os": "Windows Office 365 Google Workspace", "tactic": "collection"}, {"t_num": "T1114.003", "name": "Email Forwarding Rule", "os": "Office 365 Windows Google Workspace", "tactic": "collection"}, {"t_num": "T1519", "name": "Emond", "os": "", "tactic": ""}, {"t_num": "T1546.014", "name": "Emond", "os": "macOS", 
"tactic": "privilege-escalation persistence"}, {"t_num": "T1589.003", "name": "Employee Names", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1573", "name": "Encrypted Channel", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1499", "name": "Endpoint Denial of Service", "os": "Windows Azure AD Office 365 SaaS IaaS Linux macOS Google Workspace Containers", "tactic": "impact"}, {"t_num": "T1480.001", "name": "Environmental Keying", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1611", "name": "Escape to Host", "os": "Windows Linux Containers", "tactic": "privilege-escalation"}, {"t_num": "T1585", "name": "Establish Accounts", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1546", "name": "Event Triggered Execution", "os": "Linux macOS Windows", "tactic": "privilege-escalation persistence"}, {"t_num": "T1098.002", "name": "Exchange Email Delegate Permissions", "os": "Windows Office 365", "tactic": "persistence"}, {"t_num": "T1574.005", "name": "Executable Installer File Permissions Weakness", "os": "Windows", "tactic": "persistence privilege-escalation defense-evasion"}, {"t_num": "T1480", "name": "Execution Guardrails", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1048", "name": "Exfiltration Over Alternative Protocol", "os": "Linux macOS Windows", "tactic": "exfiltration"}, {"t_num": "T1048.002", "name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "os": "Linux macOS Windows", "tactic": "exfiltration"}, {"t_num": "T1011.001", "name": "Exfiltration Over Bluetooth", "os": "Linux macOS Windows", "tactic": "exfiltration"}, {"t_num": "T1041", "name": "Exfiltration Over C2 Channel", "os": "Linux macOS Windows", "tactic": "exfiltration"}, {"t_num": "T1011", "name": "Exfiltration Over Other Network Medium", "os": "Linux macOS Windows", "tactic": "exfiltration"}, {"t_num": "T1052", "name": "Exfiltration Over Physical Medium", "os": "Linux macOS Windows", "tactic": 
"exfiltration"}, {"t_num": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "os": "Linux macOS Windows", "tactic": "exfiltration"}, {"t_num": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "os": "Linux macOS Windows", "tactic": "exfiltration"}, {"t_num": "T1567", "name": "Exfiltration Over Web Service", "os": "Linux macOS Windows", "tactic": "exfiltration"}, {"t_num": "T1052.001", "name": "Exfiltration over USB", "os": "Linux macOS Windows", "tactic": "exfiltration"}, {"t_num": "T1567.002", "name": "Exfiltration to Cloud Storage", "os": "Linux macOS Windows", "tactic": "exfiltration"}, {"t_num": "T1567.001", "name": "Exfiltration to Code Repository", "os": "Linux macOS Windows", "tactic": "exfiltration"}, {"t_num": "T1190", "name": "Exploit Public-Facing Application", "os": "Windows IaaS Network Linux macOS Containers", "tactic": "initial-access"}, {"t_num": "T1203", "name": "Exploitation for Client Execution", "os": "Linux Windows macOS", "tactic": "execution"}, {"t_num": "T1212", "name": "Exploitation for Credential Access", "os": "Linux Windows macOS", "tactic": "credential-access"}, {"t_num": "T1211", "name": "Exploitation for Defense Evasion", "os": "Linux Windows macOS", "tactic": "defense-evasion"}, {"t_num": "T1068", "name": "Exploitation for Privilege Escalation", "os": "Linux macOS Windows Containers", "tactic": "privilege-escalation"}, {"t_num": "T1210", "name": "Exploitation of Remote Services", "os": "Linux Windows macOS", "tactic": "lateral-movement"}, {"t_num": "T1587.004", "name": "Exploits", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1588.005", "name": "Exploits", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1491.002", "name": "External Defacement", "os": "Windows IaaS Linux macOS", "tactic": "impact"}, {"t_num": "T1090.002", "name": "External Proxy", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1133", "name": "External 
Remote Services", "os": "Windows Linux Containers", "tactic": "persistence initial-access"}, {"t_num": "T1181", "name": "Extra Window Memory Injection", "os": "", "tactic": ""}, {"t_num": "T1055.011", "name": "Extra Window Memory Injection", "os": "Windows", "tactic": "defense-evasion privilege-escalation"}, {"t_num": "T1008", "name": "Fallback Channels", "os": "Linux Windows macOS", "tactic": "command-and-control"}, {"t_num": "T1568.001", "name": "Fast Flux DNS", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1107", "name": "File Deletion", "os": "", "tactic": ""}, {"t_num": "T1070.004", "name": "File Deletion", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1044", "name": "File System Permissions Weakness", "os": "", "tactic": ""}, {"t_num": "T1071.002", "name": "File Transfer Protocols", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1083", "name": "File and Directory Discovery", "os": "Linux macOS Windows", "tactic": "discovery"}, {"t_num": "T1222", "name": "File and Directory Permissions Modification", "os": "Linux Windows macOS", "tactic": "defense-evasion"}, {"t_num": "T1592.003", "name": "Firmware", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1495", "name": "Firmware Corruption", "os": "Linux macOS Windows", "tactic": "impact"}, {"t_num": "T1187", "name": "Forced Authentication", "os": "Windows", "tactic": "credential-access"}, {"t_num": "T1606", "name": "Forge Web Credentials", "os": "SaaS Windows macOS Linux Azure AD Office 365 Google Workspace", "tactic": "credential-access"}, {"t_num": "T1056.002", "name": "GUI Input Capture", "os": "macOS Windows", "tactic": "collection credential-access"}, {"t_num": "T1144", "name": "Gatekeeper Bypass", "os": "", "tactic": ""}, {"t_num": "T1553.001", "name": "Gatekeeper Bypass", "os": "macOS", "tactic": "defense-evasion"}, {"t_num": "T1592", "name": "Gather Victim Host Information", "os": "PRE", "tactic": "reconnaissance"}, 
{"t_num": "T1589", "name": "Gather Victim Identity Information", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1590", "name": "Gather Victim Network Information", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1591", "name": "Gather Victim Org Information", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1558.001", "name": "Golden Ticket", "os": "Windows", "tactic": "credential-access"}, {"t_num": "T1061", "name": "Graphical User Interface", "os": "Linux macOS Windows", "tactic": "execution"}, {"t_num": "T1484.001", "name": "Group Policy Modification", "os": "Windows", "tactic": "defense-evasion privilege-escalation"}, {"t_num": "T1552.006", "name": "Group Policy Preferences", "os": "Windows", "tactic": "credential-access"}, {"t_num": "T1148", "name": "HISTCONTROL", "os": "", "tactic": ""}, {"t_num": "T1592.001", "name": "Hardware", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1200", "name": "Hardware Additions", "os": "Windows Linux macOS", "tactic": "initial-access"}, {"t_num": "T1564.005", "name": "Hidden File System", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1158", "name": "Hidden Files and Directories", "os": "", "tactic": ""}, {"t_num": "T1564.001", "name": "Hidden Files and Directories", "os": "Windows macOS Linux", "tactic": "defense-evasion"}, {"t_num": "T1147", "name": "Hidden Users", "os": "", "tactic": ""}, {"t_num": "T1564.002", "name": "Hidden Users", "os": "macOS", "tactic": "defense-evasion"}, {"t_num": "T1143", "name": "Hidden Window", "os": "", "tactic": ""}, {"t_num": "T1564.003", "name": "Hidden Window", "os": "macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1564", "name": "Hide Artifacts", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1574", "name": "Hijack Execution Flow", "os": "Linux macOS Windows", "tactic": "persistence privilege-escalation defense-evasion"}, {"t_num": "T1179", "name": "Hooking", "os": "", "tactic": ""}, {"t_num": "T1062", 
"name": "Hypervisor", "os": "Windows", "tactic": "persistence"}, {"t_num": "T1590.005", "name": "IP Addresses", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1591.003", "name": "Identify Business Tempo", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1591.004", "name": "Identify Roles", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1183", "name": "Image File Execution Options Injection", "os": "", "tactic": ""}, {"t_num": "T1546.012", "name": "Image File Execution Options Injection", "os": "Windows", "tactic": "privilege-escalation persistence"}, {"t_num": "T1562.003", "name": "Impair Command History Logging", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1562", "name": "Impair Defenses", "os": "Windows Office 365 IaaS Linux macOS Containers", "tactic": "defense-evasion"}, {"t_num": "T1525", "name": "Implant Internal Image", "os": "IaaS Containers", "tactic": "persistence"}, {"t_num": "T1054", "name": "Indicator Blocking", "os": "", "tactic": ""}, {"t_num": "T1562.006", "name": "Indicator Blocking", "os": "Windows macOS Linux", "tactic": "defense-evasion"}, {"t_num": "T1066", "name": "Indicator Removal from Tools", "os": "", "tactic": ""}, {"t_num": "T1027.005", "name": "Indicator Removal from Tools", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1070", "name": "Indicator Removal on Host", "os": "Linux macOS Windows Containers", "tactic": "defense-evasion"}, {"t_num": "T1202", "name": "Indirect Command Execution", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1105", "name": "Ingress Tool Transfer", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1490", "name": "Inhibit System Recovery", "os": "Windows macOS Linux", "tactic": "impact"}, {"t_num": "T1056", "name": "Input Capture", "os": "Linux macOS Windows Network", "tactic": "collection credential-access"}, {"t_num": "T1141", "name": "Input Prompt", "os": "", "tactic": ""}, {"t_num": "T1608.003", "name": 
"Install Digital Certificate", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1130", "name": "Install Root Certificate", "os": "", "tactic": ""}, {"t_num": "T1553.004", "name": "Install Root Certificate", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1118", "name": "InstallUtil", "os": "", "tactic": ""}, {"t_num": "T1218.004", "name": "InstallUtil", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1559", "name": "Inter-Process Communication", "os": "Windows", "tactic": "execution"}, {"t_num": "T1491.001", "name": "Internal Defacement", "os": "Linux macOS Windows", "tactic": "impact"}, {"t_num": "T1090.001", "name": "Internal Proxy", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1534", "name": "Internal Spearphishing", "os": "Windows macOS Linux Office 365 SaaS Google Workspace", "tactic": "lateral-movement"}, {"t_num": "T1016.001", "name": "Internet Connection Discovery", "os": "Windows Linux macOS", "tactic": "discovery"}, {"t_num": "T1036.001", "name": "Invalid Code Signature", "os": "macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1059.007", "name": "JavaScript", "os": "Windows macOS Linux", "tactic": "execution"}, {"t_num": "T1001.001", "name": "Junk Data", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1208", "name": "Kerberoasting", "os": "", "tactic": ""}, {"t_num": "T1558.003", "name": "Kerberoasting", "os": "Windows", "tactic": "credential-access"}, {"t_num": "T1215", "name": "Kernel Modules and Extensions", "os": "", "tactic": ""}, {"t_num": "T1547.006", "name": "Kernel Modules and Extensions", "os": "macOS Linux", "tactic": "persistence privilege-escalation"}, {"t_num": "T1142", "name": "Keychain", "os": "", "tactic": ""}, {"t_num": "T1555.001", "name": "Keychain", "os": "macOS", "tactic": "credential-access"}, {"t_num": "T1056.001", "name": "Keylogging", "os": "Windows macOS Linux Network", "tactic": "collection credential-access"}, 
{"t_num": "T1161", "name": "LC_LOAD_DYLIB Addition", "os": "", "tactic": ""}, {"t_num": "T1546.006", "name": "LC_LOAD_DYLIB Addition", "os": "macOS", "tactic": "privilege-escalation persistence"}, {"t_num": "T1149", "name": "LC_MAIN Hijacking", "os": "macOS", "tactic": "defense-evasion"}, {"t_num": "T1171", "name": "LLMNR/NBT-NS Poisoning and Relay", "os": "", "tactic": ""}, {"t_num": "T1557.001", "name": "LLMNR/NBT-NS Poisoning and SMB Relay", "os": "Windows", "tactic": "credential-access collection"}, {"t_num": "T1003.004", "name": "LSA Secrets", "os": "Windows", "tactic": "credential-access"}, {"t_num": "T1177", "name": "LSASS Driver", "os": "", "tactic": ""}, {"t_num": "T1547.008", "name": "LSASS Driver", "os": "Windows", "tactic": "persistence privilege-escalation"}, {"t_num": "T1003.001", "name": "LSASS Memory", "os": "Windows", "tactic": "credential-access"}, {"t_num": "T1570", "name": "Lateral Tool Transfer", "os": "Linux macOS Windows", "tactic": "lateral-movement"}, {"t_num": "T1159", "name": "Launch Agent", "os": "", "tactic": ""}, {"t_num": "T1543.001", "name": "Launch Agent", "os": "macOS", "tactic": "persistence privilege-escalation"}, {"t_num": "T1160", "name": "Launch Daemon", "os": "", "tactic": ""}, {"t_num": "T1543.004", "name": "Launch Daemon", "os": "macOS", "tactic": "persistence privilege-escalation"}, {"t_num": "T1152", "name": "Launchctl", "os": "", "tactic": ""}, {"t_num": "T1569.001", "name": "Launchctl", "os": "macOS", "tactic": "execution"}, {"t_num": "T1053.004", "name": "Launchd", "os": "macOS", "tactic": "execution persistence privilege-escalation"}, {"t_num": "T1608.005", "name": "Link Target", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "os": "macOS Linux", "tactic": "defense-evasion"}, {"t_num": "T1136.001", "name": "Local Account", "os": "Linux macOS Windows", "tactic": "persistence"}, {"t_num": "T1087.001", "name": "Local Account", 
"os": "Linux macOS Windows", "tactic": "discovery"}, {"t_num": "T1078.003", "name": "Local Accounts", "os": "Linux macOS Windows Containers", "tactic": "defense-evasion persistence privilege-escalation initial-access"}, {"t_num": "T1074.001", "name": "Local Data Staging", "os": "Linux macOS Windows", "tactic": "collection"}, {"t_num": "T1114.001", "name": "Local Email Collection", "os": "Windows", "tactic": "collection"}, {"t_num": "T1069.001", "name": "Local Groups", "os": "Linux macOS Windows", "tactic": "discovery"}, {"t_num": "T1168", "name": "Local Job Scheduling", "os": "", "tactic": ""}, {"t_num": "T1162", "name": "Login Item", "os": "", "tactic": ""}, {"t_num": "T1037.002", "name": "Logon Script (Mac)", "os": "macOS", "tactic": "persistence privilege-escalation"}, {"t_num": "T1037.001", "name": "Logon Script (Windows)", "os": "Windows", "tactic": "persistence privilege-escalation"}, {"t_num": "T1127.001", "name": "MSBuild", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1071.003", "name": "Mail Protocols", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1134.003", "name": "Make and Impersonate Token", "os": "Windows", "tactic": "defense-evasion privilege-escalation"}, {"t_num": "T1204.002", "name": "Malicious File", "os": "Linux macOS Windows", "tactic": "execution"}, {"t_num": "T1204.003", "name": "Malicious Image", "os": "IaaS Containers", "tactic": "execution"}, {"t_num": "T1204.001", "name": "Malicious Link", "os": "Linux macOS Windows", "tactic": "execution"}, {"t_num": "T1156", "name": "Malicious Shell Modification", "os": "", "tactic": ""}, {"t_num": "T1587.001", "name": "Malware", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1588.001", "name": "Malware", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1185", "name": "Man in the Browser", "os": "Windows", "tactic": "collection"}, {"t_num": "T1557", "name": "Man-in-the-Middle", "os": "Windows macOS Linux", "tactic": "credential-access 
collection"}, {"t_num": "T1553.005", "name": "Mark-of-the-Web Bypass", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1036.004", "name": "Masquerade Task or Service", "os": "Windows Linux", "tactic": "defense-evasion"}, {"t_num": "T1036", "name": "Masquerading", "os": "Linux macOS Windows Containers", "tactic": "defense-evasion"}, {"t_num": "T1036.005", "name": "Match Legitimate Name or Location", "os": "Linux macOS Windows Containers", "tactic": "defense-evasion"}, {"t_num": "T1556", "name": "Modify Authentication Process", "os": "Windows Linux macOS Network", "tactic": "credential-access defense-evasion persistence"}, {"t_num": "T1578", "name": "Modify Cloud Compute Infrastructure", "os": "IaaS", "tactic": "defense-evasion"}, {"t_num": "T1031", "name": "Modify Existing Service", "os": "", "tactic": ""}, {"t_num": "T1112", "name": "Modify Registry", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1601", "name": "Modify System Image", "os": "Network", "tactic": "defense-evasion"}, {"t_num": "T1170", "name": "Mshta", "os": "", "tactic": ""}, {"t_num": "T1218.005", "name": "Mshta", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1218.007", "name": "Msiexec", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1104", "name": "Multi-Stage Channels", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1188", "name": "Multi-hop Proxy", "os": "", "tactic": ""}, {"t_num": "T1090.003", "name": "Multi-hop Proxy", "os": "Linux macOS Windows Network", "tactic": "command-and-control"}, {"t_num": "T1026", "name": "Multiband Communication", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1079", "name": "Multilayer Encryption", "os": "", "tactic": ""}, {"t_num": "T1003.003", "name": "NTDS", "os": "Windows", "tactic": "credential-access"}, {"t_num": "T1096", "name": "NTFS File Attributes", "os": "", "tactic": ""}, {"t_num": "T1564.004", "name": "NTFS File Attributes", "os": "Windows", 
"tactic": "defense-evasion"}, {"t_num": "T1106", "name": "Native API", "os": "Windows macOS Linux", "tactic": "execution"}, {"t_num": "T1128", "name": "Netsh Helper DLL", "os": "", "tactic": ""}, {"t_num": "T1546.007", "name": "Netsh Helper DLL", "os": "Windows", "tactic": "privilege-escalation persistence"}, {"t_num": "T1599.001", "name": "Network Address Translation Traversal", "os": "Network", "tactic": "defense-evasion"}, {"t_num": "T1599", "name": "Network Boundary Bridging", "os": "Network", "tactic": "defense-evasion"}, {"t_num": "T1498", "name": "Network Denial of Service", "os": "Windows Azure AD Office 365 SaaS IaaS Linux macOS Google Workspace Containers", "tactic": "impact"}, {"t_num": "T1556.004", "name": "Network Device Authentication", "os": "Network", "tactic": "credential-access defense-evasion persistence"}, {"t_num": "T1059.008", "name": "Network Device CLI", "os": "Network", "tactic": "execution"}, {"t_num": "T1602.002", "name": "Network Device Configuration Dump", "os": "Network", "tactic": "collection"}, {"t_num": "T1037.003", "name": "Network Logon Script", "os": "Windows", "tactic": "persistence privilege-escalation"}, {"t_num": "T1590.006", "name": "Network Security Appliances", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1046", "name": "Network Service Scanning", "os": "Windows IaaS Linux macOS Containers", "tactic": "discovery"}, {"t_num": "T1126", "name": "Network Share Connection Removal", "os": "", "tactic": ""}, {"t_num": "T1070.005", "name": "Network Share Connection Removal", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1135", "name": "Network Share Discovery", "os": "macOS Windows Linux", "tactic": "discovery"}, {"t_num": "T1040", "name": "Network Sniffing", "os": "Linux macOS Windows Network", "tactic": "credential-access discovery"}, {"t_num": "T1590.004", "name": "Network Topology", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1590.003", "name": "Network Trust Dependencies", "os": "PRE", 
"tactic": "reconnaissance"}, {"t_num": "T1050", "name": "New Service", "os": "", "tactic": ""}, {"t_num": "T1095", "name": "Non-Application Layer Protocol", "os": "Windows Linux macOS Network", "tactic": "command-and-control"}, {"t_num": "T1132.002", "name": "Non-Standard Encoding", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1571", "name": "Non-Standard Port", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1003", "name": "OS Credential Dumping", "os": "Windows Linux macOS", "tactic": "credential-access"}, {"t_num": "T1499.001", "name": "OS Exhaustion Flood", "os": "Linux macOS Windows", "tactic": "impact"}, {"t_num": "T1027", "name": "Obfuscated Files or Information", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1588", "name": "Obtain Capabilities", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1218.008", "name": "Odbcconf", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1137", "name": "Office Application Startup", "os": "Windows Office 365", "tactic": "persistence"}, {"t_num": "T1137.001", "name": "Office Template Macros", "os": "Windows Office 365", "tactic": "persistence"}, {"t_num": "T1137.002", "name": "Office Test", "os": "Windows Office 365", "tactic": "persistence"}, {"t_num": "T1102.003", "name": "One-Way Communication", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1137.003", "name": "Outlook Forms", "os": "Windows Office 365", "tactic": "persistence"}, {"t_num": "T1137.004", "name": "Outlook Home Page", "os": "Windows Office 365", "tactic": "persistence"}, {"t_num": "T1137.005", "name": "Outlook Rules", "os": "Windows Office 365", "tactic": "persistence"}, {"t_num": "T1502", "name": "Parent PID Spoofing", "os": "", "tactic": ""}, {"t_num": "T1134.004", "name": "Parent PID Spoofing", "os": "Windows", "tactic": "defense-evasion privilege-escalation"}, {"t_num": "T1075", "name": "Pass the Hash", "os": "", "tactic": 
""}, {"t_num": "T1550.002", "name": "Pass the Hash", "os": "Windows", "tactic": "defense-evasion lateral-movement"}, {"t_num": "T1097", "name": "Pass the Ticket", "os": "", "tactic": ""}, {"t_num": "T1550.003", "name": "Pass the Ticket", "os": "Windows", "tactic": "defense-evasion lateral-movement"}, {"t_num": "T1110.002", "name": "Password Cracking", "os": "Linux macOS Windows Office 365 Azure AD", "tactic": "credential-access"}, {"t_num": "T1174", "name": "Password Filter DLL", "os": "", "tactic": ""}, {"t_num": "T1556.002", "name": "Password Filter DLL", "os": "Windows", "tactic": "credential-access defense-evasion persistence"}, {"t_num": "T1110.001", "name": "Password Guessing", "os": "Windows Azure AD Office 365 SaaS IaaS Linux macOS Google Workspace Containers", "tactic": "credential-access"}, {"t_num": "T1555.005", "name": "Password Managers", "os": "Linux macOS Windows", "tactic": "credential-access"}, {"t_num": "T1201", "name": "Password Policy Discovery", "os": "Windows Linux macOS", "tactic": "discovery"}, {"t_num": "T1110.003", "name": "Password Spraying", "os": "Windows Azure AD Office 365 SaaS IaaS Linux macOS Google Workspace Containers", "tactic": "credential-access"}, {"t_num": "T1601.001", "name": "Patch System Image", "os": "Network", "tactic": "defense-evasion"}, {"t_num": "T1034", "name": "Path Interception", "os": "Windows", "tactic": "persistence privilege-escalation"}, {"t_num": "T1574.007", "name": "Path Interception by PATH Environment Variable", "os": "Windows", "tactic": "persistence privilege-escalation defense-evasion"}, {"t_num": "T1574.008", "name": "Path Interception by Search Order Hijacking", "os": "Windows", "tactic": "persistence privilege-escalation defense-evasion"}, {"t_num": "T1574.009", "name": "Path Interception by Unquoted Path", "os": "Windows", "tactic": "persistence privilege-escalation defense-evasion"}, {"t_num": "T1120", "name": "Peripheral Device Discovery", "os": "Windows macOS", "tactic": "discovery"}, {"t_num": 
"T1069", "name": "Permission Groups Discovery", "os": "Windows Azure AD Office 365 SaaS IaaS Linux macOS Google Workspace", "tactic": "discovery"}, {"t_num": "T1566", "name": "Phishing", "os": "Linux macOS Windows SaaS Office 365 Google Workspace", "tactic": "initial-access"}, {"t_num": "T1598", "name": "Phishing for Information", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1150", "name": "Plist Modification", "os": "", "tactic": ""}, {"t_num": "T1547.011", "name": "Plist Modification", "os": "macOS", "tactic": "persistence privilege-escalation"}, {"t_num": "T1556.003", "name": "Pluggable Authentication Modules", "os": "Linux macOS", "tactic": "credential-access defense-evasion persistence"}, {"t_num": "T1205.001", "name": "Port Knocking", "os": "Linux macOS Windows Network", "tactic": "defense-evasion persistence command-and-control"}, {"t_num": "T1013", "name": "Port Monitors", "os": "", "tactic": ""}, {"t_num": "T1547.010", "name": "Port Monitors", "os": "Windows", "tactic": "persistence privilege-escalation"}, {"t_num": "T1055.002", "name": "Portable Executable Injection", "os": "Windows", "tactic": "defense-evasion privilege-escalation"}, {"t_num": "T1086", "name": "PowerShell", "os": "", "tactic": ""}, {"t_num": "T1059.001", "name": "PowerShell", "os": "Windows", "tactic": "execution"}, {"t_num": "T1504", "name": "PowerShell Profile", "os": "", "tactic": ""}, {"t_num": "T1546.013", "name": "PowerShell Profile", "os": "Windows", "tactic": "privilege-escalation persistence"}, {"t_num": "T1542", "name": "Pre-OS Boot", "os": "Linux Windows Network", "tactic": "defense-evasion persistence"}, {"t_num": "T1547.012", "name": "Print Processors", "os": "Windows", "tactic": "persistence privilege-escalation"}, {"t_num": "T1145", "name": "Private Keys", "os": "", "tactic": ""}, {"t_num": "T1552.004", "name": "Private Keys", "os": "Linux macOS Windows", "tactic": "credential-access"}, {"t_num": "T1003.007", "name": "Proc Filesystem", "os": "Linux", "tactic": 
"credential-access"}, {"t_num": "T1055.009", "name": "Proc Memory", "os": "Linux", "tactic": "defense-evasion privilege-escalation"}, {"t_num": "T1057", "name": "Process Discovery", "os": "Linux macOS Windows", "tactic": "discovery"}, {"t_num": "T1186", "name": "Process Doppelg\u00e4nging", "os": "", "tactic": ""}, {"t_num": "T1055.013", "name": "Process Doppelg\u00e4nging", "os": "Windows", "tactic": "defense-evasion privilege-escalation"}, {"t_num": "T1093", "name": "Process Hollowing", "os": "", "tactic": ""}, {"t_num": "T1055.012", "name": "Process Hollowing", "os": "Windows", "tactic": "defense-evasion privilege-escalation"}, {"t_num": "T1055", "name": "Process Injection", "os": "Linux macOS Windows", "tactic": "defense-evasion privilege-escalation"}, {"t_num": "T1001.003", "name": "Protocol Impersonation", "os": "Linux Windows macOS", "tactic": "command-and-control"}, {"t_num": "T1572", "name": "Protocol Tunneling", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1090", "name": "Proxy", "os": "Linux macOS Windows Network", "tactic": "command-and-control"}, {"t_num": "T1055.008", "name": "Ptrace System Calls", "os": "Linux", "tactic": "defense-evasion privilege-escalation"}, {"t_num": "T1216.001", "name": "PubPrn", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1597.002", "name": "Purchase Technical Data", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1059.006", "name": "Python", "os": "Linux Windows macOS", "tactic": "execution"}, {"t_num": "T1012", "name": "Query Registry", "os": "Windows", "tactic": "discovery"}, {"t_num": "T1037.004", "name": "RC Scripts", "os": "macOS Linux", "tactic": "persistence privilege-escalation"}, {"t_num": "T1563.002", "name": "RDP Hijacking", "os": "Windows", "tactic": "lateral-movement"}, {"t_num": "T1542.004", "name": "ROMMONkit", "os": "Network", "tactic": "defense-evasion persistence"}, {"t_num": "T1163", "name": "Rc.common", "os": "", "tactic": ""}, {"t_num": "T1164", "name": 
"Re-opened Applications", "os": "", "tactic": ""}, {"t_num": "T1547.007", "name": "Re-opened Applications", "os": "macOS", "tactic": "persistence privilege-escalation"}, {"t_num": "T1600.001", "name": "Reduce Key Space", "os": "Network", "tactic": "defense-evasion"}, {"t_num": "T1108", "name": "Redundant Access", "os": "Windows Azure AD Office 365 SaaS IaaS Linux macOS", "tactic": "defense-evasion persistence"}, {"t_num": "T1498.002", "name": "Reflection Amplification", "os": "Windows Azure AD Office 365 SaaS IaaS Linux macOS Google Workspace", "tactic": "impact"}, {"t_num": "T1060", "name": "Registry Run Keys / Startup Folder", "os": "", "tactic": ""}, {"t_num": "T1547.001", "name": "Registry Run Keys / Startup Folder", "os": "Windows", "tactic": "persistence privilege-escalation"}, {"t_num": "T1121", "name": "Regsvcs/Regasm", "os": "", "tactic": ""}, {"t_num": "T1218.009", "name": "Regsvcs/Regasm", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1117", "name": "Regsvr32", "os": "", "tactic": ""}, {"t_num": "T1218.010", "name": "Regsvr32", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1219", "name": "Remote Access Software", "os": "Linux Windows macOS", "tactic": "command-and-control"}, {"t_num": "T1074.002", "name": "Remote Data Staging", "os": "Windows IaaS Linux macOS", "tactic": "collection"}, {"t_num": "T1076", "name": "Remote Desktop Protocol", "os": "", "tactic": ""}, {"t_num": "T1021.001", "name": "Remote Desktop Protocol", "os": "Windows", "tactic": "lateral-movement"}, {"t_num": "T1114.002", "name": "Remote Email Collection", "os": "Office 365 Windows Google Workspace", "tactic": "collection"}, {"t_num": "T1563", "name": "Remote Service Session Hijacking", "os": "Linux macOS Windows", "tactic": "lateral-movement"}, {"t_num": "T1021", "name": "Remote Services", "os": "Linux macOS Windows", "tactic": "lateral-movement"}, {"t_num": "T1018", "name": "Remote System Discovery", "os": "Linux macOS Windows", "tactic": "discovery"}, 
{"t_num": "T1036.003", "name": "Rename System Utilities", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1091", "name": "Replication Through Removable Media", "os": "Windows", "tactic": "lateral-movement initial-access"}, {"t_num": "T1496", "name": "Resource Hijacking", "os": "Windows IaaS Linux macOS Containers", "tactic": "impact"}, {"t_num": "T1536", "name": "Revert Cloud Instance", "os": "", "tactic": ""}, {"t_num": "T1578.004", "name": "Revert Cloud Instance", "os": "IaaS", "tactic": "defense-evasion"}, {"t_num": "T1036.002", "name": "Right-to-Left Override", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1207", "name": "Rogue Domain Controller", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1014", "name": "Rootkit", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1564.006", "name": "Run Virtual Instance", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1085", "name": "Rundll32", "os": "", "tactic": ""}, {"t_num": "T1218.011", "name": "Rundll32", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1494", "name": "Runtime Data Manipulation", "os": "", "tactic": ""}, {"t_num": "T1565.003", "name": "Runtime Data Manipulation", "os": "Linux macOS Windows", "tactic": "impact"}, {"t_num": "T1606.002", "name": "SAML Tokens", "os": "Azure AD SaaS Windows Office 365 Google Workspace", "tactic": "credential-access"}, {"t_num": "T1178", "name": "SID-History Injection", "os": "", "tactic": ""}, {"t_num": "T1134.005", "name": "SID-History Injection", "os": "Windows", "tactic": "defense-evasion privilege-escalation"}, {"t_num": "T1198", "name": "SIP and Trust Provider Hijacking", "os": "", "tactic": ""}, {"t_num": "T1553.003", "name": "SIP and Trust Provider Hijacking", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1021.002", "name": "SMB/Windows Admin Shares", "os": "Windows", "tactic": "lateral-movement"}, {"t_num": "T1602.001", "name": "SNMP (MIB 
Dump)", "os": "Network", "tactic": "collection"}, {"t_num": "T1505.001", "name": "SQL Stored Procedures", "os": "Windows Linux", "tactic": "persistence"}, {"t_num": "T1021.004", "name": "SSH", "os": "Linux macOS", "tactic": "lateral-movement"}, {"t_num": "T1098.004", "name": "SSH Authorized Keys", "os": "Linux macOS", "tactic": "persistence"}, {"t_num": "T1184", "name": "SSH Hijacking", "os": "", "tactic": ""}, {"t_num": "T1563.001", "name": "SSH Hijacking", "os": "Linux macOS", "tactic": "lateral-movement"}, {"t_num": "T1596.005", "name": "Scan Databases", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1595.001", "name": "Scanning IP Blocks", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1053.005", "name": "Scheduled Task", "os": "Windows", "tactic": "execution persistence privilege-escalation"}, {"t_num": "T1053", "name": "Scheduled Task/Job", "os": "Windows Linux macOS Containers", "tactic": "execution persistence privilege-escalation"}, {"t_num": "T1029", "name": "Scheduled Transfer", "os": "Linux macOS Windows", "tactic": "exfiltration"}, {"t_num": "T1113", "name": "Screen Capture", "os": "Linux macOS Windows", "tactic": "collection"}, {"t_num": "T1180", "name": "Screensaver", "os": "", "tactic": ""}, {"t_num": "T1546.002", "name": "Screensaver", "os": "Windows", "tactic": "privilege-escalation persistence"}, {"t_num": "T1064", "name": "Scripting", "os": "Linux macOS Windows", "tactic": "defense-evasion execution"}, {"t_num": "T1597", "name": "Search Closed Sources", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1593.002", "name": "Search Engines", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1596", "name": "Search Open Technical Databases", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1593", "name": "Search Open Websites/Domains", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1594", "name": "Search Victim-Owned Websites", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1003.002", "name": "Security Account 
Manager", "os": "Windows", "tactic": "credential-access"}, {"t_num": "T1063", "name": "Security Software Discovery", "os": "", "tactic": ""}, {"t_num": "T1518.001", "name": "Security Software Discovery", "os": "Windows Azure AD Office 365 SaaS IaaS Linux macOS Google Workspace", "tactic": "discovery"}, {"t_num": "T1101", "name": "Security Support Provider", "os": "", "tactic": ""}, {"t_num": "T1547.005", "name": "Security Support Provider", "os": "Windows", "tactic": "persistence privilege-escalation"}, {"t_num": "T1167", "name": "Securityd Memory", "os": "", "tactic": ""}, {"t_num": "T1555.002", "name": "Securityd Memory", "os": "Linux macOS", "tactic": "credential-access"}, {"t_num": "T1583.004", "name": "Server", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1584.004", "name": "Server", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1505", "name": "Server Software Component", "os": "Windows Linux macOS", "tactic": "persistence"}, {"t_num": "T1035", "name": "Service Execution", "os": "", "tactic": ""}, {"t_num": "T1569.002", "name": "Service Execution", "os": "Windows", "tactic": "execution"}, {"t_num": "T1499.002", "name": "Service Exhaustion Flood", "os": "Windows Azure AD Office 365 SaaS IaaS Linux macOS Google Workspace", "tactic": "impact"}, {"t_num": "T1058", "name": "Service Registry Permissions Weakness", "os": "", "tactic": ""}, {"t_num": "T1489", "name": "Service Stop", "os": "Windows Linux macOS", "tactic": "impact"}, {"t_num": "T1574.010", "name": "Services File Permissions Weakness", "os": "Windows", "tactic": "persistence privilege-escalation defense-evasion"}, {"t_num": "T1574.011", "name": "Services Registry Permissions Weakness", "os": "Windows", "tactic": "persistence privilege-escalation defense-evasion"}, {"t_num": "T1166", "name": "Setuid and Setgid", "os": "", "tactic": ""}, {"t_num": "T1548.001", "name": "Setuid and Setgid", "os": "Linux macOS", "tactic": "privilege-escalation defense-evasion"}, {"t_num": "T1129", 
"name": "Shared Modules", "os": "Windows", "tactic": "execution"}, {"t_num": "T1051", "name": "Shared Webroot", "os": "Windows", "tactic": "lateral-movement"}, {"t_num": "T1213.002", "name": "Sharepoint", "os": "Windows Office 365", "tactic": "collection"}, {"t_num": "T1023", "name": "Shortcut Modification", "os": "", "tactic": ""}, {"t_num": "T1547.009", "name": "Shortcut Modification", "os": "Windows", "tactic": "persistence privilege-escalation"}, {"t_num": "T1218", "name": "Signed Binary Proxy Execution", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1216", "name": "Signed Script Proxy Execution", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1558.002", "name": "Silver Ticket", "os": "Windows", "tactic": "credential-access"}, {"t_num": "T1593.001", "name": "Social Media", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1585.001", "name": "Social Media Accounts", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1586.001", "name": "Social Media Accounts", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1592.002", "name": "Software", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1072", "name": "Software Deployment Tools", "os": "Linux macOS Windows", "tactic": "execution lateral-movement"}, {"t_num": "T1518", "name": "Software Discovery", "os": "Windows Azure AD Office 365 SaaS IaaS Linux macOS Google Workspace", "tactic": "discovery"}, {"t_num": "T1045", "name": "Software Packing", "os": "", "tactic": ""}, {"t_num": "T1027.002", "name": "Software Packing", "os": "macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1153", "name": "Source", "os": "Linux macOS", "tactic": "execution"}, {"t_num": "T1151", "name": "Space after Filename", "os": "", "tactic": ""}, {"t_num": "T1036.006", "name": "Space after Filename", "os": "Linux macOS", "tactic": "defense-evasion"}, {"t_num": "T1193", "name": "Spearphishing Attachment", "os": "", "tactic": ""}, {"t_num": "T1566.001", "name": "Spearphishing 
Attachment", "os": "macOS Windows Linux", "tactic": "initial-access"}, {"t_num": "T1598.002", "name": "Spearphishing Attachment", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1192", "name": "Spearphishing Link", "os": "", "tactic": ""}, {"t_num": "T1566.002", "name": "Spearphishing Link", "os": "Linux macOS Windows Office 365 SaaS Google Workspace", "tactic": "initial-access"}, {"t_num": "T1598.003", "name": "Spearphishing Link", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1598.001", "name": "Spearphishing Service", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1194", "name": "Spearphishing via Service", "os": "", "tactic": ""}, {"t_num": "T1566.003", "name": "Spearphishing via Service", "os": "Linux macOS Windows", "tactic": "initial-access"}, {"t_num": "T1608", "name": "Stage Capabilities", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1032", "name": "Standard Cryptographic Protocol", "os": "", "tactic": ""}, {"t_num": "T1132.001", "name": "Standard Encoding", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1165", "name": "Startup Items", "os": "", "tactic": ""}, {"t_num": "T1037.005", "name": "Startup Items", "os": "macOS", "tactic": "persistence privilege-escalation"}, {"t_num": "T1528", "name": "Steal Application Access Token", "os": "SaaS Office 365 Azure AD Google Workspace", "tactic": "credential-access"}, {"t_num": "T1539", "name": "Steal Web Session Cookie", "os": "Linux macOS Windows Office 365 SaaS Google Workspace", "tactic": "credential-access"}, {"t_num": "T1558", "name": "Steal or Forge Kerberos Tickets", "os": "Windows", "tactic": "credential-access"}, {"t_num": "T1027.003", "name": "Steganography", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1001.002", "name": "Steganography", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1492", "name": "Stored Data Manipulation", "os": "", "tactic": ""}, {"t_num": "T1565.001", "name": 
"Stored Data Manipulation", "os": "Linux macOS Windows", "tactic": "impact"}, {"t_num": "T1553", "name": "Subvert Trust Controls", "os": "Windows macOS Linux", "tactic": "defense-evasion"}, {"t_num": "T1169", "name": "Sudo", "os": "", "tactic": ""}, {"t_num": "T1206", "name": "Sudo Caching", "os": "", "tactic": ""}, {"t_num": "T1548.003", "name": "Sudo and Sudo Caching", "os": "Linux macOS", "tactic": "privilege-escalation defense-evasion"}, {"t_num": "T1195", "name": "Supply Chain Compromise", "os": "Linux Windows macOS", "tactic": "initial-access"}, {"t_num": "T1573.001", "name": "Symmetric Cryptography", "os": "Linux Windows macOS", "tactic": "command-and-control"}, {"t_num": "T1497.001", "name": "System Checks", "os": "Linux macOS Windows", "tactic": "defense-evasion discovery"}, {"t_num": "T1019", "name": "System Firmware", "os": "", "tactic": ""}, {"t_num": "T1542.001", "name": "System Firmware", "os": "Windows", "tactic": "persistence defense-evasion"}, {"t_num": "T1082", "name": "System Information Discovery", "os": "Windows IaaS Linux macOS", "tactic": "discovery"}, {"t_num": "T1614", "name": "System Location Discovery", "os": "Windows Linux macOS IaaS", "tactic": "discovery"}, {"t_num": "T1016", "name": "System Network Configuration Discovery", "os": "Linux macOS Windows", "tactic": "discovery"}, {"t_num": "T1049", "name": "System Network Connections Discovery", "os": "Windows IaaS Linux macOS", "tactic": "discovery"}, {"t_num": "T1033", "name": "System Owner/User Discovery", "os": "Linux macOS Windows", "tactic": "discovery"}, {"t_num": "T1007", "name": "System Service Discovery", "os": "Windows", "tactic": "discovery"}, {"t_num": "T1569", "name": "System Services", "os": "Windows macOS", "tactic": "execution"}, {"t_num": "T1529", "name": "System Shutdown/Reboot", "os": "Linux macOS Windows", "tactic": "impact"}, {"t_num": "T1124", "name": "System Time Discovery", "os": "Windows", "tactic": "discovery"}, {"t_num": "T1501", "name": "Systemd Service", 
"os": "", "tactic": ""}, {"t_num": "T1543.002", "name": "Systemd Service", "os": "Linux", "tactic": "persistence privilege-escalation"}, {"t_num": "T1053.006", "name": "Systemd Timers", "os": "Linux", "tactic": "execution persistence privilege-escalation"}, {"t_num": "T1542.005", "name": "TFTP Boot", "os": "Network", "tactic": "defense-evasion persistence"}, {"t_num": "T1080", "name": "Taint Shared Content", "os": "Windows", "tactic": "lateral-movement"}, {"t_num": "T1221", "name": "Template Injection", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1055.003", "name": "Thread Execution Hijacking", "os": "Windows", "tactic": "defense-evasion privilege-escalation"}, {"t_num": "T1055.005", "name": "Thread Local Storage", "os": "Windows", "tactic": "defense-evasion privilege-escalation"}, {"t_num": "T1597.001", "name": "Threat Intel Vendors", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1497.003", "name": "Time Based Evasion", "os": "Linux macOS Windows", "tactic": "defense-evasion discovery"}, {"t_num": "T1209", "name": "Time Providers", "os": "", "tactic": ""}, {"t_num": "T1547.003", "name": "Time Providers", "os": "Windows", "tactic": "persistence privilege-escalation"}, {"t_num": "T1099", "name": "Timestomp", "os": "", "tactic": ""}, {"t_num": "T1070.006", "name": "Timestomp", "os": "Linux macOS Windows", "tactic": "defense-evasion"}, {"t_num": "T1134.001", "name": "Token Impersonation/Theft", "os": "Windows", "tactic": "defense-evasion privilege-escalation"}, {"t_num": "T1588.002", "name": "Tool", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1020.001", "name": "Traffic Duplication", "os": "Network", "tactic": "exfiltration"}, {"t_num": "T1205", "name": "Traffic Signaling", "os": "Linux macOS Windows Network", "tactic": "defense-evasion persistence command-and-control"}, {"t_num": "T1537", "name": "Transfer Data to Cloud Account", "os": "IaaS", "tactic": "exfiltration"}, {"t_num": "T1493", "name": "Transmitted Data Manipulation", 
"os": "", "tactic": ""}, {"t_num": "T1565.002", "name": "Transmitted Data Manipulation", "os": "Linux macOS Windows", "tactic": "impact"}, {"t_num": "T1505.002", "name": "Transport Agent", "os": "Linux Windows", "tactic": "persistence"}, {"t_num": "T1154", "name": "Trap", "os": "", "tactic": ""}, {"t_num": "T1546.005", "name": "Trap", "os": "macOS Linux", "tactic": "privilege-escalation persistence"}, {"t_num": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1199", "name": "Trusted Relationship", "os": "Windows SaaS IaaS Linux macOS", "tactic": "initial-access"}, {"t_num": "T1111", "name": "Two-Factor Authentication Interception", "os": "Linux Windows macOS", "tactic": "credential-access"}, {"t_num": "T1065", "name": "Uncommonly Used Port", "os": "", "tactic": ""}, {"t_num": "T1059.004", "name": "Unix Shell", "os": "macOS Linux", "tactic": "execution"}, {"t_num": "T1546.004", "name": "Unix Shell Configuration Modification", "os": "Linux macOS", "tactic": "privilege-escalation persistence"}, {"t_num": "T1552", "name": "Unsecured Credentials", "os": "Windows Azure AD Office 365 SaaS IaaS Linux macOS Google Workspace Containers", "tactic": "credential-access"}, {"t_num": "T1535", "name": "Unused/Unsupported Cloud Regions", "os": "IaaS", "tactic": "defense-evasion"}, {"t_num": "T1608.001", "name": "Upload Malware", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1608.002", "name": "Upload Tool", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1550", "name": "Use Alternate Authentication Material", "os": "Windows Office 365 SaaS Google Workspace", "tactic": "defense-evasion lateral-movement"}, {"t_num": "T1497.002", "name": "User Activity Based Checks", "os": "Linux macOS Windows", "tactic": "defense-evasion discovery"}, {"t_num": "T1204", "name": "User Execution", "os": "Linux Windows macOS IaaS Containers", "tactic": "execution"}, {"t_num": "T1564.007", "name": "VBA 
Stomping", "os": "Linux Windows macOS", "tactic": "defense-evasion"}, {"t_num": "T1055.014", "name": "VDSO Hijacking", "os": "Linux", "tactic": "defense-evasion privilege-escalation"}, {"t_num": "T1021.005", "name": "VNC", "os": "Linux macOS Windows", "tactic": "lateral-movement"}, {"t_num": "T1078", "name": "Valid Accounts", "os": "Windows Azure AD Office 365 SaaS IaaS Linux macOS Google Workspace Containers", "tactic": "defense-evasion persistence privilege-escalation initial-access"}, {"t_num": "T1218.012", "name": "Verclsid", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1125", "name": "Video Capture", "os": "Windows macOS", "tactic": "collection"}, {"t_num": "T1583.003", "name": "Virtual Private Server", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1584.003", "name": "Virtual Private Server", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1497", "name": "Virtualization/Sandbox Evasion", "os": "Windows macOS Linux", "tactic": "defense-evasion discovery"}, {"t_num": "T1059.005", "name": "Visual Basic", "os": "Windows macOS Linux", "tactic": "execution"}, {"t_num": "T1588.006", "name": "Vulnerabilities", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1595.002", "name": "Vulnerability Scanning", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1596.002", "name": "WHOIS", "os": "PRE", "tactic": "reconnaissance"}, {"t_num": "T1600", "name": "Weaken Encryption", "os": "Network", "tactic": "defense-evasion"}, {"t_num": "T1606.001", "name": "Web Cookies", "os": "Linux macOS Windows SaaS", "tactic": "credential-access"}, {"t_num": "T1056.003", "name": "Web Portal Capture", "os": "Linux macOS Windows", "tactic": "collection credential-access"}, {"t_num": "T1071.001", "name": "Web Protocols", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1102", "name": "Web Service", "os": "Linux macOS Windows", "tactic": "command-and-control"}, {"t_num": "T1583.006", "name": "Web Services", "os": 
"PRE", "tactic": "resource-development"}, {"t_num": "T1584.006", "name": "Web Services", "os": "PRE", "tactic": "resource-development"}, {"t_num": "T1506", "name": "Web Session Cookie", "os": "", "tactic": ""}, {"t_num": "T1550.004", "name": "Web Session Cookie", "os": "Office 365 SaaS Google Workspace", "tactic": "defense-evasion lateral-movement"}, {"t_num": "T1100", "name": "Web Shell", "os": "", "tactic": ""}, {"t_num": "T1505.003", "name": "Web Shell", "os": "Linux Windows macOS", "tactic": "persistence"}, {"t_num": "T1077", "name": "Windows Admin Shares", "os": "", "tactic": ""}, {"t_num": "T1059.003", "name": "Windows Command Shell", "os": "Windows", "tactic": "execution"}, {"t_num": "T1555.004", "name": "Windows Credential Manager", "os": "Windows", "tactic": "credential-access"}, {"t_num": "T1222.001", "name": "Windows File and Directory Permissions Modification", "os": "Windows", "tactic": "defense-evasion"}, {"t_num": "T1047", "name": "Windows Management Instrumentation", "os": "Windows", "tactic": "execution"}, {"t_num": "T1084", "name": "Windows Management Instrumentation Event Subscription", "os": "", "tactic": ""}, {"t_num": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "os": "Windows", "tactic": "privilege-escalation persistence"}, {"t_num": "T1028", "name": "Windows Remote Management", "os": "", "tactic": ""}, {"t_num": "T1021.006", "name": "Windows Remote Management", "os": "Windows", "tactic": "lateral-movement"}, {"t_num": "T1543.003", "name": "Windows Service", "os": "Windows", "tactic": "persistence privilege-escalation"}, {"t_num": "T1004", "name": "Winlogon Helper DLL", "os": "", "tactic": ""}, {"t_num": "T1547.004", "name": "Winlogon Helper DLL", "os": "Windows", "tactic": "persistence privilege-escalation"}, {"t_num": "T1547.013", "name": "XDG Autostart Entries", "os": "Linux", "tactic": "persistence privilege-escalation"}, {"t_num": "T1220", "name": "XSL Script Processing", "os": "Windows", "tactic": 
"defense-evasion"}]} \ No newline at end of file