"description":"route can be used to find or change information within the local system IP routing table.[[Citation: TechNet Route]]\n\nAliases: route, route.exe",
],
"meta":{
"uuid":"0c8465c0-d0b4-4670-992e-4eee8d7ff952"
"uuid":"c11ac61d-50f4-444f-85d8-6f006067f0de",
},
"refs":[
"value":"at",
"https://attack.mitre.org/wiki/Software/S0103",
"description":"at is used to schedule tasks on a system to run at a specified date or time.[[Citation: TechNet At]]\n\nAliases: at, at.exe"
"description":"The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface.[[Citation: Microsoft Tasklist]]",
"description":"route can be used to find or change information within the local system IP routing table.[[Citation: TechNet Route]]\n\nAliases: route, route.exe"
"description":"Windows Credential Editor is a password dumping tool.[[Citation: Amplia WCE]]\n\nAliases: Windows Credential Editor, WCE",
],
"meta":{
"uuid":"2e45723a-31da-4a7e-aaa6-e01998a6788f"
"uuid":"242f3da3-4425-4d11-8f5c-b842886da966",
},
"refs":[
"value":"Tasklist",
"https://attack.mitre.org/wiki/Software/S0005",
"description":"The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface.[[Citation: Microsoft Tasklist]]"
"description":"schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time.[[Citation: TechNet Schtasks]]\n\nAliases: schtasks, schtasks.exe",
],
"meta":{
"uuid":"242f3da3-4425-4d11-8f5c-b842886da966"
"uuid":"c9703cd3-141c-43a0-a926-380082be5d04",
},
"refs":[
"value":"Windows Credential Editor",
"https://attack.mitre.org/wiki/Software/S0111",
"description":"Windows Credential Editor is a password dumping tool.[[Citation: Amplia WCE]]\n\nAliases: Windows Credential Editor, WCE"
"description":"UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.[[Citation: Github UACMe]]",
],
"meta":{
"uuid":"c9703cd3-141c-43a0-a926-380082be5d04"
"refs":[
},
"https://attack.mitre.org/wiki/Software/S0116",
"value":"schtasks",
"https://github.com/hfiref0x/UACME"
"description":"schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time.[[Citation: TechNet Schtasks]]\n\nAliases: schtasks, schtasks.exe"
],
},
"uuid":"102c3898-85e0-43ee-ae28-62a0a3ed9507"
{
}
"meta":{
},
"refs":[
{
"https://attack.mitre.org/wiki/Software/S0116",
"value":"ifconfig",
"https://github.com/hfiref0x/UACME"
"description":"ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system.[[Citation: Wikipedia Ifconfig]]",
],
"meta":{
"uuid":"102c3898-85e0-43ee-ae28-62a0a3ed9507"
"refs":[
},
"https://attack.mitre.org/wiki/Software/S0101",
"value":"UACMe",
"https://en.wikipedia.org/wiki/Ifconfig"
"description":"UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.[[Citation: Github UACMe]]"
],
},
"uuid":"362dc67f-4e85-4562-9dac-1b6b7f3ec4b5"
{
}
"meta":{
},
"refs":[
{
"https://attack.mitre.org/wiki/Software/S0101",
"value":"Mimikatz",
"https://en.wikipedia.org/wiki/Ifconfig"
"description":"Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.[[Citation: Deply Mimikatz]][[Citation: Adsecurity Mimikatz Guide]]",
],
"meta":{
"uuid":"362dc67f-4e85-4562-9dac-1b6b7f3ec4b5"
"refs":[
},
"https://attack.mitre.org/wiki/Software/S0002",
"value":"ifconfig",
"https://adsecurity.org/?page%20id=1821",
"description":"ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system.[[Citation: Wikipedia Ifconfig]]"
"https://github.com/gentilkiwi/mimikatz"
},
],
{
"uuid":"afc079f3-c0ea-4096-b75d-3f05338b7f60"
"meta":{
}
"refs":[
},
"https://attack.mitre.org/wiki/Software/S0002",
{
"https://adsecurity.org/?page%20id=1821",
"value":"xCmd",
"https://github.com/gentilkiwi/mimikatz"
"description":"xCmd is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems.[[Citation: xCmd]]",
"description":"Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.[[Citation: Deply Mimikatz]][[Citation: Adsecurity Mimikatz Guide]]"
"description":"Systeminfo is a Windows utility that can be used to gather detailed information about a computer.[[Citation: TechNet Systeminfo]]\n\nAliases: Systeminfo, systeminfo.exe",
],
"meta":{
"uuid":"4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b"
"uuid":"7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1",
},
"refs":[
"value":"xCmd",
"https://attack.mitre.org/wiki/Software/S0096",
"description":"xCmd is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems.[[Citation: xCmd]]"
"description":"netsh is a scripting utility used to interact with networking components on local or remote systems.[[Citation: TechNet Netsh]]\n\nAliases: netsh, netsh.exe",
],
"meta":{
"uuid":"7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1"
"uuid":"5a63f900-5e7e-4928-a746-dd4558e1df71",
},
"refs":[
"value":"Systeminfo",
"https://attack.mitre.org/wiki/Software/S0108",
"description":"Systeminfo is a Windows utility that can be used to gather detailed information about a computer.[[Citation: TechNet Systeminfo]]\n\nAliases: systeminfo.exe, Systeminfo"
"description":"dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain.[[Citation: TechNet Dsquery]] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.\n\nAliases: dsquery, dsquery.exe",
],
"meta":{
"uuid":"5a63f900-5e7e-4928-a746-dd4558e1df71"
"uuid":"38952eac-cb1b-4a71-bad2-ee8223a1c8fe",
},
"refs":[
"value":"netsh",
"https://attack.mitre.org/wiki/Software/S0105",
"description":"netsh is a scripting utility used to interact with networking components on local or remote systems.[[Citation: TechNet Netsh]]\n\nAliases: netsh, netsh.exe"
"description":"gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems.[[Citation: TrueSec Gsecdump]]",
"description":"dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain.[[Citation: TechNet Dsquery]] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.\n\nAliases: dsquery, dsquery.exe"
"description":"Ping is an operating system utility commonly used to troubleshoot and verify network connections.[[Citation: TechNet Ping]]\n\nAliases: Ping, ping.exe",
],
"meta":{
"uuid":"b07c2c47-fefb-4d7c-a69e-6a3296171f54"
"uuid":"b77b563c-34bb-4fb8-86a3-3694338f7b47",
},
"refs":[
"value":"gsecdump",
"https://attack.mitre.org/wiki/Software/S0097",
"description":"gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems.[[Citation: TrueSec Gsecdump]]"
"description":"Ping is an operating system utility commonly used to troubleshoot and verify network connections.[[Citation: TechNet Ping]]\n\nAliases: ping.exe, Ping"
"description":"Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process.[[Citation: Mandiant APT1]]",
"description":"Pass-The-Hash Toolkit is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems.[[Citation: Mandiant APT1]]",
"description":"Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process.[[Citation: Mandiant APT1]]"
"description":"FTP is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.[[Citation: Wikipedia FTP]]\n\nAliases: FTP, ftp.exe",
],
"meta":{
"uuid":"a52edc76-328d-4596-85e7-d56ef5a9eb69"
"uuid":"cf23bf4a-e003-4116-bbae-1ea6c558d565",
},
"refs":[
"value":"Pass-The-Hash Toolkit",
"https://attack.mitre.org/wiki/Software/S0095",
"description":"Pass-The-Hash Toolkit is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems.[[Citation: Mandiant APT1]]"
"description":"ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration.[[Citation: TechNet Ipconfig]]\n\nAliases: ipconfig, ipconfig.exe",
],
"meta":{
"uuid":"cf23bf4a-e003-4116-bbae-1ea6c558d565"
"uuid":"294e2560-bd48-44b2-9da2-833b5588ad11",
},
"refs":[
"value":"FTP",
"https://attack.mitre.org/wiki/Software/S0100",
"description":"FTP is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.[[Citation: Wikipedia FTP]]\n\nAliases: FTP, ftp.exe"
"description":"nbtstat is a utility used to troubleshoot NetBIOS name resolution.[[Citation: TechNet Nbtstat]]\n\nAliases: nbtstat, nbtstat.exe",
],
"meta":{
"uuid":"294e2560-bd48-44b2-9da2-833b5588ad11"
"uuid":"b35068ec-107a-4266-bda8-eb7036267aea",
},
"refs":[
"value":"ipconfig",
"https://attack.mitre.org/wiki/Software/S0102",
"description":"ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration.[[Citation: TechNet Ipconfig]]\n\nAliases: ipconfig, ipconfig.exe"
"description":"HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. [[Citation: Operation Quantum Entanglement]]\n\nAliases: HTRAN, HUC Packet Transmit Tool",
],
"meta":{
"uuid":"3e205e84-9f90-4b4b-8896-c82189936a15"
"uuid":"d5e96a35-7b0b-4c6a-9533-d63ecbda563e",
},
"refs":[
"value":"certutil",
"https://attack.mitre.org/wiki/Software/S0040",
"description":"Certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services.[[Citation: TechNet Certutil]]\n\nAliases: certutil, certutil.exe"
"description":"netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics.[[Citation: TechNet Netstat]]\n\nAliases: netstat, netstat.exe",
],
"meta":{
"uuid":"b35068ec-107a-4266-bda8-eb7036267aea"
"uuid":"4664b683-f578-434f-919b-1c1aad2a1111",
},
"refs":[
"value":"nbtstat",
"https://attack.mitre.org/wiki/Software/S0104",
"description":"nbtstat is a utility used to troubleshoot NetBIOS name resolution.[[Citation: TechNet Nbtstat]]\n\nAliases: nbtstat, nbtstat.exe"
"description":"pwdump is a credential dumper.[[Citation: Wikipedia pwdump]]",
],
"meta":{
"uuid":"d5e96a35-7b0b-4c6a-9533-d63ecbda563e"
"refs":[
},
"https://attack.mitre.org/wiki/Software/S0006",
"value":"HTRAN",
"https://en.wikipedia.org/wiki/Pwdump"
"description":"HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. [[Citation: Operation Quantum Entanglement]]\n\nAliases: HTRAN, HUC Packet Transmit Tool"
"description":"Cachedump is a publicly-available tool that program extracts cached password hashes from a system’s registry.[[Citation: Mandiant APT1]]",
"description":"netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics.[[Citation: TechNet Netstat]]\n\nAliases: netstat, netstat.exe"
{
},
"value":"Net",
{
"description":"The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.Net has a great deal of functionality,[[Citation: Savill 1999]] much of which is useful for an adversary, such as gathering system and network information for [[Discovery]], moving laterally through [[Windows admin shares]] using <code>net use</code> commands, and interacting with services.\n\nAliases: Net, net.exe",
"description":"PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.[[Citation: Russinovich Sysinternals]][[Citation: SANS PsExec]]",
"uuid":"c9cd7ec9-40b7-49db-80be-1399eddd9c52"
"meta":{
},
"refs":[
"value":"Cachedump",
"https://attack.mitre.org/wiki/Software/S0029",
"description":"Cachedump is a publicly-available tool that program extracts cached password hashes from a system\u2019s registry.[[Citation: Mandiant APT1]]"
"description":"The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.Net has a great deal of functionality,[[Citation: Savill 1999]] much of which is useful for an adversary, such as gathering system and network information for [[Discovery]], moving laterally through [[Windows admin shares]] using <code>net use</code> commands, and interacting with services.\n\nAliases: Net, net.exe"
"description":"cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities.[[Citation: TechNet Cmd]]\n\nCmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., <code>dir</code>[[Citation: TechNet Dir]]), deleting files (e.g., <code>del</code>[[Citation: TechNet Del]]), and copying files (e.g., <code>copy</code>[[Citation: TechNet Copy]]).\n\nAliases: cmd, cmd.exe",
],
"meta":{
"uuid":"ff6caf67-ea1f-4895-b80e-4bb0fc31c6db"
"uuid":"bba595da-b73a-4354-aa6c-224d4de7cb4e",
},
"refs":[
"value":"PsExec",
"https://attack.mitre.org/wiki/Software/S0106",
"description":"PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.[[Citation: Russinovich Sysinternals]][[Citation: SANS PsExec]]"
"description":"Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information.Reg are known to be used by persistent threats.[[Citation: Windows Commands JPCERT]]\n\nAliases: Reg, reg.exe",
"value":"Arp",
"meta":{
"description":"Arp displays information about a system's Address Resolution Protocol (ARP) cache.[[Citation: TechNet Arp]]\n\nAliases: Arp, arp.exe"
"description":"cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities.[[Citation: TechNet Cmd]]\n\nCmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., <code>dir</code>[[Citation: TechNet Dir]]), deleting files (e.g., <code>del</code>[[Citation: TechNet Del]]), and copying files (e.g., <code>copy</code>[[Citation: TechNet Copy]]).\n\nAliases: cmd, cmd.exe"
"description":"Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as \u201cadversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors\u201d. Cobalt Strike\u2019s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[[Citation: cobaltstrike manual]]\n\nThe list of techniques below focuses on Cobalt Strike\u2019s ATT&CK-relevant tactics."
"description":"Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information.Reg are known to be used by persistent threats.[[Citation: Windows Commands JPCERT]]\n\nAliases: Reg, reg.exe"
Deborah Servili