| Scenario | Description | Link |
|---|---|---|
| cn-001.json | Native API call(s) were used to collect a screenshot. | cn-001.json |
| cn-002.json | Execute PowerShell from cmd.exe to collect and compress files of specific extensions. | cn-002.json |
| cn-003.json | Load custom PowerShell module and take screenshots. | cn-003.json |
| cn-004.json | Perform e-mail collection from custom PowerShell module. | cn-004.json |
| cn-005.json | Get contents of clipboard. | cn-005.json |
| Scenario | Description | Link |
|---|---|---|
| ca-001.json | Download Mimikatz Binary | ca-001.json |
| ca-002.json | Dumping credentials via wmidump (Mimikatz) | cn-002.json |
| ca-003.json | Mimikatz lsadump::sam is executed via Invoke-Mimikatz to dump hashes via process injection into LSASS. | ca-003.json |
| Scenario | Description | Link |
|---|---|---|
| de-001.json | Invoke UAC bypass sdctl | de-001.json |
| de-002.json | Timestomp kxwn.lock | de-002.json |
| de-003.json | Delete registry entries post-UAC Bypass | de-003.json |
| Scenario | Description | Link |
|---|---|---|
| dv-001.json | Triage host for information | dv-001.json |
| dv-002.json | The net utility is executed via cmd to enumerate hosts within the domain. | dv-002.json |
| dv-003.json | Delete registry entries post-UAC Bypass | dv-003.json |
| dv-004.json | Get domain controller and curret user SID for the domain | dv-004.json |
| Scenario | Description | Link |
|---|---|---|
| im-001.json | Go Multiplatform Ransomware Emulation | im-001.json |
| im-002.json | Powershell Ransomware Emulation | im-002.json |
| Scenario | Description | Link |
|---|---|---|
| cc-001.json | Use Certutil.exe to download a file from a remote server | cc-001.json |
| cc-002.json | Use Bitsadmin.exe to download a file from a remote server | cc-002.json |